Soren Harward on 23 Jan 2019 12:56:07 -0800

Re: [PLUG] Mining for Cycles (Pavel Kovtunenko)

On Wed, Jan 23, 2019 at 12:57 PM Rich Freeman wrote:
What you had was a full rooting of your system.  Based on the info you
posted there is no way to be sure it even got in via a browser, let
alone JavaScript.  There are many ways (in theory) such an attack can
take place, and if your system were free of exploits it simply
wouldn't have happened in the first place.

I wouldn't assume that the whole thing wouldn't have happened if you
had been running noscript everywhere.  That /might/ have stopped it,
but not if it came in via some entirely different route.  And of
course even if hostile JavaScript were running it requires both a
browser exploit and a local root exploit to progress to a full rootkit
like what you had installed.

Very much seconded.

Jeff: your explanation of a JavaScript exploit seems like a case of confirmation bias: it's possible, but you've been looking for evidence to support your current theory, instead of trying to rule out other possible ways that your system got compromised.

Yes, there are sneaky browser-based JavaScript cryptominers.  There are also trojans — including browser plugins — that use local privilege escalation exploits to install rootkits and then cryptominers.  But I haven't found any evidence to support the theory that the attack vector went browser JavaScript -> rootkit -> installed cryptominer.

Soren Harward
Philadelphia Linux Users Group