How to scan for CryptPHP
Hello,
I got a notification from mxtool that my IP has been added to a blacklist database.
The reason they give is:
The host at this IP address is infected with the CryptPHP
How can I scan to find which account has the problem?
I have the same issue - also looking for help to find the infected site. Info about CryptoPHP: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file. With multiple servers and hundreds of accounts, this process turned out to be very time-intensive. However, the most difficult part was to make the clients (especially resellers) understand the severity of the problem and that the removal of all files and databases is implicitly necessary. Most counterfeit plugins were installed several months ago, so backups were of course not available. I've sent the infected files to Maldet and requested Comodo to develop some WAF rules for this. Maybe someone knows how to get in touch directly with the Maldet developers so they add all MD5 hashes from the whitepaper to their signatures. We're now examining whether Snort IDS works properly on CentOS 6 + cPanel. This would seem a more effective solution in addition to Maldet.
> Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file. With multiple servers and hundreds of accounts, this process turned out to be very time-intensive.
Is it certain that if social.png exists on the server in that account we should look for the problem?
> Is it certain that if social.png exists on the server in that account we should look for the problem?
You should at least open the file in a text editor. If it's readable (by a human; I'm not talking about file permissions) and not just garbage (i.e. image data), then it's almost certainly malicious.
> Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file.
To note, here is an example of a command for this:
find /home -type f -name social.png
Thank you.
Install Pyxsoft Anti Malware & Security on WHM; it has a 7-day trial period. This will find CryptPHP and any other malware. I used it in trial mode with success.
> To note, here is an example of a command for this:
> find /home -type f -name social.png
> Thank you.
I ran this command and checked all social.png files, and all of them were pictures.
> I ran this command and checked all social.png files, and all of them were pictures.
Well, that's pretty obvious... Now you need to open all those images with a text editor (e.g. Notepad++) and see if there are any files that contain PHP code. If there are too many files, then you should scan your server with Pyxsoft, Maldet, ClamAV, etc. If you do find infected files, simply deleting them won't fix the problem. You should restore the respective account from a backup dated before the counterfeit plugin or theme was initially installed. Please read the full whitepaper https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf to understand the root cause and clean-up procedure.
maldet + clamav scanner should detect CryptoPHP malware :)
Here is a script for CryptPHP scanning; please try this now.
cd /usr/local/src
wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
chmod +x check_filesystem.py
./check_filesystem.py /home
> Here is a script for CryptPHP scanning; please try this now.
> cd /usr/local/src
> wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
> chmod +x check_filesystem.py
> ./check_filesystem.py /home
Thank you, that is extremely useful. The infections from this are quite deep; removing the known bad files and admin users still isn't enough most of the time. I've seen servers get re-listed at the CBL until the offending CMS was entirely removed and re-installed.
Try this command:
find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; | grep "PHP script"
Configserver's CXS also will scan for this. I've found it very useful.
The find command will take time as well as cause high load on the server. I used the command below, and I think it is the easiest way to catch CryptPHP. To find infected files:
locate -0 '*.png' | xargs -0 grep -l 'error_reporting'
Alter the command and change the file extension if you wish. If you wish to find and delete infected files in one go, then use the command below:
locate -0 '*.png' | xargs -0 grep -lZ 'error_reporting' | xargs -0 rm -rfv
I recommend scanning infected accounts again with clamscan or maldet.
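The replies above describe the same check in three manual forms (open each social.png in an editor, run `file` and grep for "PHP script", or grep image files for `error_reporting`). As an added example that is not a command posted in this thread and not the Fox-IT script, the POSIX shell script below automates that check in one pass: it walks a tree, reports image-named files whose first bytes are not the magic for their extension or that contain PHP, and can also match MD5 hashes against a list. It assumes GNU coreutils (find, head, od, md5sum, grep). `KNOWN_BAD_MD5_FILE` is a placeholder for a file of one hash per line, such as the hashes from the whitepaper; it is left empty here. The script only reports; it deletes nothing, since the thread's advice is to restore from a backup rather than just remove files.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils
# (find, head, od, md5sum, grep). Reports suspicious image-named files;
# it never deletes anything.

# Optional list of known-bad MD5 hashes, one per line (placeholder: empty).
KNOWN_BAD_MD5_FILE="${KNOWN_BAD_MD5_FILE:-}"

# Return 0 if the file's first bytes match the magic expected for its extension.
has_image_magic() {
  f="$1"
  ext=$(printf '%s' "${f##*.}" | tr 'A-Z' 'a-z')
  magic=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
  case "$ext:$magic" in
    png:89504e470d0a1a0a*)        return 0 ;;   # \x89PNG\r\n\x1a\n
    jpg:ffd8ff*|jpeg:ffd8ff*)     return 0 ;;   # JPEG SOI marker
    gif:474946383[79]61*)         return 0 ;;   # GIF87a / GIF89a
    bmp:424d*)                    return 0 ;;   # "BM"
    *)                            return 1 ;;
  esac
}

# Classify one file. Prints "reason<TAB>md5<TAB>path" when suspicious.
classify_file() {
  f="$1"
  reason=""
  md5=$(md5sum "$f" | cut -d' ' -f1)
  if [ -n "$KNOWN_BAD_MD5_FILE" ] && [ -r "$KNOWN_BAD_MD5_FILE" ] \
     && grep -qixF "$md5" "$KNOWN_BAD_MD5_FILE"; then
    reason="known-hash"
  elif grep -aqE '<\?php|error_reporting[[:space:]]*\(' "$f"; then
    reason="php-code"      # image file carrying PHP source
  elif ! has_image_magic "$f"; then
    reason="bad-magic"     # image extension, non-image content
  fi
  [ -n "$reason" ] && printf '%s\t%s\t%s\n' "$reason" "$md5" "$f"
  return 0
}

# Walk a tree (e.g. /home or /home/*/public_html) and report suspicious files.
# Filenames containing newlines are not handled by this loop.
scan_fake_images() {
  root="$1"
  find "$root" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
                          -o -iname '*.gif' -o -iname '*.bmp' \) -print |
  while IFS= read -r f; do
    classify_file "$f"
  done
}

# Usage: scan_fake_images /home > suspicious.tsv
```

Review the `php-code` and `known-hash` lines first; `bad-magic` hits include harmless mislabelled files, so open those in an editor as the thread suggests before acting on them.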
Hello, this command is working fine on CentOS 6:
find /home/*/public_html -type f -name social.png -exec md5sum {} \;
and this also:
cd /usr/local/src
wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
chmod +x check_filesystem.py
./check_filesystem.py /home/*/public_html