I stumbled on an article from . In his description he realized that the Meterpreter “It works” response is one byte shorter than the standard message.

The SHA-256 of the original index.html is f2dcc96deec8bca2facba9ad0db55c89f3c4937cd6d2d28e5c4869216ffa81cf, and it is 45 bytes long.

The SHA-256 of the Meterpreter response, which is missing the \n at the end, is 8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb, and it is 44 bytes long.

As of today, Censys returns 42k Meterpreters running, which I think must be overestimated. I think some other tools have the same issue, like Spiceworks running on port 16992/http, which has the same hash, but nevertheless it can be an additional interesting IOC.

https://censys.io/ipv4?q=8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb
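
One way to triage scan results against the two hashes above while setting aside the port 16992 lookalike, as an added example that is not from the original post. The record layout (`ip`, `port`, `body_sha256`, `body_len`), the function names and the verdict labels are assumptions, and the sample records are constructed.

```python
import hashlib

# Hashes and body lengths quoted in the post above.
STANDARD_SHA256 = "f2dcc96deec8bca2facba9ad0db55c89f3c4937cd6d2d28e5c4869216ffa81cf"
SHORT_SHA256 = "8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb"
EXPECTED_LEN = {STANDARD_SHA256: 45, SHORT_SHA256: 44}
# The post names port 16992/http as serving a body with the same hash.
KNOWN_LOOKALIKE_PORTS = {16992}


def fingerprint(body: bytes) -> tuple[str, int]:
    """SHA-256 and length of a raw HTTP response body (headers excluded)."""
    return hashlib.sha256(body).hexdigest(), len(body)


def triage(record: dict) -> str:
    """Classify one scan record (hypothetical layout, see lead-in)."""
    digest = record["body_sha256"].lower()
    if digest not in EXPECTED_LEN:
        return "no-match"
    if record["body_len"] != EXPECTED_LEN[digest]:
        return "inconsistent"   # hash and length disagree: re-fetch before trusting
    if digest == STANDARD_SHA256:
        return "standard-page"  # 45-byte page with the trailing newline
    if record["port"] in KNOWN_LOOKALIKE_PORTS:
        return "lookalike"      # same hash, different software per the post
    return "candidate"          # supporting indicator only, corroborate it


# Constructed sample records (documentation IP range), not real scan data.
SAMPLE = [
    {"ip": "192.0.2.10", "port": 80, "body_sha256": STANDARD_SHA256, "body_len": 45},
    {"ip": "192.0.2.11", "port": 8443, "body_sha256": SHORT_SHA256, "body_len": 44},
    {"ip": "192.0.2.12", "port": 16992, "body_sha256": SHORT_SHA256, "body_len": 44},
    {"ip": "192.0.2.13", "port": 8080, "body_sha256": SHORT_SHA256.upper(), "body_len": 45},
]


def run_sample() -> list:
    return [(r["ip"], r["port"], triage(r)) for r in SAMPLE]


if __name__ == "__main__":
    for row in run_sample():
        print(*row)
```

`fingerprint` is for bodies you captured yourself: hash the body bytes exactly as received, because stripping or adding a trailing newline changes both the length and the digest.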