5.gif
Best Blackhat Forum / Freebies / Software, Scripts, Plug-ins, Tools and Bots / Be carefull! CryptoPHP

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

New Reply
 
02-06-2015, 08:53 PM
Post: #1
crixxu Offline
<<BeCool>>
***
Posts: 106
Joined: Jul 2012

Reputation: 113
Be carefull! CryptoPHP
Dear!
CryptoPHP: Analysis of a hidden threat inside popular content management systems

http://blog.fox-it.com/2014/11/18/crypto...t-systems/

regards,

crixxu
find Quote
02-06-2015, 09:14 PM
Post: #2
Prx Offline
Super Active BBHF Member
*****
Posts: 6,622
Joined: Aug 2013

Reputation: 509
RE:
Just scanned white paper from site.If you unpack a theme or plugin and run it through site such as virus total. Will this register infected files? Thanks and make it great, Prx
find Quote
02-06-2015, 10:18 PM
Post: #3
crixxu Offline
<<BeCool>>
***
Posts: 106
Joined: Jul 2012

Reputation: 113
RE:
i´m not shure but you can do a few steps to check it for yourself.

you must do this as root!

if you have some shell experience , you can use the following methods for identifying the malware.

1) Quick check for social*.png files ,

find /home -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print //replace "home" with your directory. eg. /var/www/public_html

if you see any files from the above result , then you must delete those files immediately,

2) Check all png file ,

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Now check all the files listed in /root/cryptoinfected.txt and remove it
3) Check all other files,

You must need to check all other files too , because it is not only infected by png fines and jpeg files!

4) Use clamav or maldetect
find Quote
02-06-2015, 10:35 PM
Post: #4
xiaofang Offline
Senior Member
**********
Posts: 711
Joined: Mar 2014

Reputation: 714
RE:
wordfence can detect
find Quote
02-07-2015, 12:06 AM
Post: #5
inspire9000 Offline
Member
***
Posts: 55
Joined: Sep 2014

Reputation: 27
RE:
Because of all the new info about 'cryptoPHP' lately, most antivirus apps should detect it with their latest updates.

My Norton detects it.

I'm sure if the creators give a d***, they will at least change the name of the social.png with the php script to something different and adapt the code.
72.gif
find Quote
02-07-2015, 12:29 AM
Post: #6
tlandn Offline
Super Active BBHF Member
*****
Posts: 5,723
Joined: Apr 2014

Reputation: 552
RE:
(02-06-2015 10:18 PM)crixxu Wrote:  i´m not shure but you can do a few steps to check it for yourself.

you must do this as root!

if you have some shell experience , you can use the following methods for identifying the malware.

1) Quick check for social*.png files ,

find /home -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print //replace "home" with your directory. eg. /var/www/public_html

if you see any files from the above result , then you must delete those files immediately,

2) Check all png file ,

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Now check all the files listed in /root/cryptoinfected.txt and remove it
3) Check all other files,

You must need to check all other files too , because it is not only infected by png fines and jpeg files!

4) Use clamav or maldetect
Great share, reps for you :-)
find Quote
02-07-2015, 02:30 AM
Post: #7
crixxu Offline
<<BeCool>>
***
Posts: 106
Joined: Jul 2012

Reputation: 113
RE:
@tlandn that´s very kind of you! thanks a lot!
find Quote
New Reply
 




31.gif
Contact Us | BestBlackhatForum | Return to Top | Return to Content | Lite (Archive) Mode