Actualized.org Trying to install crypto miner?

[Girzo]

@D2sage It's you who have some antivirus that gives you false positives. You have fallen for some bullshit marketing of how good their software is. It protects you from imaginary threats.

[A_v_E]

4 minutes ago, Girzo said:

@D2sage It's you who have some antivirus that gives you false positives. You have fallen for some bullshit marketing of how good their software is. It protects you from imaginary threats.

you the straight anti bs patch on this forum I like this

[D2sage]

@Girzo

All you did there was pure assumption.

Do you own websites yourself? Then you know that you can get malware injected into your site without your knowledge.

This post was not to get your insight from your expertise in Software Engineering. It was to make Leo aware that he maybe has some malware worth looking into. 

False or not, still worth mentioning that I get alerts only on his profile and not somewhere else on the page.

If you just assume threat alert as false then you are an idiot.

Edited February 16, 2023 by D2sage

[UnbornTao]

Calm down, guys. The point is to check for a potentially harmful piece of software. I'm sure Leo is looking into it. Let's just hope that it gets sorted out soon.

Edited February 16, 2023 by UnbornTao

[thepixelmonk]

7 hours ago, D2sage said:

@Joyboy @thepixelmonk

Do you have a d'egree in computer science?

I do.

7 hours ago, D2sage said:

A trojan doesn't need your permission to install.

It does. Like you mentioned something like coinimp could use in-browser javascript execution to theoretically contribute to some sort of mining but nothing is "installed".

7 hours ago, D2sage said:

And the code only tries to install on my PC when I visit Leo Gura profile. 

Nothing is special about his profile. Your shit is broken.

[something_else]

@thepixelmonk Websites mining cryptocurrency when you visit is absolutely a thing. And it is absolutely possible for it to be injected into a site, too:

https://blog.sucuri.net/2018/10/obfuscated-javascript-cryptominer.html

https://threats.kaspersky.com/en/threat/Trojan.JS.Miner/

Edited February 16, 2023 by something_else

[zurew]

Quote

Unauthorized drive-by downloads are downloads which happen without a person's knowledge, often a computer virus, spyware, malware, or crimeware.[2]

Drive-by downloads may happen when visiting a website,[3]

https://en.wikipedia.org/wiki/Drive-by_download

 

[thepixelmonk]

36 minutes ago, something_else said:

@thepixelmonk Websites mining cryptocurrency when you visit is absolutely a thing. And it is absolutely possible for it to be injected into a site, too:

https://blog.sucuri.net/2018/10/obfuscated-javascript-cryptominer.html

https://threats.kaspersky.com/en/threat/Trojan.JS.Miner/

Again, yes, in-browser javascript execution could theoretically contribute to some form of mining, but nothing gets "installed", and once you close the tab you're fine. And yes, if you already have malware of some form installed of course it can inject itself into certain places.
 

Quote

Unauthorized drive-by downloads are downloads which happen without a person's knowledge, often a computer virus, spyware, malware, or crimeware.[2]

Drive-by downloads may happen when visiting a website,[3]

https://en.wikipedia.org/wiki/Drive-by_download

99.9% of "drive by downloads" are the first type described- authorized, but unintended.

Edited February 16, 2023 by thepixelmonk

[something_else]

25 minutes ago, thepixelmonk said:

Again, yes, in-browser javascript execution could theoretically contribute to some form of mining, but nothing gets "installed" and once you close the tab you're fine. And yes, if you already have malware of some form installed of course it can inject itself into certain places.

You're pedantically focusing on OPs technically incorrect use of the word install, but it's pretty obvious what OP was talking about. You can infer from context that he is talking about malicious/trojan JS being downloaded and executed behind the scenes on the website.

He even uses the correct word 'injected' in the post you quoted originally to give him a hard time about using the word 'install'. That original post more gives me the impression that you misunderstood what was happening, and you're clinging to the fact that he technically used 'install' incorrectly to avoid admitting that. Maybe because English isn't his first language 

Quote

theoretically contribute to some form of mining

If it was theoretical, no one would do it. But lots of people do. If you have 10k users running that script it will generate some income. There was talk of using that to replace ads on websites at one point.

6 hours ago, Girzo said:

@D2sage It's you who have some antivirus that gives you false positives. You have fallen for some bullshit marketing of how good their software is. It protects you from imaginary threats.

There is always a tradeoff between being too strict and too lenient with AV. If you are too strict, you get lots of false positives, if you are too lenient you get lots of false negatives. Considering the cost of a false negative (real virus not being found) can be very high (identity theft, money theft, theft of your computer resources, leaked passwords, keylogger, nudes sent to the entire world, blackmail, etc. etc.), good AV often errs on the side of caution and provides more false positives.

Edited February 16, 2023 by something_else

[thepixelmonk]

3 hours ago, something_else said:

You're pedantically focusing on OPs technically incorrect use of the word install, but it's pretty obvious what OP was talking about. You can infer from context that he is talking about malicious/trojan JS being downloaded and executed behind the scenes on the website.

