Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Chat about Linux in general
felemur
Level 4
Level 4
Posts: 386
Joined: Sun Sep 20, 2015 2:22 pm

Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby felemur » Wed Nov 01, 2017 11:56 am

I'm just curious - can this happen with Linux, or is it just a Windows issue?

Citizen229
Level 5
Level 5
Posts: 673
Joined: Fri Nov 04, 2016 12:09 pm
Location: NW Ohio

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Citizen229 » Wed Nov 01, 2017 12:26 pm

Got an article to link? Or is this made up?
Folding@home Project
Team Linux Mint-76140
PM for info on how you can help. Or visit https://forums.linuxmint.com/viewtopic.php?f=58&t=243792
More GPU's needed!


Mick-Cork
Level 2
Level 2
Posts: 76
Joined: Sun Mar 23, 2014 10:10 pm
Location: West Cork & London

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Mick-Cork » Wed Nov 01, 2017 12:43 pm

It can be done both secretly (malicious) and openly (honest) via browsers running on any OS. The malicious way tends to happen when a website gets hacked by a 3rd party, or the owner doesn't tell you they are doing it themselves. The honest method is when the owner is up front and it's typically used as an alternative to making voluntary donations.

I read an article about it recently, and in the comments an honest broker linked back to his thank you page where the script would run automatically. He had an explanation on the page explaining why he was using it. Basically it uses the power of your machine to generate the hashes required to create cryptocoins (if that's the right term?). When I landed on the page both of my CPU processors went up to 100% utilisation (LM 18.2 Cinnamon) - fans came on fairly quickly!

If I can find the page I'll come back and add it.

Edit: Original article: https://www.wordfence.com/blog/2017/10/cryptocurrency-mining-wordpress/

and page mentioned in comments that runs mining script... http://www.joelevi.com/thanks.html

Warning: it will start eating up available CPU power whilst you're on the page, but stops once you close it.

felemur
Level 4
Level 4
Posts: 386
Joined: Sun Sep 20, 2015 2:22 pm

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby felemur » Wed Nov 01, 2017 1:36 pm

I posted the same question on the Vivaldi Browser forum (as that is the one I use the most), and one of the people indicated that using the uBlock Origin extension would stop it.

Is that true?

EDIT: Here is a cross-post of my same question on the Vivaldi Forum, as some of the answers are interesting.

https://forum.vivaldi.net/topic/21956/w ... tocurrency

felemur
Level 4
Level 4
Posts: 386
Joined: Sun Sep 20, 2015 2:22 pm

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby felemur » Wed Nov 01, 2017 1:42 pm

FYI: Here is an extension that is supposed to block this (from one of the answers on the Vivaldi Forum). This should work on Chromium based browsers like Chrome, Vivaldi, SlimJet, etc.

https://chrome.google.com/webstore/deta ... fmgmpblogb

Mick-Cork
Level 2
Level 2
Posts: 76
Joined: Sun Mar 23, 2014 10:10 pm
Location: West Cork & London

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Mick-Cork » Wed Nov 01, 2017 2:04 pm

Just tested that extension in Chromium and on the website I mentioned - it worked :)

Not sure how it filters/blocks, so whether it will remain effective over time remains to be seen.

Edit: hmmm, think it just blocks connection to domains, in this case 'coinhive.com'.

User avatar
BigEasy
Level 5
Level 5
Posts: 994
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby BigEasy » Wed Nov 01, 2017 2:48 pm

felemur wrote:I'm just curious - can this happen with Linux, or is it just a Windows issue?

Can happen with everything (Windowses, Linuxes, Androids, iOS, macOS...) where exists applications able to run JS and internet.
Windows assumes I'm stupid but Linux demands proof of it

felemur
Level 4
Level 4
Posts: 386
Joined: Sun Sep 20, 2015 2:22 pm

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby felemur » Wed Nov 01, 2017 3:40 pm

Mick-Cork wrote:Just tested that extension in Chromium and on the website I mentioned - it worked :)

Not sure how it filters/blocks, so whether it will remain effective over time remains to be seen.

Edit: hmmm, think it just blocks connection to domains, in this case 'coinhive.com'.


Yes, it is list based. I hope it updates regularly with any new mining domains.

I guess the good side of being a list based domain blocker, is it is unlikely to cause any problems.

