ShipSpotting.com Forum

Shipspotters all over the world => Site related news, functions and modules => Topic started by: Richard Paton on October 10, 2017, 05:27:10 pm



Title: Coinhive threat warning
Post by: Richard Paton on October 10, 2017, 05:27:10 pm
Has anybody else been getting an anti virus alert for coinhive.com on this site when you click on it?

The warning beeps saying virus detected only happen on this site and no other.


Title: Re: Coinhive threat warning
Post by: andrecas on October 10, 2017, 06:35:40 pm
Just today I've been getting pop up screens from Malwarebytes (to which I subscribe) indicating this "coinhive" site is being blocked. It makes me wonder (again) when this site will update (or implement) security features similar to other sites (such as Marine Traffic), etc.


Title: Re: Coinhive threat warning
Post by: simonwp on October 10, 2017, 06:48:39 pm
Yes, I'm getting the same. Fortunately my anti-virus software is blocking it.


Title: Re: Coinhive threat warning
Post by: Richard Paton on October 10, 2017, 06:50:34 pm
Glad to hear it's not just me then; having googled it, it seems coinhive is a way for a website to generate revenue.

Coinhive is a cryptocurrency miner written in JavaScript, which sends any coins mined by the browser to the owner of the web site.


Title: Re: Coinhive threat warning
Post by: Cedric Hacke on October 10, 2017, 08:23:52 pm
I did notice very high CPU usage on this page, despite not seeing the ads with an adblocker.


Title: Re: Coinhive threat warning
Post by: davidships on October 10, 2017, 09:02:34 pm
Yes Cedric.
That's what it does, apparently, though I don't pretend to understand it.
However this seems to touch on it - and in particular on the issue around it being set to maximise CPU usage:
https://www.reddit.com/r/beermoney/comments/751c8m/beware_the_coinhivecom_jsminerc/

I'm waiting for Cody to come back to me on this.
(Cedric, I am working offsite on the category question and will email you)


Title: Re: Coinhive threat warning
Post by: Cody Williams on October 11, 2017, 05:47:54 am
Hi Everyone,

Remember when we had issues with the site being rerouted to ad-websites on some mobile devices a while back? That was caused by Tizermedias which was placed into our site’s directory – where all the files on our server are that make the site work – by a hacker. So far Henrik hasn’t been able to fully get rid of Tizermedias and so what’s happened now is that Tizermedias is now using Coin Hive to mine Bitcoin by using other people’s computers to do the work – it’s an extra source of revenue for them on top of ad-revenue.

When the site loads all of the scripts that make features like buttons work, show photos and ads et cetera; the Coin Hive script also gets run. From what I understand it's not malicious but I'll try to find out more about it.

Best Wishes
Cody


Title: Re: Coinhive threat warning
Post by: Cedric Hacke on October 11, 2017, 08:08:58 am
Thanks for the update Cody and David. I hope the issue gets resolved soon, CPU usage is so high that I can hardly scroll through pages after a while.

Kind regards
Cedric


Title: Re: Coinhive threat warning
Post by: Phil English on October 11, 2017, 08:25:45 am
I've also noticed that shipspotting has been making my CPU run at 100%. Consequently, everything else on my PC runs slower than it should. Nothing else is doing it; as soon as I close ss.com, my CPU goes down to <10%.

Brgds
Phil


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 11, 2017, 08:59:47 am
There are Coin Hive extensions that you can download for Chrome, Firefox, Opera etc. They not only stop it loading but clean your browser. Just "Google" it, e.g. search for Coin Hive blocker +Chrome etc. Note the search works best if Coin and Hive are separated or as Coin-Hive.
See http://cryptomining-blog.com/tag/no-coin-browser-extension/ for extra info if required.

Once it's loaded there will be an icon in your browser bar ... On and Off so make sure you turn it on.


Title: Re: Coinhive threat warning
Post by: Robert J Smith on October 11, 2017, 12:16:46 pm
I’m getting a lot of cache files being blocked by my anti-virus, is this the same problem? Files are all various f_XXXXXX numbers e.g. F_011356
Problem only on shipspotting.com on different browsers, all other sites are ok.


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 11, 2017, 12:43:11 pm
Although it's not a virus, it's a trojan via JavaScript. Searching Norton, Bitdefender, Kaspersky websites they have the tools to detect and remove. Need to run the Norton etc. system scan, to find and remove.
It would appear that antivirus does not detect until it's actually within your browser. It's downloaded with free software and via adverts so reinfects looking for any Bitcoins you may have in your "piggy bank". Then steals them. An adblocker will stop it infecting but Shipspotting may not like you using ad blockers as it's part of their revenue. As I use an ad blocker within my browsers I do not see any ads on the site so cannot comment if one or more of the ads are infected. I'm assuming Shipspotting still displays ads.
Clear your browser cache but that will not stop "reinfection". Need to prevent the source/ads reinfecting.
See https://malwaretips.com/blogs/remove-coin-hive-miner/ for remedies.


Title: Re: Coinhive threat warning
Post by: Allan RO on October 11, 2017, 01:52:30 pm
my AVG free is picking it up and disposing.

Allan


Title: Re: Coinhive threat warning
Post by: pieter melissen on October 11, 2017, 02:11:32 pm
my AVG free is picking it up and disposing.

Allan

so does mine but it is quite irritating, and I have a feeling that even though it has been picked up it has not been disposed of as it still manages to slow my computer.


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 11, 2017, 02:38:31 pm
Unless it's TOTALLY removed then it will keep coming back when you restart computer. Try https://www.malwarebytes.com/adwcleaner/ and run as Administrator ... it's free. Stay away from ads on sites. You do not even have to look at the infected ads.


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 11, 2017, 02:56:02 pm
Robert, re your f_0113ad file ... this is the file reference to one of the files sitting in your browser cache. Depending how often you clean your cache you might have a few in number or thousands. They are small but lots accumulate wasted disc space. Your Norton might just have been cleaning your cache as these files are generally useless as they are kept in a temporary storage area in memory or on disk that holds the most recently downloaded Web pages. Just speeds up you going back to a recent or much older web page (doesn't go back to the website) at the expense of your memory or disc space.
Doesn't mean it's found virus / trojan ... that would be flagged up.


Title: Re: Coinhive threat warning
Post by: Robert J Smith on October 12, 2017, 12:12:42 pm
Thanks for your comments.
I've done a complete system scan with no problems found.
Cleared the cache on all browsers.
Still get the f_xxx files being removed, very annoying.
Also get "Web Attach JSCoinminer Download 6" & "Download 8" notification of stopped & removed by my anti virus when I connect to Shipspotting, no other sites.

This has got to be a Shipspotting issue

Regards

Bob


Title: Re: Coinhive threat warning
Post by: Robert J Smith on October 12, 2017, 12:14:12 pm
Also get

Database Error: Got error 28 from storage engine
File: /www/www/smf1/Sources/Subs-Post.php
Line: 1410

when posting the above although the post is successful



Title: Re: Coinhive threat warning
Post by: andrecas on October 12, 2017, 01:03:14 pm
In spite of system update and regular cleansing of cache, anti virus components still constantly blocking "coinhive". Happening only on Shipspotting and none of the other sites visited...


Title: Re: Coinhive threat warning
Post by: Graham Darling on October 12, 2017, 05:57:56 pm
Every time I log into shipspotting I get a pop up saying Norton has blocked an attack by web attack JS Coinminer Download 8. I am using adblocker and have cleared my file history and cache but as soon as I click on shipspotting the pop up is back.


Title: Re: Coinhive threat warning
Post by: Patrick Hill on October 12, 2017, 06:07:40 pm
Virus scan (McAfee and Malwarebytes) finds nothing, Chrome cleared and reset but still get this issue from home page. Malwarebytes blocks multiple outward events while processor goes full ahead. :( Adblock plus in use.

Only happens on photo pages.


Title: Re: Coinhive threat warning
Post by: Richard Paton on October 12, 2017, 06:12:56 pm
Whilst coinhive is not malicious it seems to be embedded into this website, and as such it's a pest.

To me this site is now compromised with adware, and that's a real shame.

I still get the pop up too, not all the time but occasionally, this is despite having the coinhive blocker working.  :(

Will there be a plan to rid the site of this, or will we just have to accept it as the norm from now on?



Title: Re: Coinhive threat warning
Post by: ChasB46 on October 12, 2017, 08:21:21 pm
Coin_hive is designed not to be found and removed; and further injects an in-browser Miner Trojan. It's now being used by cyber-criminals and "injected" with a tweaked JavaScript.
Once it's "allowed" in it's not only in your browser (the usual route in) but hides itself within your system. You can detect when it's "onboard" with extremely high CPU and graphics use, thus diminishing the life of your motherboard through stress. Once the miner starts it does not stop ... why your CPU hits 100%. There is protection with some adblockers and very recently updated antivirus programmes BUT if it's already in your system it's designed to be hidden and guards itself against removal.
If you are tech savvy you need to delve/search  into your system looking for variations of coin-hive ( there are many derivations now) and also into your registry (dangerous if you do not know what you are doing).
Your best chance .... Q. When did you last make a backup of your system or system restore point?   If you have one prior to when you first noticed the problem, roll your system back. Then install the ad blockers you failed to use previously before browsing. Of course you do regularly make system backups?


Title: Re: Coinhive threat warning
Post by: Richard Paton on October 12, 2017, 08:39:26 pm
Chas, yes I have backup points before the problem arose, so will try that suggestion as a solution.

Thanks for your input and advice, it's much appreciated.


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 12, 2017, 09:44:23 pm
Richard, wish you all success with system restore. See previous postings re advisory software to install before hitting the browser too hard, e.g. Adblock Plus or similar, Coin Hive blockers specific for Firefox, Opera, Chrome etc; and Admuncher. Personally I would start by downloading and installing Admuncher. Then the others as browser use would be less intensive just downloading one file and that would protect while searching for others. Direct source https://www.admuncher.com ... saves you using browser to search etc.


Title: Re: Coinhive threat warning
Post by: Pieter Inpyn on October 14, 2017, 09:11:24 am
Because I am under constant attack with this Coin-thing and Odessa.htm-warnings, I will stop using this website, posting pictures and end my work as photo-editor for some time.
I hope that I can return to the website after the admin/webmaster/ICT-master or who ever can send me a solution for this plague, suitable for a digital nitwit like me.
Regards,  Pieter Inpyn


Title: Re: Coinhive threat warning
Post by: Patrick Hill on October 14, 2017, 09:57:36 am
I have reset my system to an earlier restore point, run McAfee and Malwarebytes checks (nothing found) confirmed AdBlock Plus still working. I will not however open any photo pages until it has been confirmed that this issue has been resolved. There isn't an issue with this forum page if accessed directly, the issue only seems to be on any page with images (main page, photos, and your own photo pages) so I suspect somehow embedded in image viewing code?

Hope this helps.

Patrick


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 14, 2017, 11:12:16 am
Firstly I have no association with the programmes used in this remedial work. It's going to take time on your part but the programmes are free (download from reputable sources). Hitman Pro is free for 30 day trial. https://malwaretips.com/blogs/remove-coin-hive-miner/ . The longer coin hive is in your system the more it buries itself into more & more places.


Title: Re: Coinhive threat warning
Post by: Henrik Soderberg on October 14, 2017, 07:54:03 pm
Hi all,

I would just like to say that the problems some of you are experiencing are caused by bad ads added by our third party ad agencies. We are working on finding the exact source, to be able to block this out.

The Error from database is now gone. It is not related to the coinhive problem.

Regards,
Henrik
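
A site-side check of the kind a webmaster could run while tracing which include pulls in the miner. This is an added example, not code from the ShipSpotting team; the sample HTML, the `ads.example.net` host and the `/gallery/` path are constructed, and only the coinhive.com and tizermedias.com names come from this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Domains reported in this thread; matched together with their subdomains.
BLOCKLIST = {"coinhive.com", "tizermedias.com"}
# Hosts the audited site is expected to load from (assumption for the example).
ALLOWLIST = {"www.shipspotting.com", "forum.shipspotting.com"}

# Constructed sample page, not a capture of the real site.
BASE_URL = "http://www.shipspotting.com/gallery/"
SAMPLE_HTML = """
<html><head>
<script src="/js/gallery.js"></script>
<script src="//ads.example.net/serve.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<iframe src="http://tizermedias.com/odessa/"></iframe>
<script src="https://notcoinhive.com/x.js"></script>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect URLs of tags that execute or embed remote content."""
    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative and protocol-relative URLs against the page.
            self.resources.append((tag, urljoin(self.base_url, value.strip())))


def domain_matches(host, domain):
    """True for the domain itself or any subdomain, not for look-alikes."""
    return host == domain or host.endswith("." + domain)


def audit(html, base_url):
    """Return (verdict, tag, host, url) for every embedded resource."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = (urlparse(url).hostname or "").lower()
        if any(domain_matches(host, d) for d in BLOCKLIST):
            verdict = "blocked"      # known-bad host from the thread
        elif host in ALLOWLIST:
            verdict = "expected"     # first-party include
        else:
            verdict = "review"       # third party: trace who added it
        findings.append((verdict, tag, host, url))
    return findings


if __name__ == "__main__":
    for verdict, tag, host, url in audit(SAMPLE_HTML, BASE_URL):
        print(f"{verdict:8} <{tag}> {host}  {url}")
```

A static scan only sees tags present in the served HTML; a script that an ad network injects at run time shows up as a "review" host here, and what it loads afterwards has to be traced in the browser's network log.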


Title: Re: Coinhive threat warning
Post by: Pilot Frans on October 14, 2017, 11:43:20 pm
Thanks Henrik for your update and all the input you put into it.

regards
Frans


Title: Re: Coinhive threat warning
Post by: Hannes van Rijn on October 15, 2017, 03:00:13 pm
I receive this warning of this site: This website has been reported as harmful.
We recommend not visiting this website.

http://tizermedias.com/odessa/?54vFcZ&se_referrer=http://forum.shipspotting.com/index.php?action=post;topic=15939.0;num_replies=29&default_keyword=My%20Uploaded%20Photos%20-%20ShipSpotting.com%20-%20Ship%20Photos%20and%20Ship%20Tracker&r=7308

Is there a virus in this site ????


Title: Re: Coinhive threat warning
Post by: Peter Lenderink on October 15, 2017, 09:08:59 pm
I have noticed slowing of the site as well, plus when this site is opened, some other programs are also slowing down.


Title: Re: Coinhive threat warning
Post by: lappino on October 16, 2017, 02:05:05 am
Simple check: processor usage jumps to 100% as soon as the site opens.

This is theft, you know. :)

I am outta here until they sort it out.


Title: Re: Coinhive threat warning
Post by: davidships on October 16, 2017, 02:34:38 am
A reminder - I think that it is mentioned somewhere below that the problem is only related to www.shipspotting.com addresses and not to the different domain that runs this Forum.

We do not recommend that members ignore the 99% CPU usage caused by this if your anti-virus or other security software doesn't fix it, at least temporarily.  I suggest members, especially those who have no temporary fix for the main site and wish to withdraw from general activity for the moment, keep in touch with progress via this forum and access it directly by bookmarking http://forum.shipspotting.com/index.php

We are in the hands of Henrik at the moment and I am sure that he will post an update here as soon as possible.

best wishes to all

David





Title: Re: Coinhive threat warning
Post by: ChasB46 on October 16, 2017, 10:11:14 am
To see if you have Coin-hive aboard give Zemana a try. https://www.zemana.com/download . If you do not want to load the programme into your system there is a portable version available. It's free for 14 days and does remove any nasties it finds without you having to pay in that time span (some "free for 30 days etc" ones scan but ask for cash before removing). I've been a regular user of Malwarebytes and SuperAntispyware but trialling Zemana found extra nasties and removed them. In reviews it does zap coin-hive so if you suspect you're infected give it a try. To prevent reinfection initiate a good adblocker.
As Shipspotting is reliant on ads, once the site has been cleared of the coin-hive intrusion, you can support the site by allowing its ads etc.
NOTE ... Zemana will do an initial scan of most likely areas of infection but not the whole drive. To search whole drive drag and drop your 'C' drive etc. into the box on its start-up page.


Title: Re: Coinhive threat warning
Post by: Patrick Hill on October 16, 2017, 07:23:05 pm
Just a quick point, I have run AdBlock plus for quite some time but still suffered with this trojan - however all scans with McAfee and Malwarebytes found no issues on my system.


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 16, 2017, 08:24:02 pm
How do you know that it's coin-hive (Monero) causing your problem if it's not been detected? Malwarebytes is blocking 5 million "attacks" a day.


Title: Re: Coinhive threat warning
Post by: Patrick Hill on October 16, 2017, 08:44:49 pm
How do you know that it's coin-hive (Monero) causing your problem if it's not been detected? Malwarebytes is blocking 5 million "attacks" a day.

Because malwarebytes blocks the outgoing connection to coin-hive sites....


Title: Re: Coinhive threat warning
Post by: Oldkayaker on October 17, 2017, 04:42:50 pm
Yes, getting the same malware warning about coinhive.com


Title: Re: Coinhive threat warning
Post by: Cody Williams on October 18, 2017, 01:31:22 am
How to Block Coin-Hive

Hi Everyone,

I think I may have found a solution. You can add the extension, No Coin for your browser:

No Coin for:
• Chrome (https://chrome.google.com/webstore/detail/no-coin/gojamcfopckidlocpkbelmpjcgmbgjcl)
• Firefox (https://addons.mozilla.org/en-US/firefox/addon/no-coin/?src=search)
• Opera (https://addons.opera.com/en/extensions/details/no-coin/?display=en)

Alternatively you can block Coin-Hive within Ad-Block itself. Here’s how you can do that:

1. Click on the Ad-block icon in your browser and select Options.
2. Click on the Customise tab at the top of the page.
3. Click block an ad by its URL.
4. In the text field that appears, enter the URL from the code box below.

Code:
https://coinhive.com/lib/coinhive.min.js

And that should hopefully block it.

Best Wishes
Cody

EDIT: Corrected link


Title: Re: Coinhive threat warning
Post by: pieter melissen on October 18, 2017, 06:01:48 am
Thanks Cody, I can get as far as clicking on the icon, (Adblock ultimate 2.28) but nowhere the "options" button appears. Where do I go wrong?


Title: Re: Coinhive threat warning
Post by: Cody Williams on October 18, 2017, 06:15:17 am
Sorry Pieter, I meant this AdBlock (https://getadblock.com/) extension.





Title: Re: Coinhive threat warning
Post by: pieter melissen on October 18, 2017, 06:38:25 am
OK, I did that, but I had to retype the link in Domain, not in the URL box, because when I did that the "flash" extension that was there reappeared after typing the URL (Copy-paste did not work there).
The results are that I do not get a message from AVG anymore that the connection with coinhive was discontinued, so I hopefully can assume that it was established. In other words Cody, your suggestion works. Thanks a lot.


Title: Re: Coinhive threat warning
Post by: sisko111 on October 18, 2017, 08:22:21 am
Hi all,
I am using Chrome and AdBlock too.
In my case the correct code is: https://coinhive.com/lib/coinhive.min.js
and the problem is solved!
Brgds Siniša


Title: Re: Coinhive threat warning
Post by: Robert J Smith on October 18, 2017, 11:46:02 am
Hi

Also using Chrome and AdBlock in Windows 7, did the above but still getting "Web Attach JSCoinminer Download 6" & "Download 8" notification saying it's been blocked by Norton when opening a screen with photos.

Not the solution for me, this needs to be resolved at site level and not just by attempting to block it on everyone's PC.

May be a clue here.

Getting the same problem on an old laptop, I did a full system scan (takes a few hours) and no problem found. As an experiment I deactivated my AV and connected to Shipspotting for less than a minute, no pop up because no AV, reactivated my AV and did another full system scan and got the result below.

CPU normal without photos, 100% with.

I will be steering clear of all shipspotting pages with photos until this is resolved


Regards

Bob



Title: Re: Coinhive threat warning
Post by: Brett Bachmann on October 18, 2017, 05:58:09 pm
Agree, it is time to resolve this, it is on your website and not readers/subscribers problem...it's taken too long now.


Title: Re: Coinhive threat warning
Post by: Bob Scott on October 18, 2017, 07:48:28 pm
Sorry, but I am no computer nerd and don't really understand all this Coinhive stuff. I have always used Windows 10 and Chrome with an AdBlocker and have never noticed anything unusual when uploading photos. Would I be best to refrain from posting pics until this thing is sorted out?


Title: Re: Coinhive threat warning
Post by: Hannes van Rijn on October 19, 2017, 01:49:31 am
I receive this message from my virus scan. Malware or virus ????

Schadelijke website geblokkeerd
http://tizermedias.com/odessa/?54vFcZ&se_referrer=http://forum.shipspotting.com/index.php?action=post;topic=15952.0;num_replies=0&default_keyword=My%20Uploaded%20Photos%20-%20ShipSpotting.com%20-%20Ship%20Photos%20and%20Ship%20Tracker&r=8992


Title: Re: Coinhive threat warning
Post by: Cedric Hacke on October 19, 2017, 08:58:59 am
Sorry, but I am no computer nerd and don't really understand all this Coinhive stuff. I have always used Windows 10 and Chrome with an AdBlocker and have never noticed anything unusual when uploading photos. Would I be best to refrain from posting pics until this thing is sorted out?

Hi Bob, you'd probably notice if this stuff was running. It uses all the available CPU power so your computer would bog down a bit or the fans would come on. It should be fine if you have Coinhive blocked in AdBlock or if you use a Chrome extension which blocks Coinhive as recommended by Cody. So normally no problems if you haven't already noticed it.

Kind regards
Cedric


Title: Re: Coinhive threat warning
Post by: Bob Scott on October 19, 2017, 09:51:31 am
Thanks, Cedric. Coinhive blocker now on


Title: Re: Coinhive threat warning
Post by: Robert J Smith on October 19, 2017, 12:57:41 pm
It's the "coinminer" that's giving me trouble, not "coinhive".

Any progress on this problem yet?


Title: Re: Coinhive threat warning
Post by: ChasB46 on October 19, 2017, 06:15:32 pm
Coinhive and coinminer are variants of the same intrusion/trojan (as per the horse and sneaks in via various dubious sources). Repeating myself from early reply in this topic, read http://www.malwareremovalguides.info/trojan-bitcoinminer-removal-guide/ which gives a good synopsis of the problem, its burrowing into your system and how to remove. Any trace left will re-infect.