From https://github.com/fox-it/cryptophp/tree/master/scripts
fox-it made the following Python scripts to help administrators to detect and identify CryptoPHP. The scripts will require Python (preferably 2.7) to run.
RAW: https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
Install:
cd /usr/local/src
wget --no-check-certificate https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
chmod +x check_filesystem.py
./check_filesystem.py /home
Example Usage:
./check_filesystem.py --help
Usage: check_filesystem.py [options] directory|file [directory2|file2] [..]
Options:
-h, --help show this help message and exit
-n, --no-color no color output [default: False]
-p PATTERNS, --patterns=PATTERNS
scan only files matching the patterns (comma
seperated) [default: *.png,*.gif,*.jpg,*.bmp]
To scan your whole system (it can take a while), run:
./check_filesystem.py
Or scan a specific directory, for example /home:
./check_filesystem.py /home
Files will either reported as suspicious or confirmed CryptoPHP shell as follows:
File matching patterns: ['*.png', '*.gif', '*.jpg', '*.bmp']
Recursively scanning directory: /
/home/www/social.png: CRYPTOPHP DETECTED! (version: 1.0)
/var/www/images/social.png: CRYPTOPHP DETECTED! (version: 1.0a)
/tmp/thumbs/admin/assets/images/thumb.png: CRYPTOPHP DETECTED! (version: 0.3x555)
The pattern for file matching can be changed using the –patterns. For example to scan all files you could specify:
$ ./check_filesystem.py --patterns '*.*' /home
File matching patterns: ['*']
Recursively scanning directory: /home
