
How to scan for CryptPHP

Comments

15 comments

  • zye
    I have the same issue - also looking for help to find the infected site. Infos about CryptoPHP: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
    0
  • MH-Stefan
    Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file. With multiple servers and hundreds of accounts, this process turned out to be very time-intensive. However, the most difficult part was to make the clients (especially resellers) understand the severity of the problem and that the removal of all files and databases is implicitly necessary. Most counterfeit plugins were installed several months ago, so backups were of course not available. I've sent the infected files to Maldet and requested Comodo to develop some WAF rules for this. Maybe someone knows how to get in touch directly with the Maldet developers so they add all MD5 hashes from the whitepaper to their signatures. We're now examining if Snort IDS works properly on CentOS 6 + cPanel. This would seem a more effective solution in addition to Maldet.
    0
  • gadalf
    ]Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file. With multiple servers and hundreds of accounts, this process turned out to be very time-intensive.

    Is it sure that if social.png exists on the server in that account we should look for the problem?
    0
  • quizknows
    ]Is it sure that if social.png exists on the server in that account we should look for the problem?

    You should at least open the file in a text editor. If it's readable (by a human, not talking file permissions) and not just garbage (i.e. image data) then it's almost certainly malicious.
    0
  • cPanelMichael
    ]Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file.

    To note, here is an example of a command for this:
    find /home -type f -name social.png
    Thank you.
    0
  • hostilis.com
    Install Pyxsoft Anti Malware & Security on WHM; it has a 7-day trial period. This will find CryptPHP and any other malware. I used it in trial mode with success.
    0
  • gadalf
    ]To note, here is an example of a command for this:
    find /home -type f -name social.png
    Thank you.

    I ran this command and checked all social.png files, and all of them were pictures.
    0
  • MH-Stefan
    ]I ran this command and checked all social.png files, and all of them were pictures.

    Well, that's pretty obvious... Now you need to open all those images with a text editor (e.g. Notepad++) and see if there are any files that contain PHP code. If there are too many files, then you should scan your server with Pyxsoft, Maldet, ClamAV, etc. If you do find infected files, simply deleting them won't fix the problem. You should restore the respective account from a backup dated before the counterfeit plugin or theme was initially installed. Please read the full whitepaper https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf to understand the root cause and clean-up procedure.
    0
  • eva2000
    maldet + clamav scanner should detect cryptophp malware :)
    0
  • 24x7server
    Here is a script for CryptPHP scanning; please try it now:
    cd /usr/local/src
    wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
    chmod +x check_filesystem.py
    ./check_filesystem.py /home
    0
  • quizknows
    ]Here is a script for CryptPHP scanning; please try it now:
    cd /usr/local/src
    wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
    chmod +x check_filesystem.py
    ./check_filesystem.py /home

    Thank you, that is extremely useful. The infections from this are quite deep; removing the known bad files and admin users still isn't enough most of the time. I've seen servers get re-listed at the CBL until the offending CMS was entirely removed and re-installed.
    0
  • iserversupport
    Try this command:
    find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; | grep "PHP script"
    0
  • Serra
    Configserver's CXS also will scan for this. I've found it very useful.
    0
  • JasMax
    The find command will take time and also cause high load on the server. I used the command below, and I think it is the easiest way to catch CryptPHP. To find infected files:
    locate -0 '*.png' | xargs -0 grep -l 'error_reporting'
    Alter the command and change the file extension if you wish. If you wish to find and delete infected files in one go, then use the command below:
    locate -0 '*.png' | xargs -0 grep -lZ 'error_reporting' | xargs -0 rm -rfv
    I recommend scanning infected accounts again with clamscan or maldet.
    0
  • kamall
    Hello, this command is working fine on CentOS 6:
    find /home/*/public_html -type f -name social.png -exec md5sum {} \;
    and this also:
    cd /usr/local/src
    wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
    chmod +x check_filesystem.py
    ./check_filesystem.py /home/*/public_html
    0
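Added example, not code from any poster on this page: a POSIX shell script that does mechanically what the thread describes by hand. It combines quizknows' "is it readable text or image data?" check (a magic-number test), the image-extension sweep from iserversupport and JasMax (but matching on a PHP open tag rather than a single function name), and kamall's md5sum per hit so results can be compared against a hash list. The function names `is_real_image`, `scan_fake_images` and `make_sample_tree`, the sample paths and the file contents are all constructed for this demo; the tree is built under mktemp so the script runs offline. It only reports, it never deletes.

```shell
#!/bin/sh
# Added example, not from any poster on this page. Reports image-named files
# that contain PHP, plus their md5sums, and never deletes anything.

# is_real_image FILE
#   Exit 0 when FILE starts with a PNG, JPEG or GIF magic number, 1 otherwise.
#   This is the "open it in a text editor" check done mechanically.
is_real_image() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        89504e47|ffd8ff*|47494638) return 0 ;;   # PNG, JPEG, GIF
        *) return 1 ;;
    esac
}

# scan_fake_images DIR
#   Print "md5sum  path" for each file under DIR with an image extension whose
#   bytes contain a PHP open tag. Output only; removal is a separate decision
#   (the thread recommends restoring from a pre-infection backup).
scan_fake_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
                          -o -iname '*.gif' -o -iname '*.bmp' \) -print0 \
      | xargs -0 grep -l -E '<\?php|<\?=' -- 2>/dev/null \
      | while IFS= read -r f; do md5sum "$f"; done
}

# make_sample_tree
#   Build a constructed directory tree (prints its path): one genuine PNG
#   header, one PHP text file wearing the social.png name, and one plain text
#   file named .jpg that must not be flagged.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site_a/wp-content/plugins/ok" "$d/site_b/wp-content/themes/fake"
    # constructed: real PNG signature bytes, truncated image
    printf '\211PNG\r\n\032\n' > "$d/site_a/wp-content/plugins/ok/social.png"
    # constructed: text with a PHP open tag, not real malware
    printf '<?php error_reporting(0); /* constructed sample */\n' \
        > "$d/site_b/wp-content/themes/fake/social.png"
    # constructed: readable text but no PHP tag
    printf 'plain text, no php tag\n' > "$d/site_b/notes.jpg"
    printf '%s\n' "$d"
}

# Stand-alone usage: scan the path given as $1, or the constructed tree.
if [ -n "$1" ]; then
    scan_fake_images "$1"
else
    tree=$(make_sample_tree)
    scan_fake_images "$tree"
    rm -rf "$tree"
fi
```

On the constructed tree the scan prints exactly one line, the hash and path of the PHP file named social.png; the genuine PNG and the plain-text .jpg are not reported. Run it against `/home` (or `/home/*/public_html`) to get a hit list to review, then decide on restore or removal per account.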
