Last Updated:

CryptoPHP Detection Script

Categories General Info


fox-it made the following Python scripts to help administrators to detect and identify CryptoPHP. The scripts will require Python (preferably 2.7) to run.


cd /usr/local/src
wget --no-check-certificate
chmod +x
./ /home

Example Usage:

./ --help
Usage: [options] directory|file [directory2|file2] [..]

-h, --help show this help message and exit
-n, --no-color no color output [default: False]
-p PATTERNS, --patterns=PATTERNS
scan only files matching the patterns (comma
seperated) [default: *.png,*.gif,*.jpg,*.bmp]

To scan your whole system (it can take a while), run:

Or scan a specific directory, for example /home:
./ /home

Files will either reported as suspicious or confirmed CryptoPHP shell as follows:

File matching patterns: ['*.png', '*.gif', '*.jpg', '*.bmp']
Recursively scanning directory: /
/home/www/social.png: CRYPTOPHP DETECTED! (version: 1.0)
/var/www/images/social.png: CRYPTOPHP DETECTED! (version: 1.0a)
/tmp/thumbs/admin/assets/images/thumb.png: CRYPTOPHP DETECTED! (version: 0.3x555)

The pattern for file matching can be changed using the –patterns. For example to scan all files you could specify:
$ ./ --patterns '*.*' /home
File matching patterns: ['*']
Recursively scanning directory: /home

Leave a Reply