My forum users recently complained about malware software flagging the forum and their CPU usage increasing.
I traced this back to a bitcoin miner called Coin Hive.
I found that the script was injected through global header/footer which I am seeing as most recently updated (4th October). Very confused, as I'd performed no manual update.
The package that seems to have been updated was: Global-Headers-and-Footers-2.0.1
Can anybody help me pin down what happened here and how I can prevent it happening in the future?
I don't include that script in any of mod and never would
I would change your passwords and other admins and check your file permissions. Make sure you are on the latest version of SMF.
Thanks for your reply.
I'm really confused. I have a strong admin password which is now changed. I've not been able to find any logins other than my own (and I hadn't logged into the forum on the 4th when it occurred, my admin account show no login that day). But that is where the the coin miner was added, and the only mod that was updated. I'm on the latest version. I've contacted my host too but they can't see anything malicious. Totally confused.