Are they just an issue with wefwef or trying to use an exploit

  • Gellis12@lemmy.ca
    link
    fedilink
    arrow-up
    38
    arrow-down
    1
    ·
    1 year ago

    Here’s a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

    Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It’ll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

    • Kangie@lemmy.srcfiles.zip
      link
      fedilink
      arrow-up
      13
      ·
      1 year ago

      Try

      while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64) > /dev/null ; sleep 1; done
      

      It’ll prevent you from having to see the drivel that curl returns from that site.

      • Gellis12@lemmy.ca
        link
        fedilink
        arrow-up
        9
        ·
        1 year ago

        Oh weird, it wasn’t returning anything a few minutes ago. I wonder if we pissed then off lol

        • Kangie@lemmy.srcfiles.zip
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Not sure, I wasn’t that long after you and I started getting HTML responses back from the page. Standard Russian Propaganda that doesn’t need to be repeated here - if you’ve seen the claims once you’ve seen 'em a million times!

          I did take the steps of reporting this abuse to cloudflare (who they’re using for DDOS protection) and their registrar.

    • milicent_bystandr
      link
      fedilink
      arrow-up
      10
      arrow-down
      2
      ·
      1 year ago

      Why would you include your hostname in the hash? That just sounds like an invitations for a mistake to leak semi-private telemetry data.

      Come to think of it… Isn’t obscured telemetry exactly what your suggestion is doing? If they get or guess your hostname by other means, then they have a nice timestamped request from you, signed with your hostname, every second

      • Gellis12@lemmy.ca
        link
        fedilink
        arrow-up
        14
        ·
        1 year ago

        It’s essentially to add a unique salt to each machine that’s doing this, otherwise they’d all be generating the same hash from identical timestamps. Afaik, sha hashes are still considered secure; and it’s very unlikely they’d even try to crack one. But even if they did try and were successful, there isn’t really anything nefarious they can do with your machines local name.

    • gandalftheBlack
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Here’s the one where it uses epoch time (better randomization) and also hides the output of curl

      while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date +%s) | shasum | sed 's/.\{3\}$//' | base64) &> /dev/null ; echo "done."; done