D2sage

Actualized.org Trying to install crypto miner?

54 posts in this topic

11 hours ago, D2sage said:

Also, on one of my sites, I have a JS script that, when a user visits my site, they are unaware of.

A user on my site doesn't have to install, agree, or anything like that; just by visiting, the JS script is loaded.

And this gives me so much information about them.


<script type="text/javascript">
// Quantcast measurement tag: event queue consumed once quant.js has loaded
window._qevents = window._qevents || [];

(function() {
  // Inject the Quantcast library asynchronously, matching the page's scheme
  var elem = document.createElement('script');
  elem.src = (document.location.protocol == "https:" ? "https://secure" : "http://edge") + ".quantserve.com/quant.js";
  elem.async = true;
  elem.type = "text/javascript";
  // Insert it before the first existing <script> so it starts loading early
  var scpt = document.getElementsByTagName('script')[0];
  scpt.parentNode.insertBefore(elem, scpt);
})();

// Report the page view, tagged with the account id and a visitor identifier
window._qevents.push({
  qacct:"p-xxx",
  uid:"__INSERT_EMAIL_HERE__"
});
</script>

 

That's the script, almost. Does it tell you that it will collect TV show, income, car, financial, retail, travel, restaurant info etc.? So why would a potential miner tell you immediately?

 

That very obviously loads an external script which would very obviously show up within any web inspector tool, neither of which are present on actualized. The problem is it just looks like a bunch of random characters to you that don't mean anything. There is nothing happening anywhere that remotely suggests "bitcoin mining" is going on other than your broken software. If you can post a screenshot of your actualized.org tab using a bunch of CPU, or a pointer to the specific code in that file that could be doing the mining, or an external script that has been loaded within your page sources, then sure, let's see it.


@thepixelmonk It will not show up on the actualized tab. It will show as a legit thing inside task manager, hence the name trojan. It is also possible for a trojan to be hidden from task manager, but an engineer like you already knew that.
And only a small percentage of resources will be used, for staying hidden.

Edited by D2sage

1 hour ago, D2sage said:

@thepixelmonk also, how can you be sure?

You haven't even seen the code that's flagged as a trojan?

I double checked.

The thing you presented with using F12 is not the same file that is being flagged.

Front_front_profile.js is not even accessible with F12.

Only the web admin can see it.

wtf are you on about, of course it's accessible to us, that's the literal definition of client-side code. The PHP is what's running on Leo's server. The JavaScript is what's running in your browser and accessible to you by definition. If your browser and anti-virus can see it, obviously you can as well.

[attached image: Screenshot 2023-02-17 194003.png]


@thepixelmonk

The fact that it is an 8-year-old PHP version that hasn't been updated in 5 years, I would be more alert on security alerts and not assume it's a false negative or whatever. If anything, it should be more likely that it is a positive.

https://www.actualized.org/forum/uploads/javascript_core/front_front_profile.js.9e438f42c137b264a74ca2bedb278289.js?csrfKey=013e39e9da0b4445373c91cb3c9971e4&antiCache=6dcee3118d <-- This

It flags 2 things at once. Reminds me of CSRF vulnerability. A token is generated and flagged as a script miner, which means there's a security flaw. 

It is most likely a possible Cross-site request forgery (CSRF). Might also explain why this site is unreachable at times.

Quote

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts.[2] There are many ways in which a malicious website can transmit such commands; specially-crafted image tags,  hidden forms, and JavaScript fetch or XMLHttpRequests, for example

https://en.wikipedia.org/wiki/Cross-site_request_forgery

It can also trick a user's browser into sending unauthorized requests to a web application (miner).

Since the security flaw is discovered on the profile section, it is most likely something worth looking into.

Actualized is running on an 8-year-old PHP version, which is a security risk on its own.

Outdated PHP versions, such as those prior to 7.1, are considered end-of-life and are no longer patched. Known security vulnerabilities for these versions exist right now. This alone makes Actualized an easy prey.

[attached image: PHP.jpg]

https://actualized.org/phpinfo.php

First of all, I would update php and take threat alerts more seriously, especially when the server is not in the current decade.

Edited by D2sage


Lol, you should not be able to view the phpinfo of a website :P that’s not ideal, neither is running PHP 5

I’m pretty sure that JS script is not a miner, you can see other references to that javascript_core thing online where it’s identified as a false positive. But you were definitely right to point it out

@thepixelmonk even if you’re right, there’s no need to be a dickhead about it. I often find myself agreeing with you but you always have such a hostile tone that just isn’t necessary


@something_else

26 minutes ago, something_else said:

Lol, you should not be able to view the phpinfo of a website :P that’s not ideal, neither is running PHP 5

You can clearly view it right here:  https://actualized.org/phpinfo.php 

It says: PHP Version 5.6.40 

So what are you even talking about?

Ideal or not, it is running on a dead version. Admin must update it, it won't update itself.

Maybe not a miner, but it is a potential Cross-site request forgery. Common among forums and sites with old PHP. Anyone can make a profile here and upload files.

Edited by D2sage

13 minutes ago, D2sage said:

So what are you even talking about?

I was saying that the /phpinfo.php route should be protected and not publicly visible. Most websites that run PHP hide that info because it’s very valuable for an attacker, actualized.org should have it secured.

However I think the chance of that JS file being a miner is pretty low. I had a good look through it and I can’t see anything that suggests it’s dangerous, I work with PHP and JS pretty much every day as a web developer. You can also see here that it was identified but marked as not a threat

https://www.hybrid-analysis.com/sample/5ac82f8848374af9e726d97ab93344a95948a5b99768358b749246ddede31a18

It’s likely a false positive but still worth pointing out. That javascript_core library is used on lots of forums if you Google for it. They are likely all using the same forum software as actualised.

And a ‘CSRF token’ is there to prevent CSRF attacks, not cause them


@something_else Only if he makes it invisible. And it is clearly publicly visible.

Yeah it should, but it isn't.

Can't you see it is visible right here? https://actualized.org/phpinfo.php

[attached image: axax.jpg]

That version hasn't been patched for 5 years and thus it is filled with security flaws.

So why would the anti-CSRF work properly? It is the token that is being flagged as well.

Edited by D2sage


It’s not even obvious what CSRF attack an attacker would actually want to run on the profile page specifically. CSRF attacks involve tricking a user/browser into submitting a request they didn’t mean to, bad ones would be like a password/email change, but those are almost certainly protected by CSRF tokens in professional software like this. See below, especially the “impact” section

https://portswigger.net/web-security/csrf

But there are no such forms available on that profile page that would be a CSRF risk. And it’s not clear how that JS would play a role either. Generally it would be another website that told the user's browser to make a request to a vulnerable actualized.org action/form which does not verify a CSRF token. That’s how CSRF attacks usually work.

That JS file is very likely part of the forum software that actualized.org runs on. It’s not maliciously placed there.

Edited by something_else

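The synchronizer-token mechanism something_else describes in the two posts above (the token exists to prevent CSRF, and an attack only works against an action that does not verify one), shown as an added example written for this thread. It is not code from actualized.org or from its forum software; the function names (csrf_issue_token, csrf_verify, change_email_vulnerable, change_email_hardened) are hypothetical, and the session is simulated with an array so the file runs from the PHP CLI (7.1 or later) without a web server.

```php
<?php
// Added example, not actualized.org's or its forum software's code.
// Minimal synchronizer-token CSRF defense around a "change e-mail" action.
// The session is a plain array here so this runs from the CLI.

declare(strict_types=1);

// Issue a fresh random token and keep a copy server-side in the session.
function csrf_issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $session['csrf_token'] = $token;
    return $token;
}

// Check the token that arrived with a state-changing request.
function csrf_verify(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison; a plain === leaks timing information.
    return hash_equals($session['csrf_token'], $submitted);
}

// VULNERABLE handler: trusts any POST that arrives with the session cookie.
// Browsers attach cookies to cross-site form submissions automatically, so a
// request the user never intended is indistinguishable from a genuine one.
function change_email_vulnerable(array &$account, array $post): string
{
    $account['email'] = $post['email'];
    return 'updated';
}

// HARDENED handler: the request must also carry the token that only the
// genuine page could have embedded. Another origin cannot read that page,
// so it cannot supply the token.
function change_email_hardened(array &$account, array $session, array $post): string
{
    if (!csrf_verify($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $account['email'] = $post['email'];
    return 'updated';
}

// --- Constructed walkthrough --------------------------------------------
$session = [];
$account = ['email' => 'victim@example.com'];

// 1. The legitimate settings page is rendered with the token in a hidden field.
$token = csrf_issue_token($session);
$hiddenField = '<input type="hidden" name="csrf_token" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
echo "form field: {$hiddenField}\n";

// 2. A cross-site request: the cookie rides along, the token does not.
$forgedPost = ['email' => 'attacker@example.net'];
echo "vulnerable handler: ", change_email_vulnerable($account, $forgedPost),
     " -> {$account['email']}\n";

$account = ['email' => 'victim@example.com'];
echo "hardened handler (no token): ", change_email_hardened($account, $session, $forgedPost),
     " -> {$account['email']}\n";

// 3. The genuine submission carries the token and is accepted.
$genuinePost = ['email' => 'new@example.com', 'csrf_token' => $token];
echo "hardened handler (genuine): ", change_email_hardened($account, $session, $genuinePost),
     " -> {$account['email']}\n";
```

The point the code makes concrete is the one made in the post: the token is a defense, and its presence in a URL or form is not what makes an endpoint exploitable; an endpoint is exploitable when it changes state without checking one. In a real deployment the token lives in `$_SESSION`, the check runs on every non-idempotent request, and setting the session cookie with the `SameSite` attribute adds a second, independent layer.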

@something_else There are many ways in which a malicious website can transmit such commands with CSRF, such as specially-crafted image tags.

Specially-crafted image tags typically refer to HTML tags used to embed images in a webpage, which have been designed or manipulated in a way to exploit vulnerabilities in web browsers or web applications. 

It is 100% possible to make an image have code in it.

The vulnerability can occur if the website does not properly validate and sanitize user-generated image files. This can allow an attacker to upload a malicious image file that contains code or scripts that can be executed when the image is displayed on the website. 

And as php 5.6 - It is an easy prey. Security flaws that existed 5 years ago still do because it's abandoned. There's plenty of security flaws to attack. Anyone can upload files to Actualized forum profile. The fact that the CSRF system is being flagged is concerning itself.

PHP 5.6 has reached its end of life and is no longer officially supported by the PHP development team. As a result, it is generally not considered safe to use in forum environments.

PHP 5.4 contained several known security vulnerabilities that could be exploited by attackers to compromise web applications and servers. It can use specialized software that is specifically designed to stealthily mine cryptocurrency in the background, without the victim's knowledge. Nothing will show up on your task manager. 

 

The CSRF system could be compromised.

Most commonly in a forum:

  1. A person creates a profile
  2. Person uploads manipulated image  on his profile

Then: --->>>> from Actualized.org via profile and then through the many security flaws in PHP 5.4 - a malicious code has made it into the fragile and outdated server.

I've had forums before Actualized.org had a forum.

Mostly I have dealt with people who upload their own ads to make money with my traffic.

But imagine now that the code is programmed to function as a cookie, for example:

Cookie-based cryptojacking is a type of cryptocurrency mining malware that uses cookies to track a user's web browsing activity and mine cryptocurrency without the user's consent. When a user visits a website that has been infected with this type of malware, the malware uses the cookies stored in the user's browser to track their activity and run cryptocurrency mining scripts in the background. 

Again, checking for CPU usage is naive as this stuff is stealthed and doesn't show up on your task manager, hence the name trojan. And no, Leo has not implemented this, that's not what I am saying.

Developers are usually intelligent and limit the resources to a minimum, but if you get a lot of those cookies then it's another Dollar Bill.

So, scanning a piece of code in an online tool is not the way to go. The javascript doesn't have to be the miner itself. It's more like a trace right now. Firewalls and advanced threat intelligence can also pick up traces of malware, in this case the javascript and the questionable CSRF system.

Edited by D2sage


I agree with you about PHP 5 being insecure. Obviously that’s not ideal, but it’s unrelated to the file your AV picked up.

Actualized.org is not likely to be attacked via CSRF, because it has nothing that would be valuable for an attacker to trick your browser into doing. The worst would be like an attacker tricking your browser into making a post here maybe?? Or changing your password? But the chances of these forms being vulnerable are unlikely. They will be using CSRF protection, which is what that csrfKey thing is related to.

The CSRF key in that JS URL would not be able to contribute anything towards a CSRF attack. A CSRF attack does not need a CSRF token. It can be done specifically because a website is NOT using those CSRF tokens in the right places.

A CSRF attack is also not going to be able to trick your browser into mining cryptocurrency. Those are unrelated threats.

And your AV identified that file as a potential miner anyway, not CSRF vulnerability. The threat we are discussing here would be some JS someone had managed to get loaded in your browser on an actualized page that wasn’t intended to be there. It’s not related to backend PHP vulnerabilities. 

From looking at that file, there is nothing suspicious happening in that particular JS file. It’s all stuff that looks related to the forum software actualized.org uses. If there was specific miner code, your AV would have identified that exact JS file that was running the miner code instead of just a trace of it.

Lots of AV identify false positives. It’s common. That is very likely what happened here. Not everything your AV points out is an actual threat.

And it would have to be a serious, serious vulnerability in your OS/browser that allowed a process to use your CPU without it showing up in activity monitor or task manager. Everything in a tab in modern browsers is sandboxed inside a specific process you can monitor and see if it’s using a lot of CPU. Bypassing that is not something a random JS miner online is going to be able to do.


@something_else 

Alright. CSRF is out.

My last thought is forum image uploading rely on PHP.

I'm not using AV, but ATI, which can detect traces of malware. 

ATI involves the use of advanced technologies such as machine learning, artificial intelligence, and big data analytics to process and analyze large amounts of data from multiple sources. These sources may include network traffic, log files, threat intelligence feeds, and open source intelligence (OSINT). The goal is to identify patterns and anomalies in the data that may indicate the presence of a threat, and to use this information to proactively defend against cyber attacks.

So the AI detects presence within the profile section of actualized. The reason the js file is flagged.

On my forum this was the thing;

Someone creates a profile->Uploads altered image--> then the code in that image shows ads for people and they earn money.

Malware code can be embedded in an image in a few different ways, for example: Attached to the end of a file, or through slight tweaks to individual bits of the code, or through changes to the metadata associated with a file.

https://www.reversinglabs.com/blog/malware-in-images

Edited by D2sage

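D2sage's last post raises the one concrete risk in the thread that a forum operator can act on: profile image uploads, where content can be appended after the image data or hidden in metadata. The following is an added example of the defensive handling for such an upload, written for this thread and not code from actualized.org or its forum software. It assumes PHP 7.1 or later with the GD extension; the function names (detect_image_type, sanitize_image, constructed_polyglot_upload) and the size limit are hypothetical, and the "upload" is constructed inline so the file runs offline.

```php
<?php
// Added example, not actualized.org's or its forum software's code.
// Defensive handling of a forum avatar upload:
//  (a) determine the real image type from the bytes, not the filename;
//  (b) re-encode through GD so that bytes appended after the image and any
//      metadata (EXIF, XMP, text chunks) are discarded before storage.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // 2 MiB, a constructed limit

// Real MIME type of the bytes, or null if they are not a PNG, JPEG or GIF.
function detect_image_type(string $bytes): ?string
{
    // Reads the header magic; a ".png" extension on a PHP file proves nothing.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return null;
    }
    $allowed = [
        IMAGETYPE_PNG  => 'image/png',
        IMAGETYPE_JPEG => 'image/jpeg',
        IMAGETYPE_GIF  => 'image/gif',
    ];
    return $allowed[$info[2]] ?? null;
}

// Decode then encode: only pixel data survives the round trip.
function sanitize_image(string $bytes): ?string
{
    if (strlen($bytes) > MAX_UPLOAD_BYTES || detect_image_type($bytes) === null) {
        return null;
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;                           // declared image type but undecodable
    }
    ob_start();
    imagepng($img);                            // one predictable output format
    $clean = ob_get_clean();
    imagedestroy($img);
    return $clean === false ? null : $clean;
}

// Constructed test input: a valid 2x2 PNG with extra bytes after the IEND chunk.
// Image viewers ignore trailing bytes, so a server that merely moves the
// uploaded file into place would store them verbatim.
function constructed_polyglot_upload(): string
{
    $img = imagecreatetruecolor(2, 2);
    imagefill($img, 0, 0, imagecolorallocate($img, 255, 0, 0));
    ob_start();
    imagepng($img);
    $png = ob_get_clean();
    imagedestroy($img);
    return $png . "\n--appended-marker--\n";
}

$upload = constructed_polyglot_upload();
$clean  = sanitize_image($upload);

echo "upload type:               ", detect_image_type($upload) ?? 'not an image', "\n";
echo "upload has appended bytes: ", strpos($upload, '--appended-marker--') !== false ? 'yes' : 'no', "\n";
echo "sanitized has them:        ", ($clean !== null && strpos($clean, '--appended-marker--') !== false) ? 'yes' : 'no', "\n";
echo "sanitized still an image:  ", ($clean !== null && detect_image_type($clean) === 'image/png') ? 'yes' : 'no', "\n";

// Non-image content is rejected regardless of what the client named the file.
echo "text file as avatar:       ", sanitize_image("not an image at all") === null ? 'rejected' : 'accepted', "\n";
```

Re-encoding removes appended data and metadata; it does not remove data hidden in pixel values, but such data is inert unless some component decodes and acts on it. The complementary controls are storing uploads outside the web root (or serving them from a location where script execution is disabled) and giving stored files a server-chosen name and extension, so that nothing a user uploaded can ever be executed by the PHP interpreter, whichever version it is.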
