How to remove CryptoPHP malware – Scan Now
- Category : Linux Helpline (Easy Guide)
- Posted on : Mar 26, 2019
- Views : 1,599
- By : Hagen V.
What is CryptoPHP?
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
This malware can be controled via a remote server or email. This is a well written piece of code, it can have ,
Auto integrate into most of the CMS like joomla, wordpress , drupal ,etc,.
It is encrypted key based communication between the affected server and control server
Backup and failover mechanisam incase of shut down
Remote manual management , auto update ,etc,.
Thousands of servers and websites affected by this malware. Our clients servers with proactive management are already scanned and protected from this threat . It looks like the inspection limit is increasing.
If you have some shell experience , please use the following methods for identifying the malware
1) Quick check for social*.png files ,
find /home/ -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} ; -print
if you see any files from the above result , then you must delete those files immediately,
2) Check all png file ,
find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt
Now check all the files listed in /root/cryptoinfected.txt and remove it
3) Check all other files,
You must need to check all other files too , because it is not only infected by png fines and jpeg files,
4) Use clamav or maldetect,
You may please update your clamav database and maldetect database . After that run a scan , this will detect the mallware
freshclam maldetect -U
EDIT : Further investigation found that this malware seems to be attached via email attachments too, so you may need to scan the server email accounts too.
Categories
Subscribe Now
10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!Archive Calendar
Sat | Sun | Mon | Tue | Wed | Thu | Fri |
---|---|---|---|---|---|---|
1 | ||||||
2 | 3 | 4 | 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 | 13 | 14 | 15 |
16 | 17 | 18 | 19 | 20 | 21 | 22 |
23 | 24 | 25 | 26 | 27 | 28 | 29 |
30 |
Recent Articles
-
Posted on : Jul 25
-
Posted on : Jul 07
-
Posted on : Apr 07
-
Posted on : Mar 19
Optimized my.cnf configuration for MySQL 8 (on cPanel/WHM servers)
Tags
- layer 7
- tweak
- kill
- process
- sql
- Knowledge
- vpn
- seo vpn
- wireguard
- webmail
- ddos mitigation
- attack
- ddos
- DMARC
- server load
- Development
- nginx
- php-fpm
- cheap vpn
- Hosting Security
- xampp
- Plesk
- cpulimit
- VPS Hosting
- smtp
- smtp relay
- exim
- Comparison
- cpu
- WHM
- mariadb
- encryption
- sysstat
- optimize
- Link Building
- apache
- centos
- Small Business
- VPS
- Error
- SSD Hosting
- Networking
- optimization
- DNS
- mysql
- ubuntu
- Linux