The host at this IP address is infected with the CryptPHP PHP malware.

Has anyone else had the same problem with cbl.abuseat.org?

Full message is here:

The host at this IP address is infected with the CryptPHP PHP malware.

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

Fox-IT: CryptoPHP - Analysis of a hidden threat inside popular content management systems
Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign
This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

This was detected by a TCP connection from 1.1.1.1 on port 44874 going to IP address 192.42.116.41 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "carandfly.net".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name carandfly.net on any port with a network sniffer such as wireshark or by configuring the router to block and log such connections. Equivalently, you can examine your DNS server or proxy server logs for references to 192.42.116.41 or carandfly.net. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2014-11-23 10:09:06 (GMT - this timestamp is believed accurate to within one second).

Note that in the description below, findbot can sometimes yield a lot of false positives. In this case, you are probably looking for references to "social.php", so grepping the output of findbot for "social.php", may work better.

Additionally, they provide a tool, findbot.pl, that seems to find more false positives than real threats, so it is basically a huge time waster.
Grepping its output for social.php wasn't a big help either (if you have tried that, you know what I mean :) ).
Since we want the cause of the blacklisting found ASAP, that script does its job pretty badly. The client is not going to wait a week while you cross out thousands of false positives.

Basically, the fastest way to find those "strange" social.png files was this:

locate -0 social.png | xargs -0 grep 'error_reporting' -l

That's super fast and simple. locate lists every social.png file that exists on the system, and grep keeps only those files that try to turn off error reporting.

The funny thing is that the spam code turns off error reporting so it does not show up in the logs, and, as we know, a .png file should contain an image and no PHP code at all, so that is a pretty good trigger for an initial scan, isn't it? :)

If locate is missing on your system, you can install it or use the find command instead. find is much slower, but the result should be the same.
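The same check as a reusable shell function, written as an added example for this post (not the author's one-liner and not Fox-IT's script). It uses find, which walks the live filesystem and so does not depend on the locate database being up to date, flags a social.png that lacks the PNG file signature or contains PHP, and prints the md5 so the hits can be compared against the Fox-IT whitepaper hashes (not reproduced here). The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. A genuine PNG starts with the
# 8-byte signature 89 50 4e 47 0d 0a 1a 0a; the backdoor is PHP source that
# also calls error_reporting(), so either test is enough to flag a file.

# Print one line per suspicious file: "<md5>  <path>  <reason>".
# Paths containing newlines are not handled (find -print is line based).
scan_social_png() {
    root="$1"
    find "$root" -type f -name 'social.png' -print | while IFS= read -r f; do
        reason=""
        # Compare the first 8 bytes with the PNG signature.
        sig=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$sig" != "89504e470d0a1a0a" ]; then
            reason="no-png-signature"
        fi
        # Independent check: PHP open tag or error_reporting() in the body.
        if grep -qE '<\?php|error_reporting' "$f"; then
            reason="${reason:+$reason,}php-content"
        fi
        [ -n "$reason" ] || continue
        sum=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s  %s  %s\n' "$sum" "$f" "$reason"
    done
}

# Number of suspicious files under a root (0 means nothing flagged).
count_suspicious() {
    scan_social_png "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one real PNG header, one PHP file named social.png.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/site1/images" "$dir/site2/wp-content/themes/x"
    printf '\211PNG\r\n\032\nIHDRfiller' > "$dir/site1/images/social.png"
    printf '<?php error_reporting(0); /* ... */\n' \
        > "$dir/site2/wp-content/themes/x/social.png"
}

# Stand-alone run against the constructed tree.
tmpdir=$(mktemp -d)
make_sample_tree "$tmpdir"
scan_social_png "$tmpdir"
rm -rf "$tmpdir"
```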

If you know any other techniques that help find this CryptoPHP infection without lots of false positives, please share them in the comments below ;)

ADDITIONAL INFO:
Fox-IT released a script that compares social.png files against their database of hashes.
It works pretty well:
https://github.com/fox-it/cryptophp/blob/master/scripts/check_filesystem.py

Comments

2 responses to “The host at this IP address is infected with the CryptPHP PHP malware.”

  1. findbot.pl is a huge waste of time. Use Maldet, it has definitions for cryptphp

  2. maldet takes long time and huge waste of cpu resources. try find /home/*/public_html -type f -name social.png -exec md5sum {} \; and compare it with 16 versions of backdoor hashes https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