If you could locate up-to-date mining domain lists, you could just add them to uBlock Origin, though if the Cyrpto Mining Blocker does that all automatically, it is the easy way as far as I can tell.

EDIT: Here is the GitHub page for the Crypto Mining Blocker, and it shows what the Blacklist is:\

https://github.com/lesander/crypto-mine ... blocker.js

Mick-Cork
Level 2
Level 2
Posts: 76
Joined: Sun Mar 23, 2014 10:10 pm
Location: West Cork & London

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Mick-Cork » Wed Nov 01, 2017 4:38 pm

Good find, looks like it also tries to block certain js scripts as well so a bit more than just domains. I just added coin-hive.com to my hosts file as a test (using Domain Blocker in LM), and that prevents any app from being able to connect to it. If the spread of this becomes a real problem then I guess keeping the hosts file up to date would be an effective, machine-wide, way of dealing with it.

User avatar
coffee412
Level 5
Level 5
Posts: 721
Joined: Mon Nov 12, 2012 7:38 pm
Location: Indiana, USA
Contact:

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby coffee412 » Wed Nov 01, 2017 5:19 pm

Wow. Glad I read this post. I just added coin-hive to my domain blocking too.

I think either way (honest/dishonest) is bad. I can see some computers just locking up solid when visiting a site like that.
Ryzen x1800 Asus Prime x370-Pro 32 gigs Ram RX480 graphics
IceWarp * Samba AD * Mint 18.1 * RAID 1/5 * OpenVPN * Linux since kernel 2.0.36

Mick-Cork
Level 2
Level 2
Posts: 76
Joined: Sun Mar 23, 2014 10:10 pm
Location: West Cork & London

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Mick-Cork » Wed Nov 01, 2017 7:06 pm

Hi coffee412, from what I can find these are the domains currently involved:

coinhive.com
coin-hive.com
jsecoin.com
crypto-loot.com

I suspect more will start to appear as the bandwagon grows, so whether it ends up with script or domain blocking (or both?) time will tell. Anyway, a few to add to the domain blocker for the moment.

User avatar
lisabonne citadel
Level 3
Level 3
Posts: 126
Joined: Fri Oct 13, 2017 5:13 am

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby lisabonne citadel » Wed Nov 01, 2017 8:08 pm

It seems one type of cryptocurrency ONLY take advantage of 445 TCP UDP port.
You can use firewall to prevent this and you can set iptable to block all tcp and udp ports except 80 and 443...
https://www.scmagazine.com/cryptocurrency-miner-adylkuzz-attack-could-be-bigger-than-wannacry/article/662128/
i published here yesterday how :)

User avatar
coffee412
Level 5
Level 5
Posts: 721
Joined: Mon Nov 12, 2012 7:38 pm
Location: Indiana, USA
Contact:

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby coffee412 » Wed Nov 01, 2017 8:18 pm

Mick-Cork wrote:Hi coffee412, from what I can find these are the domains currently involved:

coinhive.com
coin-hive.com
jsecoin.com
crypto-loot.com

I suspect more will start to appear as the bandwagon grows, so whether it ends up with script or domain blocking (or both?) time will tell. Anyway, a few to add to the domain blocker for the moment.


Big thankyous for the domains to block. Just got back from a service call and added them immediately.

Thanks again,
Ryzen x1800 Asus Prime x370-Pro 32 gigs Ram RX480 graphics
IceWarp * Samba AD * Mint 18.1 * RAID 1/5 * OpenVPN * Linux since kernel 2.0.36

User avatar
coffee412
Level 5
Level 5
Posts: 721
Joined: Mon Nov 12, 2012 7:38 pm
Location: Indiana, USA
Contact:

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby coffee412 » Wed Nov 01, 2017 8:19 pm

lisabonne citadel wrote:It seems one type of cryptocurrency ONLY take advantage of 445 TCP UDP port.
You can use firewall to prevent this and you can set iptable to block all tcp and udp ports except 80 and 443...
https://www.scmagazine.com/cryptocurrency-miner-adylkuzz-attack-could-be-bigger-than-wannacry/article/662128/
i published here yesterday how :)


Thanks for the link. I will be checking into that too.

coffee
Ryzen x1800 Asus Prime x370-Pro 32 gigs Ram RX480 graphics
IceWarp * Samba AD * Mint 18.1 * RAID 1/5 * OpenVPN * Linux since kernel 2.0.36

