Bitcoin miner detected

Hi

Any tools/tips to detect and remove a trojan (bitcoin miner)?

  • Predrag Dubajic
    • Support

    Hi Jacques,

    I see that you have Defender installed on the site that is selected for this ticket. Have you already tried running File Scan in Defender, and did it report any malicious code?

    Also, can you tell me where you see the report that your site has a bitcoin miner?

    Would you mind allowing support access so we can have a closer look at Defender results and see what would be the best approach here?

    To enable support access you can follow this guide here:

    https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-5

    Best regards,

    Predrag

  • Adam Czajczyk
    • Support Gorilla

    Hello Jacques

    Defender Pro will detect either known malware or suspicious functions (functions that either definitely do not belong in a given file or are similar enough to structures used in known malware), as well as files that do not seem to belong to the WordPress installation.

    It won’t tell you that it’s the bitcoin miner, but it will identify the infection.

    I just checked your site and I see that Defender’s file scan has already been run and that it found quite a lot of “suspicious functions” and “unknown files”. I checked some of them (you can expand each reported item there to check more details) and the site is seriously infected, without any doubt.

    Taking the scale into account, I wouldn’t even recommend any “manual cleaning” of it. Instead, it would be best to restore the most recent backup from before any infection was noticed. Then the site should be scanned again to make sure there’s nothing there. If the scan is successful without any reports (apart from files such as a Google verification file, which will be detected as unknown but should be harmless), then at least the following should be done:

    0) clear all caches on the site and server

    1) update everything (WP core, theme, plugins) to the most recent versions

    2) delete all themes and plugins that you are not using and are not going to use in the foreseeable future

    3) download a fresh WP install package of the same version as the WP on the site (so after the update it’ll be the newest one) and use it to overwrite the /wp-includes and /wp-admin folders of your site install

    4) review all user accounts and remove any that you don’t use or know are not used, and any that look suspicious to you

    5) change all possible passwords, including “server-side” passwords such as FTP

    6) if there are any additional FTP/SSH accounts on the server that you’re not using, remove them

    7) apply Defender’s security tweaks

    8) consider setting up CloudFlare for the site (the free plan will suffice), as this will not only help with performance but also add a significant additional security layer to the site.

    Best regards,

    Adam
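The two kinds of findings Adam describes (“suspicious functions” and “unknown files”) and the check behind step 3 (overwriting wp-admin and wp-includes with a fresh package of the same version) can be reproduced with a small offline script. The following is an added example written for this page; it is not Defender’s code and not from the thread. The reference manifest and the sample site tree are constructed inline so it runs without a real WordPress install; on a real site you would build the manifest from a freshly downloaded package of the same version (or run `wp core verify-checksums` from wp-cli) and point `scan_site` at the document root. The file names, plugin path and injected snippets are all made up for the demonstration.

```python
"""Added example: integrity-check WordPress core dirs against a reference
manifest and flag PHP files carrying common injected-loader constructs.
Not Defender's code; the manifest and sample tree below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed reference manifest: what a fresh WordPress package of the same
# version would ship for these paths (made up here; real files are larger).
CLEAN_CORE = {
    "wp-includes/version.php": "<?php\n$wp_version = '5.4';\n",
    "wp-admin/index.php": "<?php\nrequire_once __DIR__ . '/admin.php';\n",
}

CORE_DIRS = ("wp-admin", "wp-includes")

# PHP constructs that rarely appear in legitimate plugin/theme code but are
# the workhorses of injected loaders: decode or inflate a blob, then run it.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|"
    r"create_function|system|shell_exec|passthru)\s*\(",
    re.IGNORECASE,
)
# Runs of hex-escaped bytes ("\x65\x76\x61\x6c" spells eval) hide names from grep.
HEX_ESCAPED = re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(clean_files: dict) -> dict:
    """path -> sha256 of the reference content."""
    return {p: sha256_hex(c.encode()) for p, c in clean_files.items()}


def suspicious_functions(source: str) -> list:
    """Return the distinct suspicious constructs found in one PHP source."""
    hits = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(source)})
    if HEX_ESCAPED.search(source):
        hits.append("hex-escaped-string")
    return hits


def scan_site(root: Path, manifest: dict) -> dict:
    """Hash-check core dirs against the manifest; content-scan everything else.

    modified:   core file whose hash differs from the reference
    unknown:    file under a core dir that the reference package does not ship
    suspicious: path -> constructs found, for any .php file not verified clean
    """
    findings = {"modified": [], "unknown": [], "suspicious": {}}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel.split("/", 1)[0] in CORE_DIRS:
            if rel not in manifest:
                findings["unknown"].append(rel)
            elif sha256_hex(data) == manifest[rel]:
                continue  # byte-identical to the reference: nothing to inspect
            else:
                findings["modified"].append(rel)
        if rel.endswith(".php"):
            hits = suspicious_functions(data.decode("utf-8", errors="replace"))
            if hits:
                findings["suspicious"][rel] = hits
    return findings


def build_sample_site(root: Path) -> None:
    """Constructed tree: one clean core file, one modified, one unknown, one bad plugin."""
    files = dict(CLEAN_CORE)
    # Core file with an injected loader appended (the "modified" case).
    files["wp-includes/version.php"] += "eval(base64_decode('ZWNobyAnaGknOw=='));\n"
    # File dropped into a core dir that the package never shipped (the "unknown" case).
    files["wp-includes/wp-cache.php"] = "<?php eval(gzinflate(base64_decode($_POST['c'])));\n"
    # Out-of-date plugin carrying an obfuscated loader; not in the manifest, so content-only.
    files["wp-content/plugins/ninja-forms/ninja-forms.php"] = (
        "<?php\n$f = \"\\x65\\x76\\x61\\x6c\";\n$f(base64_decode($_GET['x']));\n"
    )
    # Harmless unknown non-PHP file (like a Google verification file): never flagged.
    files["google1234.html"] = "google-site-verification: google1234.html\n"
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Build the constructed site in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_site(root, build_manifest(CLEAN_CORE))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The hash check is what makes step 3 verifiable rather than a blind overwrite: anything in `modified` or `unknown` under the core dirs is by definition not part of the package, so it is either an infection or debris to remove. The pattern scan is deliberately coarse (a legitimate plugin can call `base64_decode`), which is why a hit should be read as “open this file and look”, the same way the thread recommends expanding each item Defender reports.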

  • Jacques
    • WPMU DEV Initiate

    Hello Adam

    Thanks for the follow-up.

    Regarding the main threat (bitcoin miner), we just discovered that the NINJA FORMS used to collect incoming questions was out of date and infected. So after complete removal there’s no fake notification pop-up (so far).

    I’ll go through your process to clean up the site.

    One question: we already have the WPMU CDN active on the website; can we also add CloudFlare?

    Thx

    Jacques

  • Adam Czajczyk
    • Support Gorilla

    Hi Jacques

    Thanks for letting me know that you identified the main source of infection. It’s, unfortunately, quite common that some out-of-date plugin is the “gate” through which malicious code gets in. That’s why it’s so important to keep everything up to date 🙂

    As for the CDN – yes, you can use CloudFlare with it. There are two CDNs available with our plugins – one in Hummingbird (the WPMU DEV CDN) and one in Smush – but they work in somewhat different ways. They are only used to store optimized JS/CSS assets in the case of the former and optimized images in the case of the latter.

    In a very simplified way, you could say that they work “under the hood” of the site, while CloudFlare works “in front of” the site. They can all be used together (though I would strongly recommend keeping the Rocket Loader tool in CloudFlare disabled if you are using Hummingbird’s Asset Optimization).

    Best regards,

    Adam
