After moving WordPress site to live server my client reported me another day that hosting provider has blocked his site and saying that it’s infected with CryptoPHP malware. Hosting provider guys has setup an .htaccess protection and mailed client to prevent further damage. They sent a link describing this malware.
What is cryptoPHP malware ?
It’s a malicious file which backdoors your CMS like Joomla, WordPress, Drupal sites. This comes from nulled plugins/extensions mostly. If you are a PHP developer then you will find a block code that looks strange. It includes similar code as below to php files.
One can easily find that png files should not be in include function.
What it does ?
As I have noted on infected site, that It has created 2 new users named ‘system’ and ‘system1’. After analyzing social.png (main malicious script) I found that this script sends curl requests to malicious server also and processes some execution. At the end of the post I am attaching part of this script.
How to remove ?
- Scan your site with security plugin/extensions, like listed above.
- Then you can manually scan files for malicious code in files. Look below embedded git to see how this code looks like.
- Check your site installation folder for weird looking file name and code.
Full source sample code can be found here.