What is CryptoPHP
CryptoPHP is a dangerous threat named by the Fox-IT’s security research team who detected it for the first time in the year of 2013. (Read recent news about cryptophp). According to them the threat uses the backdoor themes and plug-ins which uses in the CMS (content management system) to attack the web servers. This is so because today many of the web administrators are using CMS rather than the raw HTML for building their websites. The popular CMS like Word press, Joomla and Drupal are under the attack as they are using the pirated themes and plug-ins on their websites. Once if you have installed these backdoor malicious themes and plug-ins on your website, the malware can be controlled by the attackers by manually or via command and control (CC) and email communications. From there on-wards they will use your website for illegal search optimization, which is known as Blackhat SEO.
Recommend Post:-How To Detect And Remove WireLurker Malware From iPhone, iPadCryptoPHP carries several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions. Fox IT has a very in-depth whitepaper available Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:
*. Integration into popular content management systems like WordPress, Drupal and Joomla.
*. Public key encryption for communication between the compromised server and the command and control (C2) server.
*. An extensive infrastructure in terms of C2 domains and IP’s.
*. Backup mechanisms in place against C2 domain takedowns in the form of email communication.
*. Manual control of the backdoor besides the C2 communication.
*. Remote updating of the list of C2 servers.
*. Ability to update itself.
From Last few days Abuseat/CBL have suddenly built this into their database. Now they are blocking server IP which contains CryptoPHP PHP malware.
How to Detect and Clean CryptoPHP PHP Malware
It seems attacker is injecting malware using social.png file. Here is a simple command that can really find all such files and print first 80 characters from this file just to confirm it’s content.
find/home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print
You need to delete those files and examine such user account, Because just deleting this file will not actually solve anything. Also you can run following command.
find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt
This will check all png files, you can expand it to check all jpg and gif files as well. The output will contain a list of files that are actually php scripts.
Also I’d suggest to run maldet or clamav scan on your server to find out the CryptoPHP PHP malware. Make sure to update both clamav and maldet prior to scanning.freshclam
maldet -u
Also submit IP removal request on CBL.
Important Tips:
*. Do not install web templates/themes from unknown website.
*. Before file installation, scan the whole document on well known website scanners like VirusTotal, Metascan Online and so on.
*. If you are a web developer, expand the whole file and look for unknown coding/characters. If unknown codes found, remove them in order to hit the code maker.
Love this article?Share it with your friends on Facebook