How to Fix CryptoPHP Hack On Your Website

How to remove the CryptoPHP hack

Home Web Hosting Guides How to Fix CryptoPHP Hack On Your Website

What is cryptoPHP backdoor hack?

CryptoPHP is a malicious script hack that gives remote hackers access to your webserver to execute and inject harmful code.  It’s fairly new and has affected over 23,000 websites around the world.  The hack allows the intruder to use your web hosting space to send mass spam emails or even setup a scam phishing page.

CryptoPHP directly affects people using WordPress, Joomla and Drupal and the themes and plugins these popular scripts use.  Basically these hackers setup websites where people could download themes and plugins that people would normally have to pay for and offered them for free.  So anyone who downloaded a free theme or plugins for a theme or plugin that you would normally need to pay for was affected.

As an example, let’s say you use WordPress and found a really nice theme on a website.  You then downloaded it and installed it on your web hosting server.  Not realizing the theme you downloaded was actually a premium theme that you would have had to pay for and in the download they replace various files with malicious code.  Once you upload and install the theme in WordPress they instantly have access to your web server.

In general cryptoPHP is a small snippet of code injected in to .png files.  Below is an example of the cryptoPHP injection code.

<?php include('assets/images/social.png'); ?>

How To Fix CryptoPHP malware hack?

Unfortunately the fix is not that simple but I’ll mention a few options you have to clean the cryptoPHP hack from your server.

Option 1 (recommended fix)

Before considering any of the fixes my best suggestion is to ask your web host to quarantine your website files so they are not accessible publicly.  This way you can get in to your hosting account and still have access to your hacked files and have your emails and other functionality restored.  What you’ll want to do next is install a clean copy of the script you use such as WordPress, Joomla or Drupal.  Once you install your script your next step is to find the theme you were using but purchase it from the developer directly.  If you do a quick Google search for the script you used you should be able to find the developer who made the theme and purchase it.  Once purchased you can install the theme again on your script.

Next, you’ll want to connect the script to your database as your database which stores all of your websites data would not have been affected.  Once you connect your newly installed script to your database your website will be restored and will be back online.

The last step is to download and install any plugins you used and again be sure to download the plugins directly from the developers website.  If you were using a paid plugin then purchase it legitimately and install it.  That’s it, now you’ve re-installed your script and theme and plugins.  Purchasing themes and plugins not only ensures your website is secure but also contributes to the theme and plugin developers.

Option 2 (requires SSH access)

If you have a VPS or dedicated server then you can try to clean the cryptoPHP hack using a few shell commands but be warned that this is not the recommended solution.

The command below will search the /home directory for any social.png files and print them on the screen

find /home/ -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print

If the search finds any results then those files are compromised and need to be deleted.

The command below will find all .png files which have PHP code in them and then put the results in a file called cryptoinfected.txt in your servers /root folder.

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Open the txt file and delete the files that show up in this file as they are also compromised.

Next you’ll want to run a virus scan using ClamAV which is a free scanner for Linux.  If you use cPanel and WHM you can easily install ClamAV from the plugins section on the left menu in WHM.  Once installed you will see a ‘Virus Scanner’ icon inside the cPanel.  Run a scan on your home directory.

clam-av-install-whm

WHM screenshot for ClamAV plugin install page

 

Tips to keep your site secure from cryptoPHP

  • Always download your themes and plugins directly from the developer and if they are paid themes and plugins then purchase them.  Never download a theme or plugin for free if you know it is actually a paid product.
  • Keep your CMS updated to the latest version including WordPress, Joomla and Drupal
  • In you’re using a theme or plugin make sure you keep on top of any updates by the developers
  • Scan your webspace using ClamAV periodically to ensure things are secure.
  • Remove old themes or plugins you don’t use.

Fixing cryptoPHP is not simple and may require you to rebuild your website as outlined in Option 1 however this is best practice and will ensure your website is secure.  Your web host can only do so much and as a website owner you need to ensure you stay on top of the software you use on their servers.

Leave a Reply

About HRS

Welcome to HostReviewSite! We provide vital information about the latest and greatest web hosting providers. We're here to help you choose a reliable and quality web host with in-depth reviews of each host.

Unlike your typical hosting review site we focus on uptime, expert reviews, credibility and support. All web hosts listed on our site are reviewed by our experts and we've hand picked the best to make choosing your next host that much easier!

Most Recent Hosting Reviews

HostReviewSite - Best Hosting Reviews

best web hosting reviews



Check Out Our Web Hosting Guides Below

Check out our Web Hosting Guides to help you get started. Our guides are designed to help you find the best host for your website based on your reviews and feedback.