Suspicious JavaScript code on admin page

Hello,

Recently I was having problems accessing the admin login page on my Gl-inet router, a Creta model, which is one of three models I have used in the past year or so. Out of curiosity about the code on the login page, I opened Web Inspector and found quite a few JavaScript files — one of which I thought was a bit concerning.

To make a long story short: on October 24, 2018, I discovered that a person I went on a few dates with was accessing my computer remotely. I was a lot more naive about tech security then, which is why I was stupid enough to let them install an application on my computer called Remote Mouse a few months before…

For the last several years, I have struggled to eliminate this malware without much success, even though I’ve replaced most of my tech devices multiple times. This includes multiple routers by different companies, which is why I switched to gl-Inet in the hopes of not having to go through the same hell all over again.

As such, when I used Web Inspector on my router login page, I was concerned to find a JavaScript file called “mock.js” that included these lines of code:

cloudget: 1,
access_anywhere_enable: false,
api: "cloudget",
bindtime: "2018-11-12",
cloud_enable: true,
ddns_enable: false,
email: "jayden1024@****.com"

(Edited for brevity, see screenshot with the full code (email redacted) attached).

As my name is one that rhymes with Jayden, the date I realized I was hacked was October 24th, and the domain listed is one based in China — I was a little concerned about what I was seeing.

I sent an email to the address listed, AND received a response. The person claimed to be a former Gl-inet employee, and told me to contact support about this issue.

After emailing support, I was told that this is completely normal. That this JavaScript file, with this reference to that very specific email hosted on a Chinese mail server, is completely normal. And not to worry. That this code is present in every router that is made by Gl-inet. The support person said that this is an old code remnant used for testing, and that the use of a non-company email address was a simple mistake.

I own 2 Creta routers, and one Mango router, and found this code in all of them; however, they were all connected to my primary network a few months ago when I once again began having computer issues.

Could anyone in this forum please review the code present on their router login page for a file called “mock.js” and let me know if it is present in their router as well?

Considering that I fear my emails, tech devices, and internet connection have all been compromised, I cannot help but think this is an attempt to gaslight me for something that is NOT normal.

Any replies on this would be incredibly appreciated.

Thank you.

Additional JavaScript files visible in web inspector

That is just a mock script that should not be included in the final firmware.

It was removed from the snapshot several days ago.

If you are certain your ex is doing this, you should report it to your local authorities.

If you want to make sure this malware is completely removed, I’d recommend resetting your devices and not restoring any backups. If you truly want to be safe, create new accounts after resetting (new Microsoft, new Google, anything that has cloud storage/backups). For other things you should just reset all passwords.

After doing this you should be completely malware free. If it remains after a normal Windows reset, use an ISO file to completely wipe your disk and install a clean OS. The same goes for other devices you suspect to be compromised.

The main thing is to not restore backups, as these can contain said malware.

~Edit: You can of course create local backups; just make sure to manually check your files and each directory you copy, to make sure it’s not infected either.

Thank you for your responses. I have previously reported this to the authorities, who were not much help. I’ve also erased my devices, or reset them to factory settings, countless times; unfortunately, whatever malware has affected them seems to be embedded in the firmware itself, because these actions have no lasting effect. Throwing away and replacing every device I have is expensive.

However, can anyone direct me to somewhere that has the files in this firmware listed so I can see for myself that these are normal lines of code?

I would feel a lot better if the claims that this is nothing to worry about could be corroborated by actual proof — like the actual (supposedly open source) code — that I can actually examine for myself.

I find it concerning that my router should be linked to a cloud API linked to a personal email account on a Chinese web server supposedly belonging to a former Gl-inet employee…

We have explained this to you and asked for evidence.

We didn’t receive anything showing the real problem.


From your screenshot, basically what that script outputs is a debug message, so you are fine, no malware :). Indeed the router has rich API features to connect to the GL-iNet cloud, but in your case it says false there, which means it won’t connect to it.

As a dev myself (not for GL-iNet), I also often tend to forget to remove debug messages; even pieces of shellcode in trainers I’ve built in the past for games can have those. Normally they shouldn’t be that big of an issue as long as they don’t annoy the end user; even Windows can have those too 😋

So you are fine :+1:

Edit

I overlooked the image: it says true on the cloud. Have you used this feature before? If so, you can disable it in settings. If it’s disabled and the debug script still returns true, maybe that is a bug. I don’t think you have to worry about the router too much.
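As an added example (not code from this thread, from GL-iNet, or from any firmware), here is a small script that does the check the last two replies describe: it lists which of the cloud/remote-access flags from the first post are actually enabled, and, when pasted into the browser console on the router admin page, lists loaded scripts whose file name marks them as mock code. The sample object is constructed from the fields quoted in the first post, with the e-mail replaced by a placeholder; the flag names are assumed to carry the meaning the replies give them.

```javascript
// Constructed sample of the fields quoted in the first post (not copied from
// any real firmware); the e-mail is a placeholder, not the one on the page.
const SAMPLE_MOCK = {
  cloudget: 1,
  access_anywhere_enable: false,
  api: "cloudget",
  bindtime: "2018-11-12",
  cloud_enable: true,
  ddns_enable: false,
  email: "redacted@example.invalid",
};

// Flags from the first post whose value decides whether the router reaches out
// beyond the LAN (cloud binding, remote admin, dynamic DNS). Assumed semantics.
const REMOTE_FLAGS = ["cloud_enable", "access_anywhere_enable", "ddns_enable"];

// Sort the remote-access flags into enabled / disabled / not present, and say
// whether anything at all is switched on. A missing flag is reported rather
// than silently treated as off.
function auditCloudConfig(cfg) {
  const enabled = REMOTE_FLAGS.filter((k) => cfg[k] === true);
  const disabled = REMOTE_FLAGS.filter((k) => cfg[k] === false);
  const unknown = REMOTE_FLAGS.filter((k) => !(k in cfg));
  return { enabled, disabled, unknown, exposure: enabled.length > 0 };
}

// Given script URLs (e.g. from document.scripts in the console), keep the ones
// whose file name is mock*.js, ignoring query strings and case.
function findMockScripts(urls) {
  return urls.filter((u) => /(^|\/)mock[^/]*\.js(\?|$)/i.test(u));
}

if (typeof document === "undefined") {
  // Running under Node: show the verdict for the constructed sample.
  console.log(auditCloudConfig(SAMPLE_MOCK));
} else {
  // Running in the browser console on the admin page: list mock scripts.
  const urls = Array.from(document.scripts).map((s) => s.src).filter(Boolean);
  console.log("mock scripts loaded:", findMockScripts(urls));
}
```

For the sample, the result is exposure: true with only cloud_enable on, which matches the last reply: disable the cloud feature in settings, then re-run the check; if cloud_enable still reads true, that is the bug the reply mentions.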