CryptoPHP is a threat that uses backdoored Joomla, WordPress andn Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

This infection almost certainly means that the infected web site has used pirated plugins from the, sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

Fox-IT has published a new blog item on this infection. Fox-IT has written two Python scripts that should be very good at finding these infections: and The first script scans a web site to find the infection, the second is used for scanning the web site's filesystem to find the infection. Please go to the above Fox-IT link to obtain these scripts and further instructions.

Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.


We noticed that our advice in our paper wasn’t clear to everyone. Spamhaus received a lot of inquiries about what to do with affected servers or how to find them. For this reason we’ve added this section to explain this a bit better.


We have created two Python scripts to help administrators detect CryptoPHP:


Both scripts can be found on our GitHub repo: is for scanning the filesystem for the CryptoPHP backdoor files. It will find all “social*.png” files and determine if it’s malicious.
And script can scan a website to determine if the website is affected by CryptoPHP. This can be useful if you have multiple virtual hosts and don’t know which one is affected.


If CryptoPHP has been found we recommend the following steps:

  1. Remove the “include” of the backdoor. For example, find the script that contains: “<?php include(‘images/social.png’); ?>”. Note that this path can vary.
  2. Remove the backdoor (social*.png) itself by deleting it.
  3. Check your database to see if any extra administrator accounts were added and remove them
  4. Reset the credentials of your own CMS account and other administrators (they were most likely compromised)

The steps above should be sufficient to remove the impact CryptoPHP has had on your website. We do however recommend performing a complete reinstall of your CMS since the system integrity may have been compromised. An attacker may have gained system wide access for example.

For both security and legal reasons we would advise not to install this kind of pirated (nulled) content.

Monday, February 23, 2015

« Back