SLR: Bomonero – Crypto-Mining Activity

  • Resolved AAVasilev

    (@aavasilev)


    5 years, 12 months ago

    Hi
    After installing this plugin, the error log is full of these messages:

    [Sun Mar 31 12:45:58 2019] [error] [client 93.80.82.65] ModSecurity: Warning. Matched phrase “m.js” at RESPONSE_BODY. [file “/etc/httpd/mod_security/trustwave_rules.conf”] [line “2977”] [id “2500005”] [rev “11272018”] [msg “SLR: Bomonero – Crypto-Mining Activity”] [severity “CRITICAL”] [tag “attack-crypto mining”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “https://www.trustwave.com/Resources/Trustwave-Blog/All-the-Ways-Cybercriminals-Are-Exploiting-the-Cryptocurrency-Boom/”%5D [hostname “XXXXXXXXX”] [uri “/wp-admin/admin.php”] [unique_id “XKCMVh8fxGAAAJK5FfQAAADB”]

    Now only the admin panel page is specified, if you add the plugin widget for example to the home page, it will also appear in this list

    Vik Booking, what is it?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author e4jvikwp

    (@e4jvikwp)

    Hi,
    There is no reference to Vik Booking in your logs, and since our plugin does not touch the error reporting level, this is probably just a coincidence.

    The errors reported in the log seem to be related to your PHP installation, more precisely to some security modules enabled in your server. Those are not errors that occurred at “runtime” during the execution of the plugin Vik Booking.

    For these reasons you should probably show the error log to your hosting company because the website is not responsible of any of those logs. Those are logs related to your Web Server, not sure if it’s Apache, but it’s definitely something related to your “mod_security”. Only your hosting company could provide more details on this matter.

    Thread Starter AAVasilev

    (@aavasilev)

    No, I repeated the installation on a clean server, but I got the same message. Your plugin really causes this error and after removal leaves 36 tables in the database after itself… it’s a shock

    Plugin Author e4jvikwp

    (@e4jvikwp)

    Hi,

    Vik Booking registers a hook for the activation, the de-activation, and the uninstallation to remove all of its database tables and wp_options. It is not possible that after removing the plugin you still have its database tables, this highlights another issue with your server, maybe with the SQL permissions.

    I understand you tried to install the plugin on a “clean server”, but if you have the same web-server configuration, then the result can only be the same.

    Your errors log doesn’t mention any files of Vik Booking, so there is nothing we can do to help you in this case. If there was even a Notice message related to a PHP file of Vik Booking in the logs, then we could have helped but in your case that’s a generic error with your mod_security.

    You should try to show the error to your hosting company because this has never happened to any of our clients, or similar issues would have been raised already. Yours is clearly a server error, and honestly, Vik Booking doesn’t call or use any PHP function that could trigger a server error.
    Also, your log message mentions a file called m.js which doesn’t belong to the plugin Vik Booking, so there is really nothing we can do to help you, I’m sorry.

    Thread Starter AAVasilev

    (@aavasilev)

    Ok, thank you

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘SLR: Bomonero – Crypto-Mining Activity’ is closed to new replies.