Hi,
Current Nextcloud server version: 24.0.3
Current Android Nextcloud News version: 0.9.9.75
Since the update from 0.9.9.74 to 0.9.9.75 (F-Droid), my IDS/IPS system warned me that my mobile device tries to connect to interact.sh, which is an "OOB interaction gathering server and client library". This tool is often used to detect vulnerabilities that cause external interactions. In this case it was a DNS interaction, which tried to resolve
caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh
IDS/IPS Log:
Timestamp | 2022-08-02T10:11:42.578674+0200
-- | --
Alert | ET MALWARE Interactsh Control Panel (DNS)
Alert sid | 2034201
Protocol | UDP
Destination port | 53
I tracked it down by simply searching for the string caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh on my mobile device. Furthermore, I could detect that the file /data/app/de.luhmer.owncloudnewsreader-1/oat/arm64/base.odex contains the string:
File contents:
```
$ cat /data/app/de.luhmer.owncloudnewsreader-1/oat/arm64/base.odex | grep -a caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh
httpMethohttpOnlhttponlyhttpshttpshttps://:https://caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh.interact.sh/?id=;https://github.com/nextcloud/news-android/issues/new?title=[https://github.com/nextcloud/news/blob/master/docs/install.md#installing-from-the-app-storeDhttps://pgl.yoyo.org/as/serverlist.php?hostformat=nohtml&showintro=0Bhttps://play.google.com/store/apps/details?id=com.nextcloud.clientLhttps://raw.githubusercontent.com/nextcloud/news-android/master/CHANGELOG.md
[...]
```
I could not find any references to interact.sh in this repo and the sources.
I initially wanted to open an issue on F-Droid at https://gitlab.com/fdroid/fdroiddata/-/issues. Since I can't log in to the gitlab site due to the unreliable and unstable "captcha" implementation, I was forced to bring it to attention here first.
Therefore, anyone may feel free to open an issue there too and link back here.
BTW: A downgrade to 0.9.9.74 doesn't throw IDS/IPS alerts. Therefore it must have something to do with this specific app version 0.9.9.75.
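The string search described in the post, generalised from one known hostname to any hostname under interact.sh in a binary file, as an added example that is not part of the original report. The function names, the sample bytes and the `constructed-example-0000` label are constructed for illustration; the sample imitates length-prefixed, NUL-terminated strings as found in a dex string table.

```python
import re
import sys

# Only interact.sh is named in the post; add further suffixes here if needed.
OOB_SUFFIXES = (b"interact.sh",)

def find_oob_hosts(blob, suffixes=OOB_SUFFIXES):
    """Return {hostname: [byte offsets]} for hostnames under any suffix."""
    hits = {}
    for suffix in suffixes:
        # One or more DNS labels, then the suffix, with no label chars after it.
        pattern = re.compile(
            rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
            + re.escape(suffix) + rb"(?![a-z0-9-])",
            re.IGNORECASE,
        )
        for m in pattern.finditer(blob):
            host = m.group(0).decode("ascii").lower()
            hits.setdefault(host, []).append(m.start())
    return hits

def build_sample():
    """Constructed sample: length byte + string + NUL, repeated."""
    strings = [
        b"httpMethod",
        b"httpOnly",
        b"https://",
        b"https://constructed-example-0000.interact.sh",
        b".interact.sh/?id=",  # bare suffix, must not be reported as a host
        b"HTTP://CONSTRUCTED-EXAMPLE-0000.INTERACT.SH/",
        b"https://github.com/nextcloud/news-android/issues/new?title=",
    ]
    return b"".join(bytes([len(s)]) + s + b"\x00" for s in strings)

SAMPLE_BLOB = build_sample()

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the sample.
    targets = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in targets] or [("sample", SAMPLE_BLOB)]
    for name, data in blobs:
        for host, offsets in sorted(find_oob_hosts(data).items()):
            print(f"{name}: {host} at offsets {offsets}")
```

Because a length byte precedes each string in such a table, a hostname stored on its own can be reported with one extra leading character when that byte happens to be a letter or digit.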