Are your cPanel/WHM or Plesk servers infected with CryptoPHP?
CryptoPHP is a well-developed backdoor that spreads through themes for popular CMSs such as WordPress, Joomla and Drupal. It runs a bot on your server and gives the attacker who controls the botnet remote control over it. The attacker can then use your server for a slew of malicious activity such as spamming, DDoS and blackhat SEO. This can get your web servers blacklisted by DNSBLs/RBLs, and so cost you service reputation.
The threat was first published over 10 days ago, but we still see web servers being infected by this malware. Engineers at our Proactive Server Management Service mitigated this threat early on using multiple layers of protection. Here we go over the basics of detecting and mitigating it.
Finding and removing malware
There are at least 16 versions of this malware, and they masquerade as image files in the CMS folders. So the most sure-fire way we found to locate the malware was to list every image file in the user folders (using a find command) and check whether any of them is actually a PHP script (using the file command). Malware detection tools such as ClamAV, Maldet or CXS with the latest signature updates were also used to confirm that we had removed all backdoors.
Scans were also done to confirm that no unauthorized accounts or cron tasks had been created on the server.
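The find-then-file check described above, written out as a small POSIX shell helper. This is an added example and not Bobcares' own script: scan_images, is_php_script and make_sample_dir are hypothetical names, the directory layout and file names under the sample directory are constructed for the demonstration, and the fallback to a grep for a PHP open tag (used only when the file command is missing) is an assumption of this example, not something the post describes.

```shell
#!/bin/sh
# Added example (not Bobcares' script): find files that carry an image
# extension but are really PHP scripts, which is how CryptoPHP hides.

# is_php_script FILE -> exit 0 if FILE looks like PHP despite its name.
# Uses the file command's type detection; if file is unavailable, falls
# back to looking for a PHP open tag, which a real image never contains.
is_php_script() {
    if command -v file >/dev/null 2>&1 && file -b "$1" | grep -qi 'php'; then
        return 0
    fi
    grep -q '<?php' "$1" 2>/dev/null
}

# scan_images DIR -> prints every image-named file under DIR that is PHP.
scan_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.gif' -o -iname '*.ico' -o -iname '*.bmp' \) -print |
    while IFS= read -r f; do
        if is_php_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_dir -> builds a constructed theme tree for a dry run and
# prints its path: one genuine PNG, one JPEG, and one ".png" that is PHP.
make_sample_dir() {
    d=$(mktemp -d)
    img="$d/wp-content/themes/demo/images"
    mkdir -p "$img"
    # PNG and JPEG magic bytes are enough for the type check
    printf '\211PNG\r\n\032\n' > "$img/logo.png"
    printf '\377\330\377\340' > "$img/photo.jpg"
    # Constructed stand-in for the hidden script: harmless PHP, not malware
    printf '<?php\n// constructed sample for the scanner demo\necho "not an image";\n' \
        > "$img/social.png"
    printf '%s\n' "$d"
}

# Live use: sh scan.sh /home   (scans every account's files)
if [ "$#" -gt 0 ]; then
    scan_images "$1"
fi
```

On a real cPanel or Plesk host you would point scan_images at /home or /var/www/vhosts; any path it prints deserves a manual look before deletion, since the check flags by content, not by signature, and will also catch a legitimate image that some plugin has wrapped in PHP on purpose.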
Preventing CryptoPHP infection
The next step we took in securing the servers was to harden the web application firewall (such as mod_security) and the server firewall (such as CSF) to block malware uploads and to block connections through non-standard ports.
To block malware uploads, the WAF was integrated with an antivirus such as ClamAV, which used its signature database to scan for any variant of the malware. Antivirus modules were also integrated into the FTP servers to scan all uploaded files. This effectively put an end to all CryptoPHP uploads.
The server firewall was audited to confirm that no non-standard ports were open that would allow botnet masters to control a process on the server.
Finally, special monitoring scripts were installed to look for long-running processes and report them to us. Any web process lasting more than a few seconds is likely to be malicious.
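A long-running web process check of the kind the last paragraph describes, as an added example rather than the monitoring script the post refers to. The function names (long_running_web_procs, report_long_running), the list of web-worker command names it matches, and the sample ps output are all constructed for this example; the input format is the output of ps -eo pid=,etimes=,user=,comm=.

```shell
#!/bin/sh
# Added example (not the post's monitoring script): flag web-server worker
# processes that have been alive longer than a threshold in seconds.
# Input lines: PID ELAPSED_SECONDS USER COMMAND (from ps -eo pid=,etimes=,user=,comm=)

# long_running_web_procs SECONDS  (reads ps lines on stdin)
# Prints "pid user comm etimes" for each web worker older than SECONDS.
# Root-owned entries are skipped on purpose: the master httpd/php-fpm
# process is meant to live for days; it is the per-account workers
# (php, php-cgi, lsphp, httpd children) that should finish in seconds.
long_running_web_procs() {
    awk -v limit="$1" '
        NF >= 4 && $3 != "root" && ($2 + 0) > limit &&
        $4 ~ /^(php|lsphp|httpd|apache2|nginx)/ {
            print $1, $3, $4, $2
        }'
}

# report_long_running SECONDS  (live check against this host)
report_long_running() {
    ps -eo pid=,etimes=,user=,comm= | long_running_web_procs "$1"
}

# Constructed sample standing in for real ps output; the two long-lived
# user-owned PHP workers are what a bot left behind would look like.
sample_ps='
  812       86400 root   httpd
 2231           3 alice  httpd
 2240        5400 bob    php-cgi
 2301          12 carol  lsphp
 2310       90000 mysql  mysqld
 2355         750 dave   php-fpm
'

# Live use: sh longproc.sh 30   (report workers older than 30 seconds)
if [ "$#" -gt 0 ]; then
    report_long_running "$1"
fi
```

Run from cron every minute and mail or log whatever it prints; the threshold should sit just above the slowest legitimate request on the host (a few seconds for most sites, longer where backups or imports run through PHP), so that a tightened limit does not page you for a normal upload.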
Footnote: With vulnerabilities and threats being reported almost daily, constant vigilance is the only way to ensure reliable service. With the Proactive Server Management service, we keep your servers automatically secured against zero-day exploits.