Volcyy Posted January 28, 2018

style-console's npm page links to another package. I went ahead and installed it from npm myself and I'm fairly sure I found it. Now I'm not sure what *exactly* this does, but I'm 100% certain that this doesn't have anything to do with some nice console output. See for yourself...

appy Posted January 28, 2018

4 minutes ago, Volcyy said:
> style-console's npm page links to another package. I went ahead and installed it from npm myself and I'm fairly sure I found it. Now I'm not sure what *exactly* this does, but I'm 100% certain that this doesn't have anything to do with some nice console output. See for yourself...

I think you have found it. FYI, that code has been run through an obfuscation tool to make it unreadable and hard to understand. You can see the code is making a request and constructing a URI.

Volcyy Posted January 28, 2018

Yup. I ran the IP address through here https://www.iplocation.net and amongst the results was "Linode", which is a cloud hosting provider. Oh well

appy Posted January 28, 2018

For anyone who did not understand, he basically had a dependency called style-console in his code which reached out to a GitHub repo to download. On first glance that looks fine too; it was a dependency in that one that had the code which exported the whole config of the user.

Bill Doritos Posted January 28, 2018

Hacksle CHANGE!!!!

SmokE (Author) Posted January 28, 2018

1 minute ago, Volcyy said:
> Yup. I ran the IP address through here https://www.iplocation.net and amongst the results was "Linode", which is a cloud hosting provider. Oh well

Can you give me the IP please? I wanna check if it's the same for the marketplace.tf login.

Bill Doritos Posted January 28, 2018

1 minute ago, « SɱokEy » said:
> Can you give me the IP please? I wanna check if it's the same for the marketplace.tf login.

https://pastebin.com/VAxF6RUq

Volcyy Posted January 28, 2018

2 minutes ago, « SɱokEy » said:
> Can you give me the IP please? I wanna check if it's the same for the marketplace.tf login.

The IP is at the bottom of the script if you want to check for yourself.

Enzotoy2 Posted January 28, 2018

2 minutes ago, Volcyy said:
> The IP is at the bottom of the script if you want to check for yourself.

And this can keep all my personal information? (Name, Surname, Password)?

Bill Doritos Posted January 28, 2018

Linode for the win!

Volcyy Posted January 28, 2018

23 minutes ago, Enzotoy2 said:
> And this can keep all my personal information? (Name, Surname, Password)?

As I mentioned before, I'm not entirely sure how this works. It's obfuscated JavaScript and even after running it through a deobfuscator, it's still insanely hard to find out what the hell it's doing. Looking at the code though, it appears (read: *no idea how exactly this works*) to create obfuscated RegEx-es (simply put, something you use to extract text from other text). The malicious function is called exactly once in the entire codebase, namely right after the bot has logged on:

    client.on('loggedOn', function() {
        DEBUG1 && console.info("Logged into Steam");
    });

That didn't turn out as readable as I intended it to be, but anyways. I think this is also why SmokEy lost his items even after running the bot for only 30 minutes. console is the imported malicious module style-console:

    var console = require('style-console');

Since the only input it receives here is "Logged into Steam", I assume that the obfuscated function somehow grabs a hold of text containing the credentials somewhere, matches the important bits via RegEx, and then sends it to the server.

@Enzotoy2 back to your question, I assume it """just""" sends the credentials that you had in config.json. Again, take this with a grain of salt. I have no idea how exactly it works, and it will probably take some time until someone figures it out. Fact is, you should take this as a lesson to not trust any code you see online, just because it's open source, until you've fully read it yourself and understood what it does.

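A static check for the pattern described in the post above, where a third-party module is bound to the name `console` so that an ordinary-looking logging call runs the dependency's code. This is an added example, not part of the thread or of the bot's code; the guarded-name list, the function name `findShadowedGlobals` and the sample file (including the module name `example-steam-client`) are assumptions constructed for illustration.

```javascript
'use strict';

// Names whose rebinding changes what ordinary-looking calls do (assumed list; extend as needed).
const GUARDED = new Set(['console', 'process', 'Buffer', 'global', 'globalThis',
  'setTimeout', 'setInterval', 'fetch', 'JSON', 'Promise']);

// Matches: var|let|const <name> = require('<module>')
const DECL = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*(['"])([^'"]+)\2\s*\)/g;

const isComment = (text) => /^\s*\/\//.test(text);

function findShadowedGlobals(source) {
  const lines = source.split(/\r?\n/);
  const findings = [];
  lines.forEach((text, i) => {
    if (isComment(text)) return; // skip commented-out declarations
    for (const m of text.matchAll(DECL)) {
      const name = m[1];
      const mod = m[3];
      if (!GUARDED.has(name)) continue;
      // Requiring the core module of the same name (e.g. 'node:process') is normal.
      if (mod.replace(/^node:/, '') === name.toLowerCase()) continue;
      // Calls through the rebound name elsewhere in the file reach the third-party module.
      const use = new RegExp('\\b' + name + '\\s*[.(]');
      const uses = [];
      lines.forEach((t, j) => {
        if (j !== i && !isComment(t) && use.test(t)) uses.push(j + 1);
      });
      findings.push({ line: i + 1, name, module: mod, uses });
    }
  });
  return findings;
}

// Constructed sample: the two snippets quoted in the post plus benign lines.
const SAMPLE = [
  "var client = require('example-steam-client'); // hypothetical module name",
  "var console = require('style-console');",
  "const process = require('node:process');",
  "// var console = require('commented-out');",
  "client.on('loggedOn', function() {",
  "    DEBUG1 && console.info(\"Logged into Steam\");",
  "});",
].join('\n');

console.log(JSON.stringify(findShadowedGlobals(SAMPLE)));
```

A finding means the listed module needs to be read before the file is run; the `uses` line numbers show which calls it receives.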
Enzotoy Posted January 28, 2018

3 minutes ago, Volcyy said:
> As I mentioned before, I'm not entirely sure how this works. It's obfuscated JavaScript and even after running it through a deobfuscator, it's still insanely hard to find out what the hell it's doing. Looking at the code though, it appears (read: *no idea how exactly this works*) to create obfuscated RegEx-es (simply put, something you use to extract text from other text). The malicious function is called exactly once in the entire codebase, namely right after the bot has logged on:
>
>     client.on('loggedOn', function() {
>         DEBUG1 && console.info("Logged into Steam");
>     });
>
> That didn't turn out as readable as I intended it to be, but anyways. I think this is also why SmokEy lost his items even after running the bot for only 30 minutes. console is the imported malicious module style-console:
>
>     var console = require('style-console');
>
> Since the only input it receives here is "Logged into Steam", I assume that the obfuscated function somehow grabs a hold of text containing the credentials somewhere, matches the important bits via RegEx, and then sends it to the server.
>
> @Enzotoy2 back to your question, I assume it """just""" sends the credentials that you had in config.json. Again, take this with a grain of salt. I have no idea how exactly it works, and it will probably take some time until someone figures it out. Fact is, you should take this as a lesson to not trust any code you see online, just because it's open source, until you've fully read it yourself and understood what it does.

oh wow ty for this reply

Bill Doritos Posted January 28, 2018

The fun fact is that an opensource program can get backdoors. Axle impersonates code now... Happy new year then...

SmokE (Author) Posted January 28, 2018

8 minutes ago, Volcyy said:
>     client.on('loggedOn', function() {
>         DEBUG1 && console.info("Logged into Steam");
>     });
>
> That didn't turn out as readable as I intended it to be, but anyways. I think this is also why SmokEy lost his items even after running the bot for only 30 minutes. console is the imported malicious module style-console:
>
>     var console = require('style-console');

I am not much of a coder myself but I wanted to know how it works. I did read through the code and didn't understand most of the shit.

SmokE (Author) Posted January 28, 2018

6 minutes ago, Volcyy said:
> Fact is, you should take this as a lesson to not trust any code you see online, just because it's open source, until you've fully read it yourself and understood what it does.

Yes, totally my bad for using it, even though it was just to understand how his stock limits worked. Should have made someone who is very good with codes go through it first.

fisk (Administrators) Posted January 28, 2018

Good catch finding that it was hidden in a dependency. I can say 100% this attack was inspired by an article posted earlier this month, down to it being a console color module containing a payload.

Mr. Sympathy Posted January 28, 2018

Yeah it's blindly obvious that it's axle getting his revenge.. He took 50$ from me as well.. I have literally used that script for about 10 minutes and deleted it. I'm sorry for who lost more..

Lucif3r Posted January 28, 2018

36 minutes ago, Mr. Sympathy said:
> revenge

Revenge warrants him being wronged by the other party. In this case, none of the victims had done anything to him. So calling it revenge is undermining it. This is straight up cyber crime and granted pursuing it in a legal standpoint won't fetch much but at least it gets his name out there and MAYBE Valve gets involved.

RED265 Posted January 28, 2018

10 minutes ago, Lucif3r said:
> Revenge warrants him being wronged by the other party. In this case, none of the victims had done anything to him. So calling it revenge is undermining it. This is straight up cyber crime and granted pursuing it in a legal standpoint won't fetch much but at least it gets his name out there and MAYBE Valve gets involved.

Actually I believe that this is a cybercrime attack + theft of intellectual and private data. I think it’s easily life in any USA prison? Not sure about the country he’s in.

SapienS Posted January 28, 2018

2 hours ago, SapienS said:
> This looks like a mass fraud (Crime against property). The victims should consider to reach their local cybercrime police.

Like I said!!! This guy must not play cowboys within the TF2 community without any repercussion. First of all, report his email to Google, PayPal, Steam.... Also I recommend to build a case against him since this involves thousands of $$$. Make a list of the victims with the stolen value.

Lucif3r Posted January 28, 2018

Exactly. The last thing people should do right now is forget about this. No one should be allowed to just make off with that much stolen money without any repercussions and I mean REAL repercussions. Think the community as a whole should fight back against a cyber crime of this magnitude. I mean if any of you are in contact of a lawyer and can bring them in here it would be great to hear what options the victims have here. Pretty sure Axle will piss his pants if he sees a lawyer getting involved.

Bill Doritos Posted January 28, 2018

4 minutes ago, Lucif3r said:
> Exactly. The last thing people should do right now is forget about this. No one should be allowed to just make off with that much stolen money without any repercussions and I mean REAL repercussions. Think the community as a whole should fight back against a cyber crime of this magnitude. I mean if any of you are in contact of a lawyer and can bring them in here it would be great to hear what options the victims have here. Pretty sure Axle will piss his pants if he sees a lawyer getting involved.

Lol the amount that Axle stole is not sufficient to pay a lawyer.

Derpyyyy Posted January 28, 2018

If anyone knows a person in the field of law, speak to him/her about this. See what can be done. Valve should get involved in this, although I don't know how.

Mrs TS Posted January 28, 2018

1 minute ago, Bill Doritos said:
> Lol the amount that Axle stole is not sufficient to pay a lawyer.

You'd be surprised how little a lawyer will go after as long as he gets his percentage of what is recovered.

manic Posted January 28, 2018

I'm fairly certain that taking another player's virtual items is not illegal. However, stealing account details might be.

This topic is now archived and is closed to further replies.