User avatar
lisabonne citadel
Level 3
Level 3
Posts: 126
Joined: Fri Oct 13, 2017 5:13 am

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby lisabonne citadel » Thu Nov 02, 2017 8:10 am

take a look https://www.computerworld.com/article/2557263/malware-vulnerabilities/experts-split-on-port-445-security-risk.html
12 years passed by and... many dangerous attacks always came from 445 tcp udp port.
445 port is SMB protocol or File-Sharing Protocol... I already said... I hate Sharing tools.
In case you cant delete SMB, install catfish and search smb in filesystem directory.
NOTE:
Dont get confused with smbios, BECAUSE YOU CANT HAVE system reability if you delete that.
Other easy way, is block with firewall 445 tcp udp port.

lmintnewb2

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby lmintnewb2 » Thu Nov 02, 2017 8:35 am

Interesting stuff, one of the reasons I love tech, just about the time I/you think you know everything, come across 4 million new things I'd known nothing about and realize how much I still have to learn.

Btw: Mick-Cork that pages doesn't do anything if you have Firefox with noscript installed. Much be javascript or similar based cause noscript stops it dead, my cpu(s) showed no additional activity visiting the webpage linked. :)

User avatar
Faust
Level 4
Level 4
Posts: 213
Joined: Thu Jul 14, 2016 3:40 am

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Faust » Thu Nov 02, 2017 9:47 am

Could simply edit the hosts file ( /etc/hosts ) so that those sites point to loopback ( 127.0.0.1 ) , or null ( 0.0.0.0 )
it’s a plain text file so edits are super easy .
example - add this line :
127.0.0.1 coinhive.com

@Mick-Cork
I forgot all about Domain Blocker .... thanks :)
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

User avatar
Pjotr
Level 19
Level 19
Posts: 9004
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Pjotr » Thu Nov 02, 2017 10:26 am

Faust wrote:Could simply edit the hosts file ( /etc/hosts ) so that those sites point to loopback ( 127.0.0.1 ) , or null ( 0.0.0.0 )
it’s a plain text file so edits are super easy .
example - add this line :
127.0.0.1 coinhive.com

Good way, but you'll have to keep it updated as new mining domains spring up. For example by browsing the blacklist of the popular browser add-on No Coin:
https://github.com/keraf/NoCoin/blob/ma ... cklist.txt

Or choose the easy way: put your trust in an add-on like No Coin itself, and install it in your Firefox, Chrome or Chromium. I'm rather lazy myself, so I'm leaning towards that. :mrgreen:

-- Edit (1): it appears that the adblocker uBlock Origin also blocks miners:
https://themerkle.com/ublock-origin-dev ... g-scripts/

Maybe a reason to dump Adblock Plus and switch to uBlock Origin? Probably no need for a dedicated mining blocker like No Coin then.

-- Edit (2): you can see uBlock Origin's mining filters under: "uBlock filters - Resource abuse".
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
Faust
Level 4
Level 4
Posts: 213
Joined: Thu Jul 14, 2016 3:40 am

Re: Websites Secretly Stealing Visitors' Resources Mining Cryptocurrency

Postby Faust » Thu Nov 02, 2017 2:25 pm

Pjotr wrote: .....
Good way, but you'll have to keep it updated as new mining domains spring up.....


Agreed , manual updating would be a bind .

There are some good tools for blocking at browser level , no doubt .
I wonder how many users of uBlockOrigin have actually dug into the settings and found all of the fine-grained
tweaking that's available , in particular those third-party filter lists ( that are regularly updated ) .
Just check the box and that list is included .... easy life !

But I'm more interested in blocking at OS level , and using those same filter lists for rolling updates

It shouldn't be that difficult.
On that other OS , " Hosts Block " ( the dev is called Brocke ) handles this very neatly , with user options for
run-on-boot , auto-update , and opt-ins for all of those useful lists of stinkers .

I haven't seen much discussion of this idea for GNU/Linux systems .... maybe it's a project to save for a rainy day
.... one that's no use for cycling ( I don't care much for walking in the rain , no matter what The Ronettes say :) )
Last edited by Faust on Thu Nov 02, 2017 2:27 pm, edited 1 time in total.
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .


Return to “Chat about Linux”