Josh Terrill joshterrill
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] | |
| csv files/PTUSER_202404150056.csv:[email protected] |
joshterrill
/ ida-hex-to-str.py
Last active
February 6, 2024 06:58
NodeJS TCP emulator for WinRAR malware
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import idc | |
| import idaapi | |
| def get_hex_string_from_addr(ea): | |
| """ | |
| Given an address, return the hex string it points to up to a null-terminator (considering UTF-16LE encoding). | |
| """ | |
| out = [] | |
| while True: |
joshterrill
/ wordpress-malware-removal.sh
Created
January 24, 2024 16:31
wordpress malware removal scripts from https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "Renaming all plugins to temporarily disable them" | |
| for d in ./wp-content/plugins/*; do | |
| if [ -d "$d" ]; then | |
| mv -- "$d" "${d}_bak" | |
| fi | |
| done | |
| echo "Removing radio.php and fox.php malware files" | |
| find . -type f -name "radio.php" -delete | |
| find . -type f -name "fox.php" -delete |
joshterrill
/ domain-verification.js
Last active
May 9, 2023 01:01
supporting files for blog post on https://hacked.codes called Introduction to finding malware in the wild
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const axios = require('axios'); | |
| const fs = require('fs'); | |
| const args = process.argv; | |
| if (args.length < 3) { | |
| throw new Error('Please provide a file to read from i.e.: node domain-verification.js lastpass-domains.txt'); | |
| } | |
| (async () => { |
joshterrill
/ reformstring.py
Created
January 17, 2023 03:03
a python script that decrypts foscam firmware encryption given args found in FirmwareUpgrade (see post for more details: https://hacked.codes/2023/extracting-firmware-reverse-engineering-encryption-keys-foscam/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Psuedo C code from Ghidra: | |
| ReformString(char*, char const*, unsigned int, ...) | |
| char * ReformString(char *param_1,char *param_2,uint param_3,...) { | |
| char *pcVar1; | |
| int in_r3; | |
| uint uVar2; | |
| int local_4; | |
joshterrill
/ foscam-serial-startup.txt
Last active
January 4, 2023 09:00
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| UU LLL | |
| JJJ TTTTTTT AAAAA GGGGGGGGGGG UUUU LLL AAAAA TTTTTTTT OOOOOOO RRRRRRRRR | |
| JJJJ TTTTTTT AAAAAA GGGGGGG UUUU LLL AAAAAA TTTTTTTT OOOOOOO RRRRRRRR | |
| JJJJ TTTT AAAAAAA GGG UUU UUUU LLL AAA AAA TTT OOOO OOO RRR RRR | |
| JJJJ TTTT AAA AAA GGG GGG UUUU UUUU LLL AAA AAA TTT OOO OOO RRRRRRR | |
| JJJJ TTTT AAA AA GGGGGGGGG UUUUUUUU LLLLLLLL AAAA TTT OOOOOOOOO RRR RRR | |
| JJJ TTTT AAA AA GGGGGGGGG UUUUUUUU LLLLLLLLL AAA TTT OOOOOOOOO RRR RRR |
joshterrill
/ #Wordpress December 2022 Malware Reverse Engineered Files
Last active
November 24, 2023 08:44
These are sample files from malware that has been reverse engineered from previously infected PHP Wordpress sites in December 2022. A full writeup can be found here: https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/ and a full reverse engineering of all infected files can be found here: https://github.com/joshterrill/wordpr…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| These are sample files from malware that has been reverse engineered from previously infected PHP Wordpress sites in December 2022. A full writeup can be found here: https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/ and a full reverse engineering of all infected files can be found here: https://github.com/joshterrill/wordpress-malware-december-2022 |
joshterrill
/ entropy.sh
Created
December 28, 2022 07:37
A shell script that checks files for entropy then orders files by highest entropy and saves the paths to a file called `entropy.txt`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "Getting entropy readings from all .php files" | |
| rm -rf entropy.txt entropy.tmp.txt | |
| for entry in $(find . -type f -name "*.php" -maxdepth 4); do | |
| entropy=$(ent $entry | sed -n 's/.*Serial correlation coefficient is //p' | sed "s/ .*//") | |
| echo "$entry $entropy" >> entropy.tmp.txt | |
| done | |
| sort -k2 -n entropy.tmp.txt > entropy.txt | |
| rm -rf entropy.tmp.txt | |
| echo "Entropy readings saved to entropy.txt" |
joshterrill
/ #Wordpress December 2022 Malware Infected Files
Last active
January 17, 2023 05:28
These are sample files from malware that infected PHP Wordpress sites in December 2022. Full writeup can be found here: https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/ and a full reverse engineering of all infected files can be found here: https://github.com/joshterrill/wordpress-malware-december-2022
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| These are sample files from malware that infected PHP Wordpress sites in December 2022. A full writeup can be found here: https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/ and a full reverse engineering of all infected files can be found here: https://github.com/joshterrill/wordpress-malware-december-2022 |
joshterrill
/ data.csv
Created
July 19, 2022 18:19
a list of all USA zip codes with corresponding cities, latitude, and longitudes
We can't make this file beautiful and searchable because it's too large.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ZIP,CITY,LAT,LNG | |
| 601,ADJUNTAS,18.180555,-66.749961 | |
| 602,AGUADA,18.361945,-67.175597 | |
| 603,AGUADILLA,18.455183,-67.119887 | |
| 606,MARICAO,18.158345,-66.932911 | |
| 610,ANASCO,18.295366,-67.125135 | |
| 612,ARECIBO,18.402253,-66.711397 | |
| 616,BAJADERO,18.420412,-66.671979 | |
| 617,BARCELONETA,18.445147,-66.559696 | |
| 622,BOQUERON,17.991245,-67.153993 |
NewerOlder