This is Linux malware that can function as an HTTP webshell, as well as acting as "ransomware" (Locking/unlocking user accounts at will). Deploys with an Ansible script.
Created by Cayden Wright (ctw4068@rit.edu) 2/6/2025
- Webshell - run commands right in a web browser
- Account Locking - lock users out of their account with a silly message
- Set variables
Edit main.go to change the port and "account locked" message if desired.
- Compile
Use go build to build the executable.
- Create inventory in inventory.ini
Set the IP, username, and password for every host you want to run against. You can either use a password with ansible_password or an SSH key with ansible_private_key_file.
You must be able to access a sudo user over SSH to run this script.
NOTE: No matter whether a password or SSH key is chosen, ansible_become_password must be set in order to install the service!
- Run the playbook!
ansible-playbook playbook.yaml -i inventory.yaml
- Access
Use index.html (locally) for a GUI. It makes HTTP requests with JSON payloads to http://TARGET_IP:8080/api.
I know this is cumbersome - I am bad at Go code
These requests can also be made with any other tool such as curl:
curl http://TARGET_IP:8080/api -d '{"noun": "lock", "verb": "lockme"}'
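From the defender's side, the request shape above (a JSON object with string noun and verb fields sent to /api) can serve as a detection signature in proxy logs or packet captures. The following is an added example, not part of this project's code; the one-request-per-line capture format, the sample lines, and the names Scan, isCommand and Finding are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample, one request per line as "METHOD PATH BODY" (a
// hypothetical export format). Only lines 1 and 4 have the command shape.
const sampleCapture = `POST /api {"noun": "lock", "verb": "lockme"}
POST /api {"user": "alice", "action": "login"}
POST /api/v2/items {"noun": "item", "verb": "create"}
POST /api {"verb": "lockme", "noun": "lock", "extra": 1}
POST /api not-json`

// Finding is one request matching the command shape from the README.
type Finding struct{ Line int; Noun, Verb string }

// isCommand reports whether body is a JSON object with non-empty string "noun" and "verb".
func isCommand(body string) (noun, verb string, ok bool) {
	var obj map[string]json.RawMessage
	if json.Unmarshal([]byte(body), &obj) != nil ||
		json.Unmarshal(obj["noun"], &noun) != nil ||
		json.Unmarshal(obj["verb"], &verb) != nil {
		return "", "", false
	}
	return noun, verb, noun != "" && verb != ""
}

// Scan flags requests to exactly /api that carry a command body. The port is
// deliberately not checked, since the README says it can be changed.
func Scan(capture string) (out []Finding) {
	for i, line := range strings.Split(capture, "\n") {
		parts := strings.SplitN(line, " ", 3)
		if len(parts) == 3 && parts[1] == "/api" {
			if noun, verb, ok := isCommand(parts[2]); ok {
				out = append(out, Finding{i + 1, noun, verb})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleCapture) {
		fmt.Printf("line %d: noun=%q verb=%q\n", f.Line, f.Noun, f.Verb)
	}
}
```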