What Does the Miner.JS.CoinHive.a Threat Mean and How To Deal With It?

Problem

  1. In the detection system and IPS logs, a threat appears as Miner.JS.CoinHive.a or CoinHive.MinerScript. What does this detection mean and how should we deal with it?
  2. My Padvish detected an attack from the DNS server address on port 53 (or from the proxy server on its port). The name of the threat is Miner.JS.CoinHive.a.

Concept

Your browser connected to a site that included a cryptocurrency mining script.

Today some sites (including Persian sites, news agencies, etc.) put cryptocurrency mining scripts on their pages without asking users' permission. As a result, when you visit such a site, the script uses the CPU of your computer or phone, without your knowledge, to mine cryptocurrency for the site's operator. A site can also be infected with these scripts through attacks that use other methods, which are explained below.

Padvish detects these scripts and prevents them from being loaded onto your system. Miner.JS.CoinHive.a is one such detection, identified and neutralized by Padvish IPS. This component is responsible for protecting your system from network attacks.

Facing this message

In general, this message requires no special action from the client.

Note that three general situations are possible when you face this message:

  1. The site has been hacked and the script was added without the site manager's knowledge. Nothing needs to be done on your client's side (you may inform the site manager).
  2. The site manager has deliberately added a cryptocurrency mining script to the page. Nothing needs to be done on your client's side (you may inform the site manager).
  3. A piece of network equipment inserts the script into the site somewhere along the path. This is a serious issue. If you have a MikroTik router in your network, check it.

Meanwhile, remember that this message does not indicate a classical threat or attack, and your system is not in danger. Padvish prevents the mining script from being received and run, so your system's CPU is not burdened. Therefore, except for situation 3, where the problem lies in your network equipment, no further action is needed on the client.
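The following is an added example written for this article; it is not Padvish code and does not reproduce a Padvish signature. It shows what a detection like the one above has to look for in a page (the CoinHive library URL and the JavaScript objects the embedding page calls, which are public indicators) and, for situation 3, how to tell a page that was modified in transit from one that carried the script to begin with: fetch the same URL over a trusted path and compare the scripts. All HTML samples are constructed here.

```python
"""Added example (not Padvish code): spotting a CoinHive-style mining script
in an HTML page, and listing scripts that appear only in the copy received
through a suspect network path.

Indicator strings are the publicly known CoinHive library URL and JavaScript
object names; every HTML sample below is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public indicators of the CoinHive browser miner (not a Padvish signature).
MINER_HOSTS = {"coinhive.com", "www.coinhive.com"}
MINER_INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User", "coinhive.min.js")


class _ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def collect_scripts(html):
    """Return (external srcs, inline bodies) for a page."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def find_miner_scripts(html):
    """Describe each script in the page that matches a CoinHive indicator."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_HOSTS or src.endswith("coinhive.min.js"):
            findings.append(f"external script from {src}")
    for body in inline:
        hit = next((m for m in MINER_INLINE_MARKERS if m in body), None)
        if hit:
            findings.append(f"inline script using {hit}")
    return findings


def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed copy of a page but absent from the
    reference copy (the same URL fetched over a trusted path). A non-empty
    result means the script was added in transit: situation 3 above."""
    ref_ext, ref_inl = collect_scripts(reference_html)
    obs_ext, obs_inl = collect_scripts(observed_html)
    extra = [f"external:{s}" for s in obs_ext if s not in ref_ext]
    extra += [f"inline:{b.strip()[:60]}" for b in obs_inl if b not in ref_inl]
    return extra


# Constructed samples: a clean news page and the same page with a miner
# appended just before </body>, as an injecting middlebox would do.
CLEAN_PAGE = (
    "<html><head><title>news</title>"
    "<script src='/static/app.js'></script></head>"
    "<body><p>Headline</p></body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
    "<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');"
    "m.start();</script></body>",
)

if __name__ == "__main__":
    print("clean page      :", find_miner_scripts(CLEAN_PAGE))
    print("injected page   :", find_miner_scripts(INJECTED_PAGE))
    print("added in transit:", injected_scripts(CLEAN_PAGE, INJECTED_PAGE))
```

`find_miner_scripts` answers "is there a miner on this page at all", which is all an IPS on the client can know; `injected_scripts` is the comparison a network administrator would run from a client inside the suspect network against a copy fetched from outside it. Agreement between the two copies points to situations 1 or 2 (the site itself carries the script); a difference points to situation 3.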

Note: the IP address recorded in the Padvish IPS log is usually your organization's DNS server or proxy server. These servers are not infected; the client system simply connected to them (as a result of visiting a website) in the course of receiving the script.
Warning to network administrators: if you use MikroTik equipment in your network, read the next section.

MikroTik equipment and crypto-currency extraction attacks

This section is written for network administrators.

MikroTik equipment running RouterOS version 6.42 or lower has a very dangerous vulnerability (CVE-2018-14847) that gives anyone who can connect to the device's management port admin access to change the device settings.

Attacks are under way around the world (including in Iran) that use this vulnerability to take control of the MikroTik device away from you; from then on, the device injects the cryptocurrency mining script into every site that your clients visit.

Padvish IPS prevents the mining scripts from running on clients, but a compromised MikroTik can have serious consequences, up to an outage or a complete compromise of the network, and must be dealt with as quickly as possible:

  • Check all MikroTik equipment and update it to the latest version; it is advisable to back up the settings before doing anything.
  • Correct the network firewall and MikroTik settings: the management port of your network equipment should not be reachable from general-purpose computers. Defining a proper VLAN limits access to administrative computers only.
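The two checks above can be turned into a small audit. The following added example is written for this article (it is not Padvish or MikroTik code) and works on the text that two RouterOS commands print, `/system resource print` for the version and `/ip service print` for the management services and their address restrictions. The command output embedded below is constructed for the example; on a real device it would be captured over SSH or from the console. The version threshold follows the article's own criterion (6.42 or lower); MikroTik's release notes give the exact fixed build on each release branch.

```python
"""Added example (not Padvish or MikroTik code): audit a MikroTik router
against the two checks in this section, using the text output of
`/system resource print` and `/ip service print`. Sample output is
constructed for this example.
"""
import re

# The article's criterion: RouterOS 6.42 or lower is affected by
# CVE-2018-14847. Check MikroTik's release notes for the fixed build
# on each release branch.
LAST_AFFECTED_VERSION = (6, 42)

# Services through which the device is administered; each should be either
# disabled or restricted to the admin subnet through its address field.
MANAGEMENT_SERVICES = {"winbox", "api", "api-ssl", "ssh", "telnet",
                       "www", "www-ssl", "ftp"}


def parse_version(text):
    """Turn '6.42 (stable)' or '6.43.2' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected_version(text):
    """True when the version is within the range the article calls vulnerable."""
    return parse_version(text) <= LAST_AFFECTED_VERSION


def version_from_resource_print(output):
    """Extract the value of the 'version:' line from `/system resource print`."""
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "version":
            return value.strip()
    raise ValueError("no version line found")


def unrestricted_services(output):
    """From `/ip service print` output, list enabled management services whose
    ADDRESS column is empty, i.e. reachable from any host that can route to
    the router. Rows start with an index; a flag letter (X disabled, I invalid)
    may follow it; then NAME, PORT, optional ADDRESS, optional CERTIFICATE."""
    exposed = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                      # header, flags legend or blank line
        fields = tokens[1:]
        if fields[0] in ("X", "I", "XI"):
            continue                      # disabled or invalid entry
        name, port = fields[0], int(fields[1])
        # An address/prefix starts with a digit; a certificate name does not.
        address = fields[2] if len(fields) > 2 and fields[2][0].isdigit() else None
        if name in MANAGEMENT_SERVICES and address is None:
            exposed.append((name, port))
    return exposed


def audit(resource_output, service_output):
    """Combine both checks into one report."""
    version = version_from_resource_print(resource_output)
    return {
        "version": version,
        "needs_update": is_affected_version(version),
        "exposed_services": unrestricted_services(service_output),
    }


# Constructed, abridged output of `/system resource print`.
SAMPLE_RESOURCE = """\
                   uptime: 3d12h05m
                  version: 6.42 (stable)
               build-time: Apr/13/2018 10:49:19
               board-name: RB750Gr3
"""

# Constructed output of `/ip service print`: only winbox is limited to the
# admin subnet, ftp is disabled (flag X), everything else is wide open.
SAMPLE_SERVICES = """\
Flags: X - disabled, I - invalid
 #   NAME      PORT ADDRESS          CERTIFICATE
 0   telnet    23
 1 X ftp       21
 2   www       80
 3   ssh       22
 4   www-ssl   443                   none
 5   api       8728
 6   winbox    8291 192.168.10.0/24
 7   api-ssl   8729                  none
"""

if __name__ == "__main__":
    report = audit(SAMPLE_RESOURCE, SAMPLE_SERVICES)
    print(f"RouterOS {report['version']}: update needed = {report['needs_update']}")
    for name, port in report["exposed_services"]:
        print(f"  {name} (tcp/{port}) accepts connections from any address")
```

Each `exposed_services` entry corresponds to a service that should be disabled or given an `address=` restriction to the administrative subnet in `/ip service`, and `needs_update` corresponds to the first bullet above (back up the configuration, then upgrade). The VLAN separation the second bullet recommends is the complement of this: the address restriction only helps if ordinary clients cannot reach the management subnet in the first place.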
