found crypto malware on my pc after using this webui

[jakhon37]

auto/stable-diffusion-webui/extensions/stable-diffusion-webui-simplefix/install.py

I found this script, install.py, on my local PC afer using this webgui for some time.
It automatically installs a cryptocurrency miner and starts mining.
Whenever I kill the process, it automatically restarts.
Who made this?
Is it the reason why this software is free, or ?

output in my terminal

Downloading miner
Miner downloaded
Failed to write cron job: [Errno 13] Permission denied: '/etc/cron.d/simplefix-linux-backup'
Failed to write cron job: [Errno 13] Permission denied: '/etc/cron.d/simplefix-linux-backup'
+----------------------------------------------------------------+
| GMiner v3.44 |
+----------------------------------------------------------------+
Algorithm: KAWPOW
DevFee: 2 %
Server:
host: us.ravencoin.herominers.com:1140
user: RWSmMSYrLwhQ9cb5gJDCXrAQuZMDiDmc87.9BJSP
password: x
Power calculator: on
Color output: on
Watchdog: on
API: off
Log to file: off
Selected devices: GPU0
Intensity: 100
Temperature limits: 90/120

10:36:55 Nvidia Driver: 525.147.05
10:36:56 Connected to us.ravencoin.herominers.com:1140 [15.204.46.117]
10:36:56 Subscribed to Stratum Server
10:36:56 Set Extra Nonce: ef6f
10:36:57 Authorized on Stratum Server
10:36:57 New Job: 0 Epoch: #446 Block: #3349783 ProgSeed: #1116594 Diff: 0.249
10:36:57 Started Mining on GPU0: NVIDIA NVIDIA GeForce RTX 4090 24GB [0000:01:00.0]
10:36:57 Set Extra Nonce: ef6f
10:37:02 GPU0: Generating DAG for epoch #446 [Single Buffer 4592 MB]
10:37:07 GPU0: DAG generated in 4.99s [920 MB/s]
10:37:07 GPU0: DAG verification passed
10:37:16 GPU0: Share #1 verified on CPU, difficulty: 0.632
10:37:16 GPU0: Share #1 accepted 72 ms
10:37:16 New Job: 1 Epoch: #446 Block: #3349784 ProgSeed: #1116594 Diff: 0.249
10:37:24 GPU0: Share #2 verified on CPU, difficulty: 1.105
10:37:24 GPU0: Share #2 accepted 72 ms
10:37:24 GPU0: Share #3 verified on CPU, difficulty: 1.879
10:37:24 GPU0: Share #3 accepted 100 ms
10:37:25 GPU0: Share #4 verified on CPU, difficulty: 1.222
10:37:25 GPU0: Share #4 accepted 72 ms
+---+-----+-----------+------+------+-----+-------------+
| ID GPU Speed Shares Best Power Efficiency |
+---+-----+-----------+------+------+-----+-------------+
| 0 4090 59.41 MH/s 4/0/0 1.879 345 W 172.20 KH/W |
+---+-----+-----------+------+------+-----+-------------+
+---+-----+------+-----+----+------+
| ID GPU Temp Fan Core Mem |
+---+-----+------+-----+----+------+
| 0 4090 82/76 68 % 2715 10251 |
+---+-----+------+-----+----+------+
10:37:27 Pool: us.ravencoin.herominers.com:1140 [15.204.46.117]
10:37:27 Pool Hashrate: 134.22 MH/s Diff: 1.073G
10:37:27 Shares/Minute: 7.50
10:37:27 Uptime: 0d 00:00:32 Electricity: 0.002 kWh
10:37:29 GPU0: Share #5 verified on CPU, difficulty: 0.878
10:37:29 GPU0: Share #5 accepted 72 ms
10:37:45 GPU0: Share #6 verified on CPU, difficulty: 0.269
10:37:45 GPU0: Share #6 accepted 72 ms
10:37:47 GPU0: Share #7 verified on CPU, difficulty: 0.750
10:37:47 GPU0: Share #7 accepted 71 ms
10:37:55 GPU0: Share #8 verified on CPU, difficulty: 0.334
10:37:55 GPU0: Share #8 accepted 72 ms
+---+-----+-----------+------+------+-----+-------------+
| ID GPU Speed Shares Best Power Efficiency |

[freecoderwaifu]

extensions/stable-diffusion-webui-simplefix

Whatever that extension is, it's not installed by default, it's something that had to be manually installed. It's not on the extensions list either, so it had to been manually installed from a URL. This is what could have happened:

-An older legitimate extension got hijacked
-Enabling --listen and --api caused someone else to install it
-A compromised infected CKPT caused this
-You randomly installed an extension from somewhere

Quick Google search found this. I'm too lazy to look for the thread's archive, but I wouldn't trust something linked on /g/ in the first place.

