BITCOIN MINER on this site?!? - Fiberglass RV
Old 06-29-2018, 02:30 PM   #1
Alex Adams (Alexander, New Hampshire)
Malwarebytes Showing Riskware popup from Forums

I don't know if anyone else is seeing this, but I keep getting a riskware warning popup from Malwarebytes that shows a .ru web address. It only pops up when I am in the Forum. If I click on the Manufacturer's tab it stops. Here is what I am seeing:

[Attached thumbnail: Riskware_popup.png]
Old 06-29-2018, 02:46 PM   #2
Steve Carlson (Steve, Minnesota)
I have not been seeing that, and I have Malwarebytes at home.
Old 06-29-2018, 02:50 PM   #3
Alex Adams (Alexander, New Hampshire)
Steve, is that the free or pay version? Mine is the pay version.
Old 06-29-2018, 03:19 PM   #4
Byron Kinnaman (Byron, Oregon)
My guess is that it's a ghost. This site is processor hungry and I believe some malware protection software measures the amount of CPU capacity used, which could give a false alarm.

The IP listed on your screen shot is from Germany. I don't know where this site is hosted or gets its advertising.
Old 06-29-2018, 03:35 PM   #5
Steve Carlson (Steve, Minnesota)
Quote:
Originally Posted by Alex Adams
Steve, is that the free or pay version? Mine is the pay version.
Pay.
Old 06-29-2018, 05:23 PM   #6
John in Santa Cruz (John, CA)
Ah, my uBlock advertising filter is showing that .ru URL being used by a websocket, too... guessing there's some malware sliding in via the advertising stream, or the massive number of tracking scripts this site loads.

I'm trying to figure out where it's being invoked from... so far, I've just found this mostly useless info about it.

Request URL: wss://www.qlzwfzfatjth.ru/
Request Method: GET
Status Code: 101 Switching Protocols
HTTP/1.1 101 Switching Protocols
connection: Upgrade
date: Fri, 29 Jun 2018 23:19:44 GMT
sec-websocket-accept: 55L4VKDFS/6B8v0yDa9VM6P3UDM=
server: Cowboy
upgrade: websocket
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: Upgrade
Host: www.qlzwfzfatjth.ru
Origin: The Fiberglass RV Community
Pragma: no-cache
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: LAcnQeSDQ3EfCgpKAURlig==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Old 06-29-2018, 05:26 PM   #7
John in Santa Cruz (John, CA)
All the communications over that websocket are encrypted/hashed so it just looks like random garbage, but data is being sent to it fairly regularly while this site is open.
Old 06-29-2018, 05:29 PM   #8
John in Santa Cruz (John, CA)
Crap, that domain is associated with a bitcoin miner trojan.

I think someone has infected this website and is using our browsers to mine bitcoin. There are an insane number of obfuscated/encrypted javascript 'apps' associated with this site, far more than a simple web forum has any possible legitimate use for.
Old 06-29-2018, 05:32 PM   #9
John in Santa Cruz (John, CA)
I added qlzwfzfatjth.ru to my uBlock Origin custom blockers list, and WOW, the 80% CPU usage has gone entirely away.
Old 06-29-2018, 05:37 PM   #10
John in Santa Cruz (John, CA)
BITCOIN MINER on this site?!?

So several of us have commented that this site, when left open, consumes nearly 100% of a CPU core the entire time it's open.

I did some more digging and found via the Chrome domain inspector and my uBlock Origin adware blocker that there's a websocket being opened to a Russian obfuscated URL from some seriously obfuscated javascript code. I can't track down where the reference is coming from, but it's hitting websocket wss://www.qlzwfzfatjth.ru/ every couple of seconds with an encrypted string of junk.

http://www.fiberglassrv.com/forums/f...tml#post704268

When I Google that domain name, I find references to it in bitcoin mining hackery. I do believe someone has hacked this server, or one of the related advertising servers, and has injected a coin miner.

PLEASE FIX THIS ASAP.
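As an added example (not code from anyone in this thread), here is a small Python check that does what John did by hand in the browser: scan a list of observed requests for WebSocket upgrades that leave the forum's own domain, flag random-looking hostnames with a crude vowel-ratio heuristic, and emit the uBlock Origin filter line that blocks the host. The sample entries are constructed to mirror the thread; the fiberglassrv.com allowlist and the 0.15 threshold are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the thread: (request URL, HTTP status) as a
# browser "Network" tab or a HAR export would list them. Not captured data.
SAMPLE_ENTRIES = [
    ("https://www.fiberglassrv.com/forums/", 200),
    ("https://www.fiberglassrv.com/forums/clientscript/vbulletin.js", 200),
    ("wss://www.qlzwfzfatjth.ru/", 101),          # the socket from the thread
    ("wss://www.fiberglassrv.com/chat", 101),      # constructed first-party socket
]

VOWELS = set("aeiou")


def looks_random(label: str, max_vowel_ratio: float = 0.15) -> bool:
    """Heuristic only: machine-generated labels such as qlzwfzfatjth tend to
    contain almost no vowels. A low ratio is a hint, not proof."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 8:            # too short to judge
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < max_vowel_ratio


def registrable_domain(host: str) -> str:
    # Last two labels; fine for a heuristic, no public-suffix list here.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def flag_websockets(entries, first_party: str):
    """Return (url, reasons) for completed WebSocket upgrades (status 101)
    whose host is outside first_party, plus a note for random-looking names."""
    flagged = []
    for url, status in entries:
        parts = urlsplit(url)
        if parts.scheme not in ("ws", "wss") or status != 101:
            continue
        host = parts.hostname or ""
        reasons = []
        if not (host == first_party or host.endswith("." + first_party)):
            reasons.append("third-party websocket")
        if looks_random(registrable_domain(host).split(".")[0]):
            reasons.append("random-looking hostname")
        if reasons:
            flagged.append((url, reasons))
    return flagged


def ublock_filter(url: str) -> str:
    """uBlock Origin static filter blocking the host and all its subdomains."""
    return "||" + registrable_domain(urlsplit(url).hostname or "") + "^"
```

A site operator expresses the same first-party allowlist with a Content-Security-Policy connect-src directive, which makes the browser refuse the injected socket regardless of which script opens it.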
Old 06-29-2018, 05:56 PM   #11
John in Santa Cruz (John, CA)
Extra fun, the websocket?

$ host www.qlzwfzfatjth.ru
www.qlzwfzfatjth.ru has address 144.76.58.136
www.qlzwfzfatjth.ru has address 85.10.201.70
www.qlzwfzfatjth.ru has address 144.76.32.66
www.qlzwfzfatjth.ru has address 5.9.61.75
www.qlzwfzfatjth.ru has address 144.76.91.146
www.qlzwfzfatjth.ru has address 5.9.110.228
www.qlzwfzfatjth.ru has address 5.9.67.171
www.qlzwfzfatjth.ru has address 144.76.76.226
www.qlzwfzfatjth.ru has address 144.76.65.203
www.qlzwfzfatjth.ru has address 5.9.81.135
www.qlzwfzfatjth.ru has address 85.10.201.199
www.qlzwfzfatjth.ru has address 144.76.68.4
www.qlzwfzfatjth.ru has address 144.76.40.218

Man, that's a lotta different IPs.

144.76.58.* is in Germany
85.10.201 is also in Germany
5.9.*.* is in Germany...

In fact, all of these are part of "Hetzner Online GmbH". I have no idea who they are, but Google suggests they are a large hosting and datacenter operator.
Old 06-29-2018, 06:18 PM   #12
Alex Adams (Alexander, New Hampshire)
I was afraid of that. Hopefully the moderators will check this and do something. I tend to be paranoid when it comes to the internet. I've been running antivirus and anti-malware since it has been available, even before some upstart kid named McAfee got started!
Old 06-29-2018, 06:30 PM   #13
John in Santa Cruz (John, CA)
Adding that qxxxx domain (without any www.) to my uBlock spam list has stopped the 100% CPU usage.
Old 06-29-2018, 06:42 PM   #14
Alex Adams (Alexander, New Hampshire)
Steve, check your settings in Malwarebytes. Something like Realtime Protection is turned off. You should be getting the same messages I am.
Copyright 2002- Social Knowledge, LLC All Rights Reserved.