Hey!
Have you looked at the base64 encoded payload at all?
The long string that is being echoed is piped into base64 -d, which decodes the base64, and the result is piped into bash for execution.
The decoded payload that is piped into bash is the following script (click here if gist doesn't load):
To correctly assess your situation and the impact this might have had on your systems and users you should definitely take a look to see what effects on your server and data this script might have had.
A very nice tool for this kind of forensic work is GCHQ's CyberChef. It has lots of functions for encoding and decoding different formats.
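As an added example (not code from this thread or from either commenter), here is a small Python helper for the triage step described above: it pulls the base64 blob out of an "echo ... | base64 -d | bash" chain and decodes it for reading, never executing it. The regex, function names and the sample payload are my own constructions.

```python
import base64
import binascii
import re
from typing import Optional

# Matches an "echo <blob> | base64 -d | bash" chain. The echoed argument may be
# bare or wrapped in single/double quotes; "base64 --decode" and "sh" are also
# accepted. Whitespace around the pipes is tolerated.
_CHAIN_RE = re.compile(
    r"""echo\s+(?:-[neE]+\s+)?(['"]?)(?P<blob>[A-Za-z0-9+/=\s]+)\1"""
    r"""\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"""
)


def extract_decode_exec_chain(command_line: str) -> Optional[str]:
    """Return the base64 blob from a decode-and-execute chain, or None if absent."""
    m = _CHAIN_RE.search(command_line)
    if m is None:
        return None
    return re.sub(r"\s+", "", m.group("blob"))  # drop line breaks inside the blob


def decode_payload(blob: str) -> Optional[str]:
    """Decode base64 to text for inspection only. Missing '=' padding is
    repaired; anything that is not valid base64 yields None."""
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def recover_script(command_line: str) -> Optional[str]:
    """Recover the script a captured command line would have piped into bash."""
    blob = extract_decode_exec_chain(command_line)
    return None if blob is None else decode_payload(blob)


# Constructed sample: a harmless script wrapped the way the thread describes.
SAMPLE_SCRIPT = "#!/bin/bash\necho 'constructed sample payload'\n"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_CMD = "echo " + SAMPLE_B64 + " | base64 -d | bash"

if __name__ == "__main__":
    print(recover_script(SAMPLE_CMD))
```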
Thanks Daniel. Don't know why I missed the piping into the base64 -d command. Had never seen that command, so my brain missed it :D. This has become more interesting. I'm looking into what this script is doing.
Nice! Hope it's nothing too serious.
I'm also using this corona isolation time to analyze a phishing attempt against me that took place a few weeks ago.
Guess I'll be having a series of articles up over the next days :D
For anyone else interested, here is the malicious script after base64 decode and some tidying up:
Thanks Valts, I have added a somewhat commented (whatever I could understand) version to the post itself. Please comment if I might have done anything wrong there.