CryptoPHP is a backdoor that, unfortunately, a lot of web hosts are suffering from. It is one of the more recently discovered families of web malware, and it works by turning a compromised site into a platform for search-engine spam. It spreads inside pirated ("nulled") themes and plugins for popular open-source platforms such as Drupal, Joomla and WordPress: the add-on works as advertised, but it carries the backdoor along with it. Sadly, in an era where more and more website owners and small businesses are building their own sites on platforms such as WordPress, attackers are taking advantage of that open-source "entry" too. And even if a website owner designs a site themselves, they still need a web hosting company to actually get it live, so who you choose can help defend you from malware (or not).
You are most likely to "find" CryptoPHP in what looks like an image file, with "social.png" being the most common name, but bear in mind that it can have basically any name. There is no official reason why social.png became the file name of choice, but "social" blends in with the icons and share buttons a theme legitimately ships with, and it sounds harmless to a website owner. The file is not an image at all: it is PHP source code saved under an image extension, and a line in the theme or plugin (typically an include or require statement) loads it when the site runs. That is a good reminder to always know who is behind a file and where it comes from before installing it.
A quick diagnosis is to try opening the file in an image viewer, or to check its first bytes against the PNG header. Can't be displayed, or starts with <?php instead of the PNG signature? That is a huge red flag. The attackers rely on hosts and site owners not looking twice at an "image" sitting in a theme's images directory, often on a shared server from an unsuspecting web hosting company. Once the backdoor is running it contacts the operators' command-and-control servers and injects spam links and pages into the site, and the collateral damage lands on the hosting account: search-engine penalties for the site and a damaged reputation for the server's IP address, which can end up blacklisted.
According to Fox-IT, "We've identified thousands of backdoored plug-ins and themes which contained 16 versions of CryptoPHP…their first ever version went live on the 25th of September 2013 which was the version 0.1, they are currently on version 1.0a which was first released on the 12th of November 2014. We cannot determine the exact number of affected websites, but we estimate that at least a few thousand websites are compromised by CryptoPHP."
What to Do
The purpose of CryptoPHP is black hat SEO (search engine optimization): the backdoor injects links and pages into the compromised site to boost the ranking of sites the operators are paid to promote. The injected content is typically served only to search-engine crawlers rather than to ordinary visitors, which is why a site owner can look at their own pages and see nothing wrong while the search engines see a page inundated with spammy links. Keep in mind that SEO penalties from the likes of Google can be incredibly difficult to recover from, and in severe cases websites might be removed from the search index entirely.
Cleaning CryptoPHP off a server is something your web host needs to take care of, and there are a few ways to go about it. One tool that often gets recommended, Norton Power Eraser, is a Windows desktop scanner; it will not scan a Linux hosting server's document root, so it is only useful if the pirated theme was unpacked on someone's PC first. What actually works is an inventory of the server: list every file named social.png (and, more generally, every file with an image extension that does not start with the image's magic bytes), confirm which ones contain PHP, and then search the PHP code for the include or require lines that load them, because those lines are what activates the backdoor. Hosts running cPanel can use a server-side malware scanner such as ConfigServer eXploit Scanner (cxs) to find the files and report their paths, and Fox-IT published its own detection scripts alongside the whitepaper.
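The inventory described above, written out as an added example (this is not Fox-IT's detection script or code from the original article): it walks a web root, flags image-named files whose header is not an image signature, distinguishes the ones that carry a PHP open tag from merely broken images, and greps PHP source for include/require lines that point at an image file. The sample web root it builds is constructed here for the demonstration; the file names, paths and stand-in payload are assumptions, not samples of real CryptoPHP.

```python
"""Scan a web root for CryptoPHP-style backdoors: PHP code hidden behind an
image file name, plus the theme/plugin source that include()s it.

Added example, not Fox-IT's tooling. The sample tree below is constructed
inline so the script runs offline.
"""
import os
import re
import sys
import tempfile

# Magic bytes for the image types the backdoor borrows file names from.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Heuristic: an include/require statement that names an image file on the
# same line, e.g.  require_once(dirname(__FILE__) . '/images/social.png');
IMAGE_INCLUDE = re.compile(r"\b(include|require)(_once)?\b[^;\n]*\.(png|gif|jpe?g)\b",
                           re.IGNORECASE)
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def inspect_image_file(path):
    """Classify a file by its image extension and header.

    Returns None (not an image extension, or header matches), 'no-image-header'
    (wrong header, no PHP found: a broken image, worth a look) or 'php-payload'
    (wrong header and a PHP open tag: treat as a backdoor)."""
    magic = IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first MiB is plenty for a header check
    if data.startswith(magic):
        return None
    return "php-payload" if PHP_TAG.search(data) else "no-image-header"


def find_image_includes(path):
    """Return (line_no, line) pairs where PHP source loads an 'image'."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if IMAGE_INCLUDE.search(line):
                hits.append((no, line.strip()))
    return hits


def scan(root):
    """Walk root and group findings; paths are reported relative to root."""
    report = {"php_payloads": [], "no_image_header": [], "includes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            verdict = inspect_image_file(path)
            if verdict == "php-payload":
                report["php_payloads"].append(rel)
            elif verdict == "no-image-header":
                report["no_image_header"].append(rel)
            elif name.lower().endswith(PHP_EXTENSIONS):
                for no, line in find_image_includes(path):
                    report["includes"].append((rel, no, line))
    for key in report:
        report[key].sort()
    return report


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree():
    """Constructed sample web root (assumed layout, harmless stand-in payload)."""
    root = tempfile.mkdtemp(prefix="cryptophp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "nulled-theme")
    _write(os.path.join(theme, "images", "logo.png"), IMAGE_MAGIC[".png"] + b"\x00" * 32)
    _write(os.path.join(theme, "images", "broken.gif"), b"not really an image\n")
    _write(os.path.join(theme, "images", "social.png"),
           b"<?php\n// constructed stand-in for the backdoor body\necho 'payload';\n")
    _write(os.path.join(theme, "functions.php"),
           b"<?php\nrequire_once(dirname(__FILE__) . '/images/social.png');\n")
    _write(os.path.join(root, "index.php"), b"<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for key, items in scan(target).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it with a web root as the first argument, or with no argument to scan the constructed sample tree. Anything under php_payloads should be treated as a confirmed backdoor; the includes list tells you which theme or plugin file is loading it, which is the file that has to go, not just the fake image.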
Most importantly, if a hosting account is actually infected with CryptoPHP, it needs to be rebuilt from the ground up: remove the pirated theme or plugin entirely, reinstall from the official source, and change every password the account used. Deleting social.png alone won't get rid of the infection, because the include line that loads it is still in the theme, and the attackers have had the ability to run code on the account for as long as the backdoor was there, so anything else they planted won't be found by removing one file. If you suspect your web host is a victim of CryptoPHP, call them immediately; this is where having chosen a company with great customer service is crucial.