Besides being illegal, using pirated software is risky because it can be infected with backdoors, Trojan horses, spyware, and keystroke-capturing software. Those who use pirated themes and plugins for the WordPress, Joomla, and Drupal content management systems are at risk of infection with CryptoPHP. At present, over 23,000 web servers are infected with this backdoor.
CryptoPHP infects the server that hosts websites running WordPress, Joomla, or Drupal. It injects content into the victim’s site for the purpose of blackhat search engine optimization: your website is altered to support the attacker’s scheme of manipulating search engine results. The server that hosts your site is also incorporated into a large botnet of other compromised web servers. The botnet of infected servers is coordinated by a number of command and control servers that use public key encryption for their communication.
CryptoPHP can update itself, and over 16 different versions are infecting thousands of websites. It uses the website’s content management system (CMS) in order to function, and it also stores its own information in the CMS database.
CryptoPHP does not exploit weaknesses or security holes in the content management systems themselves. Instead, it relies on social engineering: website administrators are tricked into installing infected pirated copies of premium themes and plugins, which are given away for free on third-party websites. Those tempted to avoid paying for these premium scripts are its victims.
The Dutch security firm Fox-IT has made two Python scripts available on GitHub that can be used to detect and identify CryptoPHP. Additional instructions for removing the malware are provided on their blog, and they have also written a whitepaper on CryptoPHP. They recommend a complete reinstall of your content management system, since its integrity may have been compromised.
If you don’t use pirated themes or plugins, your websites are unlikely to be infected. One symptom of infection is extra administrator accounts appearing in your CMS database.
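As an added example (not the Fox-IT scripts and not code from the original post), here is a small Python audit that lists administrator accounts in a WordPress database that are not on an allow-list of known administrators. It assumes the default `wp_` table prefix and runs here against constructed sample rows standing in for a query result.

```python
import re

# WordPress stores a user's roles in wp_usermeta under the key
# '<prefix>capabilities' as a PHP-serialized array, for example:
#   a:1:{s:13:"administrator";b:1;}
# Only entries whose value is b:1 (true) are active roles.
CAP_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

# Query to pull login, registration time and role blob for every user.
# Assumes the default "wp_" table prefix; adjust for a custom prefix.
AUDIT_SQL = """
SELECT u.user_login, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities';
"""


def roles_from_capabilities(serialized: str) -> set:
    """Return the role names that are set to true in a wp_capabilities value."""
    return set(CAP_RE.findall(serialized))


def unexpected_admins(rows, expected_admins):
    """Return (login, registered) for every administrator account whose
    login is not on the allow-list. rows are (login, registered, caps)
    tuples as returned by AUDIT_SQL."""
    findings = []
    for login, registered, caps in rows:
        if ("administrator" in roles_from_capabilities(caps)
                and login not in expected_admins):
            findings.append((login, registered))
    return findings


# Constructed sample rows standing in for a database cursor result.
SAMPLE_ROWS = [
    ("siteowner", "2013-02-01 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("writer", "2013-05-14 09:30:00", 'a:1:{s:6:"author";b:1;}'),
    ("former_admin", "2013-06-01 08:00:00",
     'a:2:{s:13:"administrator";b:0;s:6:"editor";b:1;}'),
    ("support_tmp", "2014-11-20 03:12:55", 'a:1:{s:13:"administrator";b:1;}'),
]
EXPECTED_ADMINS = {"siteowner"}

if __name__ == "__main__":
    for login, registered in unexpected_admins(SAMPLE_ROWS, EXPECTED_ADMINS):
        print(f"unexpected administrator: {login} (registered {registered})")
```

Joomla and Drupal keep roles in their own tables, so the query and role parsing must be adapted for those systems; the allow-list comparison stays the same.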
For more information on content management system security, don’t hesitate to contact us.