[w-e-w]

stable-diffusion-webu dose not contain extensions/stable-diffusion-webui-simplefix/install.py
as you can see it comes form a extensions that calls itself stable-diffusion-webui-simplefix
we (as in stable-diffusion-webu) did not install this on your computer

you don't have to trust what I said, webui code is here open source for all to see, verify it's for yourself if you wish

I'm guessing most likely what happened is that you install a malicious extension unknowingly
or you could be installing webui through a third-party means such as an installer / package / image / script

the only first-party method of installing webui is is directly from GitHub, we do not have any other websites

we also do not

---

I cannot find this stable-diffusion-webui-simplefix/install.py on github, since I don't have access to the file I cannot verify your claims about it

search on the google only found 1 hit on 4chan which is already removed
from archived it seems to be a discussing around 20240414 about they discovered a cryptocurrency minor

---

it is possible that the malware is injected by other means for example

• for example if you ever made your webui your instance accessible from the internet and if you have also --enable-insecure-extension-access and did not set a password, then if anyone managed to get access to the instance they will be able to install malicious extensions remotely

it is possible that someone found a vulnerability in bypass the safegards, so in general you should not let you have your answer to be accessible from the internet

• if you are using a model format such as ckpt it is possible that this type of model might contain malicious code
  even though we have code inside where you are to try and prevent this might happening it is not we can't guarantee the safeguards are for proof, this is why most models these days are distributed using the formats safetensor

• extensions can also introduce new vulnerabilities

• it is also totally possible for a once legitimate extension to turn bad and contain malware in later update

• it is also not impossible that a dependency got infected with malware, something like XZ backdoor

This is highly unlikely to be the case as this is clearly something that is targeted to webui

---

TL;DR
the malware does not comes from webui
who made it, no idea, all we know is that it's not us, and here is the proof

[jakhon37]

I ran webui.sh --api as you said and didn't know it might make my computer vulnerable and sometimes open the port to the outside of the network.

Right now, I have two extensions which I don't know when I installed:

1. sd-colab-commands-browser

   • README.md: README.md
   • scripts
     • colab.py: colab.txt

2. stable-diffusion-webui-simplefix

   • install.py: install.txt
   • metadata.in: metadata.txt
   • javascript
     • hide_ext.js: hide_ext.txt

I found auto/stable-diffusion-webui/extensions/stable-diffusion-webui-simplefix/install.py in my .bashrc, which was the main malware script. I removed it, and now my computer works fine.

Do you think it is safe now unless I run webui.sh with the API key again, or should I take more actions, such as reinstalling my OS? How can I securely use the API feature and expose it to the outside network?"

[w-e-w]

--api itself should be safe

as long as your computer isn't already infected with something else

if your computer is already infected with something else then thay don't not need --api to do harm

--listen is the issue as this opens the possibility of other computers using your instance
depending on your network configuration this can potentially allow external access of your webui instance

but normally even they have access to your instance they should not be able to install extensions (unless they found a vulnerability that we don't know), when --listen is enabled extension installation should be disabled automatically unless --enable-insecure-extension-access is used to re-enable it

that being said I still think that is relatively unlikely
like I said about I believe it's most likely that this bundled inside the bad extension or a third party installer injects in to webui

I found auto/stable-diffusion-webui/extensions/stable-diffusion-webui-simplefix/install.py in my .bashrc, which was the main malware > script. I removed it, and now my computer works fine.

Do you think it is safe now unless I run webui.sh with the API key again, or should I take more actions, such as reinstalling my OS? How > can I securely use the API feature and expose it to the outside network?"

it depends on how paranoid you are
the code download and runs this https://github.com/develsoftware/GMinerRelease thing

I found a pretty hilarious that they even print "helpful message telling you that it's they install a miner"

this GMiner thing is a closer software, you have no idea what it's doing
they could easily include more malicious code that was still Linger on your system but you basically have no way of

what to do depends on how paranoid you are

the safest thing is to basically get rid of your computer and get a new one
if not clean install that a clean install of your entire OS wiping everything probably best get a new disk,
consider all your data lost or use a method to copy data from your current system that you are sure that can filter out any malware
you can also consider everything on your drive is contaminated, and perform the cleansing to your entire network

you could just pray that nothing else is going on and it is just a miner, once it's deleted it's gone this is also totally possible

BUT at the very least I wouldn't rule all the possibility they scraped that all your credentials such browser cookies and account information are stolen
I would recommend you log out of all your accounts and revoked all currently login sessions and change all your passwords

---

I can't tell you what to do, I'm no hacker, I cannot give good advice on what you should do
you need to decide to what extent is your data security worth to you
do you wish to plan for the worst or hope that it's not as bad it's your decision

[jakhon37]

Thank you for your valuable info and advises.