IMPORTANT: CryptoPHP PHP malware vulnerability affecting WordPress, Joomla, Drupal CMS.
  • IMPORTANT: CryptoPHP PHP malware vulnerability affecting WordPress, Joomla, Drupal CMS.

    Dear customers,

    Please be aware of the following CryptoPHP PHP malware vulnerability, which is affecting the security of WordPress, Joomla and Drupal CMS applications and causing server IPs to be blacklisted in RBLs.

    CryptoPHP is a malicious script considered a serious threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise web servers on a large scale. It provides remote attackers with the ability to execute rogue code on web servers and to inject malicious content into websites that are hosted on them.

    For more information about this threat, please refer to the links below.

    CryptoPHP: Analysis of a hidden threat inside popular content management systems | Fox-IT International blog

    CryptoPHP a week later: more than 23.000 sites affected | Fox-IT International blog

    https://foxitsecurity.files.wordpres...-foxsrt-v4.pdf


    We are in the process of creating detailed instructions on how we can efficiently scan for and clean this malware on different distros' shared, VPS and dedicated servers. We will post all instructions soon in this thread itself.


    Please go to the above Fox-IT links to obtain Python scripts that should be very good at finding these infections. You can also scan your servers with the maldet malware tool, which is able to detect the exact infected files.

    Customers that are unable to do this themselves or need our assistance are requested to submit a ticket as soon as possible so our technicians will scan your servers and remove/disable infected files for you.

    Regards,
    Kieran A.
    Cloud Administrator
    Skype :: Kieran.Alen | eUKhost

  • #2
    Re: IMPORTANT: CryptoPHP PHP malware vulnerability affecting WordPress, Joomla, Drupal CMS.

    Hello,

    We can use either the maldetect malware tool or the Python script provided by Fox-IT to find CryptoPHP infections.

    Most of the servers hosted with us have the maldetect malware tool installed already, so you just need to run the scan accordingly. If you don't find it installed, then do so with the instructions below.

    # To install the maldetect malware tool, run the commands below.

    cd /usr/src/
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz -O /usr/src/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*
    sh install.sh
    /usr/local/sbin/maldet -d
    /usr/local/sbin/maldet -u
    # Then turn ON the quar_hits option in the /usr/local/maldetect/conf.maldet file,
    # i.e. the default quarantine action for malware hits.

    # Then run a maldetect scan for your account. For example, on cPanel servers we will run the command below.

    maldet -a /home/?/public_html/
    For more advanced features and detailed instructions on maldet usage, please refer to the link below.
    https://www.rfxn.com/appdocs/README.maldetect


    Fox-IT has made two Python scripts available to scan domain(s) and file(s) from local/remote locations.
    To scan a domain for the CryptoPHP vulnerability, download the check_url.py Python script to the /root/ folder.


    # Then set the execute permission.

    chmod +x check_url.py

    # Then collect a list of all domains in a file. For example, on cPanel servers we will use the command below.
    cat /etc/userdomains | cut -d":" -f1 > /home/domains.list

    # Then execute the Python script check_url.py to find whether domains are infected with the CryptoPHP threat or not. Please note that it scans by performing HTTP requests, so you can scan any remote domain that is not resolving from the same server.

    ./check_url.py --load=/home/domains.list | grep DETECTED
    # Infected domains and POSSIBLE infections will be reported as below.

    ===================
    [34/1444] Checking 'http://domain.tld' ..: POSSIBLE CRYPTOPHP DETECTED
    [256/1444] Checking 'http://domain2.tld' : CRYPTOPHP DETECTED
    ===================
    # To scan a file for CryptoPHP infection, download the check_filesystem.py script and execute it as suggested below.

    wget https://raw.githubusercontent.com/fo..._filesystem.py
    chmod +x check_filesystem.py
    ./check_filesystem.py /path/to/file
    For more advanced features and detailed instructions, please refer to the link below.

    https://github.com/fox-it/cryptophp/tree/master/scripts
    Regards,
    Kieran A.
    Cloud Administrator
    Skype :: Kieran.Alen | eUKhost
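The `grep DETECTED` filter in the post matches both the confirmed `CRYPTOPHP DETECTED` verdict and the weaker `POSSIBLE CRYPTOPHP DETECTED` one, so a technician triaging a large domain list has to separate them again by hand. The following Python script is an added example (not part of the post and not one of Fox-IT's scripts): it reproduces the `cut -d":" -f1` step on the cPanel `/etc/userdomains` format and sorts the check_url.py output lines quoted above into confirmed, possible and other results. The sample `/etc/userdomains` content and the scanner lines are constructed here; the only verdict strings taken from the post are the two `DETECTED` forms, and the `CLEAN` and `ERROR` verdicts are placeholders assumed for illustration.

```python
#!/usr/bin/env python3
"""Added example: build a domain list from /etc/userdomains and triage the
output of check_url.py into confirmed / possible / other detections.
Not from the eUKhost post or Fox-IT; the sample inputs below are constructed."""
import re
import sys
from collections import OrderedDict

# Constructed sample of cPanel /etc/userdomains content ("domain: user" per line).
SAMPLE_USERDOMAINS = """\
example.com: alice
shop.example.com: alice
example.org: bob
example.com: alice
*: nobody
"""

# Constructed sample of check_url.py output. Only the two DETECTED verdicts are
# quoted from the post; CLEAN and ERROR are assumed placeholders.
SAMPLE_SCAN_OUTPUT = """\
[1/4] Checking 'http://example.com' ..: CLEAN
[2/4] Checking 'http://shop.example.com' ..: POSSIBLE CRYPTOPHP DETECTED
[3/4] Checking 'http://example.org' : CRYPTOPHP DETECTED
[4/4] Checking 'http://example.net' : ERROR
"""


def domains_from_userdomains(text):
    """Equivalent of `cut -d":" -f1`, but also drops the '*' catch-all entry,
    blank lines and duplicate domains while preserving order."""
    seen = OrderedDict()
    for line in text.splitlines():
        if ":" not in line:
            continue
        domain = line.split(":", 1)[0].strip()
        if not domain or domain == "*":
            continue
        seen[domain] = None
    return list(seen)


# Matches the progress prefix, the quoted URL and the verdict after the colon,
# tolerating the optional ".." the scanner prints before the colon.
LINE_RE = re.compile(
    r"^\[\d+/\d+\]\s+Checking\s+'(?P<url>[^']+)'\s*\.*:\s*(?P<verdict>.*)$"
)


def triage_scan_output(text):
    """Return {'confirmed': [...], 'possible': [...], 'other': [...]} of URLs.
    Confirmed hits are those worth opening a ticket for immediately; possible
    hits need a follow-up filesystem scan (check_filesystem.py / maldet)."""
    result = {"confirmed": [], "possible": [], "other": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip banners, separators and anything unparsable
        url = m.group("url")
        verdict = m.group("verdict").strip()
        if verdict == "CRYPTOPHP DETECTED":
            result["confirmed"].append(url)
        elif verdict.startswith("POSSIBLE") and "CRYPTOPHP" in verdict:
            result["possible"].append(url)
        else:
            result["other"].append(url)
    return result


def format_report(triage):
    """Render the triage result as a short text block for a support ticket."""
    lines = []
    for bucket in ("confirmed", "possible", "other"):
        lines.append("%s (%d):" % (bucket.upper(), len(triage[bucket])))
        lines.extend("  " + url for url in triage[bucket])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ./triage_cryptophp.py [scan_output_file]; without an argument the
    # constructed samples are used so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r") as fh:
            scan_text = fh.read()
    else:
        scan_text = SAMPLE_SCAN_OUTPUT
    print("domains to scan:", domains_from_userdomains(SAMPLE_USERDOMAINS))
    print(format_report(triage_scan_output(scan_text)))
```

In practice the scan output would be captured with `./check_url.py --load=/home/domains.list > /root/cryptophp-scan.txt` and fed to the script as its first argument; the "possible" bucket is the list of accounts to follow up with `check_filesystem.py` or a `maldet -a` scan before deciding what to quarantine.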
