Wondering how to remove CryptoPHP malware? We can help you.
As part of our Server Management Services, we assist our customers with similar queries.
Today, let us see how our Support techs resolve this.
How to remove CryptoPHP malware?
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise web servers on a large scale. The operators publish pirated ("nulled") copies of commercial themes and plug-ins for anyone to download free instead of paying for them, and the backdoor ships inside the package.
In effect, the CryptoPHP actor is social engineering site administrators into installing the backdoor on their own server.
This malware can be controlled from a remote control server or, as a fallback, via email. Its main traits:
- Integrates automatically into the most common CMSs (Joomla, WordPress, Drupal and others).
- Communication between the infected server and the control server is encrypted with a key built into the backdoor.
- Backup and failover mechanism in case the control servers are shut down.
- Remote manual management, automatic updates and so on.
Thousands of servers and websites have been affected by this malware. Our clients' servers under proactive management have already been scanned and protected against this threat, and the number of infections still appears to be growing.
Today, let us see the methods our Support Techs follow to identify the malware.
1. Firstly, a quick check for social*.png files
find /home/ -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print
Because -print comes after -exec, a path is printed only when grep found a match, so the output is limited to social*.png files that contain the string "php", together with the 80 characters that follow it.
If the command lists any files, delete them immediately. Also find the line in the theme or plug-in PHP that include()s the file (grep the web root for the file name): a .png cannot execute on its own, it only runs because a PHP file loads it, and that loader line has to go as well.
2. Then, check all png files
find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt
A genuine PNG starts with the PNG signature, so file(1) reports "PHP script" only for images that are really PHP source. Now check every file listed in /root/cryptoinfected.txt and remove it, along with the PHP line that includes it.
3. Next, check all other files
You must check the rest of the web root as well, because the backdoor is not confined to .png files: the same trick works with .jpg and other image files, and the loader lives in ordinary .php theme or plug-in files.
4. Finally, use ClamAV or maldet (Linux Malware Detect)
Update the ClamAV and maldet signature databases first, then run a scan of the web roots; the scan will detect the malware. Note that the maldet binary is maldet, not maldetect, and its signature-update flag is lower-case -u:
freshclam
clamscan -r -i /home
maldet -u
maldet -a /home
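The three detection steps above, put together as one script. This is an added example and not the article's own commands: it builds a throwaway directory tree that imitates a CryptoPHP-style drop (a fake image that is really PHP, a genuine-looking PNG and a theme file that include()s the fake image; all paths and file names are constructed for the example), then scans it for image files that start with a PHP open tag and for PHP files that load an image. It checks the first bytes directly instead of calling file(1), so it does not depend on the magic database, and it extends step 1 to .jpg, .jpeg and .gif as step 3 recommends.

```shell
#!/bin/sh
# Added example, not code from the original article or from the CryptoPHP actor.
set -eu

# Constructed sample tree (illustrative names, not real infection data):
#   images/social1.png  -> PHP source disguised as an image (placeholder body)
#   images/logo.png     -> starts with the real PNG signature
#   functions.php       -> the loader line that include()s the fake image
make_sample_tree() {
  root=$1
  mkdir -p "$root/wp-content/themes/nulled-theme/images"
  printf '<?php /* constructed placeholder, not real backdoor code */ echo "x"; ?>' \
    > "$root/wp-content/themes/nulled-theme/images/social1.png"
  printf '\211PNG\r\n\032\n' \
    > "$root/wp-content/themes/nulled-theme/images/logo.png"
  printf '<?php\ninclude_once dirname(__FILE__) . "/images/social1.png";\n' \
    > "$root/wp-content/themes/nulled-theme/functions.php"
}

# Print every image-named file under $1 whose first 64 bytes contain a PHP
# open tag. A real image starts with its format signature, never with "<?php".
find_php_in_images() {
  find "$1" -type f \
    \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' \) \
    -exec sh -c 'head -c 64 "$1" | grep -q "<?php" && printf "%s\n" "$1"' _ {} \;
}

# Print every .php file under $1 that include()s or require()s an image file.
# This is the loader that makes the dropped "image" execute; remove it together
# with the file it loads. "|| true" keeps set -e quiet when nothing matches.
find_image_includes() {
  grep -rEl --include='*.php' \
    '(include|require)(_once)?[^;]*\.(png|jpe?g|gif)' "$1" || true
}

# Stand-alone demo: build the sample tree in a temp dir, scan it, clean up.
demo() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  echo "image files that are really PHP:"
  find_php_in_images "$tmp"
  echo "PHP files that load an image:"
  find_image_includes "$tmp"
  rm -rf "$tmp"
}
demo
```

To use it on a real server, call find_php_in_images and find_image_includes against the document roots (for example /home) instead of the temp directory, and treat every hit as something to inspect by hand before deleting: a match in a .php file tells you which theme or plug-in carried the backdoor, which is also the package you should stop using.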
EDIT: Further investigation found that this malware also seems to be distributed via email attachments.
Conclusion
In short, today we saw steps followed by our Support Techs to remove CryptoPHP malware.