
Removing Cryptojacking CoinHive Malware from your WordPress, Magento, Drupal & Prestashop websites

What is Crypto Mining Malware (CoinHive JavaScript)? How are you affected?

CoinHive is an online service that provides cryptocurrency miners (crypto mining malware) that can be installed on websites using JavaScript. The JavaScript miner runs in the browser of the website's visitors and mines coins on the Monero blockchain. It is promoted as an alternative to placing advertising on the website. It turns out that hackers are also using it as malware to hijack a website's end customers by infecting the website in the first place.
To mine the Monero coin using CoinHive, all you have to do is place a small JavaScript snippet in the header/footer of your website. When a visitor comes to the site, the CoinHive JavaScript gets activated and starts utilizing the CPU power available to it. With 10–20 active miners on the website, the average monthly revenue is about 0.3 XMR (~$109). To multiply their revenue, hackers have been exploiting vulnerable websites by injecting crypto-mining malware (CoinHive).
While CoinHive itself is not a malicious service, it has been extensively used by hackers to mine coins using hacked websites. As a result, many malware scanners and security agencies have blacklisted the domain.

Flagged Domains Hosting the Crypto Mining Code

We have compiled a list of third-party domains that have been seen to host the CoinHive code used by the malware. The JavaScript files are intentionally named after common file names so that they appear legitimate and the webmaster doesn't get suspicious on seeing them.



Finding the crypto mining malware (CoinHive)

If you detect that your website has been running crypto-mining scripts without your knowledge, it is highly probable that your website is hacked or has been infected. Here are some steps you can take to identify if your website is hacked:

  1. Open the website in your web browser and select the “View Source” option
  2. In the webpage source, scan for JavaScript code that looks suspicious:
    1. Flagged domains as listed above
    2. Unrecognized domain/file names
    3. Initialization script for CoinHive

[Image: CoinHive Initialization Code]

  • Also look for malware code in the core website files on your server. If you are an Astra customer, start a Malware Scan from your Dashboard. If not, you can perform the following steps:
    1. Examine recently modified files on the server using the following SSH command
      find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
    2. Search for common malware strings using the following SSH command:
      find /var/www -name "*.php" -exec grep -l "eval(" {} \;
      Replace the search string ("eval(") with each of the ones listed below and run the command again:

      1. echo(gzinflate(base64_decode
      2. coinhive (Crypto-Jacking Code Malware)
      3. locationforexpert
      4. base64_decode
      5. gzinflate(base64_decode
      6. eval(base64_decode
    3. Open the files that are flagged by these searches
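The two server-side searches above can be combined into a single pass. The following is an added example, not part of the original article: a POSIX shell function, `scan_webroot` (a hypothetical name), that lists every PHP file containing any of the strings above, newest modification first. It assumes GNU find, as the article's own command does, and `make_sample` builds a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the article): flag *.php files that contain any of
# the strings listed above, newest modification first. Needs GNU find (-printf).

# Search strings from the article's list, plus its initial "eval(".
PATTERNS='eval(
base64_decode
eval(base64_decode
gzinflate(base64_decode
echo(gzinflate(base64_decode
coinhive
locationforexpert'
TAB=$(printf '\t')

# scan_webroot DIR (hypothetical helper name)
# Prints "mtime<TAB>path<TAB>[matched strings]" per flagged file.
# grep -F treats the strings literally; -i because PHP function names are
# case-insensitive, so EVAL( must be caught too.
scan_webroot() {
  find "$1" -type f -name '*.php' -printf '%TY-%Tm-%Td %TH:%TM\t%p\n' |
    sort -r |
    while IFS=$TAB read -r mtime file; do
      hits=$(printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
        if grep -qiF -e "$pat" -- "$file"; then printf '[%s] ' "$pat"; fi
      done)
      if [ -n "$hits" ]; then
        printf '%s\t%s\t%s\n' "$mtime" "$file" "$hits"
      fi
    done
}

# make_sample DIR: constructed sample tree, one clean file and two injected.
make_sample() {
  mkdir -p "$1/wp-content/themes/demo theme"
  printf '<?php echo "hello";\n' > "$1/index.php"
  printf '<?php EVAL(base64_decode("ZWNobyAxOw=="));\n' > "$1/wp-content/old.php"
  printf '<script src="https://cdn.example/coinhive.min.js"></script>\n' \
    > "$1/wp-content/themes/demo theme/header.php"
  touch -t 201801010000 "$1/index.php" "$1/wp-content/old.php"
  touch -t 201802010000 "$1/wp-content/themes/demo theme/header.php"
}

# Usage on a real site: scan_webroot /var/www
# Offline demo: d=$(mktemp -d); make_sample "$d"; scan_webroot "$d"
```

A hit on `base64_decode` alone is common in legitimate plugins, so treat the output as a list of files to open and read, weighted by how many strings matched and how recently the file changed.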
    Fixing Crypto Mining Coinhive Malware for WordPress

    We've seen that core WordPress files have been modified to place the malware code. In many cases, the theme files have also been hijacked to place the JavaScript crypto-mining code. The malware checks the user-agent of the request and only includes the malicious JS code if the visitor is not a search engine bot from Google/Bing/Yahoo etc.

    [Image: Malicious code infecting the headers.php file in WordPress themes]

    Some of the files you should check and compare for modifications:

    • index.php
    • wp-admin/admin-header.php
    • wp-includes/general-template.php
    • wp-includes/default-filters.php
    • wp-includes/manifest.php
    • Look for unrecognized code in header.php in your theme folder
    • functions.php
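One way to do the comparison for the core files in this list, as an added example that is not part of the original article: the function `compare_core` (a hypothetical name) checks each file against a clean copy of the same WordPress version, which is assumed to be unpacked in a separate directory, and prints the lines that exist only in the live copy. `make_core_sample` builds constructed trees for a dry run.

```shell
#!/bin/sh
# Added example (not from the article): compare the core files listed above
# against a clean copy of the same WordPress version.

# Core files from the article's list (theme files have no core reference).
CORE_FILES='index.php
wp-admin/admin-header.php
wp-includes/general-template.php
wp-includes/default-filters.php
wp-includes/manifest.php'

# compare_core SITE_DIR CLEAN_DIR (hypothetical helper name)
# Prints "STATUS<TAB>file"; under MODIFIED, lines found only in the site copy.
compare_core() {
  printf '%s\n' "$CORE_FILES" | while IFS= read -r f; do
    if [ ! -f "$2/$f" ]; then
      printf 'NO-REFERENCE\t%s\n' "$f"   # not in the clean copy: cannot compare
    elif [ ! -f "$1/$f" ]; then
      printf 'MISSING\t%s\n' "$f"
    elif cmp -s "$1/$f" "$2/$f"; then
      printf 'OK\t%s\n' "$f"
    else
      printf 'MODIFIED\t%s\n' "$f"
      diff "$2/$f" "$1/$f" | sed -n 's/^> /    + /p'
    fi
  done
}

# make_core_sample DIR: constructed "site" and "clean" trees for a dry run.
make_core_sample() {
  for tree in site clean; do
    mkdir -p "$1/$tree/wp-admin" "$1/$tree/wp-includes"
    printf '<?php // front controller\n' > "$1/$tree/index.php"
    printf '<?php // filters\n' > "$1/$tree/wp-includes/default-filters.php"
    printf '<?php // template tags\n' > "$1/$tree/wp-includes/general-template.php"
  done
  printf '<?php // admin header\n' > "$1/clean/wp-admin/admin-header.php"
  # Constructed injection: an extra script tag appended to a core file.
  printf '<script src="https://cdn.example/status.js"></script>\n' \
    >> "$1/site/wp-includes/general-template.php"
}
```

On sites with WP-CLI installed, `wp core verify-checksums` performs the same kind of check against the official checksums. Theme files such as header.php and functions.php need a clean copy of the theme itself as the reference.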


    Fixing Crypto Mining Coinhive Malware for Magento

    If you are using Magento, look for crypto mining malware in the database. Open the 'core_config_data' table using a tool like phpMyAdmin and look for the value of design/head/includes. Examine the code and remove any JavaScript files being included there using the
