The eSentire appliance I have on one of my networks went absolutely insane when I loaded this site up earlier this morning.
It appears that one of the JS files on reboot.pro has been replaced with a 302 redirect pointing towards alnera.eu. The Firefox headers are below (JSON format, apologies).
eSentire says that's a known Dotkachef EK botnet C&C node, and while that domain is expired and returns zero bytes of content, you all may want to look into that - I've got to write up a full incident report for my employers now as a result of it, and nuke my box as well due to their insistence.
I've already sent PMs to the mods who are online to have them look at this, but if you visited here before 15 Jan 22, you will want to scan your boxes to ensure they're clean.
-----
{
"GET": {
"scheme": "http",
"host": "reboot.pro",
"filename": "/",
"query": {
"ipbv": "b00d0ec59668aa9e7dba46b35b57e89b",
"f": "public/js/ips.quickpm.js"
},
"remote": {
"Address": "178.63.26.112:80"
}
}
}
{
"Status": "302Found",
"Version": "HTTP/1.1",
"Transferred": "448 B (0 B size)",
"Referrer Policy": "strict-origin-when-cross-origin"
}
{
"Response Headers (448 B)": {
"headers": [
{
"name": "Cache-Control",
"value": "no-cache, no-store, must-revalidate"
},
{
"name": "Connection",
"value": "Keep-Alive"
},
{
"name": "Content-Length",
"value": "0"
},
{
"name": "Content-Type",
"value": "text/html; charset=UTF-8"
},
{
"name": "Date",
"value": "Thu, 20 Jan 2022 16:45:21 GMT"
},
{
"name": "Expires",
"value": "1970-01-01 00:00:00"
},
{
"name": "Keep-Alive",
"value": "timeout=5, max=100"
},
{
"name": "Location",
"value": "http://alnera.eu/1C0...?cp=reboot.pro"
},
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Server",
"value": "Apache/2.4.41 (Ubuntu)"
},
{
"name": "Set-Cookie",
"value": "__utmxy=1; expires=Fri, 20-Jan-2023 16:45:21 GMT; Max-Age=31536000; path=/"
}
]
}
}
{
"Request Headers (411 B)": {
"headers": [
{
"name": "Accept",
"value": "*/*"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.5"
},
{
"name": "Cache-Control",
"value": "max-age=0"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Cookie",
"value": "session_id=ebf272dbfe91bf83fd28b37682697d0a"
},
{
"name": "DNT",
"value": "1"
},
{
"name": "Host",
"value": "reboot.pro"
},
{
"name": "Referer",
"value": "http://reboot.pro/"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
}
]
}
}
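As an added illustration (not part of the post above, and not code from reboot.pro, eSentire or any vendor), the check below parses a header dump in the same concatenated-JSON shape Firefox produces and flags the pattern described: a request for a site's own `.js` asset answered with a 3xx redirect whose `Location` points at a different host. The embedded sample is constructed; its hostnames, paths, address and `ipbv` value are placeholders, not indicators.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample in the same back-to-back JSON shape as the Firefox header
# dump quoted in the post: request object, status object, response headers object.
# Hosts, paths and hashes here are placeholders, not real indicators.
SAMPLE_DUMP = r'''
{
  "GET": {
    "scheme": "http",
    "host": "forum.example",
    "filename": "/",
    "query": {"ipbv": "0123456789abcdef", "f": "public/js/ips.quickpm.js"},
    "remote": {"Address": "192.0.2.10:80"}
  }
}
{ "Status": "302Found", "Version": "HTTP/1.1" }
{
  "Response Headers (448 B)": {
    "headers": [
      {"name": "Content-Length", "value": "0"},
      {"name": "Content-Type", "value": "text/html; charset=UTF-8"},
      {"name": "Location", "value": "http://redirect-target.invalid/abc?cp=forum.example"}
    ]
  }
}
'''

# Constructed benign case: the same script request served normally.
CLEAN_DUMP = r'''
{ "GET": {"scheme": "http", "host": "forum.example", "filename": "/",
          "query": {"f": "public/js/ips.quickpm.js"}} }
{ "Status": "200OK", "Version": "HTTP/1.1" }
{ "Response Headers (120 B)": {"headers": [
    {"name": "Content-Type", "value": "application/javascript"}]} }
'''

SCRIPT_SUFFIXES = (".js", ".mjs")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def split_concatenated_json(text):
    """Yield each top-level JSON value from a string holding several back to back."""
    decoder = json.JSONDecoder()
    text = text.strip()
    pos = 0
    while pos < len(text):
        obj, end = decoder.raw_decode(text, pos)
        yield obj
        pos = end
        while pos < len(text) and text[pos].isspace():
            pos += 1


def parse_dump(text):
    """Collapse the separate objects into one record: host, path, query, status, headers."""
    record = {"headers": {}, "query": {}}
    for obj in split_concatenated_json(text):
        for key, value in obj.items():
            if key in ("GET", "POST", "HEAD"):
                record["host"] = value.get("host", "")
                record["path"] = value.get("filename", "")
                record["query"] = value.get("query", {}) or {}
            elif key == "Status":
                # Firefox writes e.g. "302Found"; keep the leading numeric code only.
                digits = "".join(ch for ch in str(value) if ch.isdigit())[:3]
                record["status"] = int(digits) if digits else None
            elif key.startswith("Response Headers"):
                for h in value.get("headers", []):
                    record["headers"][h["name"].lower()] = h["value"]
    return record


def requested_script(record):
    """Return the script being fetched: the path itself or the f= loader parameter."""
    candidates = [record.get("path", ""), record["query"].get("f", "")]
    for c in candidates:
        if c and c.lower().endswith(SCRIPT_SUFFIXES):
            return c
    return None


def assess(record):
    """Return findings for a first-party script request that was redirected off-site."""
    findings = []
    script = requested_script(record)
    location = record["headers"].get("location")
    if script is None or record.get("status") not in REDIRECT_CODES or not location:
        return findings
    target = urlparse(location)
    if target.hostname and target.hostname != record.get("host"):
        findings.append(f"script {script} redirected off-site to {target.hostname}")
        # Heuristic: the redirect URL carrying the origin host as a parameter
        # (cp=<site>) suggests the target tracks which site was compromised.
        for values in parse_qs(target.query).values():
            if record.get("host") in values:
                findings.append("redirect target echoes the origin host as a query parameter")
                break
    return findings


if __name__ == "__main__":
    for finding in assess(parse_dump(SAMPLE_DUMP)):
        print("ALERT:", finding)
```

Run over a real export, the same `assess` call gives a quick yes/no on whether a page's own script loaders are being answered with off-site redirects; pair the hit with the `Location` host for the incident write-up and with a scan of the loading machine, as the post advises.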