How to clear/remove CryptoPHP PHP malware from server

CryptoPHP is the name the researchers have given to the malware that’s delivered with the compromised components, and the backdoor has a number of capabilities. It carries with it several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions.

Fox IT has a very in-depth whitepaper available

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

From Last few days Abuseat/CBL have suddenly built this into their database. Now they are blocking server IP which contains CryptoPHP malware.

Need professional security scan and CryptoPHP malware removal Service? We can do for $30/one time. Contact our sales team for details.

How to detect and clean/remove CryptoPHP malware?

It seems attacker is injecting malware using social.png file.

Here is a simple command that can really find all such files and print first 80 characters from this file just to confirm it’s content

find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print

You need to delete those files and examine such user account, Because just deleting this file will not actually solve anything.

Also you can run following command

find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt

This will check all png files, you can expand it to check all jpg and gif files as well. The output will contain a list of files that are actually php scripts.

Also I’d suggest to run maldet or clamav scan on your server to find out the CryptoPHP PHP malware.

Make sure to update both clamav and maldet prior to scanning.

maldet -u

Now submit IP removal request on CBL.

Updated: August 25, 2015 — 3:49 pm

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright SolveHostBD © 2016, All Rights Reserved.