this post was submitted on 10 Jul 2023
252 points (97.4% liked)

Asklemmy

43812 readers
967 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

Are they just an issue with wefwef or trying to use an exploit

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 97 points 1 year ago (17 children)

Lemmy.world instance under attack right now. It was previously redirecting to πŸ‹ πŸŽ‰ and the title and side bar changed to antisemitic trash.

They supposedly attributed it to a hacked admin account and was corrected. But the instance is still showing as defaced and now the page just shows it was β€œseized by reddit”.

Seems like there is much more going on right now and the attackers have much more than a single admin account.

[–] [email protected] 41 points 1 year ago (8 children)

I just want to add a quick note:

From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If it’s successful, it attempts to exfiltrate to some server otherwise sends an empty value.

You can see the attacker/spammer obscures the url of the server using JS api as well.

May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.

Not a sec engineer, so maybe someone else can chime in.

[–] [email protected] 36 points 1 year ago (3 children)

Here's a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It'll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

[–] [email protected] 12 points 1 year ago (1 children)

Try

while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64) > /dev/null ; sleep 1; done

It'll prevent you from having to see the drivel that curl returns from that site.

[–] [email protected] 8 points 1 year ago (1 children)

Oh weird, it wasn't returning anything a few minutes ago. I wonder if we pissed then off lol

[–] [email protected] 2 points 1 year ago

Not sure, I wasn't that long after you and I started getting HTML responses back from the page. Standard Russian Propaganda that doesn't need to be repeated here - if you've seen the claims once you've seen 'em a million times!

I did take the steps of reporting this abuse to cloudflare (who they're using for DDOS protection) and their registrar.

[–] [email protected] 7 points 1 year ago (1 children)

Why would you include your hostname in the hash? That just sounds like an invitations for a mistake to leak semi-private telemetry data.

Come to think of it.... Isn't obscured telemetry exactly what your suggestion is doing? If they get or guess your hostname by other means, then they have a nice timestamped request from you, signed with your hostname, every second

[–] [email protected] 13 points 1 year ago

It's essentially to add a unique salt to each machine that's doing this, otherwise they'd all be generating the same hash from identical timestamps. Afaik, sha hashes are still considered secure; and it's very unlikely they'd even try to crack one. But even if they did try and were successful, there isn't really anything nefarious they can do with your machines local name.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Here's the one where it uses epoch time (better randomization) and also hides the output of curl

while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date +%s) | shasum | sed 's/.\{3\}$//' | base64) &> /dev/null ; echo "done."; done

load more comments (4 replies)
load more comments (12 replies)