How to clear/remove CryptoPHP PHP malware

CryptoPHP is the name the researchers have given to the malware that’s delivered with the compromised components, and the backdoor has a number of capabilities. It carries with it several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions.

Fox IT has a very in-depth whitepaper available https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

From Last few days Abuseat/CBL have suddenly built this into their database. Now they are blocking server IP which contains CryptoPHP malware.

Need professional security scan and CryptoPHP malware removal Service? We can do for $30/one time. Contact our sales team for detaitls.

How to detect and clean/remove CryptoPHP malware?

It seems attacker is injecting malware using social.png file.

Here is a simple command that can really find all such files and print first 80 characters from this file just to confirm it’s content

find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print

You need to delete those files and examine such user account, Because just deleting this file will not actually solve anything.

Also you can run following command

find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt

This will check all png files, you can expand it to check all jpg and gif files as well. The output will contain a list of files that are actually php scripts.

Also I’d suggest to run maldet or clamav scan on your server to find out the CryptoPHP PHP malware.

Make sure to update both clamav and maldet prior to scanning.

freshclam
maldet -u

Now submit IP removal request on CBL.

10 thoughts on “How to clear/remove CryptoPHP PHP malware”

  1. Hi,

    I got one of these on one of my WP sites.
    There is suprisingly little info on how to decontaminate the CryptoPHP SEO, all the posts are just getting excited about it. Your site is the first one that actually has any concrete info.
    Thank you for this.

    Question though. If the malware spreads through a compromised plug-in. Will this cleanup algorithm also close the back door in the module, or just remove symptoms?

    Reply
  2. Is it a custom clamav db that detects this? as my clamscan is not detecting it even with the unofficial signature databases.

    Of course I can manually detect via the find command but I want clamscan able to pick it up so I can block it on ftp upload so it doesnt get on the server in the first place.

    Reply
  3. This seems to be a big issue. Our servers are been blocked by CBL every week. And now we have been denied delisting for 48 hours. The last time we used a trial version of pyxsoft which helped and our IP was delisted. However after the trial ended we’re again listed in the Blacklist.

    Pyxsoft costs $100/year which I think is costly, however seeing the complaints porting from clients I believe will have to purchase the license,, Any other suggestion before I purchase this ??

    Reply
  4. I was infected on one of my testsites. I have deleted that testsite from the server along with the associated database. Should I be worried about other sites on the same server, does Crypto have the ability to infect those other sites?

    Sorry if that sounds stupid but I am clueless about these things…

    Reply

Leave a Comment