Coinhive code in header.php

  • Resolved doulou

    (@doulou)


    6 years, 11 months ago

    Hi

    I’m trying to help a new client, who has come to me with a very slow website. I realised they didn’t have any security (and never have – it’s an old site!) on their site, so have installed wordfence which I use on all my sites.

    I’ve done a scan and it says:

    This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: new CoinHive.Anonymous(‘TnKJQivLdI92CHM5VDumySeVWinv2yfL’. The infection type is: Browser-based crypto currency miner..

    The file is the header.php – I can see the coinhive links/code – but am not sure where from and where to delete it. Or can wordfence help with this? My client is having a new site built by someone else so doesn’t want the pro version at this point in time. But can the free version help?

    OR if I paste the code in the header here – can someone let me know which part I can delete?

    I’ve already deleted a file wordfence flagged up. I’ve taken backups all the way…

    Thanks for any help in advance….

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi doulou,
    As you have mentioned “header.php” file, I assume this file is included in one of the themes directories, if this was the case, then you can simply replace this file with a fresh copy downloaded directly from the theme author website. (make sure both files are of the same theme version).

    Thanks.

    Thread Starter doulou

    (@doulou)

    Thanks for getting back to me. It’s a really old theme, I can’t find any reference to it anywhere… I’ve now guessed at which is the malware text in the header and removed it – wordfence has verified this in its scan.

    The problem I have now is that it’s still very slow as there is a lot of conflicting scripts – caused by old plugins which are not even on wordpress any more.

    I’ll see if I can identify these – I’ll try deactivating plugins to see where the problem is. Maybe there’s a plugin I can use to help mend the scripts – I’ll see – I’m not great with script!

    Anyway thanks for the suggestion and help…

    Thread Starter doulou

    (@doulou)

    Fixed it – I’d missed out deleting all the malware – this was there – <script src=’https://json.stringengines.com/pson.js?n=1&#8242; type=’text/javascript’> – have now deleted it and the site has sped up no end! Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Coinhive code in header.php’ is closed to new replies.