Soren Harward on 23 Jan 2019 12:56:07 -0800



Re: [PLUG] Mining for Cycles (Pavel Kovtunenko)


On Wed, Jan 23, 2019 at 12:57 PM Rich Freeman <r-plug@thefreemanclan.net> wrote:
> What you had was a full rooting of your system.  Based on the info you
> posted there is no way to be sure it even got in via a browser, let
> alone JavaScript.  There are many ways (in theory) such an attack can
> take place, and if your system were free of exploits it simply
> wouldn't have happened in the first place.
>
> I wouldn't assume that the whole thing wouldn't have happened if you
> had been running noscript everywhere.  That /might/ have stopped it,
> but not if it came in via some entirely different route.  And of
> course even if hostile JavaScript were running it requires both a
> browser exploit and a local root exploit to progress to a full rootkit
> like what you had installed.

Very much seconded.

Jeff: your explanation of a JavaScript exploit seems like a case of confirmation bias: it's possible, but you've been looking for evidence to support your current theory, instead of trying to rule out other possible ways that your system got compromised.

Yes, there are sneaky browser-based JavaScript cryptominers.  There are also trojans — including browser plugins — that use local privilege escalation exploits to install rootkits and then cryptominers.  But I haven't found any evidence to support the theory that the attack vector went browser JavaScript -> rootkit -> installed cryptominer.

--
Soren Harward
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
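The point both replies make, that a browsing-history entry before the rootkit is not evidence of a browser vector until the other routes have been ruled out, is the kind of thing a timeline makes obvious. The following is an added Python example, not code from this thread or from anyone on the list: it takes a handful of constructed artifacts (an auth.log excerpt, a browser history visit, a root crontab entry, a package install) and sorts each candidate vector into "precedes the rootkit and could be the cause" or "ruled out" relative to the earliest rootkit artifact. All timestamps, hostnames, IP addresses and file paths are made up for the example; the 24-hour window and the choice of an /etc/ld.so.preload mtime as the anchor are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Artifact:
    when: datetime   # time the evidence says the event happened
    vector: str      # candidate intrusion vector it would support
    source: str      # where on the box it was collected from
    detail: str


# Constructed /var/log/auth.log excerpt (syslog lines carry no year; 2019 is assumed).
SAMPLE_AUTH_LOG = """\
Jan 19 22:41:03 desk sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2
Jan 20 03:05:41 desk sshd[2319]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Jan 20 03:06:02 desk sshd[2319]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ssh_logins(text, year=2019):
    """Turn successful sshd logins in an auth.log excerpt into Artifacts."""
    logins = []
    for line in text.splitlines():
        m = _ACCEPTED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append(Artifact(when, "ssh", "/var/log/auth.log",
                                   f"{m['user']} login from {m['ip']}"))
    return logins


# Constructed artifacts from elsewhere on the box. The "rootkit" entry is the
# anchor: the earliest artifact that is unambiguously the intrusion's own
# (assumed here to be the mtime of an /etc/ld.so.preload entry).
SAMPLE_ARTIFACTS = [
    Artifact(datetime(2019, 1, 20, 3, 12), "rootkit", "/etc/ld.so.preload (mtime)",
             "unknown shared object preloaded into every process"),
    Artifact(datetime(2019, 1, 19, 22, 40), "browser", "firefox places.sqlite",
             "visit to a site running third-party scripts"),
    Artifact(datetime(2019, 1, 20, 3, 14), "cron", "/var/spool/cron/crontabs/root",
             "@reboot entry relaunching the miner"),
    Artifact(datetime(2019, 1, 10, 9, 0), "package", "/var/log/dpkg.log",
             "third-party .deb installed"),
]


def assess(artifacts, window=timedelta(hours=24)):
    """Classify each candidate vector against the rootkit's install time.

    A vector stays on the table only if some evidence for it falls inside
    `window` before the anchor. Evidence after the anchor is a consequence
    of the compromise, not its cause; evidence long before it is unrelated
    unless something else ties it in.
    """
    anchors = [a.when for a in artifacts if a.vector == "rootkit"]
    if not anchors:
        raise ValueError("no rootkit artifact to anchor the timeline on")
    t0 = min(anchors)

    by_vector = {}
    for a in artifacts:
        if a.vector != "rootkit":
            by_vector.setdefault(a.vector, []).append(a)

    consistent, ruled_out = {}, {}
    for vector, items in by_vector.items():
        supporting = [a for a in items if t0 - window <= a.when <= t0]
        if supporting:
            consistent[vector] = [f"{a.when:%Y-%m-%d %H:%M} {a.source}: {a.detail}"
                                  for a in supporting]
        elif all(a.when > t0 for a in items):
            ruled_out[vector] = "only appears after the rootkit: consequence, not cause"
        else:
            ruled_out[vector] = f"nothing within {window} before the rootkit"

    if not consistent:
        verdict = "no candidate vector inside the window; widen it or collect more evidence"
    elif len(consistent) == 1:
        verdict = (f"only {next(iter(consistent))} precedes the rootkit; "
                   "still needs a matching exploit chain to be the cause")
    else:
        verdict = ("no single vector established: "
                   + ", ".join(sorted(consistent)) + " all precede the rootkit")
    return {"anchor": t0, "consistent": consistent,
            "ruled_out": ruled_out, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_ARTIFACTS + parse_ssh_logins(SAMPLE_AUTH_LOG))
    for key in ("anchor", "consistent", "ruled_out", "verdict"):
        print(f"{key}: {result[key]}")
```

On the constructed data the browser visit and a root SSH login both precede the rootkit, so the script refuses to name one; the crontab entry lands after the anchor and the package install is too early, so both drop out. That is the check the thread asks for: the browser theory is only as good as the absence of a competing vector in the same window.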