
Compromised JS file on reboot.pro



#1 Tuxedo Jack (Members, 5 posts)

Posted 20 January 2022 - 05:34 PM

The eSentire appliance I have on one of my networks went absolutely insane when I loaded this site up earlier this morning.

It appears that one of the JS files on reboot.pro has been replaced with a 302 redirect pointing towards alnera.eu. The Firefox headers are below (JSON format, apologies).

eSentire says that's a known Dotkachef EK botnet C&C node, and while that domain is expired and returns zero bytes of content, you all may want to look into that - I've got to write up a full incident report for my employers now as a result of it, and nuke my box as well due to their insistence.


I've already sent PMs to the mods who are online to have them look at this, but if you visited here before 15 Jan 22, you will want to scan your boxes to ensure they're clean.


-----


{
  "GET": {
    "scheme": "http",
    "host": "reboot.pro",
    "filename": "/",
    "query": {
      "ipbv": "b00d0ec59668aa9e7dba46b35b57e89b",
      "f": "public/js/ips.quickpm.js"
    },
    "remote": {
      "Address": "178.63.26.112:80"
    }
  }
}

{
  "Status": "302Found",
  "Version": "HTTP/1.1",
  "Transferred": "448 B (0 B size)",
  "Referrer Policy": "strict-origin-when-cross-origin"
}

{
  "Response Headers (448 B)": {
    "headers": [
      { "name": "Cache-Control", "value": "no-cache, no-store, must-revalidate" },
      { "name": "Connection", "value": "Keep-Alive" },
      { "name": "Content-Length", "value": "0" },
      { "name": "Content-Type", "value": "text/html; charset=UTF-8" },
      { "name": "Date", "value": "Thu, 20 Jan 2022 16:45:21 GMT" },
      { "name": "Expires", "value": "1970-01-01 00:00:00" },
      { "name": "Keep-Alive", "value": "timeout=5, max=100" },
      { "name": "Location", "value": "http://alnera.eu/1C0...?cp=reboot.pro" },
      { "name": "Pragma", "value": "no-cache" },
      { "name": "Server", "value": "Apache/2.4.41 (Ubuntu)" },
      { "name": "Set-Cookie", "value": "__utmxy=1; expires=Fri, 20-Jan-2023 16:45:21 GMT; Max-Age=31536000; path=/" }
    ]
  }
}

{
  "Request Headers (411 B)": {
    "headers": [
      { "name": "Accept", "value": "*/*" },
      { "name": "Accept-Encoding", "value": "gzip, deflate" },
      { "name": "Accept-Language", "value": "en-US,en;q=0.5" },
      { "name": "Cache-Control", "value": "max-age=0" },
      { "name": "Connection", "value": "keep-alive" },
      { "name": "Cookie", "value": "session_id=ebf272dbfe91bf83fd28b37682697d0a" },
      { "name": "DNT", "value": "1" },
      { "name": "Host", "value": "reboot.pro" },
      { "name": "Referer", "value": "http://reboot.pro/" },
      { "name": "User-Agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" }
    ]
  }
}
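The capture above is exactly the pattern a browser-side or proxy check should trip on: a request for a .js resource answered with a 302 to another host, a text/html content type and a zero-byte body. The Python below is an added example, not code from the thread, from eSentire or from the forum software. It parses a dump in the same back-to-back-JSON shape that the Firefox devtools produce (the two samples are constructed here; the header values in the first mirror the post, the second is an invented normal response) and flags a script request that is redirected off-host or served as something other than JavaScript.

```python
import json
import re
from urllib.parse import urlparse

SCRIPT_SUFFIXES = (".js", ".mjs")

# Constructed sample in the shape of the devtools dump in the post: several JSON
# objects back to back, which is not one valid JSON document. Header values
# mirror the post; the remaining headers are trimmed.
SUSPICIOUS_DUMP = r'''
{"GET": {"scheme": "http", "host": "reboot.pro", "filename": "/",
 "query": {"ipbv": "b00d0ec59668aa9e7dba46b35b57e89b", "f": "public/js/ips.quickpm.js"},
 "remote": {"Address": "178.63.26.112:80"}}}
{"Status": "302Found", "Version": "HTTP/1.1", "Transferred": "448 B (0 B size)"}
{"Response Headers (448 B)": {"headers": [
 {"name": "Content-Type", "value": "text/html; charset=UTF-8"},
 {"name": "Content-Length", "value": "0"},
 {"name": "Location", "value": "http://alnera.eu/1C0...?cp=reboot.pro"},
 {"name": "Set-Cookie", "value": "__utmxy=1; expires=Fri, 20-Jan-2023 16:45:21 GMT; Max-Age=31536000; path=/"}]}}
{"Request Headers (411 B)": {"headers": [
 {"name": "Host", "value": "reboot.pro"},
 {"name": "Referer", "value": "http://reboot.pro/"}]}}
'''

# Constructed (invented) capture of the same script request answered normally.
BENIGN_DUMP = r'''
{"GET": {"scheme": "http", "host": "reboot.pro", "filename": "/",
 "query": {"f": "public/js/ips.quickpm.js"}, "remote": {"Address": "178.63.26.112:80"}}}
{"Status": "200OK", "Version": "HTTP/1.1", "Transferred": "12.3 kB (40.1 kB size)"}
{"Response Headers (210 B)": {"headers": [
 {"name": "Content-Type", "value": "application/javascript; charset=UTF-8"}]}}
'''


def parse_concatenated_json(text):
    """Split a string holding several JSON objects back to back into a list."""
    decoder = json.JSONDecoder()
    objs, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():   # raw_decode rejects leading whitespace
            pos += 1
        if pos >= len(text):
            return objs
        obj, pos = decoder.raw_decode(text, pos)
        objs.append(obj)


def headers_to_dict(section):
    """Flatten a devtools {"headers": [{"name": .., "value": ..}, ...]} section."""
    return {h["name"].lower(): h["value"] for h in section.get("headers", [])}


def analyse_dump(text):
    """Flag a script request answered with an off-host redirect or a non-JS body.

    Returns a finding dict, or None when the capture looks normal or is not a
    script request at all."""
    request = status_line = resp = None
    for obj in parse_concatenated_json(text):
        for key, value in obj.items():
            if key in ("GET", "POST", "HEAD"):
                request = value
            elif key == "Status":
                status_line = value
            elif key.startswith("Response Headers"):
                resp = headers_to_dict(value)
    if request is None or status_line is None or resp is None:
        return None

    # This forum's loader names the real script in the "f" query parameter (see
    # the capture); otherwise fall back to the request path itself.
    resource = request.get("query", {}).get("f") or request.get("filename", "")
    if not resource.lower().endswith(SCRIPT_SUFFIXES):
        return None

    status = int(re.match(r"\d+", status_line).group())   # "302Found" -> 302
    reasons, location_host = [], None
    if 300 <= status < 400:
        location_host = urlparse(resp.get("location", "")).hostname
        if location_host and location_host != request.get("host"):
            reasons.append(f"script request redirected off-host to {location_host}")
        else:
            reasons.append("script request redirected")
    else:
        ctype = resp.get("content-type", "").split(";")[0].strip().lower()
        if ctype and "javascript" not in ctype and "ecmascript" not in ctype:
            reasons.append(f"script served as {ctype}")
    if not reasons:
        return None
    return {"resource": resource, "status": status,
            "location_host": location_host, "reasons": reasons}


if __name__ == "__main__":
    print(analyse_dump(SUSPICIOUS_DUMP))
    print(analyse_dump(BENIGN_DUMP))
```

Run it as-is to see the finding for the capture from the post and None for the normal response. Matching on the "f" parameter rather than the request path is what makes the check work for forum software that serves scripts through a loader; a proxy rule keyed only on a `.js` path would see `/` here and miss it.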



#2 erwan.l (Platinum Member, Developer, 3041 posts, Nantes - France)

Posted 20 January 2022 - 07:44 PM

Weird.

Must be something quite old, as alnera.eu does not resolve to an IP today,

and has probably been offline for some time.

I'll have a look, though.

 

Be aware, though, that this could be down to your client/device as well: some web browser extension, intercepting tool, etc.

 

thx,

Erwan

 

Edit: the command below does not return any file containing alnera.

At this stage, false positive to me.

grep --include=\*.{js,html,php} -rnw '/path/to/www' -e 'alnera'


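The grep above only opens *.js, *.html and *.php, so it cannot see a redirect that lives in server configuration (an .htaccess RewriteRule, for example) or in a PHP include with some other extension, and it says nothing about which files changed recently. The Python below is an added example, not code from the thread or from reboot.pro; it builds a constructed throwaway web root (the .htaccess rewrite in it is invented for the demonstration, not something found on the site), compares the extension-filtered search with an all-files search, and lists files modified within the last N days.

```python
import os
import tempfile
import time
from pathlib import Path

# The extensions the thread's grep restricts itself to (--include=*.{js,html,php}).
FILTERED_SUFFIXES = (".js", ".html", ".php")


def grep_tree(root, needle, suffixes=None):
    """Return (relative path, line number, line) for each line containing needle.

    Case-insensitive, like grep -i. suffixes=None opens every regular file,
    dotfiles included; a tuple of suffixes mimics grep --include."""
    needle = needle.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if suffixes is not None and not name.lower().endswith(suffixes):
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), start=1):
                if needle in line.lower():
                    hits.append((str(path.relative_to(root)), lineno, line))
    return hits


def recently_modified(root, days, now=None):
    """Relative paths of regular files whose mtime falls within the last `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.stat().st_mtime >= cutoff:
                found.append(str(path.relative_to(root)))
    return sorted(found)


def make_sample_webroot():
    """Build a constructed throwaway web root; the caller removes it when done."""
    root = tempfile.mkdtemp(prefix="webroot-")
    js_dir = Path(root, "public", "js")
    js_dir.mkdir(parents=True)
    (js_dir / "ips.quickpm.js").write_text('console.log("quick pm loader");\n')
    Path(root, "index.php").write_text('<?php echo "hello"; ?>\n')
    # Invented for the demonstration: a rewrite in a dotfile that no
    # *.js/*.html/*.php filter will ever open.
    Path(root, ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^ http://alnera.eu/ [R=302,L]\n"
    )
    # Backdate the clean files by 30 days so only the dotfile looks fresh.
    old = time.time() - 30 * 86400
    for path in (js_dir / "ips.quickpm.js", Path(root, "index.php")):
        os.utime(path, (old, old))
    return root


if __name__ == "__main__":
    root = make_sample_webroot()
    print("filtered search:", grep_tree(root, "alnera", FILTERED_SUFFIXES))
    print("all files:      ", grep_tree(root, "alnera"))
    print("changed <7 days:", recently_modified(root, 7))
```

On the constructed tree the filtered search returns nothing while the all-files search finds the dotfile, and the mtime listing singles it out as well; on a real web root, pair the string search with the mtime listing, since a redirect does not have to contain the destination hostname in clear text.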

#3 Brito (Platinum Member, .script developer, 10616 posts)

Posted 21 January 2022 - 12:12 PM

Thanks for the warning. Erwan has already verified.

 

Looking at the logs, it seems to be some problem inside the PM (private message) function. That file is indeed reachable to the public; you can look at it here: https://reboot.pro/p.../ips.quickpm.js

 

I was looking at the source code for that file and don't see any code that would trigger that kind of call.

 

One other thing is that we are not using HTTPS to access this website. So one attack vector would be some other machine detecting the request, acting as man-in-the-middle and modifying that script file to perform malicious actions.

 

Such an attack would have to be done at DNS level. So, for that attack to succeed, one would need to control the machine your network sends its DNS requests to.
