How to remove CryptoPHP malware
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale.the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server. Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use
In this article, we are going to find and remove CryptoPHP malware. From Last few days Abuseat/CBL have suddenly built this into their database. Now they are blocking server IP which contains CryptoPHP malware.
Please use the following methods for identifying the CryptoPHP malware.
Login to your server and check for social*.png files using below command.
#find /home -type f -iname 'social*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt
Now check all the files listed in /root/cryptoinfected.txt and remove it
2) On cPanel server you can use below Python script to find out the the CryptoPHP malware
1) Download and execute script
#cd /usr/local/src/ #wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py #chmod +x check_filesystem.py #./check_filesystem.py /home/*/public_html
The above script will scan all users home directory and show the infected files.You can check and remove it.