Outbound traffic trojan ?

10 年 前
I just installed the latest version (1.4) from the code download and it is exhibiting trojan-like behavior.

After starting the app to demo and clicking around a few pages, ESET Smart Security alerted me that Visual Studio 2008's integrated web server (WebDev.WebServer.exe) was trying to communicate to a remote computer.  72.76.7bae.static.theplanet.com  I denied the request and after a few seconds, it tried to communicate to the same server.  It also tried to communicate to lander.sitesense-oo.com

Another thing that leads me to believe it is tied to the site code/behavior is that when I tried to go to the Admin section, the outbound message appeared.  I denied it.  And it reappeared.  After denying it a couple more times, I just left that window open and moved it to the side.  But what I noticed was that NopCommerce was stuck and not loading the Admin site.  I re-clicked the Admin button/link and it still went nowhere.

Finally, I re-denied the outbound communication like 4 more time and it stopped popping up and it was at that point that the Admin site loaded itself.  That outbound request has to be tied to some Request or Response code somewhere...

I tried doing a search for both of those URLs in the source code with no luck.  Since I just now installed it, I haven't done an exhaustive search on what could be happening here, but it looks quite suspicious.  If someone hacking into the download system and placed malicious code or dlls into the code, that would suck.

Any other possible reason's for this?  Has anyone else encounteded this?

Thanks in advance.

rick
10 年 前
see answer below
10 年 前
rpreston wrote:
I just installed the latest version (1.4) from the code download and it is exhibiting trojan-like behavior.

After starting the app to demo and clicking around a few pages, ESET Smart Security alerted me that Visual Studio 2008's integrated web server (WebDev.WebServer.exe) was trying to communicate to a remote computer.  72.76.7bae.static.theplanet.com  I denied the request and after a few seconds, it tried to communicate to the same server.  It also tried to communicate to lander.sitesense-oo.com

Another thing that leads me to believe it is tied to the site code/behavior is that when I tried to go to the Admin section, the outbound message appeared.  I denied it.  And it reappeared.  After denying it a couple more times, I just left that window open and moved it to the side.  But what I noticed was that NopCommerce was stuck and not loading the Admin site.  I re-clicked the Admin button/link and it still went nowhere.

Finally, I re-denied the outbound communication like 4 more time and it stopped popping up and it was at that point that the Admin site loaded itself.  That outbound request has to be tied to some Request or Response code somewhere...

I tried doing a search for both of those URLs in the source code with no luck.  Since I just now installed it, I haven't done an exhaustive search on what could be happening here, but it looks quite suspicious.  If someone hacking into the download system and placed malicious code or dlls into the code, that would suck.

Any other possible reason's for this?  Has anyone else encounteded this?

Thanks in advance.

rick





first, i have to say that this is the first time i heard about these issues but one thing is clear. : you must have had the trojan in your VS Dev server already. this should explain the first warning.

second, the only thing that Nop does in the administration area as soon as it loads (default.aspx) which is the dashboard, it opens a RSS Feed to nopcommerce.com to pull the latest news which appear on the right side of the page.

besides that, the only code in the pages that is external to the application is the ggogle analytics script that is loaded in the masterpage, thus it exists in every page.

so i advice you to do a thorough scan using different AV and trojan cleaners (not all tools detect everything) and some misjudge certain behaviors as trojans and produce false alarms.

hope this helps.