The Community Forums

Interact with an entire community of cPanel & WHM users!

How to scan for CryptPHP

Discussion in 'Security' started by gadalf, Nov 21, 2014.

  1. gadalf

    gadalf Well-Known Member

    Joined:
    Jun 8, 2014
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello,

    I got a notification from mxtool that my IP has been added to a blacklist database.
    The reason they explain is:
    How can I scan to find which account has the problem?
     
  2. zye

    zye Well-Known Member

    Joined:
    Dec 6, 2002
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    I have the same issue; also looking for help to find the infected site.

    Info about CryptoPHP:
    https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
     
  3. MH-Stefan

    MH-Stefan Member

    Joined:
    Dec 3, 2013
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Our solution so far was to search the entire /home folder for "social.png" and then manually view the content of each file. With multiple servers and hundreds of accounts, this process turned out to be very time-intensive.

    However, the most difficult part was to make the clients (especially resellers) understand the severity of the problem and that the removal of all files and databases is implicitly necessary. Most counterfeit plugins were installed several months ago, so backups were of course not available.

    I've sent the infected files to Maldet and requested Comodo to develop some WAF rules for this. Maybe someone knows how to get in touch directly with the Maldet developers so they add all MD5 hashes from the whitepaper to their signatures.

    We're now examining if Snort IDS works properly on CentOS 6 + cPanel. This would seem a more effective solution in addition to Maldet.
     
  4. gadalf

    gadalf Well-Known Member

    Joined:
    Jun 8, 2014
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Is it sure that if social.png exists on the server in that account we should look for the problem?
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You should at least open the file in a text editor. If it's readable (by a human, not talking file permissions) and not just garbage (i.e. image data) then it's almost certainly malicious.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To note, here is an example of a command for this:

    Code:
    find /home -type f -name social.png
    Thank you.
     
  7. hostilis.com

    hostilis.com BANNED

    Joined:
    Nov 27, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Install Pyxsoft Anti Malware & Security on WHM; it has a 7-day trial period. This will find CryptoPHP and any other malware. I used it in trial mode with success.
     
  8. gadalf

    gadalf Well-Known Member

    Joined:
    Jun 8, 2014
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I ran this command and checked all social.png files, and all of them were pictures.
     
  9. MH-Stefan

    MH-Stefan Member

    Joined:
    Dec 3, 2013
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Well, that's pretty obvious... Now you need to open all those images with a text editor (e.g. Notepad++) and see if there are any files that contain PHP code.

    If there are too many files, then you should scan your server with Pyxsoft, Maldet, ClamAV, etc.

    If you do find infected files, simply deleting them won't fix the problem. You should restore the respective account from a backup dated before the counterfeit plugin or theme was initially installed.

    Please read the full whitepaper at https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf to understand the root cause and clean-up procedure.
     
    #9 MH-Stefan, Nov 29, 2014
    Last edited: Nov 29, 2014
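As an added example (not code from any poster in this thread), the check quizknows and MH-Stefan describe, automated: walk /home like the find commands above, pick out every social.png, report whether it holds image data or readable PHP, and print its MD5 for comparison against the whitepaper's hash list. KNOWN_BAD_MD5 is a placeholder to be filled from the whitepaper; the script only reads files and never deletes anything.

```python
import hashlib
import os
import sys

# Placeholder: fill with the MD5 values listed in the Fox-IT CryptoPHP
# whitepaper; none are reproduced here.
KNOWN_BAD_MD5 = set()

# Magic bytes of the image formats a genuine social.png could plausibly be.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\xff\xd8\xff")
# Strings that make a "png" readable as code when opened in a text editor.
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(")


def classify_social_png(data: bytes) -> str:
    """Return "php" if the bytes contain a PHP marker, "image" if they start
    with a known image signature and carry no marker, else "unknown"."""
    if any(marker in data for marker in PHP_MARKERS):
        return "php"
    if data.startswith(IMAGE_MAGIC):
        return "image"
    return "unknown"


def scan_tree(root: str, name: str = "social.png") -> list:
    """Walk root and return (path, verdict, md5) for every file called name.
    A verdict of "php" or "known-bad-md5" marks a file to inspect by hand."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        digest = hashlib.md5(data).hexdigest()
        verdict = classify_social_png(data)
        if digest in KNOWN_BAD_MD5:
            verdict = "known-bad-md5"
        hits.append((path, verdict, digest))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, verdict, digest in scan_tree(root):
        print(f"{verdict:14} {digest}  {path}")
```

Run it as root with the path to scan (for example `python3 scan_social_png.py /home`); anything reported as "php" is the readable-in-a-text-editor case the thread describes.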
  10. eva2000

    eva2000 Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    322
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Brisbane, Australia
    cPanel Access Level:
    Root Administrator
    maldet + clamav scanner should detect cryptophp malware :)
     
  11. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Here is a script for CryptoPHP scanning. Please try it.

    Code:
    cd /usr/local/src
    wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
    chmod +x check_filesystem.py
    ./check_filesystem.py /home
     
  12. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Thank you, that is extremely useful.

    The infections from this are quite deep; removing the known bad files and admin users still isn't enough most of the time. I've seen servers get re-listed at the CBL until the offending CMS was entirely removed and re-installed.
     
  13. iserversupport

    iserversupport Well-Known Member

    Joined:
    Nov 4, 2013
    Messages:
    91
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Try this command

     
    #13 iserversupport, Dec 1, 2014
    Last edited: Dec 1, 2014
  14. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    Configserver's CXS also will scan for this. I've found it very useful.
     
  15. JasMax

    JasMax Member

    Joined:
    Jan 26, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The find command will take time and also cause high load on the server. I used the command below and I think it is the easiest way to catch CryptoPHP.

    To find infected files:

    Alter the command and change the file extension if you wish.

    If you wish to find and delete infected files in one go, then use the command below.

    I recommend scanning infected accounts again with clamscan or maldet.
     
  16. kamall

    kamall Active Member

    Joined:
    Mar 17, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Bethune France
    cPanel Access Level:
    Root Administrator
    Hello
    This command works fine on CentOS 6:
    Code:
    find /home/*/public_html -type f -name social.png -exec md5sum {} \;
    and this also
    Code:
    cd /usr/local/src
    wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
    chmod +x check_filesystem.py
    ./check_filesystem.py /home/*/public_html
    
     