CryptoPHP is the name the researchers have given to the malware that’s delivered with the compromised components, and the backdoor has a number of capabilities. It carries with it several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions.

Fox IT has a very in-depth whitepaper available https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

• Integration into popular content management systems like WordPress, Drupal and Joomla
• Public key encryption for communication between the compromised server and the command and control (C2) server
• An extensive infrastructure in terms of C2 domains and IP’s
• Backup mechanisms in place against C2 domain takedowns in the form of email communication
• Manual control of the backdoor besides the C2 communication
• Remote updating of the list of C2 servers
• Ability to update itself

From Last few days Abuseat/CBL have suddenly built this into their database. Now they are blocking server IP which contains CryptoPHP PHP malware.

How to detect and clean CryptoPHP PHP malware?

It seems attacker is injecting malware using social.png file.

Here is a simple command that can really find all such files and print first 80 characters from this file just to confirm it’s content

find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print

You need to delete those files and examine such user account, Because just deleting this file will not actually solve anything.

Also you can run following command

find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt

This will check all png files, you can expand it to check all jpg and gif files as well. The output will contain a list of files that are actually php scripts.

Also I’d suggest to run maldet or clamav scan on your server to find out the CryptoPHP PHP malware.

Make sure to update both clamav and maldet prior to scanning.

freshclam
maldet -u

Now submit IP removal request on CBL.