I have cPanel and all my websites got infected with coinhive malware.
I searched through all files for the coinhive keyword, ran multiple scanners, and even bought cPanel antivirus. Ran a database search also.
I found a couple of malware files but nothing resolved it.
Here's the Sucuri scan - https://sitecheck.sucuri/results/appleservis.rs
Where can it be located? I think it's some base64 or eval function but can't find it.
Any help is appreciated!
asked Sep 7, 2019 at 12:24 by David

1 Answer
You need to look for unusual files on your server. And that means to look at all files, even though the datestamp might not be changed. Like the htaccess files, files with double extensions, all index.* files.
Look at them with an editor that wraps long lines. Some malware likes to put lots of extra spaces on one line so that a quick look via an editor doesn't see the bad code.
Look for folder names that shouldn't be there. Like "sgi", which was an indicator on one site I had to clean up.
Look for any file with encoded data strings. Those are probably bad. Since it is your site, you should be familiar with what the 'good' files are. But look inside all files with an editor that wraps text.
And change all credentials to everything: users, FTP, email, databases, etc. Strong passwords, of course. Reinstall all code files (WordPress, plugins, themes) from known good sources.
And if you have multiple domains on your hosting account, look through them all, not just the domain that you think got attacked. If they attacked you through the main site, then all subdomains (add-on domains) are probably hacked also. (That happened on a site I had to clean up - not just the main domain, but all add-on domains had similar hacked files.)
Good luck.
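The checks listed in the answer above can be scripted as a first pass before the manual review. This is an added example, not part of the original answer: the regexes, thresholds and function names are assumptions, and every hit is a lead for inspection by hand rather than a verdict.

```python
import os
import re
import sys

# Patterns and thresholds are assumptions chosen for illustration; tune per site.
PADDING = re.compile(r"[ \t]{200,}\S")            # code pushed off-screen by spaces
BLOB = re.compile(r"[A-Za-z0-9+/]{300,}={0,2}")   # base64-looking data string
DECODER = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|atob)\s*\(", re.I)
DOUBLE_EXT = re.compile(
    r"\.(jpe?g|png|gif|ico|txt|pdf)\.(php\d?|phtml)$|\.(php\d?|phtml)\.\w+$", re.I)
SCANNED = (".php", ".phtml", ".inc", ".js", ".html", ".htm", ".htaccess")
ODD_DIRS = {"sgi"}  # folder name mentioned in the answer; extend per site


def scan_file(path):
    """Return the reasons a file needs a manual look (empty list if none)."""
    name = os.path.basename(path).lower()
    reasons = ["double extension"] if DOUBLE_EXT.search(name) else []
    if not name.endswith(SCANNED):
        return reasons
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if PADDING.search(line):
                reasons.append(f"line {no}: content after long whitespace run")
            if BLOB.search(line):
                reasons.append(f"line {no}: encoded data string")
            if DECODER.search(line):
                reasons.append(f"line {no}: decoder/eval call")
    return reasons


def scan_tree(root):
    """Walk every file under root, ignoring timestamps; map path -> reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in ODD_DIRS:
                findings[os.path.join(dirpath, d)] = ["unexpected folder name"]
        for f in filenames:
            reasons = scan_file(os.path.join(dirpath, f))
            if reasons:
                findings[os.path.join(dirpath, f)] = reasons
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(reasons))
```

Point it at the account's home directory rather than a single document root so that add-on domains are covered in the same run. Legitimate code also calls `eval` or embeds long encoded strings, so compare flagged files against a known good copy before deleting anything.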