CryptoPHP a week later: more than 23.000 sites affected

On November 20th we published our report on CryptoPHP. Since publishing we have, together with other parties, been busy dealing with the affected servers and taking down the CryptoPHP infrastructure.

Sinkhole statistics

With the help of the NCSC, Abuse.ch, Shadowserver and Spamhaus we have been able to gather data about the scale of the operation run by the CryptoPHP authors. Most C2 domains that were active at the time of publishing have either been sinkholed or taken down. From the sinkholed domains we’ve been able to gather statistics.

In total 23.693 unique IP addresses connected to the sinkholes. We are already seeing a decline in sinkhole connections: on the 22nd 20.305 connections were made, on the 23rd 18.994 and on the 24th it was already down to 16.786. These numbers are however not a precise indication, mostly because the servers connecting to our sinkholes are shared hosting machines with one or more backdoored websites each. This means the actual number of affected websites will be higher. Unfortunately we are also unable to produce statistics on whether an affected server is running WordPress, Joomla or Drupal, because this information is encrypted using public key encryption, as explained in the paper.

A geographical map was generated from the sinkhole data; the image below gives an overview of the affected countries.

[Image: CryptoPHP sinkhole infection statistics]

Updated information

Since publishing we’ve been keeping an eye on any new developments within CryptoPHP. On the 23rd most of the websites used to spread the backdoored plug-ins and themes went offline; unfortunately they were back up with a new setup a day later and are still active at the time of this publication.
A new version of the backdoor was pushed. Although the version number wasn’t changed, we did get a new file hash for the backdoor. The SHA1 hash of the file is 'c4fe641e3410fb047004c9653c79124c32a66446'; the version number is still 1.0.
The updated hash was committed to the GitHub repo with IOCs at:
https://www.github.com/fox-it/cryptophp/

Advice

We noticed that the advice in our paper wasn’t clear to everyone. Spamhaus received a lot of inquiries about what to do with affected servers or how to find them. For this reason we’ve added this section to explain this a bit better.

Detection

We have created two Python scripts to help administrators detect CryptoPHP:

  1. check_url.py
  2. check_filesystem.py

Both scripts can be found in our GitHub repo: https://www.github.com/fox-it/cryptophp/scripts/
check_filesystem.py scans the filesystem for the CryptoPHP backdoor files. It finds all “social*.png” files and determines whether each one is malicious.
check_url.py scans a website to determine whether it is affected by CryptoPHP. This is useful if you have multiple virtual hosts and don’t know which one is affected.

Removal

If CryptoPHP has been found we recommend the following steps:

  1. Remove the “include” of the backdoor. For example, find the script that contains: "<?php include('images/social.png'); ?>". Note that this path can vary.
  2. Remove the backdoor (social*.png) itself by deleting it.
  3. Check your database to see if any extra administrator accounts were added and remove them.
  4. Reset the credentials of your own CMS account and those of other administrators (they were most likely compromised).

The steps above should be sufficient to remove the impact CryptoPHP has had on your website. We do however recommend performing a complete reinstall of your CMS, since the system integrity may have been compromised; an attacker may, for example, have gained system-wide access.
For both security and legal reasons we advise against installing this kind of pirated (nulled) content.
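The two checks the detection and removal sections describe (finding “social*.png” files that are not real images, and finding the PHP script that includes such a file) can be combined in a single filesystem sweep. The script below is an added illustration written for this post and is not Fox-IT’s check_filesystem.py; it assumes that a backdoor stored under a .png name is PHP text and therefore does not start with the PNG file signature, and that the include statement looks like the example in removal step 1 (quote style and path may vary). The sample directory tree it builds is constructed for the demonstration.

```python
import fnmatch
import os
import re
import tempfile

# Every genuine PNG image starts with this 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Matches PHP include/require statements that pull in a .png file,
# e.g. <?php include('images/social.png'); ?>  (assumption: the include is
# written plainly, as in the removal advice; obfuscated variants are not caught)
INCLUDE_RE = re.compile(
    rb"""(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]*\.png)['"]""",
    re.IGNORECASE,
)


def is_fake_png(path):
    """True if a file named *.png does not begin with the PNG signature."""
    with open(path, "rb") as f:
        head = f.read(len(PNG_SIGNATURE))
    return head != PNG_SIGNATURE


def find_png_includes(path):
    """Return the .png paths that a PHP file includes or requires."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.decode("utf-8", "replace") for m in INCLUDE_RE.findall(data)]


def scan_tree(root):
    """Walk root and return (suspicious_pngs, php_includes).

    suspicious_pngs: social*.png files that are not real PNG images
    php_includes:    (php_file, included_png_path) pairs to clean up
    """
    suspicious, includes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if fnmatch.fnmatch(lower, "social*.png"):
                if is_fake_png(full):
                    suspicious.append(full)
            elif lower.endswith(".php"):
                for inc in find_png_includes(full):
                    includes.append((full, inc))
    return sorted(suspicious), sorted(includes)


def build_sample_tree():
    """Create a constructed web root: one real image, one PHP-in-PNG file,
    and an index.php that includes the fake one. Returns the root path."""
    root = tempfile.mkdtemp(prefix="cryptophp-demo-")
    images = os.path.join(root, "images")
    os.makedirs(images)
    with open(os.path.join(images, "social.png"), "wb") as f:
        f.write(PNG_SIGNATURE + b"\x00" * 8)          # genuine image header
    with open(os.path.join(images, "social1.png"), "wb") as f:
        f.write(b"<?php /* constructed placeholder, not real backdoor code */ echo 1; ?>")
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php include('images/social1.png'); ?>\n<html></html>")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    pngs, incs = scan_tree(demo_root)
    for p in pngs:
        print("suspicious social*.png (not a PNG image):", p)
    for php, inc in incs:
        print("PHP file %s includes %s" % (php, inc))
```

The real social.png with a valid signature is deliberately left alone so that a legitimate image is not reported; only the file that carries PHP text under a .png name is listed, together with the script that includes it, which is exactly what removal steps 1 and 2 ask you to find. Run it against the document root of every virtual host on a shared server, since one backdoored site is enough to get the whole IP listed.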

13 thoughts on “CryptoPHP a week later: more than 23.000 sites affected”

  1. Things seem very embarrassing now. I utilized all the techniques and scripts available so far to get rid of being blacklisted in CBL, even the latest script in the above post, as

    root@server [~]# ./check_filesystem.py
    Recursively scanning directory: /
    root@server [~]#

    This script too could not find anything. I don’t know what to do next with this blacklist; I cannot find any social.png on my server, but the server is being blacklisted again and again in CBL, and I am having the worst issues sending emails.

    Any help on this?

    1. Hi,

      Could you send an email to srt@fox-it.com with some more information ?
      We could help locate the source of the blacklisting if you could provide us with the server IPs and/or vhosts that are blacklisted.

      Regards,
      -Yonathan

  2. Hi,
    I tried check_url.py with these results:

    as standard user
    $ ./check_url.py http://www.example-domain.com
    File "./check_url.py", line 117
    except HTTPError as e:
    ^
    SyntaxError: invalid syntax

    then as root:
    # ./check_url.py http://www.example-domain.com
    File "./check_url.py", line 117
    except HTTPError as e:
    ^
    SyntaxError: invalid syntax

    software installed:
    OS: CentOS release 5.11
    Python 2.4.3

    Is there any special requirement to get check_url.py functional?
    Thanks!

  3. Hello.
    Could you help me please?
    I have similar problem as Hasa Masi.
    I used both scripts and can’t find any problems with CryptoPHP. Today I got an abuse mail with my IP address.
    Thanks.

  4. Update….

    1.- check_filesystem.py does not find anything on server.
    2.- check_url.py finds a CryptoPHP positive on one of the server’s sites.
    3.- ClamAV® Virus Scanner does not find anything on site infected.

    I contacted srt@fox-it.com asking them to modify the check_url.py file to be able to find or give a path where the infection is.

    The infected site according to check_url.py is not using anything related to social.png, so I’m beginning to think this is a false positive issue.

    Any comments are welcome.

    Tony.

  5. Hi, I was blacklisted about 10 days ago by CBL, claiming my site has the CryptoPHP malware. I had recently installed a new WordPress theme (which I had bought legitimately on ThemeForest), so I worried that maybe that had been infected somehow.

    I did the following:
    1) Ran check_filesystem.py on my public_html folder
    2) Ran check_url.py on all of the sites that I run.

    Neither turned up any infected files, so I thought maybe it was just an error and requested to be delisted. However, they just blacklisted me again, so something is wrong. I re-ran the scripts today and still they see nothing.

    Any advice you can offer would be appreciated!

  6. We have been listed at http://cbl.abuseat.org/lookup.cgi?ip=69.175.48.34 for a while and we have carried out all the possible methods according to our knowledge, as below:

    1-checked all the computers/laptops and they are clean from viruses.
    2-checked the current website using the standard cPanel search to find any of the mentioned files but didn’t find anything.
    3-the firewall doesn’t have any valid record for port 25 nor even the destination IP address mentioned in http://cbl.abuseat.org/lookup.cgi?ip=69.175.48.34
    4-read lots of articles but with no luck as well.
    5-didn’t know what to do with the above mentioned scripts.
    6-asked the web hosting support to help detect the root cause of this case but also with no luck.
    7-changed all email passwords and the CMS as well but also with no luck…

    we need any possible support please.

    thanks in advance.

    Best Regards
