URGENT: Mining-script in PrimeFaces-Page? Where does it come from??

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

22 Jan 2018, 21:47

The URL should be the same actually - but not sure. Blocking can simply be done in Apache or nginx AFAIR.
Thomas Andraschko

PrimeFaces | PrimeFaces Extensions

Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE

Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

22 Jan 2018, 21:51

From what I can tell, any URL that has "pfdrid=" as a query param looks like a resource that triggers the PrimeResourceHandler.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

deathkryz
Posts: 1
Joined: 08 Apr 2014, 00:46

24 Jan 2018, 21:33

dataCore commented 5 days ago
Temporary fix in apache config (/etc/apache2/sites-available/-ssl) by blocking (deny access) the exploit xhtml page:
<Location /javax.faces.resource/dynamiccontent.properties.xhtml>
Order allow,deny
Deny from all
</Location>

WARNING: if your page uses a functionality from 'dynamiccontent', it won't work anymore

I have the same problem with the miner script; I found that temporary fix.
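
Added example (not part of the posts above and not PrimeFaces code): a Python sketch for reviewing web-server access logs against the two observations in this thread, the `<Location>` block on `dynamiccontent.properties.xhtml` and Melloware's note that the `pfdrid` query parameter is what reaches the PrimeResourceHandler. The log lines are constructed samples in combined log format; a `pfdrid` sent in a POST body does not appear in an access log, and pages that use dynamic content produce legitimate `pfdrid` requests, so hits are candidates for review only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path taken from the <Location> block quoted in the post above.
BLOCKED_LOCATION = "/javax.faces.resource/dynamiccontent.properties.xhtml"
# Query parameter named in Melloware's post.
HANDLER_PARAM = "pfdrid"

# Request line inside an Apache/nginx "combined" access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder pfdrid value).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2018:21:40:01 +0100] "POST /javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1" 403 199',
    '203.0.113.7 - - [22/Jan/2018:21:40:05 +0100] "GET /javax.faces.resource/theme.css.xhtml?ln=primefaces&pfdrid=CONSTRUCTED HTTP/1.1" 200 512',
    '198.51.100.4 - - [22/Jan/2018:21:41:10 +0100] "GET /javax.faces.resource/theme.css.xhtml?ln=primefaces-aristo HTTP/1.1" 200 20480',
    '198.51.100.4 - - [22/Jan/2018:21:41:12 +0100] "GET /index.xhtml HTTP/1.1" 200 4096',
]


def covered_by_location(path):
    """Apache <Location /x> applies to /x itself and to anything below /x/."""
    return path == BLOCKED_LOCATION or path.startswith(BLOCKED_LOCATION + "/")


def classify(line):
    """Label one access-log line by how it relates to the temporary fix."""
    match = REQUEST_RE.search(line)
    if not match:
        return "unparsed"
    url = urlsplit(match.group("target"))
    if covered_by_location(url.path):
        return "covered-by-block"
    # <Location> matches on the path only, so a pfdrid query parameter on
    # any other path is not denied by the block quoted above.
    if HANDLER_PARAM in parse_qs(url.query, keep_blank_values=True):
        return "pfdrid-not-covered"
    return "other"


def review(lines):
    """Return (label, client address) for every log line."""
    return [(classify(line), line.split()[0]) for line in lines]


if __name__ == "__main__":
    for label, client in review(SAMPLE_LOG):
        print(f"{label:20} {client}")
```

Lines labelled `pfdrid-not-covered` are the ones the path-only block would let through on an unpatched server.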

diogomaster
Posts: 1
Joined: 25 Jan 2018, 12:45

25 Jan 2018, 17:18

The novelty is what they are now using it for: mining. After the machine is compromised, a bot is installed that sweeps ranges of vulnerable IPs.
Here's how the bug was first exploited.

http://blog.mindedsecurity.com/2016/02/

tak3shi
Posts: 6
Joined: 25 Apr 2013, 22:58

27 Jan 2018, 11:21

Since I upgraded to PF6.1 there were no issues anymore. If someone still has problems after upgrading, I would check for old deployments on the same server, because the injection can change files outside the current domain (happened to me).

dpiccolo
Posts: 1
Joined: 29 Jan 2018, 16:40

29 Jan 2018, 16:56

optimus.prime wrote:
19 Jan 2018, 09:49
There was a security issue in PrimeFaces 5.x, please update PrimeFaces to get this patched. The minimum versions required for the patch are;

5.2.21, 5.3.8 or 6.0

I'm using PrimeFaces v5.3 from Maven. How can I update to 5.3.8? I tried registering as an Elite member of this site, but the cart cannot process my credit card (actually my cc rejects the purchase). Any help is appreciated since I have that miner showing up every day.
Damian

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

29 Jan 2018, 20:29

I would contact PrimeTek directly if buying something from the store doesn't work.

eodom
Posts: 3
Joined: 30 Jan 2018, 12:57

30 Jan 2018, 13:42

Hello,
We are currently affected by this exploit.
Our website gets the jhondi33.duckdns.org... deepMiner.js
Avast and AVG notified our users about a security issue. Chrome goes up to 100% CPU.
Internet Explorer opens a popup with a 404 error.
It becomes a nightmare :(

I looked at the pom.xml in our app:
<!-- Servlet et pages -->
<mojarra.version>2.1.18</mojarra.version>
<primefaces.version>5.2</primefaces.version>
<primefaces-themes.version>1.0.10</primefaces-themes.version>
<primefaces-extensions.version>3.2.0</primefaces-extensions.version>
<java-ee-api.version>6.0</java-ee-api.version>

The app was made by a third party 2 years ago. I was not in the society at this time. But, now, I have to fix it :(
I do not find any information about any subscription.
As it is a Maven project, I think it is a Maven version.
I saw that updating from 5.2 to 5.3 has no issues. https://github.com/primefaces/primeface ... tion-Guide
I downloaded the 5.3 version from the Maven website.
But which 5.3 is it? Is it the last one with the patch? I can also see a v5.3 RC2. What is it?

I am not comfortable enough to upgrade to v6.1 as I do not know how the app really works (and have no real skills in Java).
And I will not have the money from my board to pay for the fix.

I will try to block it with Apache this afternoon.

Looking for any advice, hints or whatever. :)

Guillaume

chimmelb
Posts: 5
Joined: 17 Jan 2018, 22:39

31 Jan 2018, 13:49

eodom wrote:
30 Jan 2018, 13:42

As it is a Maven project, I think it is a Maven version.
I saw that updating from 5.2 to 5.3 has no issues. https://github.com/primefaces/primeface ... tion-Guide
I downloaded the 5.3 version from the Maven website.
But which 5.3 is it? Is it the last one with the patch? I can also see a v5.3 RC2. What is it?

I am not comfortable enough to upgrade to v6.1 as I do not know how the app really works (and have no real skills in Java).

Community version 5.3 is not enough. You would need paid version 5.3.X. I do not know the "X" offhand, just that you would need to pick your point release and "5.3" isn't enough on its own.

Regarding 6.1, for our pages it was as easy as choosing the new version and rebuilding. We happened to not use any of the breaking changes in the migration notes. https://github.com/primefaces/primeface ... tion-Guide. It's worth a build for you to try!

eodom
Posts: 3
Joined: 30 Jan 2018, 12:57

31 Jan 2018, 17:27

I feel ransomed. :cry:
As I could see in a Google search, many websites have this issue (6 pages).
$99 to fix the security issue.
So, you will get rich soon...
