CryptoPHP is a backdoor malware hidden in pirated commercial themes and plugins for popular content management systems (like Joomla, WordPress and Drupal) which are offered for free download at so-called “nulled” sites. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the ne’er-do-well behind CryptoPHP is social engineering unethical site administrators into installing the included backdoor on their server.

Having been installed on a webserver CryptoPHP is then (currently) used for illegal search engine optimization, also known as Blackhat SEO. What’s more scary though is the extensive communication and C2 (command and control) infrastructure built into this malware which allows the actors to remotely control all instances of CryptoPHP and compromised servers, making it easy to use the infected servers for any purpose the actors so wish (send spam, distributed denial of service attacks, etc).

Detecting CryptoPHP infection is relatively simple. Inside a nulled theme or plugin there’s a little line of code that looks like this:

<?php include(‘assets/images/social.png’); ?>

If you’re a PHP developer you will immediately recognize this as looking strange: here we have a PHP directive to include an external file containing PHP source code, but the file is actually an image. Hmmm. But inside this image file is actual PHP and the code is obfuscated (hidden through scrambling) to try and hide the fact that it’s malicious. Clever, isn’t it?

How to Scan Your Server for CryptoPHP Infection(s)

FOX-IT, the Delft, Netherlands-based security firm that brought this malware to light in November of 2014, has built a free Python script to detect CryptoPHP. Once detected, you can then manually remove the offending file(s).

As this is a Python script, you need to have Python on your server to run it (duh!). So to check your server for possible CryptoPHP infection, login to the server, confirm that you have Python, and download FOX-IT’s CryptoPHP detection script with your favourite download tool. I’m using wget here:

$ wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py

Next, make the script executable:

$ chmod +x check_filesystem.py

And that’s it: now you’re ready to scan your file system to detect CryptoPHP. To scan your whole system (it can take a while), run this command:

$ ./check_filesystem.py

Or you could scan a specific directory. On properly configured cPanel/WHM servers it might be enough to just scan /home (or wherever cPanel users’ files are stored). Run this command to scan /home:

$ ./check_filesystem.py /home

However you run the script, it will scan your files and either report a suspicious or confirmed CryptoPHP shell. Here is a sample output after scanning /home on one of my clients’ cPanel webservers:

File matching patterns: [‘.png’, ‘.gif’, ‘.jpg’, ‘.bmp’]
Recursively scanning directory: /home/

/home/XXXXX/public_html/ellon/wp-content/themes/XXXXX/images/social.png: CRYPTOPHP DETECTED! (version: 0.3)
/home/XXXXX/public_html/excel/wp-content/themes/XXXXX/images/social.png: POSSIBLE CRYPTOPHP! (version: 1.1)
/home/XXXXX/public_html/excel/wp-content/themes/XXXXX/images/social.png: POSSIBLE CRYPTOPHP! (version: 1.1)
/home/XXXXX/public_html/wp-content/themes/XXXXX/images/social.png: CRYPTOPHP DETECTED! (version: 0.3)
/home/XXXXX/public_html/wp-content/plugins/XXXXX/images/social.png: POSSIBLE CRYPTOPHP! (version: 1.1)
/home/XXXXX/public_html/wp-content/themes/XXXXX/images/social.png: CRYPTOPHP DETECTED! (version: 0.3)

Online CryptoPHP Scanner

What if you suspect CryptoPHP activity but don’t have shell access, or can’t access there server where you are? CryptoPHP is not new: in fact its been around since 2013, but was brought to the world’s attention in November of 2014. So chances are your favorite CMS security tool (you use one, right?) already has CryptoPHP scanner and remover built in. For WordPress users, Wordfence will do this for you.

If you don’t have such a security tool or your tool of choice doesn’t detect CryptoPHP, there’s still hope for you: use the website scan.cryptophp.com to check if your site is infected with this malware. Be forewarned though: this online scanner doesn’t do such an awesome job of scanning your site. I gave it the root of a domain with a KNOWN CryptoPHP infection, and it didn’t detect it. That’s because WordPress is installed in a sub-directory, and the scanner couldn’t crawl the entire domain to detect the infection. But it detected it when I entered the actual sub-directory where WordPress is installed.

Found CryptoPHP on your server? The best action is to perform a complete re-install of the CMS, since other backdoors may have been left in other part of the the CMS installation. If a complete re-install is not feasible immediately, at least remove the offending plugin or theme.

Also, check your database to see if any extra administrator accounts were added and remove them. Really do login to your database management application and check the appropriate user tables, as the hackers could hide the extra administrator account in the CMS’s dashboard.

Finally, reset the credentials of your own CMS account and other administrators (they were most likely compromised) as well as your database and control panel accounts, as an attacker may have gained system wide access.

And how do you prevent this kind of infection in the first place? If you’re a web host providing shared hosting service, there’s really not much you can do to prevent your users from uploading nulled scripts. But for you wannabe web developers and designers who upload such scripts, for security, legal and ethical reasons PLEASE STOP installing any kind of pirated (nulled) content.