cPanel

CryptoPHP:

http://blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/

cxs can detect “CryptoPHP” for currently reported variants (and has done so for some time with then known variants).

A few things to note:

• As with all exploits, new variants are developed regularly so they will not always be detected
• Ensure that you have a daily cron job to update cxs
• cxs will not necessarily prevent an account being exploited as this “infection” is caused by clients installing illegal (“nulled”) applications that have already been exploited
• As with all exploits, regular full cxs scans have to be run to detect newly reported variants that may have previously evaded cxs Watch
• If you find new variants that are not detected by cxs, submit them to us in the normal manner (see the cxs –wttw [script] option in the documentation)

Changes:

• Modified new installs to better initially update to the latest fingerprints
• Ignore and Xtra files can now use an Include statement to include additional files. If cxswatch is running then it will also watch the included files for changes and reload if necessary
• Added new quarantine option –qignore [method] which used when restoring a file using –qrestore [file] will create an entry in –ignore [file] before restoring the file. See POD for more info
• Optimised fingerprint database to remove duplicates and old entries of no value reducing the size without reducing effectiveness
• Exploit fingerprint definitions database additions