Hello,
I'm on VB 4.2.3 PL 1.
The only plugins I have are Bluepearl, social page icons, disable lockout notification emails, glowhost, and tapatalk.
Somehow someone injected a script into the footer template. I won't post the full script unless anybody is curious, but just know it goes to coinhive.com, pulls the script coinhive.min.js, and that the coinhive user is "XRp4BmFx9n8gReuyEvoeDIVlIFS4DfQq".
It should be noted that coinhive itself, as well as this script, may be perfectly valid technology someone may choose to install on their own website and give users an option to allow it or not as an alternate income to using ads.
But of course, in my case, I don't want it, it was injected into VB, and I removed it.
That said, we discovered it on November 13th; it was probably installed that day, or maybe the day before. Users started getting their security tools blocking our forum.
I would like additional information about how the hell these things get injected into our templates in the first place. When I run the system file checker tool, it didn't see any files out of the ordinary.
I have to assume this was not done via an admin user or through the control panel, it was more likely some vulnerability in the forum itself, through API or I don't know what, there is no backtrace for the template change (unless there is??).
What can I do further to guard against these freaking tools from putting code into my site at will? The script injected itself into a very specific place in the footer template. Not just appended to the top or bottom but went directly after the copyright notice. How is this possible?
Everybody on VB4 should scan often for coinhive.
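One way to run the scan suggested above, as an added example that is not part of the original post: it checks exported template text for `<script>` tags that load from hosts outside an allowlist and for the coinhive marker named in the post. It assumes the templates have been exported to a title-to-body mapping (vBulletin keeps templates in its database, not in files on disk); the allowlist hosts, the sample templates and all function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this forum legitimately loads scripts from (edit per site).
ALLOWED_SCRIPT_HOSTS = {"forum.example.com", "ajax.googleapis.com"}
MINER_MARKERS = ("coinhive",)  # from the post: coinhive.com / coinhive.min.js
# Constructed sample templates (title -> body); not the real injected script.
SAMPLE = {
    "footer": '<div id="footer_copyright">Copyright notice</div>\n'
              '<script src="//coinhive.com/coinhive.min.js"></script>',
    "header": '<script src="clientscript/vbulletin-core.js"></script>',
}
class ScriptAudit(HTMLParser):
    """Collect external <script src> hosts and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:  # relative paths have no host and are skipped
                self.hosts.append(host.lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_templates(templates):
    """Return {title: [findings]} for templates carrying suspicious scripts."""
    report = {}
    for title, body in templates.items():
        parser = ScriptAudit()
        parser.feed(body)
        parser.close()
        findings = [f"unlisted script host: {h}" for h in parser.hosts
                    if h not in ALLOWED_SCRIPT_HOSTS]
        blob = " ".join(parser.hosts + parser.inline).lower()
        findings += [f"miner marker: {m}" for m in MINER_MARKERS if m in blob]
        if findings:
            report[title] = findings
    return report
if __name__ == "__main__":
    print(audit_templates(SAMPLE))
```

Run on a schedule against a fresh export, the allowlist check also flags script hosts other than coinhive that were never approved for the site.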