75.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

02-06-2015, 08:53 PM
Post: #1
Be carefull! CryptoPHP
Dear!
CryptoPHP: Analysis of a hidden threat inside popular content management systems

http://blog.fox-it.com/2014/11/18/crypto...t-systems/

regards,

crixxu
02-06-2015, 09:14 PM
Post: #2
RE:
Just scanned white paper from site.If you unpack a theme or plugin and run it through site such as virus total. Will this register infected files? Thanks and make it great, Prx
02-06-2015, 10:18 PM
Post: #3
RE:
i´m not shure but you can do a few steps to check it for yourself.

you must do this as root!

if you have some shell experience , you can use the following methods for identifying the malware.

1) Quick check for social*.png files ,

find /home -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print //replace "home" with your directory. eg. /var/www/public_html

if you see any files from the above result , then you must delete those files immediately,

2) Check all png file ,

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Now check all the files listed in /root/cryptoinfected.txt and remove it
3) Check all other files,

You must need to check all other files too , because it is not only infected by png fines and jpeg files!

4) Use clamav or maldetect
02-06-2015, 10:35 PM
Post: #4
RE:
wordfence can detect
02-07-2015, 12:06 AM
Post: #5
RE:
Because of all the new info about 'cryptoPHP' lately, most antivirus apps should detect it with their latest updates.

My Norton detects it.

I'm sure if the creators give a d***, they will at least change the name of the social.png with the php script to something different and adapt the code.
44.gif
02-07-2015, 12:29 AM
Post: #6
RE:
(02-06-2015 10:18 PM)crixxu Wrote:  i´m not shure but you can do a few steps to check it for yourself.

you must do this as root!

if you have some shell experience , you can use the following methods for identifying the malware.

1) Quick check for social*.png files ,

find /home -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print //replace "home" with your directory. eg. /var/www/public_html

if you see any files from the above result , then you must delete those files immediately,

2) Check all png file ,

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Now check all the files listed in /root/cryptoinfected.txt and remove it
3) Check all other files,

You must need to check all other files too , because it is not only infected by png fines and jpeg files!

4) Use clamav or maldetect
Great share, reps for you :-)
02-07-2015, 02:30 AM
Post: #7
RE:
@tlandn that´s very kind of you! thanks a lot!




85.gif