Cryptomining Hack Websites

What is Crypto Mining Malware (CoinHive Javascript)? How are you affected?

CoinHive is an online service that provides a cryptocurrency miner written in JavaScript which a site owner can embed in their web pages. The miner runs in the browser of every visitor and mines Monero (XMR) for the holder of the CoinHive site key. It is promoted as an alternative to placing advertising on the website. In practice, it is also being used by hackers as malware: they first compromise a website, then inject the miner so that the CPU of every visitor is hijacked for their own benefit.

To mine Monero using CoinHive, all a site owner has to do is place a small JavaScript snippet in the header or footer of the site. When a visitor opens a page, the CoinHive script loads and starts using as much CPU as the browser allows. With 10–20 active miners on the site, the average monthly revenue is about 0.3 XMR (~$109). To multiply that revenue, hackers have been exploiting vulnerable websites and injecting the CoinHive code into them, so that the visitors of every hacked site mine for the attacker's site key.

While CoinHive itself is not a malicious service, it has been extensively used by hackers to mine coins through hacked websites. As a result, many malware scanners and security vendors have blacklisted CoinHive's domain.

Flagged Domains Hosting the Crypto Mining Code

We have compiled a list of third-party domains that have been seen hosting the CoinHive loader used by this malware. The script names are deliberately chosen to look like common, legitimate file names (status.js, stat.js, theme.js, jqueryui.js) so that a webmaster does not get suspicious on seeing them.

  • ads.locationforexpert[.]com
  • camillesanz[.]com/lib/status.js
  • security.fblaster[.]com
  • fricangrey[.]top/redirect_base/redirect.js
  • alemoney[.]xyz/js/stat.js
  • africangirl[.]top/redirect_base/redirect.js
  • ribinski[.]us/redirect_base/redirect.js
  • aleinvest[.]xyz/js/theme.js
  • babybabybabyoooh[.]net/beta.js
  • www.threadpaints[.]com/js/status.js
  • oneyoungcome[.]com/jqueryui.js
  • wp-cloud[.]ru
  • doubleclick1[.]xyz
  • doubleclick2[.]xyz
  • doubleclick3[.]xyz
  • doubleclick4[.]xyz
  • doubleclick5[.]xyz
  • doubleclick6[.]xyz
  • api[.]l33tsite[.]info
  • ws[.]l33tsite[.]info

Finding the crypto mining malware (CoinHive)

If your website is running crypto-mining scripts without your knowledge, it is highly likely that it has been hacked. Here are some steps you can take to confirm the infection:

  1. Open the website in your web browser and select the “View Source” option
  2. In the page source, look for JavaScript code that looks suspicious:
    1. References to the flagged domains listed above
    2. Unrecognized domains or file names
    3. The CoinHive initialization script (the snippet that loads the miner library and starts it with the attacker's site key)
      [Screenshot in the original post: CoinHive initialization code]
  3. Also look for malware code in the core website files on your server. If you are an Astra customer, start a Malware Scan from your Dashboard. Otherwise, perform the following steps over SSH:
    1. List recently modified files on the server, newest first (replace /path-of-www with your web root):
      find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
    2. Search for common malware strings:
      find /var/www -name "*.php" -exec grep -l "eval(" {} \;
      Replace the search string eval( with each of the strings listed below and run the command again:

      1. echo(gzinflate(base64_decode
      2. coinhive
      3. locationforexpert
      4. base64_decode
      5. gzinflate(base64_decode
      6. eval(base64_decode
    3. Open the files flagged by these searches and inspect the matching code. Note that eval( and base64_decode also occur in legitimate PHP, so every hit needs a manual look.
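The server-side checks above can be run as one script instead of six separate find/grep invocations. The following is an added example, not code from the original post or from Astra: it lists recently modified files and then greps PHP, JS and template files for the indicator strings and the flagged domains listed on this page. It assumes GNU find, grep and sort (a typical Linux host) and takes the web root and a lookback window in days as arguments.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: automates the "recently
# modified files" and "malware strings" checks above for one web root.
# Assumes GNU find/grep/sort (Linux); run it as a user that can read the web root.

# Indicator strings: the obfuscation wrappers and the CoinHive loader from the
# checklist above, plus the flagged third-party domains (undefanged).
# They are matched case-insensitively as fixed strings, so "eval(" is not a regex.
coinhive_patterns() {
    cat <<'EOF'
eval(
echo(gzinflate(base64_decode
coinhive
locationforexpert
base64_decode
gzinflate(base64_decode
eval(base64_decode
camillesanz.com/lib/status.js
security.fblaster.com
fricangrey.top
alemoney.xyz
africangirl.top
ribinski.us
aleinvest.xyz
babybabybabyoooh.net
threadpaints.com
oneyoungcome.com
wp-cloud.ru
doubleclick1.xyz
doubleclick2.xyz
doubleclick3.xyz
doubleclick4.xyz
doubleclick5.xyz
doubleclick6.xyz
l33tsite.info
EOF
}

# List files under web root $1 modified in the last $2 days, newest first.
recently_modified() {
    find "$1" -type f -mtime "-$2" -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
}

# Print "file:line:content" for every indicator hit in PHP, JS and template
# files under web root $1. Returns 1 when nothing matched.
# eval( and base64_decode also occur in legitimate code, so review each hit.
scan_indicators() {
    local root="$1" pats hits
    pats=$(mktemp)
    coinhive_patterns > "$pats"
    hits=$(find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \
               -o -name '*.tpl' -o -name '*.twig' \) \
               -exec grep -H -n -i -F -f "$pats" {} + 2>/dev/null) || true
    rm -f "$pats"
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Usage: bash scan_coinhive.sh /var/www 7   (web root, lookback in days)
if [ -n "${1-}" ]; then
    echo "== files modified in the last ${2:-7} days =="
    recently_modified "$1" "${2:-7}"
    echo "== indicator hits =="
    scan_indicators "$1" || echo "no indicator strings found"
fi
```

Cross-check the two outputs: a file that is both recently modified and contains an indicator string is the first one to open. A hit on eval( or base64_decode alone is not proof of infection, but one inside a theme header or a file that should never change is.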

Fixing Crypto Mining CoinHive Malware in WordPress

We have seen core WordPress files modified to hold the malware code. In many cases the theme files have also been hijacked to carry the JavaScript miner. The malicious PHP checks the User-Agent header of each request and only includes the JavaScript when the visitor is not a search engine bot from Google, Bing, Yahoo etc., which keeps the injected script out of crawler results and makes it harder to spot.

[Screenshot in the original post: malicious code injected into header.php of a WordPress theme]
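Because the malware hides from crawler user agents, a quick way to surface it is to fetch the same page twice, once as a browser and once as Googlebot, and compare the scripts each response contains. The following is an added example, not code from the original post or from Astra. It uses curl's -A option to set the user agent and then diffs the script references; the user-agent strings are illustrative, not the exact ones the malware tests for, and the comparison logic can be exercised offline on saved HTML captures. It assumes curl and GNU grep, sed, sort and comm.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: catch user-agent cloaking by
# capturing the same page as a normal browser and as Googlebot, then listing
# the <script> references that only the browser received.
# Assumes curl and GNU grep/sed/sort/comm; the user-agent strings are
# illustrative, not the exact ones the malware checks for.

BROWSER_UA='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0'
BOT_UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

# Fetch URL $1 with user agent $2 and save the response body to file $3.
fetch_as() {
    curl -sS -L -A "$2" -o "$3" "$1"
}

# Print one line per <script> in HTML file $1: the src URL of external
# scripts, or the first 60 characters of an inline script body (the CoinHive
# loader is inline JS). Output is sorted so two captures can be compared.
script_refs() {
    local q="[\"']"
    {
        grep -o -i "<script[^>]*src=$q[^\"']*" "$1" \
          | sed -E "s/.*src=$q//I"
        tr '\n' ' ' < "$1" \
          | grep -o -i '<script[^>]*>[^<]*</script>' \
          | sed -E 's#^<script[^>]*>##I; s#</script>$##I; s/^ +//; s/ +$//' \
          | grep -v '^$' | cut -c1-60
    } | LC_ALL=C sort -u
}

# Print script refs present in the browser capture $1 but absent from the bot
# capture $2. A clean site prints nothing; a cloaked miner shows up here.
cloaked_scripts() {
    local a b
    a=$(mktemp); b=$(mktemp)
    script_refs "$1" > "$a"
    script_refs "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Usage: bash cloak_check.sh https://example.com/
if [ -n "${1-}" ]; then
    tmp=$(mktemp -d)
    fetch_as "$1" "$BROWSER_UA" "$tmp/browser.html"
    fetch_as "$1" "$BOT_UA" "$tmp/bot.html"
    echo "== scripts served to browsers but hidden from Googlebot =="
    cloaked_scripts "$tmp/browser.html" "$tmp/bot.html"
    rm -rf "$tmp"
fi
```

Any line this prints deserves a look, because legitimate sites rarely serve a script to humans that they withhold from Google. Run it from a machine outside the server, since the malware may also key on the client IP or on logged-in cookies.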

Some of the files you should check and compare against a clean copy for modifications:

  • index.php
  • wp-admin/admin-header.php
  • wp-includes/general-template.php
  • wp-includes/default-filters.php
  • wp-includes/manifest.php
  • header.php in your theme folder (look for unrecognized code)
  • functions.php in your theme folder

Check commonly hacked WordPress files and how to fix them

Fixing Crypto Mining Coinhive Malware for Magento

If you are using Magento, the crypto mining code may also be in the database. Open the core_config_data table using a tool like phpMyAdmin and look at the value stored for the path design/head/includes. Examine that value and remove any <script> tags that include JavaScript you did not add.

Also check the copyright text in the footer, since additional malicious code may have been placed there: navigate to System -> Configuration -> Design -> Footer -> Copyright and examine it.

Don’t forget to flush all Magento caches after removing any malicious code; otherwise the cached pages keep serving the miner.

Worried about your website’s safety in light of rampant online vulnerabilities? Astra’s security suite can detect crypto mining hacks & further your protection from online vulnerabilities.


Fixing the Crypto Malware (CoinHive) Hack in OpenCart

Some of the files commonly infected in OpenCart are listed below. The steps to clean them are the same as for WordPress. Check the integrity of these files by comparing them with the original OpenCart code for your version.

  • index.php
  • catalog/view/theme/default/template/common/header.tpl
  • catalog/view/theme/default/template/common/header.twig

Fixing CoinHive Malware in Drupal

In the case of Drupal sites, look at the .js files shipped by modules. We found the crypto mining code in the Google Analytics module:

  • sites/all/modules/google_analytics/googleanalytics.js

The CoinHive code was appended to this file, right after the legitimate Google Analytics code, so every page that loaded the analytics script also started mining in the visitor's browser.

Cryptomining Malware CoinHive in Database

Hackers also inject the malicious CoinHive code into the website's database rather than into files, as in the Magento core_config_data example above, so a file scan alone does not find it.

[Screenshot in the original post: CoinHive malware stored in the database]

Preventing Cryptojacking Malware (CoinHive) Hack

  • Perform regular file integrity monitoring: Use a tool such as Astra to monitor the files on the server and learn when they change. Hackers modify files on the server and add malware to the core files of your website; that code may execute server-side (PHP, Python etc.) or in the visitor's browser (JavaScript).
  • Only include JavaScript files from trusted sources and CDNs: Be careful before you include JS files into your website. JavaScript is a very powerful tool and
  • Create a Content Security Policy (CSP): CSP is a browser security standard that lets a site declare which sources scripts may be loaded from, which blocks code injection attacks such as cross-site scripting (XSS) and clickjacking that execute malicious content inside a trusted page. A policy that restricts script-src to your own origin and trusted CDNs stops the browser from fetching a miner injected from the domains listed above, provided 'unsafe-inline' is not allowed, since the miner's initialization snippet is inline JavaScript. Read this guide from Google about the fundamentals of CSP and how you can set one.
  • Regularly update your CMS: Security patches/updates are often released with newer versions of the CMS. It is highly recommended to routinely scan for new versions and upgrade.
  • Install ALL security patches released by vendors: Almost all CMSs release security patches as and when critical issues are reported. Subscribe to their security mailing lists or RSS feeds and keep your software up to date.
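The "compare with the original files" advice in the WordPress and OpenCart sections and the file integrity monitoring item above come down to the same thing: a hash baseline taken while the site is known clean, and a check that reports what changed since. The following is an added example, not code from the original post or from Astra, that does exactly that with sha256sum. It assumes GNU coreutils (sha256sum, sort -z, join) and paths without spaces, and the manifest must live outside the web root, because an attacker who can write to the web root could otherwise rewrite it.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a minimal file integrity
# baseline for a web root so that a later check lists exactly which files were
# modified, added or deleted since the site was known clean (the manual
# "compare with the original files" step above, automated).
# Assumes GNU coreutils (sha256sum, sort -z, join) and paths without spaces.

# Print "sha256  ./relative/path" for every file under web root $1.
fim_hashes() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Record the current state of web root $1 into manifest file $2. Keep the
# manifest outside the web root (the attacker can edit anything inside it).
fim_baseline() {
    fim_hashes "$1" > "$2"
}

# Compare web root $1 against manifest $2. Prints one line per difference
# ("MODIFIED path", "ADDED path", "DELETED path") and returns 1 if any exist,
# 0 when the tree matches the baseline.
fim_check() {
    local old new out
    old=$(mktemp); new=$(mktemp)
    # Normalise both sides to "path hash", sorted on path so join can pair them.
    awk '{print $2, $1}' "$2" | LC_ALL=C sort > "$old"
    fim_hashes "$1" | awk '{print $2, $1}' | LC_ALL=C sort > "$new"
    # -a1 -a2 keeps unpaired lines from both sides; -e fills the missing hash.
    out=$(LC_ALL=C join -a1 -a2 -e MISSING -o '0,1.2,2.2' "$old" "$new" | awk '
        $2 == "MISSING" { print "ADDED", $1; next }
        $3 == "MISSING" { print "DELETED", $1; next }
        $2 != $3        { print "MODIFIED", $1 }')
    rm -f "$old" "$new"
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: bash fim.sh baseline /var/www /root/www.sha256
#        bash fim.sh check    /var/www /root/www.sha256
case "${1-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Run the check from cron and alert on a non-zero exit. Expect noise from cache and upload directories; exclude those from the baseline rather than ignoring the alerts, so that a changed header.php or a new file such as wp-cloud.php in the web root always stands out.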

Conclusion

CoinHive itself is not a malicious service, but it has been extensively used by hackers to mine Monero in the browsers of unsuspecting visitors. To mitigate such unauthorized use, CoinHive has released a new ‘AuthedMine’ version of its JavaScript library which requires explicit opt-in from the site visitor before mining begins. However, the older version that asks for no consent is still out there, allowing hackers to mine coins at the expense of unsuspecting site visitors and the owners of hacked sites.

As an online business owner, your website is the center of your business and needs continuous security monitoring to ensure smooth functioning of your business. We’re happy to help you in this mission to keep your website secure and malware free.

Also, check our blog post on RawGit CDN is Abused by CryptoLoot Cryptominers.

How Astra protects you from CoinHive and other malware attacks?

At Astra, we have a team of security experts who resolve several crypto malware incidents daily and make sure the infection does not come back. Our web application firewall protects the website in real time from malware, XSS, SQL injection and 80+ other threats. Every request to your website is scanned by our security engine and only legitimate requests are passed through.


About The Author

Ananda Krishna

Ananda is a security researcher at Astra.

1 Comment

  1. Detailed Guide on Website Malware Attacks: Causes, Consequences & Steps to Fix - Astra Web Security Blog

    […] More details on finding this malware & fixing it can be found in our detailed guide here. […]
