CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

Once installed on a webserver, the backdoor can be controlled in several ways: through command-and-control server communication, through e-mail, or manually.

(Reference: cryptophp-whitepaper-foxsrt-v4, the Fox-IT whitepaper on CryptoPHP.)
How To Detect And Clean CryptoPHP Malware?

Antivirus tools such as ClamAV and maldet (Linux Malware Detect) can help find this embedded malware, rather than relying on the find command or something similar.

But make sure to update both ClamAV and maldet before scanning:

freshclam
maldet -d
maldet -u

Here is a find command that can really find all such files and print the string "php" plus the 80 characters that follow it from each file, just to confirm its content.

find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {}  \; -print


It is also important to examine the affected user account, and not just delete this file, because deleting the file alone will not actually solve anything.

You can also run another command:

find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /some/file

This checks all PNG files; you can expand it to check all JPG and GIF files as well. The output will be a list of files that are actually PHP scripts.
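The following script is an added example, not part of the original post, that generalises the two find commands above (the grep for "php" inside social*.png files and the file-based check for PNGs that are really PHP scripts). It walks a directory for files named like images (png, jpg and gif, as the post suggests expanding to), checks that each one really starts with the magic bytes its extension claims, and also greps for a PHP open tag, which additionally catches polyglot files that carry a valid image header in front of PHP code. The sample tree built by build_sample, the file names in it and the "bad-magic"/"php-tag" labels are constructed for this example; it needs only POSIX sh plus find, head, od, tr and grep, so it does not depend on the file(1) database.

```shell
#!/bin/sh
# Added example (not from the original post): scan image-named files for PHP payloads.
# Sample files and labels below are constructed for this example.

# First four bytes of a file as lowercase hex, e.g. 89504e47 for a PNG.
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeeds when the file's magic bytes agree with the extension in its name.
magic_matches_ext() {
    m=$(magic_hex "$1")
    case "$1" in
        *.png)        [ "$m" = "89504e47" ] ;;
        *.jpg|*.jpeg) case "$m" in ffd8ff*) true ;; *) false ;; esac ;;
        *.gif)        case "$m" in 47494638*) true ;; *) false ;; esac ;;
        *)            false ;;
    esac
}

# Succeeds when a PHP open tag (<?php or <?=) appears anywhere in the file.
# -a forces grep to treat binary data as text so image files are searched too.
contains_php_tag() {
    grep -q -a -E '<\?php|<\?=' "$1"
}

# Same idea as the post's grep -o 'php.{0,80}': show the first "php" and the
# up to 80 bytes after it so an analyst can eyeball what the file contains.
php_context() {
    grep -a -o -E 'php.{0,80}' "$1" | head -n 1
}

# Print one "path<TAB>reason" line per suspicious image-named file under $1.
# Reasons: bad-magic (header does not match extension), php-tag (PHP tag found).
scan_fake_images() {
    find "$1" -type f \( -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) |
    while read -r f; do
        reasons=""
        if ! magic_matches_ext "$f"; then
            reasons="bad-magic"
        fi
        if contains_php_tag "$f"; then
            reasons="${reasons:+$reasons,}php-tag"
        fi
        if [ -n "$reasons" ]; then
            printf '%s\t%s\n' "$f" "$reasons"
        fi
    done
}

# Number of suspicious files under $1 (handy for scripts and tests).
count_fake_images() {
    scan_fake_images "$1" | grep -c .
}

# Build a constructed sample tree under $1: two genuine images and two fakes.
build_sample() {
    mkdir -p "$1/themes/fake"
    # Genuine PNG signature (89 50 4E 47 0D 0A 1A 0A) and nothing else.
    printf '\211PNG\r\n\032\n' > "$1/real.png"
    # Genuine JPEG start-of-image marker.
    printf '\377\330\377\340' > "$1/photo.jpg"
    # A PHP script dropped under an image name, as the post describes.
    printf '<?php echo "constructed sample"; ?>\n' > "$1/themes/fake/social.png"
    # Polyglot: valid GIF header followed by PHP, which a magic-only check misses.
    printf 'GIF89a<?php echo "constructed polyglot"; ?>\n' > "$1/themes/fake/icon.gif"
}

# Usage: sh scan_fake_images.sh /home      scan a real tree
#        sh scan_fake_images.sh --demo     build the sample tree and scan it
case "${1:-}" in
    --demo) d=$(mktemp -d); build_sample "$d"; scan_fake_images "$d"; rm -rf "$d" ;;
    "")     ;;
    *)      scan_fake_images "$1" ;;
esac
```

Running it with --demo reports social.png as bad-magic,php-tag and icon.gif as php-tag only, while real.png and photo.jpg are silent. The two checks are deliberately independent: the magic-byte test is what file(1) would give you in the post's second command, and the tag grep is what the first command relies on; a file that fails either deserves the same follow-up the post calls for, examining the owning account rather than just deleting the file.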

Originally posted on May 9, 2015 @ 9:35 pm
