femdom Posted December 18, 2017

Hi: it took me a whole day to find why Nod32 is reporting Coin Miner Infection. It is one related to one of the advertiser's zones. As soon as I disable that zone, there are no more warnings. This is what I am getting at the moment when I re-enable that zone:

Please advise what to do? I've clicked on the sites from served banners and there I am not getting that message on their sites.

Thanks
joe_1592835 Posted December 18, 2017

We just had the exact same problem pop up. Fifteen of our ad zones had a script included that loaded a coinminer.f JavaScript. These were all added into the table xxx_zones in the prepend column.

To remove the coinminer.js script, go into your database and pull up any xxx_zones where prepend or append is not null. You should see the script there and can delete it.

More importantly, I need to figure out how it got there. I just began looking into this; I will let you know what else I find. This came up right after we upgraded to Revive version 4.1.1. That might just be a coincidence. I'll post what I find.

I also disabled the prepend/append columns in the xxx_zones table since I do not use these. By "disabled" I mean I just changed their column type from text to char(1). This way nothing can be entered into those columns. Again though, most importantly, I need to figure out how they got there in the first place since it means there is a hole somewhere.
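A read-only audit of the cleanup step described in the post above, as an added example that is not from the thread or from the Revive project: it lists every zone whose prepend or append is non-empty and flags values containing executable markup. The zoneid and zonename columns, the in-memory SQLite stand-in for the real database, and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample rows. The zoneid/zonename columns are assumed; "xxx_" stands
# in for your install's table prefix, as in the post.
SAMPLE_ROWS = [
    (1, "Leaderboard", None, None),
    (2, "Sidebar", "", ""),
    (3, "Footer", "<!-- house ad wrapper -->", None),
    (4, "Skyscraper", '<script src="//miner.example.invalid/m.js"></script>', None),
    (5, "Popunder", None, '<img src=x onerror="load()">'),
]

# Markup that lets a prepend/append value run code in the visitor's browser.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.IGNORECASE)

def build_sample_db():
    """In-memory stand-in for the ad server database (assumption for the demo)."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE xxx_zones (zoneid INTEGER PRIMARY KEY, zonename TEXT, '
               'prepend TEXT, "append" TEXT)')
    db.executemany("INSERT INTO xxx_zones VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def audit_zones(db):
    """Return (zoneid, zonename, column, verdict, value) for each non-empty field."""
    findings = []
    rows = db.execute(
        'SELECT zoneid, zonename, prepend, "append" FROM xxx_zones '
        "WHERE COALESCE(prepend, '') <> '' OR COALESCE(\"append\", '') <> '' "
        "ORDER BY zoneid")
    for zoneid, zonename, prepend, append in rows:
        for column, value in (("prepend", prepend), ("append", append)):
            if value:
                # "review" means no active markup matched; a human should still read it.
                verdict = "ACTIVE" if ACTIVE_MARKUP.search(value) else "review"
                findings.append((zoneid, zonename, column, verdict, value))
    return findings

if __name__ == "__main__":
    for zoneid, name, column, verdict, value in audit_zones(build_sample_db()):
        print(f"[{verdict}] zone {zoneid} ({name}) {column}: {value[:80]}")
```

Saving the flagged values before deleting them keeps evidence of what was injected, which helps when working out how it got there.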
femdom Posted December 19, 2017

Thank you so much, no way that I could find this considering that I don't have knowledge on this level. Hope you will post what you find soon. I am sure there are many people infected, maybe they are just not aware at this point. This is a huge security breach. If it helps, I am running v3.2.1, will update now.
andrewatfornax Posted December 27, 2017

Unfortunately, we often see that people were hacked while running really old versions - there is no denying that there were a lot of remote exploits from back in the day - but while we have fixed those holes, if your install has already been hacked, and someone has admin access, then just upgrading isn't enough, because the hackers still have admin access!

http://www.openxconsultant.com/blog/2011/10/what-to-do-when-you-suspect-your-openx-system-has-been-hacked/ is a pretty good place to start.