How to find CryptPHP PHP malware and remove it.

CryptPHP PHP malware has become a nightmare for WordPress owners. Millions of websites have been hacked with it, getting web hosts listed in CBL and affecting other web hosting accounts that did nothing wrong. It’s a vicious loop, unfortunately, that blacklists like CBL and Sorbs don’t care about using scrutiny or rationale. Their philosophy is to just block everything if there is an issue, despite websites being blocked that did nothing wrong. Hopefully someday blacklists will focus on the domains that cause issues, not the IPs. That way good sites will not be blocked for doing nothing wrong. Most IP people and the net know that Sorbs blocks millions of good websites with no regard; I was shocked, though, to see CBL jump on the same list of block first, ask later.

Anyway, to find the CryptPHP hack, a.k.a. the social.png hack, you need to run a search command as root on your server.

This will find it:

# List files with "social" and "png" in the path whose content is actually PHP.
locate social | grep png | while IFS= read -r r; do file "$r"; done | grep PHP

But removing it will not fix the issue. If it’s on the site, then the site has been hacked and needs to be removed. The only things that can be salvaged are the images and databases.
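A variant of the search above, added here as an example and not part of the original post: it walks a directory with find instead of relying on the locate database (which may be stale), checks every image-named file rather than only social.png, and tells a renamed PHP file apart from PHP embedded in a valid image. The function names and verdict labels are this example's own, and the directory to scan is whatever document root you pass in.

```shell
#!/bin/sh
# Added example. Usage: sh scan.sh /path/to/webroot  (path supplied by you)

# Print the first 4 bytes of a file as lowercase hex, e.g. 89504e47 for PNG.
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# List image-named files that contain a PHP open tag.
# Output: one line per hit, "<verdict><TAB><path>", where verdict is
#   renamed-php   header is not PNG/GIF/JPEG (the social.png case)
#   php-in-image  header is a valid image but PHP is embedded in it
# Paths containing newlines are not handled.
scan_fake_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.gif' \
        -o -iname '*.jpg' -o -iname '*.jpeg' \) -print |
    while IFS= read -r f; do
        # Skip files with no PHP open tag at all.
        LC_ALL=C grep -qiF '<?php' "$f" || continue
        case $(magic_hex "$f") in
            89504e47|47494638|ffd8ff*) verdict=php-in-image ;;
            *)                         verdict=renamed-php ;;
        esac
        printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Run as a script when given a directory argument.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    scan_fake_images "$1"
fi
```

Any hit means the account should be treated as compromised, as described above; the list only tells you which sites to rebuild.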

Here is a little information on having your WordPress Hacked