Author Topic: Global headers and footers update including bitcoin miner?  (Read 605 times)

Offline franhaselden

  • Newbie
  • *
  • Posts: 4
Global headers and footers update including bitcoin miner?
« on: October 06, 2017, 06:31:33 AM »
My forum users recently complained about malware software flagging the forum and their CPU usage increasing.

I traced this back to a bitcoin miner called Coin Hive.

I found that the script was injected through global header/footer which I am seeing as most recently updated (4th October). Very confused, as I'd performed no manual update.

The package that seems to have been updated was: Global-Headers-and-Footers-2.0.1

Can anybody help me pin down what happened here and how I can prevent it happening in the future?

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,349
Re: Global headers and footers update including bitcoin miner?
« Reply #1 on: October 06, 2017, 12:15:03 PM »
I don't include that script in any of my mods and never would.

I would change your passwords and those of other admins, and check your file permissions. Make sure you are on the latest version of SMF.

Offline franhaselden

  • Newbie
  • *
  • Posts: 4
Re: Global headers and footers update including bitcoin miner?
« Reply #2 on: October 12, 2017, 06:29:47 AM »
Thanks for your reply.

I'm really confused. I have a strong admin password which is now changed. I've not been able to find any logins other than my own (and I hadn't logged into the forum on the 4th when it occurred; my admin account shows no login that day). But that is where the coin miner was added, and the only mod that was updated. I'm on the latest version. I've contacted my host too but they can't see anything malicious. Totally confused.
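
A file-level triage check in the spirit of the advice in this thread, added here as an example and not code from the thread, from SMF, or from the mod: it walks a forum directory and reports files that are world-writable, were modified on the reported day (4 October 2017), or contain a miner reference. The marker string `coinhive`, the date window, and the sample file names are assumptions; header/footer content that a mod keeps in the database is not covered by a file scan.

```python
import os
import stat
import tempfile
from datetime import datetime
MARKER = b"coinhive"      # assumption: injected markup names the miner
MAX_BYTES = 2_000_000     # only the first 2 MB of each file is searched

def triage(root, since, until, marker=MARKER):
    """Return sorted (relative path, reasons) for files that need review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, devices
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if since <= st.st_mtime < until:
                reasons.append("modified-in-window")
            try:
                with open(path, "rb") as fh:
                    if marker in fh.read(MAX_BYTES).lower():
                        reasons.append("miner-marker")
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    old, hit = datetime(2017, 9, 1), datetime(2017, 10, 4, 12)
    samples = {   # name: (content, mode, mtime); constructed, not real forum files
        "index.php": (b"<?php // clean", 0o644, old),
        "config.php": (b"<?php // clean", 0o666, old),
        "footer.html": (b'<script src="//example.invalid/CoinHive.js"></script>', 0o644, hit),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode, when) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
            os.utime(path, (when.timestamp(), when.timestamp()))
        return triage(root, datetime(2017, 10, 4).timestamp(), datetime(2017, 10, 5).timestamp())

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real install, call `triage()` with the forum's document root and the time window taken from the mod's "last updated" date; a file that is both world-writable and modified in the window is the first place to look.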