How to find CryptPHP PHP malware and remove it.

CryptPHP PHP malware has become a nightmare for WordPress owners. Millions of websites have been hacked with it, and it gets web hosts listed in the CBL, affecting other web hosting accounts that did nothing wrong. It's a vicious loop, unfortunately, because blacklists like CBL and Sorbs don't care about using scrutiny or rationale. Their philosophy is to just block everything if there is an issue, even though websites that did nothing wrong get blocked. Hopefully someday blacklists will focus on the domains that cause issues, not the IPs. That way good sites will not be blocked for doing nothing wrong. Most IP people and the net know that Sorbs blocks millions of good websites with no regard; I was shocked, though, to see CBL jump on the same list of block first, ask later.

Anyways… to find the CryptPHP hack, A.K.A. the social.png hack, you need to run a search command from root on your server.

This will find it:

locate social | grep png | while IFS= read -r r; do file "$r"; done | grep PHP

But removing it will not fix the issue. If it's on the site, then the site has been hacked and needs to be removed. The only things that can be salvaged are the images and databases.
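The locate command above only sees files that were present the last time its database was updated, and only ones named social. As an added example (not part of the original post), the function below walks a directory with find and lists any image-named file that contains a PHP open tag near its start, which generalizes the social.png check to other image extensions. The function name, the extension list and the 1024-byte window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: list image-named files that
# carry a PHP open tag in their first bytes (the social.png pattern).
# The function name and the 1024-byte window are assumptions.
scan_fake_images() {
    root=${1:-.}
    find "$root" -type f \( -iname '*.png' -o -iname '*.jpg' \
        -o -iname '*.jpeg' -o -iname '*.gif' \) -print 2>/dev/null |
    while IFS= read -r f; do
        # A genuine image has no reason to contain "<?php" near its start.
        # -a makes grep treat binary image data as text.
        if head -c 1024 "$f" 2>/dev/null | grep -aq '<?php'; then
            printf '%s\n' "$f"
        fi
    done
}

# Run as: sh scan.sh /path/to/webroot  (script name and path are placeholders)
if [ "$#" -gt 0 ]; then
    scan_fake_images "$1"
fi
```

Paths are read one per line, so directory names with spaces are handled; every file it prints marks a site that falls under the advice above.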

Here is a little information on having your WordPress Hacked

Test CGI Script

It's really easy to test your CGI (or a Perl script) by adding a test.cgi script with the permissions: 755.

Just make sure there is no white space at the top or bottom of the file and that the file has exactly what's shown below. Make sure the name is test.cgi and put it in your main folder. Then go to


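#!/usr/bin/perl
# -- my first perl script!
# The interpreter line above must be the very first line of the file;
# adjust the path if perl is installed somewhere else.
print "Content-type: text/html\n\n";
# Heredoc: everything up to the closing EOF line is sent to the browser.
print <<"EOF";
<TITLE>Hello, world!</TITLE>
<H1>Hello, world!</H1>
EOF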