A new threat has appeared in the world of PHP. WordPress, Joomla and Drupal users should be aware of this backdoor, so here is some information and a few tips to help.
The CryptoPHP backdoor consists of malicious PHP code hidden in files that look like images (most commonly with the .png file extension). Attackers use CryptoPHP for illegitimate search engine manipulation, also known as Black Hat SEO.
Here are the functionalities typical of the malicious code:
– the backdoor can update itself;
– it can create new user accounts with administrative privileges. Most often they are named “System”, but if such a username already exists, rogue accounts with other names may appear. This lets the attacker keep access to the website after the backdoor itself is removed;
– it uses public key encryption for communication between the compromised server and the remote command and control server;
– it injects content into web pages, most notably text and links. These serve the Black Hat SEO and hijack the page rankings the site owner has earned.
Version 1.0a is the latest version of the backdoor at the moment.
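To illustrate the rogue-administrator behaviour described in the list above, here is an added example (not code from this post or from WebHostFace) that audits WordPress accounts for administrators that are not on a known allowlist. It assumes the default wp_ table prefix, uses an in-memory SQLite database filled with constructed rows as a stand-in for the real wp_users and wp_usermeta tables, and treats the allowlist KNOWN_ADMINS as a hypothetical site-specific setting. The same query, with the placeholder substituted, runs against the live MySQL database.

```python
import sqlite3

# Hypothetical allowlist of logins that are supposed to hold the
# administrator role on this site (an assumption for this example).
KNOWN_ADMINS = {"siteowner"}

# Constructed sample rows standing in for wp_users and wp_usermeta.
# "System" mirrors the rogue-admin naming described in the text;
# "wpadmin2" is a second rogue account created under another name.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.invalid", "2014-01-10 09:00:00"),
    (2, "editor", "editor@example.invalid", "2014-03-02 14:30:00"),
    (3, "System", "system@example.invalid", "2014-11-20 03:12:41"),
    (4, "wpadmin2", "x@example.invalid", "2014-11-21 03:15:09"),
]
# WordPress stores each user's roles as a serialized PHP array under the
# "<prefix>capabilities" meta key; these values follow that format.
SAMPLE_CAPS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'a:1:{s:6:"editor";b:1;}'),
    (3, 'a:1:{s:13:"administrator";b:1;}'),
    (4, 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db(prefix="wp_"):
    """Create an in-memory SQLite stand-in for the two WordPress tables the
    audit needs. Only the columns used by the query are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        f"user_email TEXT, user_registered TEXT)"
    )
    conn.execute(
        f"CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY AUTOINCREMENT, "
        f"user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) "
        f"VALUES (?, '{prefix}capabilities', ?)",
        SAMPLE_CAPS,
    )
    conn.commit()
    return conn


def find_unexpected_admins(conn, known_admins, prefix="wp_"):
    """Return (ID, login, email, registered) for every account whose serialized
    capabilities grant the administrator role and whose login is not in the
    allowlist. A substring match on the quoted role name is enough to pick
    administrators out of the serialized array."""
    sql = (
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE '%\"administrator\"%' "
        f"ORDER BY u.user_registered"
    )
    rows = conn.execute(sql, (f"{prefix}capabilities",)).fetchall()
    return [row for row in rows if row[1] not in known_admins]


def run_admin_audit():
    """Build the sample database, run the audit and return the suspect logins
    in order of registration date."""
    conn = build_sample_db()
    suspects = find_unexpected_admins(conn, KNOWN_ADMINS)
    for user_id, login, email, registered in suspects:
        print(f"unexpected administrator: id={user_id} login={login!r} "
              f"email={email} registered={registered}")
    return [login for _id, login, _email, _reg in suspects]


if __name__ == "__main__":
    run_admin_audit()
```

Ordering the results by registration date makes it easy to spot accounts that appeared around the same time as the nulled script was installed, which is the pattern to look for when deciding whether an account is legitimate.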
The malicious code is usually hidden in so-called ‘nulled’ modules, themes or plugins of the above mentioned CMSs. These are scripts distributed without a licence; in short, they are the web application equivalent of pirated software.
Checking for CryptoPHP in plugins and themes
In WordPress the backdoor can be detected by checking the main PHP script of the plugin. This is usually the script in the plugin directory that starts with the plugin header (Plugin Name, Version, Author information etc.).
For a theme, inspect its functions.php file to see whether it contains the backdoor.
The compromised scripts contain the following block of code:
<?php include('images/social.png'); ?>
In Joomla, CryptoPHP likewise sits in the main files of themes and plugins; the same include line appears at the end of these nulled scripts.
CryptoPHP is more limited on Drupal, because it does not work through Drupal modules. Nevertheless, site owners using this powerful CMS can still be compromised if they have installed any nulled Drupal themes.
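The checks above (an include of an image file at the end of a plugin's main script or a theme's functions.php, and PHP code hidden in a file with an image extension) can be automated. The following scanner is an added example, not code from this post or from WebHostFace: it walks a directory tree, flags PHP files that include or require a path with an image extension, and flags image-named files that contain a PHP open tag or, for .png files, do not start with the PNG signature. The sample plugin and theme it writes into a temporary directory are constructed for the demonstration; the hidden "backdoor body" is a harmless placeholder.

```python
import os
import re
import tempfile

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # every genuine PNG file begins with this

# include/require (optionally _once) of a quoted path ending in an image
# extension, e.g. include('images/social.png') as quoted in the text above.
INCLUDE_IMAGE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(?:png|jpe?g|gif|ico|bmp))['"]""",
    re.IGNORECASE,
)


def scan_tree(root):
    """Return sorted (kind, relative_path, detail) findings for everything
    under root that matches one of the CryptoPHP indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as fh:
                data = fh.read()
            if ext == ".php":
                # latin-1 never fails to decode, so odd bytes cannot abort the scan
                for match in INCLUDE_IMAGE_RE.finditer(data.decode("latin-1")):
                    findings.append(("php-includes-image", rel, match.group(1)))
            elif ext in IMAGE_EXTS:
                if b"<?php" in data or b"<?=" in data:
                    findings.append(("image-contains-php", rel, "PHP open tag inside image file"))
                if ext == ".png" and not data.startswith(PNG_MAGIC):
                    findings.append(("png-bad-magic", rel, "file does not start with the PNG signature"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed 'nulled' plugin carrying the indicator, plus a clean
    theme with a genuine (minimal) PNG, so the scanner has both cases to see."""
    plugin = os.path.join(root, "wp-content", "plugins", "nulled-slider")
    os.makedirs(os.path.join(plugin, "images"))
    with open(os.path.join(plugin, "nulled-slider.php"), "w") as fh:
        fh.write(
            "<?php\n/*\nPlugin Name: Nulled Slider (constructed sample)\n"
            "Version: 1.0\nAuthor: unknown\n*/\n"
            "function nulled_slider_init() {}\n"
            "add_action('init', 'nulled_slider_init');\n?>\n"
            "<?php include('images/social.png'); ?>\n"
        )
    with open(os.path.join(plugin, "images", "social.png"), "wb") as fh:
        # Constructed stand-in: a "PNG" that is really PHP source.
        fh.write(b"<?php echo 'constructed placeholder for the hidden backdoor'; ?>")

    theme = os.path.join(root, "wp-content", "themes", "clean-theme")
    os.makedirs(os.path.join(theme, "images"))
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_theme_support('post-thumbnails');\n")
    with open(os.path.join(theme, "images", "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00\x00\x00\rIHDR")  # signature plus start of a chunk


def run_scan_demo():
    """Build the sample tree in a temporary directory, scan it and return the
    findings (printed for the reader as well)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    for kind, rel, detail in findings:
        print(f"{kind:20} {rel}  ({detail})")
    return findings


if __name__ == "__main__":
    run_scan_demo()
```

Run it against a real installation by calling scan_tree on the web root: a hit on any of the three kinds is a reason to look at that plugin or theme closely, and a file that trips "png-bad-magic" or "image-contains-php" is the one the text recommends renaming to .txt or deleting.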
The way CryptoPHP works
Servers hosting sites with injected CryptoPHP code connect to command and control servers operated by the attackers and wait for commands in the form of encrypted messages.
Because the include sits in a script that is loaded on every page, the backdoor code runs each time the website is visited.
The encryption the script applies to data before sending it to the remote command and control server is what gives this threat its name, CryptoPHP.
What can you do?
– do not download and use nulled scripts on your CMS. If you have already installed such scripts without knowing what they may do to your website, deactivate and delete them immediately;
– check all of your WordPress, Joomla and Drupal sites for suspicious files you haven’t put there yourself;
– if you find such infected scripts, change their .php extension to .txt or remove them completely.
What We’ve Done For Our Customers
WebHostFace regularly scans its servers for this backdoor and similar breaches. Notifying our clients immediately about such activity on their accounts is one of our top priorities when it comes to security. We checked all clients’ data. Affected clients were personally contacted and we worked with them to resolve the issue. Only 0.003% of the sites on our network were affected.
You can always contact us if you find any malicious activity on your website. Our 24/7 support team will be glad to help you find the source of the threat and remove it if you have any difficulty detecting such files.