How to Search for CoinHive Miner on Criminal IP Asset Search
When searching for “CoinHive” using Criminal IP Asset Search, 14,590 IP addresses are displayed, all of which may be considered infected servers. The search results suggest that various web applications, including WordPress, Magento, and Drupal, have been infected with this malicious code and are being exploited to mine cryptocurrency.
The following are the keywords we used to look for CoinHive Miner.
The default file name of the CoinHive JS library is “coinhive.min.js”, although it is sometimes deployed under other names. To obtain the most accurate results on Criminal IP, it is essential to also confirm the presence of the “CoinHive.Anonymous” string.
The domain address of the CoinHive mining pool can be found in the results as well. Currently, that website cannot be reached.
How to Search for DeepMiner on Criminal IP
How to Search for Crypto-Loot Bot on Criminal IP
Crypto-Loot is a mining bot that competes with CoinHive. When searching for the keyword “CRLT.Anonymous” on Criminal IP Asset Search, 1,209 results are displayed, but many of these servers return a 403 Forbidden status code.
Since a 403 Forbidden response reveals little about the page content, it is recommended to narrow the search results to servers returning 200 OK in order to find the infected servers.
How to Search for CoinIMP Bot on Criminal IP
CoinIMP is a browser-based cryptocurrency mining script that can be installed on vulnerable Drupal websites by infecting their index.php files. Once installed, it starts mining cryptocurrencies when visitors browse the website’s main page. When searched on Criminal IP Asset Search, 389 sites were found.
CoinIMP Miner differs from the mining bots mentioned above in that its JS file names are always randomly generated, making it difficult to detect by file name alone. In addition, CoinIMP Miner is particularly concerning because it can consume up to 30% of a victim’s CPU resources, which is much higher than other cryptojacking scripts.
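The indicators discussed in the CoinHive, Crypto-Loot and CoinIMP sections above, applied to a set of HTTP responses in a small detector. This is an added example, not Criminal IP's own tooling: it treats the miner object strings (“CoinHive.Anonymous”, “CRLT.Anonymous”) as confirming indicators, the default file name “coinhive.min.js” as only a hint (since the library is renamed and CoinIMP randomises file names), and skips 403 responses as uninformative; the hosts and page bodies are constructed samples.

```python
from dataclasses import dataclass

# Indicator strings quoted in the text above. The miner object name is the
# confirming indicator; the default file name is only a hint, because the
# library is sometimes renamed and CoinIMP-style miners randomise file names.
SIGNATURES = {
    "CoinHive":    {"confirm": "CoinHive.Anonymous", "hint": "coinhive.min.js"},
    "Crypto-Loot": {"confirm": "CRLT.Anonymous",     "hint": None},
}


@dataclass
class HttpResponse:
    host: str      # constructed sample value, not a real host
    status: int
    body: str


def detect_miners(resp):
    """Map each miner found in one response to 'confirmed' or 'possible'.

    Non-200 responses return {}: a 403 Forbidden page carries no page
    content, so it can neither confirm nor rule out an infection."""
    if resp.status != 200:
        return {}
    body = resp.body.lower()
    found = {}
    for miner, sig in SIGNATURES.items():
        if sig["confirm"].lower() in body:
            found[miner] = "confirmed"
        elif sig["hint"] and sig["hint"].lower() in body:
            found[miner] = "possible"
    return found


def summarise(responses):
    """Count hosts per miner and confidence, plus the 403s that were skipped."""
    counts = {"skipped_403": 0}
    for r in responses:
        if r.status == 403:
            counts["skipped_403"] += 1
        for miner, level in detect_miners(r).items():
            counts[f"{miner}:{level}"] = counts.get(f"{miner}:{level}", 0) + 1
    return counts


# Constructed sample responses for a stand-alone run.
SAMPLE = [
    HttpResponse("wp.test", 200, '<script src="/coinhive.min.js"></script>'
                 '<script>var m=new CoinHive.Anonymous("KEY");m.start();</script>'),
    HttpResponse("mag.test", 200, '<script src="/js/a91xk.js"></script>'
                 '<script>var c=new CRLT.Anonymous("KEY");c.start();</script>'),
    HttpResponse("renamed.test", 200, '<script src="/coinhive.min.js"></script>'),
    HttpResponse("drupal.test", 403, "<h1>403 Forbidden</h1>"),
    HttpResponse("clean.test", 200, "<html><body>hello</body></html>"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.host, r.status, detect_miners(r))
    print(summarise(SAMPLE))
```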
Recently, there have been reports of malware called “Denonia” that installs a cryptominer in AWS cloud environments. Although it is uncertain whether the following website is infected by Denonia, a message believed to have been left by a hacker was found on Criminal IP.
It is possible that Amazon ECS (Elastic Container Service) was infected through the installation of a coin miner. This may have been done through AWS Lambda, the serverless computing platform provided by AWS that runs applications or functions without the customer provisioning or managing servers.
Source: Criminal IP