He even uses the correct word 'injected' in the post you quoted originally to give him a hard time about using the word 'install'. That original post sounds like you misunderstood what was happening and now you're clinging to the fact that he technically used 'install' incorrectly, maybe because English isn't his first language 

It's not pedantic, the difference between some background javascript running and actually having malicious trojans downloaded and installed onto your computer is a hugely significant difference. Very explicitly stating install multiple times, that it can "be run independently of the actualized.org site", zurew linking the "drive by downloads", etc. in multiple contexts, it was not "pretty obvious" and needed clearing up.

The entire source of the file in question is: https://pastebin.com/raw/uUdgE8xy. There is obviously no "bitcoin miners" here. It's a false positive.

Honestly most likely, if anything, is OP himself has other malware on his computer that is injecting it onto the page lmao.

Edited February 16, 2023 by thepixelmonk

[D2sage]

@thepixelmonk

My PC has a fresh Windows 11 installed and the source of the "malware" is from this site.

12 hours ago, thepixelmonk said:

The entire source of the file in question is

Also, that's not the entire source of the file you linked hehe, here's the whole thing https://pastebin.com/raw/ZeBwZtvG 

You have no clue what you're talking about.

Would be better if a Javascript developer could confirm.

Here's how google analytic script look. 

The code  itself (embedded JavaScript), it is not obvious that this will track your location, device, age etc? 

So the potential miner script here would not be so obvious.

Edited February 17, 2023 by D2sage

[thepixelmonk]

7 minutes ago, D2sage said:

@thepixelmonk

My PC has a fresh Windows 11 installed and the source of the "malware" is from this site.

Also, that's not the entire source of the file you linked hehe, here's the whole thing https://pastebin.com/raw/ZeBwZtvG 

You have no clue what you're talking about.

Would be better if a Javascript developer could confirm.

I deal with javascript every single day, there's nothing on that pastebin either. The source is your browser. How it got there doesn't necessarily have anything to do with actualized.org. Nice malware filled system you got over there lmao.

[D2sage]

@thepixelmonk You don't sound credible at all, more like a fool tbh. "lmao" My system is clean. 

Why am I only getting alerts when visiting profile? But nowhere else on the site?

And you can clearly see the source right here:

February 3rd. First time I visited this site on my new PC. But then I did not care, but now I think its worth mentioning.

Edited February 17, 2023 by D2sage

[thepixelmonk]

17 minutes ago, D2sage said:

 

The code  itself (embedded JavaScript), it is not obvious that this will track your location, device, age etc? 

So the potential miner script here would not be so obvious.

Did you literally just screenshot a completely unrelated, standard installation of google analytics as some sort of proof of actualized bitcoin mining hahahah. And yes, it tracks whatever easily available public information is available to it. What a surprise for an analytics script.

[D2sage]

@thepixelmonk The point was: The code is not obvious that it is a miner. 

To view the tracked data you need another platform. So its 100% possible that the js. file on actualized.org can be a miner. 

Plus, the code here is trying to execute on my computer.

Why am I only getting alerts when visiting profile? But nowhere else on the site?

And you can clearly see the source right here:

February 3rd. First time I visited this site on my new PC. But then I did not care, but now I think its worth mentioning.

 

Edited February 17, 2023 by D2sage

[thepixelmonk]

1 minute ago, D2sage said:

@thepixelmonk The point was: The code is not obvious that it is a miner.

The fact that snippet is loading an outside script is super obvious.
 

Quote

Why am I only getting alerts when visiting profile? But nowhere else on the site?

And you can clearly see the source right here:

 

February 3rd. First time I visited this site on my new PC. But then I did not care, but now I think its worth mentioning.

 

Reposting screenshots of your false positives / malware filled windows computer doesn't mean anything. Nothing is in that file.

[D2sage]

@thepixelmonk I hope you're right. 

@Leo Gura 

You can delete the js file? The site will work just fine. Better safe than sorry.

[thepixelmonk]

2 minutes ago, D2sage said:

@thepixelmonk I hope you're right. 

@Leo Gura 

You can delete the js file? The site will work just fine. Better safe than sorry.

Yeah just delete all the profile page javascript the site will work just fine.

/s

[D2sage]

3 hours ago, thepixelmonk said:

Yeah just delete all the profile page javascript the site will work just fine.

/s

@thepixelmonk

Not all, just that one. 

Well, the path is https://www.actualized.org/forum/uploads/

Isn't that the same catalog where our uploaded media files are. 

Edited February 17, 2023 by D2sage

[D2sage]

3 hours ago, thepixelmonk said:

Reposting screenshots of your false positives / malware filled windows computer doesn't mean anything. Nothing is in that file.

So my computer is now hosted  here on actualized.org/forum/uploads  

I run online servers, a kratom forum, and websites. My PC is cleaner than your vocabulary.

It is classified as a Trojan because it is typically disguised as a legitimate file and is designed to deceive the victim into running it on their computer.

Look, I know some of you guys here would drink Leos bathwater. 

You fail to realize one thing. I am not bashing Leo that he’s injected some code.  On my old PC, I had poor security and did not care about alerts. Then I got my credit card stolen and Instagram hacked. I am just cautious nowadays and more alert online.

Edited February 17, 2023 by D2sage