CryptoPHP: Analysis of a hidden threat inside popular content management systems

33 thoughts on “CryptoPHP: Analysis of a hidden threat inside popular content management systems”

1. Please try and run the command below:
   find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; | grep “PHP script”

   It should find all CryptoPHP files. Let me know if it worked.

2. Would the hosting company be responsible for protecting against, cleaning out infections or the client who rents hosting from the company?

3. But since I only obtained themes and plugins from my server host, except for buts of code I wrote myself, how can I account for contracting it on my server. It seems unlikely a large and reputable host would purchase pirated versions for redistribution.

4. i`m sorry, can you explain this ?

5. Script check_url.py is not finding anything on the server and we are still getting blacklisted.

   Any ideas? maybe social.png is not social.png anymore?

6. check_url.py does not find anything on the server and I still getting blacklisted.

   Any ideas?

7. It was mentioned above that it was simply not enough to delete the file. That you needed to removed the installed CMS. Can someone comment whether this is the still the recommendation?

8. Just a note: we have found in one case the social.png backdoor directly in a joomla folder. The include of the backdoor was right into the index of the Joomla installation (at the bottom, after the closing PHP endtag). Don’t know how it appeared there though.

9. Hi Erik,

   We’ve just published an update with statistics as well as tools to scan locally as well as remotely for CryptoPHP. A plug-in for WordPress that detects CryptoPHP amongst others is already available, its called ‘WordFence’.

   Thanks for your comment!

10. Hi Bert,

    It is most likely that the website owner has installed multiple backdoored plug-ins and themes. Every one of these will be an active CryptoPHP backdoor.

11. Hi Caio,

    We do not advise you to block the sinkhole IP’s. This does stop you from being listed on Spamhaus and its CBL but the CryptoPHP infection’s are still there!

12. I am a technical guy at webhostinglahore.com, one of our deducated server get victimized by this malware, i just ran this command

    for r in `locate social | grep png`; do file $r; done | grep PHP

    Found 6 culprit websites with social.png as PHP script text despite images, simply removed those files and things are now under control.

    one may also check replacing png with jpg or other image formats.

13. Apologies I meant this one worked for me. As Andrei says, some malicious scripts had double extensions. So this command worked well in csh on FreeBSD

    find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; |grep “PHP script text”

14. This command worked for me. I identified the compromised site on our shared webhost.

15. how can i find the website that make this issue ???

    i have many server and i want to know that ?

16. I was having this same problem in several shared servers with more than 2,000 sites in each. to the solution realized the lock on the firewall of IPs below.

    192.42.116.41
    192.42.119.41

17. We also have a server with 100 sites. We have found multiple domains that have social.png on them. One has it 4 times in different directories. Can this travel within the server?

18. I have a solution this issue

19. contact me at khurram at ehostpk dot com

20. Well, it was an example. Anyone cand tweak it in any way that suits his or her needs. In my case, I was only interested in this result, hence the grep:

    /user/public_html/wp-content/themes/themename/images/file.png: PHP script text

    As I said before, I used this because there are other image extension files that have PHP malware code inside them.

21. I understand the find and grep commands. I was asking why are you using this particular string to grep for: “PHP script”. I guess it was just an example and we need to find ourselves some relevant string to grep for.

22. Hello,
    No problem. Let me try to explain, as this is actually a command line command, if that makes any sense. This is the first part before the pipeline:

    find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \;

    This finds all the .jpg, .png, .jpeg etc. extension files and executes the “file” command on each file found in the search. On a normal .png file, the result would be:

    /path/to/file/file.png : PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced

    But in our case with the CryptoPHP malware, the entry for social.png file would look something like this:

    /path/to/infected/file/social.png: PHP script text

    As a conclusion, the “grep” command lists only the PHP scripts found in the results of the “find” + “file” commands. My point was that if you’re trying to find social.png files that are malware, you should also look for other files that are PHP malware scripts inserted into image (.jpg, .png etc.).

    Please let me know if there is anything that’s not clear enough.

23. Thanks for the tip but why are you grepping for the string “PHP script”? Have you found this particular string in the hidden malware?

24. Hello,
    I have found image or picture files with multiple extensions other than the “social.png” that don’t necessarily have something to do with CryptoPHP malware, but nevertheless contain PHP malware code inside. If either way you’re doing a scan to find the malware code, then I suggest using the find + extensions + grep, like so:
    find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; | grep “PHP script”
    It’s not optimized or made in a script, but it gets the job done and finds other files named differently that are infected. If someone else has some improvements on the command, please post it.

