CryptoPHP is the name the Fox IT researchers gave to the backdoor that is delivered with the compromised components (the themes and plugins described below). It carries several hardcoded domains for command-and-control communications and uses RSA encryption to protect its traffic to the C2 servers. Some versions also have a backup channel over email in case the C2 domains are taken down. The CryptoPHP backdoor can update itself, inject content into the compromised sites it sits on and perform several other functions.
Fox IT has a very in-depth whitepaper available at https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as black-hat SEO. The backdoor is a well-developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:
- Integration into popular content management systems like WordPress, Drupal and Joomla
- Public key encryption for communication between the compromised server and the command and control (C2) server
- An extensive infrastructure in terms of C2 domains and IPs
- Backup mechanisms in place against C2 domain takedowns in the form of email communication
- Manual control of the backdoor besides the C2 communication
- Remote updating of the list of C2 servers
- Ability to update itself
Over the last few days Abuseat/CBL have added CryptoPHP to their database and are now listing the IPs of servers that host CryptoPHP-infected sites.
Need a professional security scan and CryptoPHP malware removal service? We can do it for $30, one time. Contact our sales team for details.
How to detect and clean/remove CryptoPHP malware?
The backdoor arrives as a file named social.png (sometimes with a suffix, e.g. social1.png). It is not an image at all but a PHP script, and the compromised theme or plugin pulls it in with a PHP include so that the "image" runs as code.
Here is a simple command that finds all such files under /home and prints the string php plus up to 80 characters that follow it, just to confirm the content. The -print only fires for files where grep found a match, so the path is printed after the matching snippet:
find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print
You need to delete those files, but also examine the affected user account: the theme or plugin that includes social.png is still there, so deleting the file alone does not solve anything. Find the component that references it, remove or replace it, and check the account for other changes.
You can also run the following command:
find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt
This checks every .png file under /home (following symlinks) with file(1) and keeps only those identified as PHP scripts, writing the list to /root/crypto.txt. Extend the -name test to cover .jpg and .gif files as well, since the same trick works with any image extension.
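The two find commands above rely on the file name or on file(1). As an added example (not code from the original post or from Fox IT), the POSIX shell script below generalizes the check: it walks a directory for .png/.jpg/.jpeg/.gif files, reads the first four bytes of each, flags any file whose magic bytes do not match the format its extension claims, and confirms the hit by looking for a PHP open tag in the first 2 KiB. The magic-byte table is the standard one for those formats; the function names and the /home default are assumptions, and the sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example: find PHP scripts masquerading as image files (the CryptoPHP
# social.png trick) by comparing magic bytes against the extension.
# Usage: sh scan_images.sh /home   (or source it and call scan_dir DIR)

# magic_hex FILE: first 4 bytes of FILE as lowercase hex, no separators
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# expected_magic EXT: hex prefix a genuine file with that extension starts with
expected_magic() {
    case "$1" in
        png)      echo 89504e47 ;;   # \x89 P N G
        jpg|jpeg) echo ffd8ff ;;     # JPEG SOI marker followed by a segment marker
        gif)      echo 474946 ;;     # "GIF" (GIF87a / GIF89a)
        *)        echo "" ;;         # not an image extension we know
    esac
}

# check_image FILE: return 0 if FILE is a PHP script hiding behind an image
# extension, 1 if it looks like a real image (or is not an image extension).
check_image() {
    path=$1
    ext=$(printf '%s' "$path" | sed 's/.*\.//' | tr '[:upper:]' '[:lower:]')
    want=$(expected_magic "$ext")
    [ -n "$want" ] || return 1
    got=$(magic_hex "$path")
    case "$got" in
        "$want"*) return 1 ;;        # magic matches the extension: real image
    esac
    # Wrong magic for the claimed format; confirm it is PHP rather than just
    # a corrupt image by looking for an open tag near the start of the file.
    if head -c 2048 "$path" | grep -aq -e '<?php' -e '<?='; then
        return 0
    fi
    return 1
}

# scan_dir DIR: print the path of every masquerading file under DIR, one per line
scan_dir() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' \
                      -o -iname '*.jpeg' -o -iname '*.gif' \) -print |
    while IFS= read -r f; do
        if check_image "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# When run as a script, scan the directory given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

A real social.png from this campaign fails the PNG magic check (it starts with the PHP open tag, not with \x89PNG), so it is reported; a genuine image with the right magic is skipped even if it happens to contain the text "php" somewhere in its pixel data, which the grep-only command above would flag. Files reported here still need the follow-up described above: locate the theme or plugin that includes them, not just the file.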
I'd also suggest running a maldet (Linux Malware Detect) or ClamAV scan on the server to find any remaining CryptoPHP files.
Make sure to update both the ClamAV and the maldet signatures before scanning:
freshclam
maldet -u
Once the server is clean, submit an IP removal request at CBL.
Hi,
I got one of these on one of my WP sites.
There is surprisingly little info on how to decontaminate the CryptoPHP SEO; all the posts are just getting excited about it. Your site is the first one that actually has any concrete info.
Thank you for this.
Question though. If the malware spreads through a compromised plug-in, will this cleanup algorithm also close the back door in the module, or just remove the symptoms?
You need to run a maldet scan to remove the backdoor completely.
Is it a custom clamav db that detects this? My clamscan is not detecting it, even with the unofficial signature databases.
Of course I can detect it manually via the find command, but I want clamscan to be able to pick it up so I can block it on FTP upload, so it doesn't get onto the server in the first place.
I didn't check using a custom clamav db, so I can't confirm. You need to use the official signatures.
I've been running maldet for some time now, and it never picked it up. Is it supposed to?
Did you update maldet before starting the scan?
Hi
Thank you. How can we make a cron job to scan daily and send the report by mail? Is that possible?
Regards
This seems to be a big issue. Our servers are being blocked by CBL every week, and now we have been denied delisting for 48 hours. The last time we used a trial version of pyxsoft, which helped, and our IP was delisted. However, after the trial ended we're listed in the blacklist again.
Pyxsoft costs $100/year, which I think is costly; however, seeing the complaints pouring in from clients, I believe I will have to purchase the license. Any other suggestion before I purchase this?
You can try ConfigServer eXploit Scanner (cxs)
I was infected on one of my test sites. I have deleted that test site from the server along with the associated database. Should I be worried about other sites on the same server? Does Crypto have the ability to infect those other sites?
Sorry if that sounds stupid but I am clueless about these things…