Are they just an issue with wefwef or trying to use an exploit

  • malloc@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I just want to add a quick note:

    From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If it’s successful, it attempts to exfiltrate to some server otherwise sends an empty value.

    You can see the attacker/spammer obscures the url of the server using JS api as well.

    May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.

    Not a sec engineer, so maybe someone else can chime in.

    • Gellis12@lemmy.ca
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Here’s a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

      Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It’ll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.