25. First of all: a big thumbs up for your excellent and thorough analysis of this new backdoor. I am currently writing a blogpost for my website to inform WordPress users about this threat and to advise them how to behave regarding themes and plugins with regards to this new threat. This may likely not be the last instance of this social engineering technique we will see, so what I am trying to do is make normal users aware of some do’s and don’ts when installing themes and plugins on their WordPress sites.

    Scanners are of course useful and necessary and scanning should ideally kick in automatically the moment a plugin or theme is being installed on a WordPress install. I don’t know if such a scanner already exists, otherwise this would be a nice software project (Virus Scanning Plugin And Theme Loader). Or perhaps this should be a core function developed by the WordPress team.

    Another approach would be to publish a list of infected plugins and themes. In the executive summary of your paper you state “We’ve identified thousands of
    backdoored plugins and themes which contained 16 versions of CryptoPHP as of the 12th of November 2014”. Is there a list of these plugins and themes somewhere online where users can be pointed to, and if so will it be maintained and actualised on a regular basis?

    Finally, an offline scanner would be handy too, so people could install themes and plugins by downloading them first, scan and then when they passed the scan install them through the WordPress install-by-upload system. This too would require change of user behaviour and such is as we all know no guarantee for succes. If this threat can be mitigated by technical means that would be the preferred solution.

    Once again: thanks a lot for your thorough work!

    Erik de Vries
    wpwebbouw.nl

26. hey here is recent update from CBL team

    Please see our updated lookup page for your IP.

    There are a number of scanners that can be used on web servers to try to find malicious PHP and Perl scripts, such as rkhunter etc.

    With the assistance of others, we’ve written a simple perl script called findbot.pl that searches for such things as r57shell, cryptphp etc. It will search your system can find potentially dangerous scripts.

    As it’s very simple-minded you will have to carefully inspect the files it finds to verify whether what it finds is malicious or not. Be aware of the file types – finding executable code fragments within “.png” or “.jpg” files is clearly demonstrates that the file is malicious.

    In order to use findbot.pl, you will need Perl installed.

    Install perl if necessary
    Download findbot.pl
    Follow the instructions at the beginning of the findbot.pl file

27. hi thanks for your solution i tried to run find -L / -type f -name ‘social.png’ -exec file {} + but it generate some loop error so i use ‘find’ all social.png its around 10 files out of it 6 was realy image file rest 4 was php script file i removed and suspend accounts (2 were affected) now should i consider my server does not have CryptoPHP ?

    should i try unblock my server ?

28. In my brief experience with this new pest, grepping the entire /home (/home/*/public_html for cPanel servers) for is apparently reliable (though rather crude). But even better is to md5sum all social.png files on the server (find /home/*/public_html -type f -name social.png -exec md5sum {} \;) and compare it with the md5 hashes in the white paper. The matches are sure hits.

29. We recommend administrators to check for any social.png files on their servers. The following *NIX command will find all social.png files and output it’s file type:

    find -L / -type f -name ‘social.png’ -exec file {} +

    The output would look something like this if it’s a possible backdoor:

    /tmp/social.png: PHP script text

    We recommend checking the contents of the file if it’s a PHP script text instead of a PNG file. For this you need access to the server. If you do not have direct access to the server’s filesystem we suggest talking to the hoster of the servers to get these checks done.

    Cleaning CryptoPHP backdoors from existing CMS installations is something we do not advise. If you find a backdoored installation, we suggest you to perform a clean install with all new passwords. CryptoPHP inserts extra administrator accounts as well as configuration data into the CMS database. We have also found hat CryptoPHP can steal user credentials by injecting malicious javascript into the CMS login pages.

30. This is for a linux system and a little crude, but here’s how I found our culprit:

    for r in `locate social | grep png`; do file $r; done | grep PHP

    — Mike

31. Hi Fox,

    Can you suggest how can we detect instances of this CryptoPHP? Right now one of our servers with hundreds of different websites on it is listed by CBL (and subsequently by SpamHaus due to an alleged detection of this CryptoPHP) and we don’t even know where to start our search.

    Kind regards,
    Andy

32. analysis is fine but what is resolution? sever have over 200 site in wordpress and other cms how to check individual account even maldet(latest updated) do not show anything on it on server

33. Hi Team,

    Like to make sure do we have any scanning tool / scripts to cross verify whether my list of websites got infected by CryptoPHP. I Manage more than 2000 websites which uses the same CMS, hence the manual cross verifying is highly impossible and time consuming. Hence need an expert advise on the same

    Thanks —