Daniel Roberson droberson

## gist:f1283a8204aace067ae499ba38d053b6
#!/usr/bin/env python3

# Extract IP address and port from "ConnectBack" shellcode used in Gitlab intrusions
# https://bazaar.abuse.ch/browse/tag/ConnectBack/

import sys
import struct
import socket

with open(sys.argv[1], "rb") as fp:

## verify_libs.sh
#!/bin/bash

PIDS=$(pidof sshd)
PACKAGES=""

for pid in $PIDS;
do
	for lib in $(cat /proc/$pid/maps |awk {'print $6'} |grep ^/ |sort |uniq);
	do
		PACKAGES="$PACKAGES $(rpm -q --whatprovides $lib)"

## find_ld_preload.sh
#!/bin/bash

PIDS=$(pidof sshd)

for pid in $PIDS;
do
	for lib in $(cat /proc/$pid/maps |awk {'print $6'} |grep ^/ |sort |uniq);
	do
		rpm -q --whatprovides $lib |grep " package"
	done

## splunk_to_discord.py
#!/usr/bin/env python3

import json
import requests

from twisted.web import server
from twisted.web.resource import Resource
from twisted.internet import reactor

def http_log(request):

## python_getattr.py
#!/usr/bin/env python3

import os
import fcntl
from array import array

# https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fs.h
FS_IOC_GETFLAGS	= 0x80086601

f = os.open("/bin/ls", os.O_RDONLY)

## masscan-favicon-grab.py
#!/usr/bin/env python3

import os
import sys
import time
import fcntl
import errno
import socket
import hashlib
import requests

## masscan-ssh-banner-grab.py
#!/usr/bin/env python3

import os
import sys
import time
import fcntl
import errno
import socket
from threading import Thread
from queue import Queue

## masscan-ftp-banner-grab.py
#!/usr/bin/env python3

import os
import sys
import time
import fcntl
import errno
import socket
from threading import Thread
from queue import Queue

## generate-lots-of-ssh-keypairs.sh
#!/bin/sh

# This will generate a keypair for each command line argument:
#
# Create keys named "daniel", "jacob", and "whitley"
#  % generate-lots-of-ssh-keypairs.sh daniel jacob whitley
#
# Create 100 numbered keys
#  % generate-logs-of-ssh-keypairs.sh $(seq 100)

## lolbins-group-permissions.sh
#!/bin/sh

# This changes permissions on lolbins to only be executable by the lolbins
# group members.
#
# Beware; if you use an X11/Xorg display manager, this may cause your system
# not to boot properly. Add lightdm, xdm, etc to "lolbins" group if you are
# using a GUI.
#
# Beware again; this breaks apt. If you get gpg errors when doing apt updates,
	#!/usr/bin/env python3

	# Extract IP address and port from "ConnectBack" shellcode used in Gitlab intrusions
	# https://bazaar.abuse.ch/browse/tag/ConnectBack/

	import sys
	import struct
	import socket

	with open(sys.argv[1], "rb") as fp:
	#!/bin/bash

	PIDS=$(pidof sshd)
	PACKAGES=""

	for pid in $PIDS;
	do
	for lib in $(cat /proc/$pid/maps \|awk {'print $6'} \|grep ^/ \|sort \|uniq);
	do
	PACKAGES="$PACKAGES $(rpm -q --whatprovides $lib)"
	#!/usr/bin/env python3

	import json
	import requests

	from twisted.web import server
	from twisted.web.resource import Resource
	from twisted.internet import reactor

	def http_log(request):
	#!/usr/bin/env python3

	import os
	import fcntl
	from array import array

	# https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fs.h
	FS_IOC_GETFLAGS = 0x80086601

	f = os.open("/bin/ls", os.O_RDONLY)
	#!/bin/sh

	# This will generate a keypair for each command line argument:
	#
	# Create keys named "daniel", "jacob", and "whitley"
	# % generate-lots-of-ssh-keypairs.sh daniel jacob whitley
	#
	# Create 100 numbered keys
	# % generate-logs-of-ssh-keypairs.sh $(seq 100)
	#!/bin/sh

	# This changes permissions on lolbins to only be executable by the lolbins
	# group members.
	#
	# Beware; if you use an X11/Xorg display manager, this may cause your system
	# not to boot properly. Add lightdm, xdm, etc to "lolbins" group if you are
	# using a GUI.
	#
	# Beware again; this breaks apt. If you get gpg errors when doing apt updates,