After moving a WordPress site to the live server, my client reported to me the other day that the hosting provider had blocked his site, saying it was infected with CryptoPHP malware. The hosting provider had set up an .htaccess protection and mailed the client to prevent further damage. They also sent a link describing this malware.
After that I scanned the whole site with security plugins such as Wordfence, Sucuri Security and All In One WP Security, and increased the protection. To learn more about this malware, read on.
What is CryptoPHP malware?
It is a malicious file that backdoors CMS installations such as Joomla, WordPress and Drupal sites. It mostly arrives through nulled plugins and extensions. If you are a PHP developer you will notice a block of code that looks strange: the infection adds code similar to the sample shown below to PHP files.
One can easily see that PNG files should never appear in an include() call; an image is not PHP code, so a script that includes a .png is loading code disguised as an image.
What does it do?
As I noted on the infected site, it had created two new users named 'system' and 'system1'. After analysing social.png (the main malicious script) I found that this script also sends curl requests to a malicious server and carries out some further execution. At the end of the post I am attaching part of this script.
How to remove it?
- Scan your site with security plugins/extensions such as those listed above.
- Then manually scan the files for malicious code. Look at the embedded gist below to see what this code looks like.
- Check your site's installation folder for weird-looking file names and code.
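To make the manual scan in the last two steps repeatable, here is a small Python checker I have added to this post (it is not part of the original write-up and not a tool from any of the plugins named above). It looks for the two indicators described here: PHP files that include or require a file with an image extension, and files named like images that contain a PHP open tag. SAMPLE_PHP is a constructed theme fragment for demonstration; the social.png name is taken from the post, and the scan_tree() function and its output format are my own assumptions.

```python
import re
import sys
from pathlib import Path

# Keywords that pull another file into the PHP interpreter. Longest alternatives
# first so "include_once" is not matched as "include" followed by "_once".
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;",
    re.IGNORECASE,
)
# Extensions that never belong inside include/require: a real image cannot be
# executed, so including one means the "image" is actually a PHP script.
IMAGE_EXT_RE = re.compile(r"\.(png|jpe?g|gif|bmp|ico)\s*['\"]", re.IGNORECASE)
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico"}


def find_suspicious_includes(source: str):
    """Return [(line_number, statement), ...] for every include/require in the
    given PHP source whose argument names an image file."""
    hits = []
    for match in INCLUDE_RE.finditer(source):
        if IMAGE_EXT_RE.search(match.group("arg")):
            line_no = source.count("\n", 0, match.start()) + 1
            hits.append((line_no, match.group(0).strip()))
    return hits


def image_file_hides_php(data: bytes) -> bool:
    """True when a file named like an image carries a PHP open tag; genuine
    image data has no reason to contain one."""
    return b"<?php" in data


def scan_tree(root):
    """Walk a site directory and report both indicators (assumed layout).
    Returns {path: [(line_no, statement), ...]} for PHP files with image
    includes, and {path: ["php-in-image"]} for image files hiding PHP."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        if suffix == ".php":
            hits = find_suspicious_includes(data.decode("utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
        elif suffix in IMAGE_SUFFIXES and image_file_hides_php(data):
            findings[str(path)] = ["php-in-image"]
    return findings


# Constructed sample of a tampered theme file (not taken from any real site).
# The second include is the CryptoPHP tell-tale; the first is normal.
SAMPLE_PHP = """<?php
include_once 'functions.php';
require_once dirname(__FILE__) . '/images/social.png';
echo 'theme loaded';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python cryptophp_check.py /path/to/site/root
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print(find_suspicious_includes(SAMPLE_PHP))
```

Run it against the site root and review every reported file by hand: a hit only tells you the include is wrong, not what the included "image" does, so read the file before deleting it and remove the plugin or theme that shipped it rather than only the one line.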
Read more: CryptoPHP malware | White paper
Sample code
The full source of the sample code can be found here.