CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
(Image credit: foxitsecurity.files.wordpress.com)
How To Detect And Clean CryptoPHP Malware?
Antivirus scanners such as ClamAV and maldet can help to find this embedded malware, rather than relying on the find command or something similar.
But make sure to update both ClamAV and maldet before scanning:
Update ClamAV and maldet:
freshclam
maldet -d
maldet -u
Here is a find command that can find all such files and print the first 80 characters following "php" in each one, just to confirm its content.
find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print
It is also important to examine the affected user account, and not just delete this file, because deleting the file alone will not actually solve anything.
You can also run another command:
find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /some/file
This checks all .png files; you can extend it to check all .jpg and .gif files as well. The output will contain a list of files that are actually PHP scripts.
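The two checks above (a PHP open tag inside an image-named file, and the file's real type) combined into one script, as an added example that is not part of the original post. It assumes a POSIX shell with find, head, od and grep; the function names and the demo directory are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post: report image-named files
# that contain PHP code. CryptoPHP shipped its backdoor as a file called
# social*.png that theme PHP included, so the extension alone proves nothing.

# image_magic FILE -> prints png, jpeg, gif, or none, based on the first bytes
image_magic() {
  case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
    89504e47) echo png ;;
    ffd8ff*)  echo jpeg ;;
    47494638) echo gif ;;
    *)        echo none ;;
  esac
}

# check_image_file FILE
# Prints "FILE<TAB>php-script" when the file has no image header but a PHP
# open tag (the CryptoPHP case), "FILE<TAB>php-in-image" when a genuine image
# header is followed by a PHP tag (worth a manual look), nothing otherwise.
# grep -a scans binary files as text; -q only sets the exit status.
check_image_file() {
  if grep -q -a '<?php' "$1"; then
    if [ "$(image_magic "$1")" = none ]; then
      printf '%s\tphp-script\n' "$1"
    else
      printf '%s\tphp-in-image\n' "$1"
    fi
  fi
}

# scan_fake_images DIR
# Walks DIR (following symlinks, like find -L in the post) and checks every
# *.png/*.jpg/*.jpeg/*.gif. Output is one line per suspicious file.
scan_fake_images() {
  find -L "$1" -type f \( -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) -print |
  while IFS= read -r f; do
    check_image_file "$f"
  done
}

# Demo on a constructed directory: one real PNG, one PHP file named social.png.
demo=$(mktemp -d)
printf '\211PNG\r\n\032\n' > "$demo/logo.png"
printf '<?php echo "constructed sample"; ?>' > "$demo/social.png"
scan_fake_images "$demo"
```

Run it against the web root (for example `scan_fake_images /home`) and review every reported file together with the account that owns it.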