rzeldent / esp32cam-rtsp

Simple RTSP (streaming image) server for the ESP32CAM. Easy configuration and monitoring through the web interface.
674 stars 123 forks source link

PUA.Pdf.Trojan.Embedded.JavaScript-1 #134

Open baboeska opened 4 months ago

baboeska commented 4 months ago

Just did a clamav scan and this zip came back as having a trojan in the PDF, the ai_thinker_esp32cam.pdf. Interestingly, my arduino IDE has a lot of JavaScript requests while compiling. Strangely, I never opened that PDF. I've noticed suspicious activity on port 9050 on phone and Linux desktop, found this while searching. Correlation is not causation. I hope this is of use,

Thanks

rzeldent commented 4 months ago

Hi Banoeska,

Where is this file located? I do not see it in the repo. But indeed watch out. Some pdf's can be infected!

baboeska commented 4 months ago

Hi Rzeldent, Possibly a secondary library required for compilation with latest IDE, but probably not. I flattened it from low orbit last night, so I sadly can't say. Also flattened another internal hdd and n external HDD both had software not hardware failures after contact. Physical access and USB key upload is a possible vector re infection,and presence of esp32 security system may have contributed to infected file location. Also noted any external or internal drive apart from main stopped functioning at software level. I believe it may have been a gateway to a zero day exploit that uses tor socks proxy and perhaps ipv6 tunnels to communicate. Sad to lose some photos etc, but, that needed flattening. Glad to know it's not in the repo. Damn it, next time virus total upload for sure. I had never opened said pdf. I'm sorry I can't be more helpful, I'll try to get more data and flatten slower if it happens again, assuming that feels safe. I wonder re Arduino ides java script aspects and zero day potential.

Best wishes

baboeska commented 4 months ago

It showed up in the zip as well. I wonder as to dns spoofing potential to deliver malware in place of actuals via compromised hidden proxies. Seems far fetched but it is what it is. Have had major issues dling from GitHub without a VPN in the past.