
Role of "Interact.sh"?

Open · Sunsheep opened this issue 1 year ago · 0 comments

Hi,

Current Nextcloud server version: 24.0.3
Current Android Nextcloud News version: 0.9.9.75

Since the update from 0.9.9.74 to 0.9.9.75 (F-Droid) my IDS/IPS system warned me that my mobile device tries to connect to interact.sh, which is an "OOB interaction gathering server and client library". This tool is often used to detect vulnerabilities that cause external interactions. In this case a DNS interaction, which tried to resolve

caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh

IDS/IPS Log:

| Field | Value |
| -- | -- |
| Timestamp | 2022-08-02T10:11:42.578674+0200 |
| Alert | ET MALWARE Interactsh Control Panel (DNS) |
| Alert sid | 2034201 |
| Protocol | UDP |
| Destination port | 53 |

I tracked it down by simply searching for the string caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh on my mobile device. Furthermore I could detect that the file /data/app/de.luhmer.owncloudnewsreader-1/oat/arm64/base.odex contains the string:

File contents:

```shell
$ cat /data/app/de.luhmer.owncloudnewsreader-1/oat/arm64/base.odex | grep -a -F 'caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh'
(http://caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh/)                      httpMethohttpOnlhttponlyhttpshttpshttps://:https://caezcs32vtc000025v70gf8xscw(--shortened--).interact.sh.interact.sh/?id=;https://github.com/nextcloud/news-android/issues/new?title=[https://github.com/nextcloud/news/blob/master/docs/install.md#installing-from-the-app-storeDhttps://pgl.yoyo.org/as/serverlist.php?hostformat=nohtml&showintro=0Bhttps://play.google.com/store/apps/details?id=com.nextcloud.clientLhttps://raw.githubusercontent.com/nextcloud/news-android/master/CHANGELOG.md 
[...]
```

I could not find any references to interact.sh in this repo and the sources. I initially wanted to open an issue on F-Droid at https://gitlab.com/fdroid/fdroiddata/-/issues. Since I can't log in to the gitlab site due to the unreliable and unstable "captcha" implementation, I was forced to bring it to attention here first.

Therefore, anyone may feel free to open an issue there too and link back here.

BTW: A downgrade to 0.9.9.74 doesn't throw IDS/IPS alerts. Therefore it must have something to do with this specific app version 0.9.9.75.

Sunsheep · Aug 08 '22 11:08
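A defender-side check for the two signals in this report (the DNS lookup the IDS flagged, and the hostname found by `grep -a` in base.odex), as an added example that is not code from the issue or from the news-android project. The DNS log format, the sample bytes and the OOB domain list (only interact.sh is named on this page; extend it as an assumption) are constructed.

```python
import re
from typing import List, Tuple

# Assumption: OOB interaction domains to watch for; the issue only names interact.sh.
OOB_DOMAINS: Tuple[str, ...] = ("interact.sh",)

_DOMAIN_ALT = "|".join(re.escape(d) for d in OOB_DOMAINS)
# A dotted hostname whose last labels are one of the OOB domains, not glued to other host chars.
HOST_RE = re.compile(r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+(?:%s))(?![a-z0-9-])" % _DOMAIN_ALT, re.I)
HOST_RE_BYTES = re.compile(HOST_RE.pattern.encode("ascii"), re.I)

# Constructed sample DNS query log (not the reporter's real log). Columns: ts client qtype qname
SAMPLE_DNS_LOG = """\
2022-08-02T10:11:42 192.168.1.23 A caezcs32vtc000025v70gf8xscw.interact.sh
2022-08-02T10:11:43 192.168.1.23 A raw.githubusercontent.com
2022-08-02T10:12:01 192.168.1.45 AAAA abcd1234.interact.sh
2022-08-02T10:12:05 192.168.1.23 A play.google.com
"""

# Constructed bytes mimicking the odex fragment in the issue (not the real app file).
SAMPLE_BLOB = (b"\x00\x01httpOnl\x00https://caezcs32vtc000025v70gf8xscw.interact.sh/?id=\x00"
               b"https://raw.githubusercontent.com/nextcloud/news-android/master/CHANGELOG.md\x00")


def find_oob_lookups(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, hostname) for every DNS log line that queries an OOB domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line: skip rather than crash
        m = HOST_RE.search(parts[3])
        if m:
            hits.append((parts[1], m.group(1).lower()))
    return hits


def find_oob_strings(blob: bytes) -> List[str]:
    """Equivalent of `grep -a` on an APK/odex: unique OOB hostnames embedded in raw bytes."""
    found: List[str] = []
    for m in HOST_RE_BYTES.finditer(blob):
        host = m.group(1).decode("ascii", "replace").lower()
        if host not in found:
            found.append(host)
    return found


if __name__ == "__main__":
    for client, host in find_oob_lookups(SAMPLE_DNS_LOG):
        print(f"OOB DNS lookup from {client}: {host}")
    print("embedded OOB hostnames:", find_oob_strings(SAMPLE_BLOB))
```

Point the second function at an extracted base.odex or APK to confirm a hit like the one reported without relying on the shell pipeline.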