The host at this IP address is infected with the CryptPHP PHP malware.

Has anyone else got the same problem with

Full message is here:

Additionally, they provide a tool that seems to find more false positives than real threats, so basically it's a huge time waster.
Grepping the output for social.php wasn't a big help either (if you tried that, you would know what I mean :) )
As we want the cause of the blacklisting to be found ASAP, that script does its job pretty crappily. The client is not going to wait a week while you cross out thousands of false positives.

Basically, the fastest way to find those "strange" social.png files was this:

That's super fast and simple: locate lists all social.png files that exist on the system, and grep keeps only those files that try to turn off error reporting.

The funniest thing is that the spam code turns off error reporting so it doesn't show up in the logs, and as we know, a .png file should contain an image and no PHP code at all. That's a pretty good trigger for an initial vulnerability scan, isn't it? :)

If locate is missing on your system, you can install it or use the 'find' command instead. 'find' would be much slower, but the result should be the same.
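The check described above, written out as an added example (not the author's own one-liner): it uses the slower 'find' route so that it does not depend on an up-to-date locate database, flags every social.png that contains a PHP open tag or an attempt to silence error reporting, and separately tests whether a file even starts with the PNG signature. The function names and the constructed sample tree are assumptions made for this example; the "malicious" sample file carries no payload, only the error_reporting(0) marker the post relies on.

```shell
#!/bin/sh
# Added example: find social.png files that carry PHP code instead of image
# data. Function names and the sample tree are assumptions for this demo.

# scan_social_png DIR: print the path of every social.png under DIR that
# contains a PHP open tag or a call to error_reporting(...).
# 'grep -a' treats binary files as text so real images are inspected too.
scan_social_png() {
    find "$1" -type f -name 'social.png' 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -a -E '<\?php|error_reporting[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# is_real_png FILE: succeed only if FILE starts with the 8-byte PNG signature
# (89 50 4e 47 0d 0a 1a 0a). A "png" that fails this check deserves a look.
is_real_png() {
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ]
}

# make_sample_tree: build a constructed directory tree (not real malware):
# one file with a genuine PNG header, one text file masquerading as an image.
# Prints the root of the tree.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site/images" "$d/site/wp-content/plugins/demo/assets"
    printf '\211PNG\r\n\032\n' > "$d/site/images/social.png"
    printf '<?php error_reporting(0); /* constructed sample, no payload */ ?>\n' \
        > "$d/site/wp-content/plugins/demo/assets/social.png"
    printf '%s\n' "$d"
}

# Stand-alone run: scan the constructed tree, report, then clean up.
root=$(make_sample_tree)
echo "suspicious social.png files under $root:"
scan_social_png "$root"
rm -rf "$root"
```

On a real host you would run scan_social_png against the web root (or / if you have the time), and follow up any hit with is_real_png and a look at the file's owner and modification time; a file in the list that also fails the signature check is the strongest candidate.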

If you've noticed any other techniques that would help to find this CryptPHP without lots of false positives, please share them in the comments below ;)

Fox-IT released a script that compares social.png files against their database of hashes.
It works pretty nicely:


