How to remove CryptoPHP malware – Scan Now

What is CryptoPHP?

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

This malware can be controlled via a remote server or by email. It is a well-written piece of code with the following capabilities:

  • Automatic integration into most CMSs, such as Joomla, WordPress and Drupal
  • Encrypted, key-based communication between the affected server and the control server
  • Backup and failover mechanism in case a control server is shut down
  • Remote manual management, automatic updates, etc.

Thousands of servers and websites are affected by this malware. Our clients' servers under proactive management have already been scanned and protected against this threat. The infection count still appears to be increasing.

If you have some shell experience, use the following methods to identify the malware.

1) Quick check for social*.png files:

find /home/ -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print

If the above command lists any files, delete them immediately.

2) Check all PNG files:

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Now review every file listed in /root/cryptoinfected.txt and remove them.

3) Check all other files:

You must check all other files as well, because the infection is not limited to PNG and JPEG files.

4) Use ClamAV or maldetect:

Update your ClamAV and maldetect signature databases, then run a scan; this will detect the malware. The maldetect signature update command is:

maldet -u
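The four steps above combined into one scan, as an added example that is not part of the original post: it lists every image-named file under a web root whose content is actually PHP, using both file(1) and a search for the "<?php" open tag so that a PHP payload behind a JPEG header (step 3) is caught as well. The sample site tree is constructed here for a dry run; on a real server point it at /home.

```shell
# Added example (not from the original post): one scan over a web root for
# image files that are really PHP, which is how CryptoPHP hides its backdoor.
# Assumes find(1), grep(1) and, optionally, file(1); the paths are constructed.

# List image-named files under $1 whose content looks like PHP, sorted.
# Two checks are combined, because either one alone can miss a file:
#   1. file(1) classifies the content as a PHP script
#   2. a literal "<?php" open tag appears anywhere in the bytes
find_php_in_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
                         -o -iname '*.gif' \) -exec sh -c '
        for f; do
            if file -b "$f" 2>/dev/null | grep -q "PHP script" \
               || grep -q "<?php" "$f"; then
                printf "%s\n" "$f"
            fi
        done' sh {} + | sort
}

# Build a small constructed site tree for a dry run: one clean PNG, one
# backdoored "social.png" (the CryptoPHP naming pattern) and a JPEG whose
# magic bytes are real but carry PHP after them, which is why the check must
# not stop at .png. Prints the tree root so the caller can scan and remove it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo/images" "$root/wp-content/uploads"
    printf '\211PNG\r\n\032\n' > "$root/wp-content/uploads/logo.png"
    printf '<?php /* constructed marker */ echo "x"; ?>\n' \
        > "$root/wp-content/themes/demo/images/social.png"
    printf '\377\330\377\340 <?php /* constructed marker */ ?>\n' \
        > "$root/wp-content/uploads/banner.jpg"
    printf '%s\n' "$root"
}

# Real use, once the dry run looks right (review the list before deleting):
#   find_php_in_images /home > /root/cryptoinfected.txt
```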

EDIT: Further investigation found that this malware is also distributed via email attachments, so you may need to scan the server's email accounts too.

cPremote version 7.11 released

A new version of cPremote, version 7.11, has been released with the following bug fixes and features:

Bug fix: Restored databases were not showing in the cPanel account.

This issue was related to a recent change in the cPanel dbmap scripts. We modified cPremote with the corresponding patch. Upgrading cPremote to version 7.11 fixes this issue.

cPanel 11.46 Now in CURRENT Tier

cPanel, Inc. has officially released cPanel & WHM version 11.46, which is now available to end users in the CURRENT tier (tested and verified, but it may not contain all proposed functionality of a release). The highlights are:

New features:

  • Single Sign On for default email account
  • ModSecurity™ Tools and Configuration
  • MySQL backups include triggers and events
  • New Tweak Settings options
  • UI Includes system
  • Mass edit for TTL added

Notable system improvements:

  • Paper Lantern
  • Improved upgrade logic
  • Binary improvements
  • Changes to the x3 theme’s dynamicui.conf file
  • Apache SpamAssassin upgrade
  • Updated re2c RPM
  • Unprivileged and unmanaged database and database username renames
  • Updated Perl environments and modules
  • Check for custom modules
  • Removed buildperl binary
  • Updated Security Advisor warnings
  • Streaming transfers use rsync
  • New styling for WHM News
  • Notifications for the cpanel.config file
  • Deprecated killacct script, new removeacct CLI script
  • Added record types for the Advanced DNS Zone Editor
  • Localization of x3 for 29 languages
  • Dovecot and Courier IPv6 capabilities
  • Package name display behavior

Removed items:

  • Interchange
  • Removed ModSecurity Plugin interface
  • Deprecation of LANG system
  • Removed variables from /var/cpanel/cpanel.config
  • Deprecated scripts
  • Removed scripts

Reference:

11.46 Release Notes

An overview of the latest features and benefits is also available at