Are they just an issue with wefwef or trying to use an exploit

  • malloc@programming.dev
    link
    fedilink
    English
    arrow-up
    95
    arrow-down
    1
    ·
    1 year ago

    Lemmy.world instance under attack right now. It was previously redirecting to 🍋 🎉 and the title and side bar changed to antisemitic trash.

    They supposedly attributed it to a hacked admin account and was corrected. But the instance is still showing as defaced and now the page just shows it was “seized by reddit”.

    Seems like there is much more going on right now and the attackers have much more than a single admin account.

    • malloc@programming.dev
      link
      fedilink
      English
      arrow-up
      42
      ·
      1 year ago

      I just want to add a quick note:

      From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If it’s successful, it attempts to exfiltrate to some server otherwise sends an empty value.

      You can see the attacker/spammer obscures the url of the server using JS api as well.

      May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.

      Not a sec engineer, so maybe someone else can chime in.

      • Gellis12@lemmy.ca
        link
        fedilink
        arrow-up
        38
        arrow-down
        1
        ·
        1 year ago

        Here’s a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

        Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It’ll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

        • Kangie@lemmy.srcfiles.zip
          link
          fedilink
          arrow-up
          13
          ·
          1 year ago

          Try

          while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64) > /dev/null ; sleep 1; done
          

          It’ll prevent you from having to see the drivel that curl returns from that site.

          • Gellis12@lemmy.ca
            link
            fedilink
            arrow-up
            9
            ·
            1 year ago

            Oh weird, it wasn’t returning anything a few minutes ago. I wonder if we pissed then off lol

            • Kangie@lemmy.srcfiles.zip
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              Not sure, I wasn’t that long after you and I started getting HTML responses back from the page. Standard Russian Propaganda that doesn’t need to be repeated here - if you’ve seen the claims once you’ve seen 'em a million times!

              I did take the steps of reporting this abuse to cloudflare (who they’re using for DDOS protection) and their registrar.

        • milicent_bystandr@lemmy.ml
          link
          fedilink
          arrow-up
          9
          arrow-down
          2
          ·
          1 year ago

          Why would you include your hostname in the hash? That just sounds like an invitations for a mistake to leak semi-private telemetry data.

          Come to think of it… Isn’t obscured telemetry exactly what your suggestion is doing? If they get or guess your hostname by other means, then they have a nice timestamped request from you, signed with your hostname, every second

          • Gellis12@lemmy.ca
            link
            fedilink
            arrow-up
            13
            ·
            1 year ago

            It’s essentially to add a unique salt to each machine that’s doing this, otherwise they’d all be generating the same hash from identical timestamps. Afaik, sha hashes are still considered secure; and it’s very unlikely they’d even try to crack one. But even if they did try and were successful, there isn’t really anything nefarious they can do with your machines local name.

        • gandalftheBlack@lemmy.ml
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          1 year ago

          Here’s the one where it uses epoch time (better randomization) and also hides the output of curl

          while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date +%s) | shasum | sed 's/.\{3\}$//' | base64) &> /dev/null ; echo "done."; done
          
          
      • Mic_Check_One_Two@reddthat.com
        link
        fedilink
        arrow-up
        18
        ·
        1 year ago

        You seem to be correct. Some sort of drive by login token scraper. Changing your password won’t help, because they still have an authorized copy of your login token. And I don’t think Lemmy has any sort of “Log out of all devices” button, (which deauthorizes all of the account’s login tokens) so there’s not much that a compromised account holder can do to stop it once the hacker has that token.

        It’s the same thing that got Linus Tech Tips a few weeks back. Their entire YouTube account got hacked and turned into a fake “buy into our crypto and Elon Musk will give you a bunch of money” scam a few weeks back. And Linus quickly discovered that changing their passwords didn’t help, because the hackers were able to simply continue using the token they already had.

        This was likely going on for a while, and only recently got activated because they finally snagged an admin account. Shit like this can lurk for a long time, simply waiting for the right target to stumble into it. They don’t really care about the individual accounts, except for helping spread the hack farther. But once they grabbed that admin account, they had what they wanted.

      • humanreader@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I thought I had forgotten about it all. Now they’re all back. I can even hear the piano from 2g1c slowly playing out. Help.

    • Wahots@pawb.social
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      Must be some boomer if they know what lemon party is, lmao. It’s been a hot minute since lemon party, one man one jar, or two girls one cup were being talked about.

      • Wxnzxn@lemmy.ml
        link
        fedilink
        English
        arrow-up
        14
        ·
        1 year ago

        Linking to lemonparty and saying “seized by reddit” strikes me as the playbook of an old 4chan troll/raid, trying to instigate more drama between two places they both hate at once.

    • BanjosKazoo@geddit.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I can’t log into my account on lemmy.world, but I guess this is what they mean by federation and different instances continuing to work.