Crypto Jacking Campaign, hundreds of Drupal sites hacked!

See: https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/edit#gid=0
Attackers used a so-called Coinhive script.

Troy Mursch detected this script: https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/

Is this being blocked by Avast?

polonus

Yep. Confirmed for at least one site: forumdelcafe.com/ [not blacklisted] (Avast does not detect.)

UrlQuery: http://urlquery.net/report/92b44b3c-4af0-458d-bb0a-7b41c5e1d74f

Sucuri: https://sitecheck.sucuri.net/results/forumdelcafe.com/

Zscaler: https://zulu.zscaler.com/submission/25303afe-9b1e-4800-9151-ab5418c2b0c5

See what this https://www.virustotal.com/#/file/370be45f65276b3b8de42a29adfb1220fc44a5e018c37e3e9b62fa7d5b523fd0/community
8 votes unsafe, also 3 flag malware here: https://www.virustotal.com/#/url/ef1b19e8c29190341d022529031dfd6f0f0a955ecd2a0c6ee8422314173c324c/detection
does here: https://urlquery.net/report/b9af203d-b922-4061-869d-9debcc96f822 Server Microsoft-IIS/httpd 7.5
https://asafaweb.com/Scan?Url=vuuwd.com This is QuadraNet abuse in USA. sslv2: | SSLv2 supported ; | ciphers:
| SSL2_RC4_128_WITH_MD5 & |_ SSL2_DES_192_EDE3_CBC_WITH_MD5 (homepage link for hardware location).
Re: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=aiaf.it&ref_sel=GSP2&ua_sel=ff&fs=1

polonus (volunteer website security analyst and website error-hunter)