SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.cryptominer.6

malware.cryptominer.6

Description:
Website contains an encrypted CoinHive JavaScript miner library, which usually means that it's used without webmaster's consent.

eval​(function(p,​a,c,k,e,r){e=function(c)...skipped...document|​google_analytics​|function|var|type|text|javascript|5000|addScript|getElementsByTagName|body|appendChild|setTimeout|createElement|stats|11|​3104709642|lib|jquery|onload|src|innerHTML|min|new|googleanalytics​|Anonymous||​NPRak9QU4lFBSneFt23qEIChh5r0SZev​|start|http|window|js'.split('|'),0,{}))

This code injects a script from hxxp:// 3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 that loads the CoinHive JavaScript miner under disguise of Google Analytics.

More information:
Microsoft Malware Protection Center notice.
Fake jQuery and Google Analytics Hide Yet Another Cryptominer
This infection usually comes along with the cloudflare.solutions WordPress keylogger.

Affecting: Mostly WordPress sites

Mitigation How to clean a hacked WordPress site