Octoprint hijacked?!

Now this is really weird. Once a day, at any point when I am using Octoprint, a click will produce a pop-up window of a betting site.
I don't want to name it here.
I have my AdBlock working properly and never see any pop-ups at all so I am pretty sure it comes from OctoPrint itself. This can happen when I click on any link or button within octoprint.
My server is latest version and I have access control enabled and password set.

I am quite confused. Anybody know what's going on?

It sounds to me like you've been hacked. Did you expose the system with OctoPrint to the internet? Do you trust all the systems / users on your local area network (LAN)? Are any of those other systems exposed to the internet?

An alternative explanation to Octoprint being hacked is your browser being compromised. This is not all that unusual, and can lead to ads and popups on any site you visit. You might want to make sure that you don't have any weird extensions installed.

3 Likes

I am in agreement with @Fabian. Usually the 'once a day' popups are something that has hooked into your browser.
Though if you are not sure, backup and reinstall your octoprint to see if it keeps happening.

Only links within octoprint produce this, so I assume it's not a global browser hijack. It is a fresh OctoPi install.

Did you open the Pi to the internet, e.g., port forwarding?

Turn it off immediately.

No, it's inside my home network with no forwarding, so there's no way it could be accessed from outside.
I am 99.9% sure this comes from either octoprint itself or one of the plugins. Apart from the default ones I have installed the following:
Octoprint Anywhere
Filament Manager
Octoprint-IFTTT
Fan speed control
Pushbullet
TouchUI
Navbar Temperature Plugin

And your network is not using IPv6, right? So Octoprint doesn't have a public IPv6 address.

There is no port forwarding enabled to it, so it is not exposed to the outside.
IPv6 is not used either.

🤦🤦🤦🤦🤦🤦🤦🤦🤦🤦🤦🤦🤦🤦🤦

I had a suspicion about that. Is that the one responsible?

Remote monitoring and control of your 3D printers over the internet. ANYWHERE. ON YOUR PHONE. No more port forwarding or VPN.

It is an online service which might have got hacked?!?
But I think it is just a bit of software in the browser which opens the sites.

I'd almost be willing to bet real money that Octoprint Anywhere is responsible.

It's easy enough to disable OctoPrint Anywhere to see if it's the culprit.

This could also be a DNS hack (your router, your ISP). Your DHCP lease usually also includes what should be used to resolve DNS. I think most of us these days (for better or worse) are using Google's primary/secondary of 8.8.8.8 and 8.8.4.4. You could try checking this on your computer.

It's assumed here that you're not visiting the web interface from the Raspi itself. My gut tells me the problem isn't anywhere on that microSD card. And yet, I think I would still spin up a new microSD card to see if the problem goes away.

Yes, I tried first disabling and then completely removing Anywhere, but I am still getting that pop-up window.
So: how (and why?) would this alleged DNS hack cause pop-up windows to appear when the Octoprint interface is used, but NOT on any other page?
Either within 192.168 or outside, every other web link behaves normally.

These questions would be specific to the computer you use to go to the web interface:

  1. operating system?
  2. browser?
  3. are you going to http://octopi.local or to http://some_ip_address?

And next, I'm going to suggest:

  • okay, try this now in a different browser (do you still see the problem?)
  • okay, try this now from a different computer (do you still see the problem?)
  • okay, turn off your AdBlock and try all this again (maybe this is what's causing it?)

Currently testing with a different PC (Linux/Chrome).
These popups won't appear more than once or twice a day, so it will take a while.

Nothing for two days now. Anything to add?

So, on a completely different computer, you note that you see nothing. Earlier, you asserted that the OctoPrint image on your Raspberry Pi was somehow to blame.

  • It can't be OctoPrint or your plugins because the problem didn't repeat itself as seen from the second workstation. (OctoPrint is clean, plugins are clean)
  • It's likely that your router was commonly used for both workstations, so this tends to suggest that your router isn't to blame, nor are the DNS settings it gives out with each DHCP lease (router is clean, DNS selection within DHCP is clean)

So now, you need to return to the original workstation. Try a different browser and "follow the problem". This is a means of troubleshooting called "divide and conquer". You create a test which can exonerate different pieces of your setup until you find the faulty one.
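One concrete "follow the problem" check on the original workstation, added here as an example and not part of the thread: list where the scripts and iframes on the OctoPrint page are actually loaded from. Content served by OctoPrint and its plugins comes from the same origin you typed into the address bar; a browser extension injects from an extension scheme, and an injected ad loader points somewhere else entirely. The origin http://octopi.local and the sample src list are constructed for the example.

```javascript
// Added example (not from the thread): triage script/iframe sources on a page by
// origin, to separate what the OctoPrint server itself serves from content injected
// by a browser extension or some other party. Paste into the browser devtools console
// on the OctoPrint page, or run under Node against the constructed sample below.

const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-web-extension:"];

// Classify one src attribute relative to the page origin.
// Returns "same-origin", "extension", "third-party" or "invalid".
function classifySource(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin); // resolves relative paths like /static/js/app.js
  } catch (e) {
    return "invalid"; // e.g. "http://" with no host does not parse
  }
  if (EXTENSION_SCHEMES.includes(url.protocol)) return "extension";
  if (url.origin === new URL(pageOrigin).origin) return "same-origin";
  return "third-party";
}

// Group a list of src values into buckets so the unexpected ones stand out.
function triageSources(sources, pageOrigin) {
  const buckets = { "same-origin": [], extension: [], "third-party": [], invalid: [] };
  for (const src of sources) buckets[classifySource(src, pageOrigin)].push(src);
  return buckets;
}

// Constructed sample: the kind of src attributes one might find on the page.
// The extension id and the ad host are made up.
const SAMPLE_SOURCES = [
  "/static/webassets/packed_core.js",
  "http://octopi.local/plugin/navbartemp/static/js/navbartemp.js",
  "chrome-extension://abcdefghijklmnop/inject.js",
  "https://cdn.example-ads.invalid/pop.js",
  "http://",
];

// In a browser, read the live page; elsewhere fall back to the constructed sample.
function collectLiveSources() {
  if (typeof document === "undefined") return SAMPLE_SOURCES;
  return Array.from(document.querySelectorAll("script[src], iframe[src]"))
    .map((el) => el.getAttribute("src"));
}

const pageOrigin = typeof location !== "undefined" ? location.origin : "http://octopi.local";
console.log(JSON.stringify(triageSources(collectLiveSources(), pageOrigin), null, 2));
```

Anything in the "extension" or "third-party" buckets that you did not install is where to look next; a clean page from the second workstation but not the first points at the browser, as the post above argues.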

I found a vaguely (extremely remotely vaguely) similar issue with a Windows computer a few weeks ago, except that this one was having the search pages hijacked.

It would start the search on Google, and then switch to Bing... weird.

Search settings were OK, and Malwarebytes and Ad-Aware found nothing, but I wasn't happy with that, so I opened task mgr and didn't see anything there either. Then I went to msconfig, found a few things that didn't look familiar, cancelled the start on them and rebooted, and they came back.

Weird. That sounds like a virus, but the scanners found nothing.

So I went back to msconfig, found the new names, hunted them down in the registry, and found them hiding in the recycle bin (sneaky little buggers).

Did a hard shutdown on the PC (not entirely a good thing for a computer, BTW, but this way they wouldn't get the chance to respawn), booted to my nifty boot CD, deleted them, then booted up normally, and the problem magically went away.

All in all it was a fun afternoon.

2 Likes