How to find CryptPHP PHP malware and remove it.

CryptPHP PHP malware has become a nightmare for WordPress owners. It has hacked millions of websites and got web hosts listed in the CBL, affecting other web hosting accounts that did nothing wrong. Unfortunately it is a vicious loop, and blacklists like CBL and Sorbs don’t care to apply scrutiny or rationale. Their philosophy is to just block everything if there is an issue, even though websites that did nothing wrong get blocked along with it. Hopefully someday blacklists will focus on the domains that cause issues, not the IPs; that way good sites will not be blocked for doing nothing wrong. Most people in the IP and networking business know that Sorbs blocks millions of good websites with no regard; I was shocked, though, to see CBL join the same block-first-ask-later list.

Anyways… to find the CryptPHP hack, A.K.A. the social.png hack, you need to run a search command as root on your server.

This will find it:

locate social | grep png | while read -r r; do file "$r"; done | grep PHP

The path is quoted so file names with spaces still work, and the check relies on the locate database, so run updatedb first if it is stale.

But removing it will not fix the issue: if it’s on the site then the site has been hacked and needs to be removed. The only things that can be salvaged are the images and the databases.
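As an added example, not part of the original post, here is a small POSIX shell script that does the same check without depending on the locate database: it walks a directory, keeps every file named .png that does not start with the PNG signature, and marks those that contain a PHP open tag. The function names and the reason labels are my own choice; the script takes any directory, so it can be pointed at one account’s public_html or at /home for the whole server.

```shell
#!/bin/sh
# Added example (not from the original post): report files that are named
# like PNG images but do not start with the PNG signature, and flag those
# that carry a PHP open tag. No locate database is used, so results are
# never stale. Assumption: POSIX sh with find, head, od, grep and tr.

# Print the first four bytes of a file as lowercase hex (a PNG starts with 89504e47).
magic4() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Usage: find_fake_png DIR
# Prints one line per suspicious file: "<path> <reason>", where reason is
# "php" when the file contains a PHP open tag and "not-png" otherwise.
find_fake_png() {
    dir=$1
    find "$dir" -type f \( -name '*.png' -o -name '*.PNG' \) -print |
    while IFS= read -r f; do
        if [ "$(magic4 "$f")" = "89504e47" ]; then
            continue    # genuine PNG header, nothing to report
        fi
        if grep -aq '<?php' "$f"; then
            printf '%s php\n' "$f"
        else
            printf '%s not-png\n' "$f"
        fi
    done
}

# Usage: count_fake_png DIR  -> number of suspicious files (handy for a cron check)
count_fake_png() {
    find_fake_png "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: sh find_fake_png.sh /home
if [ $# -gt 0 ]; then
    find_fake_png "$1"
fi
```

Treat the output as a list of accounts that need the restore-from-clean-backup treatment the post describes, not as a list of files to delete in place: the script only catches the PNG-name-with-PHP-body mismatch, and a compromised site usually carries more than that one file.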

Here is a little information on having your WordPress hacked

How to remove error_log from all CPanel account and backups

Some scripts like WordPress and Joomla can leave behind big error_log files that no one will ever look at. Try opening a 30 MB log file with Word and see what happens. In most cases you can just remove this file with a simple command.

To remove all error_log files for CPanel accounts that are live use:

find /home/ -type f -name error_log -delete

To remove all error_log files from backups use:

find /backup/ -type f -name error_log -delete

This will take a while to complete because it looks through every file, but it runs pretty smoothly, so just sit back and let it work its magic.
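Because find -delete removes files without reporting anything, here is an added example (my own script, not from the post) that first counts the error_log files under a directory and sums their size, then deletes them only when --delete is passed. The function names and the --delete flag are my own choice; any directory works, /home and /backup being the cPanel defaults the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run style error_log cleanup.
# Assumption: POSIX sh with find, wc, awk and tr; find -delete as used in the post.

# Usage: error_log_count DIR  -> number of error_log files under DIR
error_log_count() {
    find "$1" -type f -name error_log | wc -l | tr -d ' '
}

# Usage: error_log_bytes DIR  -> total size in bytes of those files
error_log_bytes() {
    find "$1" -type f -name error_log -print |
    while IFS= read -r f; do
        wc -c < "$f"
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Usage: clean_error_logs DIR [--delete]
# Without --delete it only reports what would go; with it, the files are removed.
clean_error_logs() {
    dir=$1
    mode=${2:-}
    n=$(error_log_count "$dir")
    b=$(error_log_bytes "$dir")
    if [ "$mode" = "--delete" ]; then
        find "$dir" -type f -name error_log -delete
        printf 'deleted %s error_log file(s), freeing %s bytes under %s\n' "$n" "$b" "$dir"
    else
        printf 'dry run: %s error_log file(s) using %s bytes under %s (pass --delete to remove)\n' "$n" "$b" "$dir"
    fi
}

# Stand-alone usage: sh clean_error_logs.sh /home          (report only)
#                    sh clean_error_logs.sh /home --delete (remove)
if [ $# -gt 0 ]; then
    clean_error_logs "$@"
fi
```

Run the dry run first on /home and again on /backup; if the byte count is tiny the cleanup is not where your space went, and the du command later in this post is the better next step.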


Free space on a CPanel/WHM server with root access

Cleaning up and making space on /usr

1. Restart the httpd service. This might free a little space sometimes.

2. Check for Apache logs like error_log, access_log and suexec_log in /usr/local/apache/logs. These can either be cleared off or, if you need the logs, you can take a zipped copy and keep it aside.

3. The same can be done for the files in the cPanel logs (/usr/local/cpanel/logs).

4. Domlogs – Go into the /usr/local/apache/domlogs/ directory and run the following command:

ls -al -SR | head -10

It lists 10 files in decreasing order of size.

If the domlog file is too large for a domain then it is possible that awstats is not running. Check whether cpanellogd is running on the server using pstree; if not, restart it.
Otherwise it is possible that awstats for only that particular domain is not updating. Go into the directory /usr/local/cpanel/base and check whether a file such as ‘awstats.domainname.com.conf’ exists. If so, delete that file.

Now run /scripts/runweblogs for that user. It will update awstats and automatically clear the domlogs file afterwards. Do not delete the domlogs file itself.

5. Remove old and unwanted backups of ‘apache’ that might have been taken long ago. Also check for any other duplicate folders that can be removed safely.

6. Remove core files, if any. Normally some core files (like core.1234) might be present in /usr/local/cpanel/whostmgr/docroot. Check for these and remove them.

7. Restart your server: the quota might be off for that partition and a reboot will correct it. Keep in mind that if there is a hard drive error this can leave the server offline while the system or admin runs an fsck.

Cleaning up and making space on /var

cPanel and Linux leave a lot of log files in /var.
After several years these can add up, especially in the cpanel/bandwidth folder, so a couple of quick folder moves and symlinks can clean things up. This assumes you have a /backup partition with some room in it.

1. Moving the log folder

mv /var/log /backup/
ln -s /backup/log /var/log

2. Moving the cpanel bandwidth folder

mv /var/cpanel/bandwidth /backup/
ln -s /backup/bandwidth /var/cpanel/bandwidth

3. Also, just removing some of the log files in the log folder can help as a quick fix.

4. You can use this command to find any other large folders:

du -ax --max-depth=1 /var | sort -n | tail

5. In some cases you just need to clean your mail queue:

/usr/sbin/exiqgrep -i | xargs /usr/sbin/exim -Mrm
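The two mv + ln -s steps above assume the destination does not already exist and the source is not already a symlink; a second run, or a run on a server where /backup is not mounted, would otherwise move data into the wrong place. Here is an added example, not from the post, of a shell function that checks those preconditions before moving a directory and linking it back. The function names are my own; it takes the directory to move (the post’s /var/log or /var/cpanel/bandwidth) and the parent directory on the backup partition (the post’s /backup).

```shell
#!/bin/sh
# Added example (not from the original post): move a directory to another
# partition and leave a symlink in its place, refusing to proceed when the
# situation is not what the manual `mv` + `ln -s` steps assume.
# Assumption: POSIX sh with mv, ln, basename and readlink.

# Usage: relocate_dir SRC DEST_PARENT
# Returns 0 on success and 1 when a precondition fails, so callers can test it.
relocate_dir() {
    src=$1
    dest_parent=$2
    dest="$dest_parent/$(basename "$src")"

    if [ -L "$src" ]; then
        echo "refusing: $src is already a symlink -> $(readlink "$src")" >&2
        return 1
    fi
    if [ ! -d "$src" ]; then
        echo "refusing: $src is not a directory" >&2
        return 1
    fi
    if [ ! -d "$dest_parent" ]; then
        echo "refusing: $dest_parent does not exist (is the backup partition mounted?)" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "refusing: $dest already exists; merge or remove it first" >&2
        return 1
    fi

    mv "$src" "$dest" || return 1
    ln -s "$dest" "$src" || return 1
    echo "moved $src to $dest and linked it back"
}

# Usage: is_relocated DIR  -> 0 if DIR is a symlink that points at an existing directory
is_relocated() {
    [ -L "$1" ] && [ -d "$1" ]
}

# Stand-alone usage: sh relocate_dir.sh /var/cpanel/bandwidth /backup
if [ $# -eq 2 ]; then
    relocate_dir "$1" "$2"
fi
```

When /backup is a separate filesystem, mv copies the files and deletes the originals, so any daemon that already had a log open keeps writing to the deleted inode. Restart the services that write into the moved directory (syslog and cpanellogd for /var/log and /var/cpanel/bandwidth) once the link is in place, so new writes land under /backup.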

Other server cleaning tips:

1. Delete cPanel File Manager temp files

When users upload files in File Manager within cPanel, File Manager creates a temp file that may or may not get removed after the upload. You can remove these files using this command:

rm -fv /home/*/tmp/Cpanel_*

2. Remove cPanel update archives

cPanel and EasyApache updates tend to leave behind files that you probably don’t need. The following can be deleted or moved to a backup server to free up a little space:

/usr/local/apache.backup*

/home/cpeasyapache (actual name may vary depending on cpanel version)

3. Clean up Yum files

Yum updates leave package cache files on the server. You can clean up all unneeded yum files by running:

yum clean all

4. Remove pure-ftp partials

When your users upload files to the server via FTP and your server runs pure-FTPd as its FTP daemon, the FTP server creates temporary files starting with .pureftpd-upload that get renamed to the actual filename when the upload completes. If the upload doesn’t complete, these files are left on the server. You can find and delete these by running:

locate -0 .pureftpd-upload | xargs -0 rm -fv

The -0 flags keep file names with spaces intact; as with any locate search, run updatedb first if the database is stale.

How to remove Softaculous

/usr/local/cpanel/bin/unregister_cpanelplugin /usr/local/cpanel/whostmgr/docroot/cgi/softaculous/softaculous.cpanelplugin

rm -rf /etc/cron.d/softaculous

rm -rf /var/softaculous

rm -rf /usr/local/cpanel/whostmgr/cgi/softaculous

rm -rf /usr/local/cpanel/whostmgr/cgi/addon_softaculous.php

rm -rf /usr/local/cpanel/whostmgr/cgi/addon_softaculous.cgi

rm -rf /usr/local/cpanel/base/frontend/x3/dynamicui/dynamicui_softicons.conf

——

Also check how to find large files