Rich Freeman on 23 Jan 2019 09:57:39 -0800


Re: [PLUG] Mining for Cycles (Pavel Kovtunenko)


On Wed, Jan 23, 2019 at 12:48 PM jeff <jeffv@op.net> wrote:
> On 1/23/19 11:19 AM, Michael Lazin wrote:
> >
> > If it's a desktop you may have been infected by browsing a site like
> > this.  I recommend if you use firefox to use noscript.  This blocks all
> > javascript other than what you explicitly allow.
>
> It's the first extension I install.
> Apparently the user disabled it for the wrong site.

If this were just a javascript cryptominer you could get rid of it by
simply closing the tab or hitting reload after the site removes it
(assuming they didn't put it there to begin with).  Certainly noscript
would stop it as well.  However, this is a pretty harmless "intrusion"
as it is running in a sandbox.

What you had was a full rooting of your system.  Based on the info you
posted there is no way to be sure it even got in via a browser, let
alone javascript.  There are many ways (in theory) such an attack can
take place, and if your system were free of exploits it simply
wouldn't have happened in the first place.

I wouldn't assume that the whole thing wouldn't have happened if you
had been running noscript everywhere.  That /might/ have stopped it,
but not if it came in via some entirely different route.  And of
course even if hostile javascript were running it requires both a
browser exploit and a local root exploit to progress to a full rootkit
like what you had installed.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug