

jominj

  • Guest
CryptoPHP Attack: A new security threat to CMS sites
« on: November 30, 2014, 05:34:54 am »

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal plugins or themes to compromise servers. After being installed on a webserver, the backdoor has several options for being controlled, which include command and control server communication, mail communication as well as manual control.

Last week we had a customer whose server IP was periodically blacklisted. He was in trouble because his IP was being blacklisted several times after delisting. He was unable to find a proper reason for this. CBL reported that his IP was blacklisted due to CryptoPHP. Several spam mails were being sent from his IP address at intervals. We were able to help him by finding the infected files.

How to find the CryptoPHP infected files

We have different methods to find the infected files. The idea behind this is to find a file called social.png which is widely used by the attackers. From the extension this should be an image file. If it is infected by CryptoPHP it will be a PHP file. So he is the culprit (hiding his identity).

1. We can use the find command to search for the infected file.
Code:
find -L / -type f -name 'social.png' -exec file {} +
If you find something like 'social.png: PHP script text', he is the culprit. The web account containing this file is infected. Using the find command will have some delay.

2. We can use the locate command to find the infected file. This is a little bit faster than the find command.
Code:
for r in `locate social | grep png`; do file $r; done | grep PHP
Files returned by this command are infected, and so are the web accounts containing the files.

3. Using Linux Malware Detect: Yes, Malware Detect is able to detect the CryptoPHP infected files. Please make sure that you update maldet before initiating the scan. This process will be very slow, as every file definition and signature will be checked against the malware database. So we recommend using method 1 or method 2 and then scanning the account that contains the infected files.

For cPanel servers use : http://admin-ahead.com/cPanel-Plugins/admin-ahead-linux-malware-detect-cpanel-whm-plugin.html

For Plesk servers use: http://admin-ahead.com/plesk-extensions/Admin-Ahead-Linux-Malware-Detect-Manager.html

How to clean these CryptoPHP infected files
Simply removing the infected files is not advised. There will be a plugin or theme that uses this file and may recreate the file.
Quote
CryptoPHP inserts extra administrator accounts as well as configuration data into the CMS database. It has also been found that CryptoPHP can steal user credentials by injecting malicious JavaScript into the CMS login pages.
It is not as simple as we think. Malware Detect is able to clean the infected files. To make a complete cleanup, you have to wipe the account that contains the infected files and then rebuild it from scratch using new credentials.

Source: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
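The detection idea in methods 1 and 2 above is an extension mismatch: a file named like an image that is really a PHP script. The script below is an added example and is not part of the original post; it generalizes the check from the single name social.png to any file with an image extension whose first bytes contain a PHP open tag, so it does not depend on the `file` utility being installed. The directory layout, file names and contents it creates are constructed for the demonstration and stand in for a real web root.

```shell
#!/bin/sh
# Added example (not from the original post): list files whose name says "image"
# but whose content begins like a PHP script, the same mismatch the post's
# `file` check relies on. Uses only find/head/grep so it runs without `file`.
# All paths and sample contents below are constructed for demonstration.

# Print every file under $1 with an image extension whose first 512 bytes
# contain a PHP open tag, one path per line.
find_php_disguised_as_images() {
    root="$1"
    find -L "$root" -type f \
        \( -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) \
        -print 2>/dev/null | while IFS= read -r f; do
        if head -c 512 "$f" | grep -q '<?php'; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree: one real PNG (magic bytes only), one normal
# plugin PHP file, and one "social.png" that is actually PHP, as the post describes.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/plugins/demo/images" "$dir/static"
    printf '\211PNG\r\n\032\n' > "$dir/static/logo.png"
    printf '<?php echo "normal plugin code"; ?>\n' > "$dir/wp-content/plugins/demo/plugin.php"
    printf '<?php /* constructed stand-in for a disguised script */ echo "x"; ?>\n' \
        > "$dir/wp-content/plugins/demo/images/social.png"
    printf '%s\n' "$dir"
}

# Number of suspicious files under $1 (convenience wrapper for scripting).
count_suspicious() {
    find_php_disguised_as_images "$1" | wc -l | tr -d ' '
}

# Run with --demo to scan the constructed tree; the real use is
# find_php_disguised_as_images /home (or the web root of one account).
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    echo "Suspicious image-named files under $sample:"
    find_php_disguised_as_images "$sample"
    rm -rf "$sample"
fi
```

On the constructed tree only the disguised social.png is reported; logo.png (real PNG header) and plugin.php (PHP, but not pretending to be an image) are not. The check is a heuristic: confirm each hit with `file` as the post does before treating the account as infected, since the hits only tell you which accounts to scan and rebuild, not that the rest of the account is clean.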