cryptophp

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
DarkF@der
Forum Regular
Posts: 313
Joined: Thu May 07, 2009 12:46 pm

cryptophp

Unread post by DarkF@der »

On 2 domains we had the cryptophp malware installed.

We found it with this command

find -L / -type f -name 'social.png' | xargs file

Has ASL a rule for this????

http://blog.fox-it.com/2014/11/18/crypt ... /#comments

We host a lot of WordPress sites and not every user pays for their template.... they search on Google and download the nasty templates

Greetz
copernic2006
Forum User
Posts: 86
Joined: Wed Oct 03, 2012 2:51 pm
Location: Algiers

Re: cryptophp

Unread post by copernic2006 »

DarkF@der wrote: On 2 domains we had the cryptophp malware installed.

We found it with this command

find -L / -type f -name 'social.png' | xargs file

Has ASL a rule for this????

http://blog.fox-it.com/2014/11/18/crypt ... /#comments

We host a lot of WordPress sites and not every user pays for their template.... they search on Google and download the nasty templates

Greetz
Same here, found on three domains (2 wordpress and 1 joomla)
DarkF@der
Forum Regular
Posts: 313
Joined: Thu May 07, 2009 12:46 pm

Re: cryptophp

Unread post by DarkF@der »

Better use this command:

find /var/www/vhosts \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; > /root/scan.out

grep "PHP script text" /root/scan.out
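The find/file scan in this post relies on the file utility's text classification. The script below is an added example (not DarkF@der's command and not part of Atomic Protector) that does the same job without depending on file's output strings: it reads the first bytes of every file with an image extension and compares them against the magic number that extension promises, flags those that are really PHP source, and additionally catches a valid image that has PHP appended to it. The function names scan_images and image_magic_ok are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag files with image extensions whose
# content is not the image format their name claims. Function names are
# constructed; the directory to scan is passed by the caller.

# Return 0 when the file's leading bytes match the magic number its extension
# promises; anything else (PHP source, HTML, an empty file) returns 1.
image_magic_ok() {
    f="$1"
    hex=$(od -An -tx1 -N8 "$f" | tr -d ' \n')
    case "$f" in
        *.png|*.PNG)               case "$hex" in 89504e470d0a1a0a*) return 0 ;; esac ;;
        *.jpg|*.jpeg|*.JPG|*.JPEG) case "$hex" in ffd8ff*) return 0 ;; esac ;;
        *.gif|*.GIF)               case "$hex" in 474946383761*|474946383961*) return 0 ;; esac ;;
        *.bmp|*.BMP)               case "$hex" in 424d*) return 0 ;; esac ;;
    esac
    return 1
}

# Walk a tree and print one "tag<TAB>path" line per suspicious image file:
#   php-code  : extension says image, header is not an image, body contains "<?php"
#   bad-magic : extension says image, content is neither a known image nor PHP
#   polyglot  : valid image header but "<?php" somewhere in the body
# -iname matches extensions case-insensitively; "read -r" keeps paths with
# spaces intact (paths containing newlines would need find -print0 instead).
scan_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
                         -o -iname '*.gif' -o -iname '*.bmp' \) -print |
    while IFS= read -r f; do
        if image_magic_ok "$f"; then
            if grep -q '<?php' "$f" 2>/dev/null; then
                printf 'polyglot\t%s\n' "$f"
            fi
        elif grep -q '<?php' "$f" 2>/dev/null; then
            printf 'php-code\t%s\n' "$f"
        else
            printf 'bad-magic\t%s\n' "$f"
        fi
    done
}

# Usage: scan_images /var/www/vhosts > /root/scan.out
```

Anything tagged php-code is the case the thread describes (a PHP script renamed to social.png). The polyglot tag is broader than the original scan: a real image with PHP appended passes the file check and the magic check alone, so the body grep is what catches it. Like the original command, this only finds PHP hiding behind image names; the clamdscan suggestion later in the thread covers the rest.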
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: cryptophp

Unread post by prupert »

Or use clamdscan to catch other malware as well. This one-liner uses nice and ionice[1] to reduce CPU and disk I/O load.


/bin/nice -n 19 /usr/bin/ionice -c2 -n7 clamdscan -i /var/www/vhosts /tmp /var/tmp --log=/root/clamdscan-report.txt
[1] If you don't have ionice, you can install it from the CentOS base repo with "yum install util-linux-ng".
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: cryptophp

Unread post by mikeshinn »

On 2 domains we had the cryptophp malware installed.
Was it installed because the user installed a nulled script? That's the only vector we've seen so far, if you have a different vector please let us know.
DarkF@der
Forum Regular
Posts: 313
Joined: Thu May 07, 2009 12:46 pm

Re: cryptophp

Unread post by DarkF@der »

mikeshinn wrote:
On 2 domains we had the cryptophp malware installed.
Was it installed because the user installed a nulled script? That's the only vector we've seen so far, if you have a different vector please let us know.

Thanks for the reply, yeah the user installed these nulled templates or scripts.
Some peeps don't like to pay!
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: cryptophp

Unread post by faris »

How do they install these themes/scripts? If it is FTP, shouldn't ASL detect it via the FTP clamav integration?
DarkF@der
Forum Regular
Posts: 313
Joined: Thu May 07, 2009 12:46 pm

Re: cryptophp

Unread post by DarkF@der »

faris wrote:How do they install these themes/scripts? If it is FTP, shouldn't ASL detect it via the FTP clamav integration?
I think it's through FTP or the WordPress dashboard, I don't know..
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: cryptophp

Unread post by prupert »

faris wrote:How do they install these themes/scripts? If it is FTP, shouldn't ASL detect it via the FTP clamav integration?
There are cryptophp definitions in the ASL ClamAV database, so it should definitely be detected and blocked if uploaded through FTP.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: cryptophp

Unread post by mikeshinn »

How do they install these themes/scripts?
The user themselves uploads the backdoored nulled scripts. We have not seen any cases where an attacker has done this, it's all been caused by the user downloading pirated versions of paid themes and extensions that the bad guys backdoored, and then uploading them.
webfeatus
Forum Regular
Posts: 196
Joined: Wed Jan 13, 2010 9:11 am
Location: Bali

Re: cryptophp

Unread post by webfeatus »

Any advice re: cleaning or removal if found via asl malware scan?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: cryptophp

Unread post by mikeshinn »

If you mean cryptophp, you can't really "clean" this. Sure you could remove the backdoors from the pirated web applications, but since it's only found in backdoored pirated web applications just get the web application from the actual vendor and replace the pirated copies and you're good to go.

Because if you find cryptophp on your system it's there because the customer installed a pirated copy of a web application (theme, extension, etc.) from a malicious website that deliberately put the backdoors in the pirated web application. There's no attack, the customer installed it, so if the customer keeps downloading pirated software then this problem will continue to happen. My advice would be to discuss the fact that the source of the pirated software is malicious with the customer, ask them to delete all copies of it and to download that software from the actual vendor source.

Remember, this "malware" was put there by your user, after they downloaded this software from a website that advertises you can get paid software for free. And the operators of those websites put those backdoors there to take advantage of people that don't want to pay for that software.

So, the bad guys will just change the backdoors to something else and if your customer keeps downloading this backdoored software from the source this will keep happening. So yes, you can remove the backdoors, but you should expect the backdoors to show up again, including new unknown ones if the customer keeps installing web applications from these sources. Equally, I absolutely would NOT ever trust this software. Even if you remove the backdoors you should assume it's got all kinds of other malicious stuff in it. Someone's deliberately modified these applications to do malicious things, none of it should be trusted. Delete it and replace it with a trusted source.

This is really a supply chain issue, easily solved by making sure the customer gets the software from the actual vendor.