news-android
Role of "Interact.sh"?
Hi,
Current Nextcloud server version: 24.0.3
Current Android Nextcloud News version: 0.9.9.75
Since the update from 0.9.9.74 to 0.9.9.75 (F-Droid) my IDS/IPS system warned me that my mobile device tries to connect to interact.sh, which is an "OOB interaction gathering server and client library". This tool is often used to detect vulnerabilities that cause external interactions. In this case a DNS interaction, which tried to resolve `caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh`.
IDS/IPS log:

| Field | Value |
| -- | -- |
| Timestamp | 2022-08-02T10:11:42.578674+0200 |
| Alert | ET MALWARE Interactsh Control Panel (DNS) |
| Alert sid | 2034201 |
| Protocol | UDP |
| Destination port | 53 |
I tracked it down by simply searching for the string `caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh` on my mobile device. Furthermore I could detect that the file `/data/app/de.luhmer.owncloudnewsreader-1/oat/arm64/base.odex` contains the string.

File contents:

```
$ cat /data/app/de.luhmer.owncloudnewsreader-1/oat/arm64/base.odex | grep -a caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh
httpMethohttpOnlhttponlyhttpshttpshttps://:https://caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh.interact.sh/?id=;https://github.com/nextcloud/news-android/issues/new?title=[https://github.com/nextcloud/news/blob/master/docs/install.md#installing-from-the-app-storeDhttps://pgl.yoyo.org/as/serverlist.php?hostformat=nohtml&showintro=0Bhttps://play.google.com/store/apps/details?id=com.nextcloud.clientLhttps://raw.githubusercontent.com/nextcloud/news-android/master/CHANGELOG.md
[...]
```
I could not find any references to interact.sh in this repo and the sources. I initially wanted to open an issue on F-Droid at https://gitlab.com/fdroid/fdroiddata/-/issues. Since I can't log in to the gitlab site due to the unreliable and unstable "captcha" implementation, I was forced to bring it to attention here first.
Therefore, anyone may feel free to open an issue there too and link back here.
BTW: A downgrade to 0.9.9.74 doesn't throw IDS/IPS alerts. Therefore it must have to do something with this specific app version 0.9.9.75.
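The `grep -a` over `base.odex` above only works once you already know the exact callback hostname from the IDS alert. The script below is an added example, not part of the original report or of the news-android project: it does the same thing generically, pulling printable ASCII runs out of a binary (the heuristic `strings` uses) and matching them against OAST callback domains. `interact.sh` is the domain from the report; the `oast.*` names are assumed here to be the other default interactsh servers and are not mentioned on this page. The embedded `SAMPLE_ODEX` bytes are constructed, and the interact.sh label in them is made up, not the shortened one from the report.

```python
import re
import sys

# Domains used by OOB/OAST callback services. interact.sh is the one seen in
# the report; the oast.* names are assumed to be the other default
# interactsh servers (not mentioned in the original report).
OAST_DOMAINS = ("interact.sh", "oast.pro", "oast.live", "oast.site",
                "oast.online", "oast.fun", "oast.me")

# Runs of 4+ printable ASCII bytes, the same heuristic `strings` applies.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# A hostname ending in one of the OAST domains with at least one label in
# front of it (interactsh correlation IDs are long lowercase alphanumeric
# subdomains). The lookahead stops "interact.shx" from matching.
OAST_HOST = re.compile(
    r"(?:[a-z0-9-]+\.)+(?:"
    + "|".join(re.escape(d) for d in OAST_DOMAINS)
    + r")(?![a-z0-9-])",
    re.IGNORECASE,
)


def printable_strings(data: bytes):
    """Yield (offset, text) for every printable ASCII run in a binary blob."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_oast_hosts(data: bytes):
    """Return sorted (offset, host) pairs for OAST callback hostnames in data.

    Offsets are absolute byte offsets into `data`, so they can be fed back
    into a hex editor or `dd` to look at the surrounding string table.
    """
    hits = []
    for offset, text in printable_strings(data):
        for m in OAST_HOST.finditer(text):
            hits.append((offset + m.start(), m.group().lower()))
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk (e.g. an .odex, .dex or .apk) for OAST hostnames."""
    with open(path, "rb") as f:
        return find_oast_hosts(f.read())


# Constructed sample resembling the strings region of an .odex. The
# interact.sh label below is invented and is NOT the one from the report.
SAMPLE_ODEX = (
    b"\x00\x07dex\n035\x00" + b"\xff" * 8
    + b"httpMethod\x00httpOnly\x00https://"
    + b"abcdef0123456789abcdef01234.interact.sh/?id=\x00"
    + b"https://github.com/nextcloud/news-android/issues/new?title=\x00"
    + b"https://play.google.com/store/apps/details?id=com.nextcloud.client\x00"
    + b"\x00\x01\x02"
)

if __name__ == "__main__":
    # Usage: python oast_scan.py [file]; without a file the constructed
    # sample is scanned. Exit status 1 means at least one callback host found.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_oast_hosts(SAMPLE_ODEX)
    for offset, host in hits:
        print(f"0x{offset:08x}  {host}")
    sys.exit(1 if hits else 0)
```

Running it against an `.odex` pulled from `/data/app/...` is the same check the reporter did by hand, with the difference that it does not need the hostname in advance and also reports the byte offset, which is useful when comparing two app versions (here 0.9.9.74 against 0.9.9.75) to see where the string was introduced. A hit in a release build is worth a question to the maintainers, since OAST domains are a testing aid and have no business in shipped code.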