What is this IR-type-y board doing inside of my set-top-box?
thinkfat:
Goes to show that social engineering also works with the technically savvy. You just need a different bait.
Syntax Error:
Possibly, I suspect the server, or some DNS shadow, runs a suspicious http-request script that's looking for certain combinations of user-agent, referer and cookies.

A hypothetical attack may go like this: First browser http request, and the server responds with an image, but sets the cache expiry to one minute. After a minute, the user clicks on the image and, as the browser no longer has a valid cached copy, raises a second http request with the server. Server knows the IP has already been seen, so it checks if the user agent matches a known vulnerability and if so, sends a malware payload. Otherwise, the server returns the same image but with no cache expiry, so no one else notices. This is only a theoretical attack, which I have not created in a lab condition.

On a forensic note, in linux use 'wget' to simulate different browser types. E.g. a Chrome browser with different OS versions, or Internet Explorer with variable referer strings. Thus a remote server thinks it's dealing with IE when it's not. Record returned responses with 'pcap' and use Wireshark to identify any dubious traffic. Alternatively, use 'netcat' or 'nc' to the same effect.
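The check described in the two posts above, written out as an added example (not code from any poster): fetch the same URL under several User-Agent/Referer identities, twice each to cover the "second request after the cache expired" theory, and flag any identity whose response body differs from what the majority received. Because it has to run offline, it starts a constructed local test fixture that serves one benign text body to most clients and a different one to a single User-Agent on its second visit; the probe identities and the fixture behaviour are assumptions for the demonstration, and the probe function itself can be pointed at any URL.

```python
import hashlib
import threading
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Probe identities (constructed values; add whatever browser/referer combinations you want to compare)
PROBES = [
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0", "Referer": ""},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0", "Referer": ""},
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
     "Referer": "https://forum.example/"},   # constructed referer
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fetch(url, headers):
    """GET url with the given identity; return (body hash, Cache-Control header, status)."""
    req = urllib.request.Request(url, headers={k: v for k, v in headers.items() if v})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return sha256_hex(resp.read()), resp.headers.get("Cache-Control", ""), resp.status


def probe_for_cloaking(url, probes=PROBES, repeats=2):
    """Fetch url `repeats` times under each probe identity. The body hash seen most often
    across all observations is taken as the baseline; any observation that deviates from it
    is reported together with the Cache-Control value it came with."""
    observations = {p["User-Agent"]: [fetch(url, p) for _ in range(repeats)] for p in probes}
    all_hashes = [h for obs in observations.values() for (h, _, _) in obs]
    baseline, _ = Counter(all_hashes).most_common(1)[0]
    suspicious = {}
    for ua, obs in observations.items():
        odd = [(h, cc) for (h, cc, _) in obs if h != baseline]
        if odd:
            suspicious[ua] = odd
    return baseline, suspicious


class _CloakingFixture(BaseHTTPRequestHandler):
    """Constructed test fixture only: answers 'VARIANT-A' with a short cache lifetime to everyone,
    except that one User-Agent gets 'VARIANT-B' on its second visit. Plain text bodies, nothing else."""
    seen = Counter()

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        self.seen[ua] += 1
        if "Trident" in ua and self.seen[ua] >= 2:
            body, cache = b"VARIANT-B", "no-store"
        else:
            body, cache = b"VARIANT-A", "max-age=60"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Cache-Control", cache)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def run_demo():
    """Start the fixture on a random localhost port, probe it, and return the probe result."""
    _CloakingFixture.seen.clear()
    srv = HTTPServer(("127.0.0.1", 0), _CloakingFixture)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_for_cloaking(f"http://127.0.0.1:{srv.server_port}/image.jpg")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    baseline, suspicious = run_demo()
    print("baseline body hash:", baseline)
    for ua, odd in suspicious.items():
        print("differs for", ua, "->", odd)
```

Against the fixture, only the Trident identity's second request is reported, which is exactly the pattern the theory above predicts; a site that serves the same bytes to everyone produces an empty `suspicious` dict. Comparing hashes rather than eyeballing bodies also makes the check cheap to run periodically against your own site.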
CherryDT:
This is my own filesharing site, targeted at a certain community mostly (RPG Maker) and used by just a handful of people who prefer a trustworthy site by a guy they know personally over companies like Dropbox or Google nowadays. Before I gave it its own domain a few months ago and rebuilt it with a bit more modern technologies, the domain was share.cherrytree.at and if you google that you'll see it's been around for ages and used in many forum posts in that community.

I don't see what risk you are getting reported there, it's supposed to be a "like in the old times" site which doesn't use any trackers or analytics or anything like that, there is no third party code loaded even. :| And it's running Caddy in a version which I compiled myself (which gets the SSL certificate from LetsEncrypt (R3)) and a pretty basic node.js application on top, with the frontend written with Svelte. Do you have any more details about what is supposedly wrong about my page? O_o And you mentioned SSL doesn't verify - but it sure does, I never encountered any issues with it - do you have a screenshot of what's shown as a problem with the certificate? It should deliver a certificate by R3. Domain, DNS and the cloud server itself (which is a container) are hosted by the German webhosting company Dogado which I have used and trusted for many years. I'm at a loss now...

DNS is supposed to resolve to 89.22.111.7 and 2a02:2b80:1:0:5652::693 by the way. And I ran a check in a DNS propagation checker now and I didn't see any country in which it's resolved to anything else.

Also @Syntax Error the link and the image aren't the same URL, my site has a feature exactly for forum posts like this, where it generates a nice (url)(img)(/url) combination for you which delivers a thumbnail as image and links to the page with the full-size image. (Why not link to the image directly? Well in this case here it doesn't matter much but in general it's designed to load the page because it contains metadata such as the author and the upload date, and the author can also optionally set a title and a description which would be shown on the page as well.)

Anyway I submitted a false positive report with Bitdefender now, and I swapped the link in the post for a Dropbox link (which I personally trust less than my own site, but I understand it'll be different for you)...

---

Anyway thanks for your feedback, these are all pretty interesting possibilities. The device did have a way to control the TV's on/off and volume functions but I thought this was done through the remote control itself. If there was any gesture thing, it wasn't used with this software version, that's why I was very surprised when I found this weird board. The device is white-labelled and marketed as "A1 Mediabox Recorder" but it seems in reality it's a TLA-5720SWFX by Advanced Digital Broadcast (sorry I should have mentioned that from the start). I wasn't able to find much information about it online.

I was originally taking it apart because I wanted to see if I can access my recordings on the harddisk of the device, since it appears that after I cancelled my contract, I lost access to my recordings too (I hate this sort of thing). But I failed with that as well because the harddisk, once connected to the computer via SATA, didn't even register at all, and I couldn't figure out why.

---

> OP pops up here out of the blue
Actually I had an account since June 2016 and I still have the welcome email but for some reason the account seems to have been deleted because I had to create a new one (and I was able to do so with the same username). And I'm a Patreon supporter, but I don't know how to get the "supporter" title (if that's even related) - but I also asked about the uRuler (which was written on Patreon I'd get) many times on different channels over the years and never got an answer, let alone the uRuler itself; and now this thread makes me look like a spammer, and by the way I'm writing this edit for the 2nd time because previously I was dropped to an empty "reply" page instead of getting my edit saved - so it seems the EEVBlog universe is conspiring against me maybe ;) - Anyway, sorry, I could have introduced myself better. I'm a 28yo software developer from Austria who is also into tinkering with electronics and I've been enjoying the EEVBlog videos for many years.
Syntax Error:
One possibility: DNS cache poisoning?

https://www.cloudflare.com/learning/dns/dns-cache-poisoning/
CherryDT:
Yes but I don't understand who would be the bad actor then? Dogado? (Which is unlikely unless they got hacked themselves, I guess.) Unfortunately I didn't get any actual evidence (bad IP plus info which server resolved it) so far so I don't even know where to look or whom to report it to.

Normally I understand DNS cache poisoning to happen in a local network with the possibility to inject some malicious UDP packages, but unless both you and dunkemhigh are on the same network (are you?), that's not a logical explanation for both of you seeing an issue. Do you remember what error you got for the SSL certificate, was it a wrong common name, and do you happen to remember which?

EDIT: Hm actually I'm starting to get another thought. You said you saw the same suspicious activity, were you referring to a BitDefender alert as well? In that case, the SSL error could have an even simpler explanation - Bitdefender would intercept the request and return its own warning page probably, which however won't have a valid certificate because it can't impersonate cherryshare.at. I get the same with Malwarebytes - if the web protection intercepts a request, I see a Malwarebytes page if it was HTTP, but I get an SSL error if it was HTTPS. In that case the only issue would be a false positive of BitDefender (for whatever reason), and the SSL issue would be just a symptom of that... Is that possible?
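A way to settle the question raised in this post and the DNS one a few posts up, as an added example (not code from the thread's participants): resolve the host and compare the answers with the addresses the operator stated, then open a TLS connection and classify the certificate presented. A certificate that names cherryshare.at but is not issued by the Let's Encrypt intermediate "R3" is the signature of a filtering product substituting its own certificate; a certificate that does not name the host at all points at a bad DNS answer or a server misconfiguration instead. The expected host, issuer and addresses are taken from the thread; the sample certificate dicts at the bottom are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the filter-product issuer name in them is invented for the demonstration.

```python
import socket
import ssl

# Values stated in the thread: the host, the Let's Encrypt intermediate, and the addresses DNS should return
EXPECTED = {
    "host": "cherryshare.at",
    "issuer_cn": "R3",
    "addresses": {"89.22.111.7", "2a02:2b80:1:0:5652::693"},
}


def _rdn_value(rdns, key):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested tuple form."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def classify_certificate(cert, expected=EXPECTED):
    """Verdict for a certificate dict as returned by ssl.SSLSocket.getpeercert():
       'expected'     issued by the expected intermediate and naming the expected host
       'interception' names the host but is issued by someone else (TLS-filtering product)
       'wrong-host'   does not name the expected host at all (bad DNS answer / misconfigured server)"""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    if subject_cn:
        names.add(subject_cn)
    if expected["host"] not in names:
        return "wrong-host"
    if _rdn_value(cert.get("issuer", ()), "commonName") != expected["issuer_cn"]:
        return "interception"
    return "expected"


def check_resolution(observed, expected=EXPECTED):
    """Compare the addresses a resolver returned with the ones the operator expects."""
    unexpected = set(observed) - expected["addresses"]
    return {"ok": not unexpected, "unexpected": sorted(unexpected)}


def live_check(expected=EXPECTED):
    """Run both checks against the real host (needs network). A validated handshake yields the
    peer certificate for classification; if the local trust store rejects the chain, the verify
    message is reported instead, since getpeercert() returns nothing for an unvalidated peer."""
    host = expected["host"]
    addrs = {info[4][0] for info in socket.getaddrinfo(host, 443)}
    report = {"dns": check_resolution(addrs, expected)}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report["certificate"] = classify_certificate(tls.getpeercert(), expected)
    except ssl.SSLCertVerificationError as e:
        report["certificate"] = f"handshake-rejected: {e.verify_message}"
    return report


# Constructed samples in getpeercert() form (the filter-product issuer name is invented)
SAMPLE_R3 = {
    "subject": ((("commonName", "cherryshare.at"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "cherryshare.at"),),
}
SAMPLE_FILTER = {
    "subject": ((("commonName", "cherryshare.at"),),),
    "issuer": ((("commonName", "Example Web Filter Root (constructed)"),),),
    "subjectAltName": (("DNS", "cherryshare.at"),),
}
SAMPLE_OTHER_HOST = {
    "subject": ((("commonName", "someone-else.example"),),),
    "issuer": ((("commonName", "R3"),),),
    "subjectAltName": (("DNS", "someone-else.example"),),
}

if __name__ == "__main__":
    for name, cert in (("R3", SAMPLE_R3), ("filter", SAMPLE_FILTER), ("other host", SAMPLE_OTHER_HOST)):
        print(name, "->", classify_certificate(cert))
    print(check_resolution({"89.22.111.7", "203.0.113.5"}))   # 203.0.113.5 is a constructed stray answer
```

If a filtering product has installed its own root in the operating system store, the handshake validates and `classify_certificate` returns `"interception"`; if it has not, the handshake is rejected and the verify message (typically an unknown issuer) says so, which matches the Malwarebytes behaviour described above. Either result means the warning page, not the site, is what broke TLS.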