Mike Place cachedout

cachedout / gist:2950de63aa102ec9ccb895deea1aa539
Created May 4, 2020 09:37
Mirror of Slack CVE discussion
## Overview
What we know so far:
Source: https://github.com/saltstack/salt/issues/57057
Payload distribution point: https://bitbucket.org/samk12dd/git/src/master/ --update: now defunct
Updated payload distrib URL: http://413628.selcdn.ru/cdn/salt-storer
Bootloader distribution link: http://89.223.121.139/sa.sh
backup CNC command source: http://54.36.185.99/c.sh
This is a crypto-mining operation. salt-minions is a compiled xmrig binary (https://github.com/xmrig/xmrig).
salt-store contains a RAT, nspps (https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/).
### Keybase proof
I hereby claim:
* I am cachedout on github.
* I am mike_place (https://keybase.io/mike_place) on keybase.
* I have a public key ASBIPskwHSk1KxyzPm_y0EquFvnhsVh8DLulPip-UjMawQo
To claim this, I am signing this object:
PARSING DSN
wrongparsing host: wrong:test@tcp(127.0.0.1:3306)/
goroutine 1 [running]:
runtime/debug.Stack(0x20, 0x0, 0xc00068eeb8)
/usr/local/Cellar/go/1.11.2/libexec/src/runtime/debug/stack.go:24 +0xa7

Keybase proof

I hereby claim:

  • I am cachedout on github.
  • I am cachedout (https://keybase.io/cachedout) on keybase.
  • I have a public key whose fingerprint is 1033 ED4A 4116 03F3 E9B5 822B 9136 F4F1 3705 CFD3

To claim this, I am signing this object:

mp@silver ...devel/salt/salt % ping 198.60.22.4 (git)-[cli_lite]
PING 198.60.22.4 (198.60.22.4) 56(84) bytes of data.
64 bytes from 198.60.22.4: icmp_seq=1 ttl=61 time=1223 ms
64 bytes from 198.60.22.4: icmp_seq=2 ttl=61 time=1493 ms
64 bytes from 198.60.22.4: icmp_seq=3 ttl=61 time=1610 ms
64 bytes from 198.60.22.4: icmp_seq=4 ttl=61 time=1950 ms
64 bytes from 198.60.22.4: icmp_seq=5 ttl=61 time=1567 ms
^C
--- 198.60.22.4 ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5012ms
diff --git a/salt/state.py b/salt/state.py
index a6d1932..92fc142 100644
--- a/salt/state.py
+++ b/salt/state.py
@@ -627,7 +627,8 @@ class State(object):
Execute the aggregation systems to runtime modify the low chunk
'''
agg_opt = self.functions['config.option']('state_aggregate')
- if low.get('aggregate') is True:
+# if low.get('aggregate') is True:
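Review bot: the `if low.get('aggregate') is True:` check is left in place as a commented-out line at the one visible change in this hunk, and no comment explains why it was disabled. Delete the old line outright (version control keeps the history) or add a short comment stating the reason. The hunk header (`-627,7 +627,8`) indicates one more added line that is not shown here, so the replacement condition for the aggregate path should be checked before this is merged.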
Downloading Packages:
PyYAML-3.10-3.el6.x86_64.rpm | 157 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : PyYAML-3.10-3.el6.x86_64 1/1
Error unpacking rpm package PyYAML-3.10-3.el6.x86_64
error: unpacking of archive failed on file /usr/lib64/python2.6/site-packages/PyYAML-3.10-py2.6.egg-info: cpio: rename
Verifying : PyYAML-3.10-3.el6.x86_64 1/1
Index: salt/client/__init__.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- salt/client/__init__.py (date 1386195501000)
+++ salt/client/__init__.py (revision )
@@ -1028,6 +1028,7 @@
yield {}
# Wait for the hosts to check in
precise64:
----------
State: - file
Name: /tmp/f/g/foo.txt
Function: managed
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/salt_mount/salt/state.py", line 1265, in call
# state call.
File "/salt_mount/salt/states/file.py", line 1135, in managed
Index: salt/states/user.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- salt/states/user.py (revision e013d26cac0e87bcbcb87c55a792a8480ae7045a)
+++ salt/states/user.py (revision )
@@ -258,7 +258,7 @@
log.warning('Group "{0}" specified in both groups and '
'optional_groups for user {1}'.format(isected, name))