CryptoPHP – Hidden Threat Inside the Popular CMS’s

CryptoPHP is a threat that uses back-doored popular CMS as Joomla, WordPress and Drupal themes and plugins to compromise web servers. This turns out to be a global phenomenon, which was discovered by experts in the Netherlands through a compromised Joomla plugin on a customer’s site. The plugin had been downloaded from a legitimate-looking site that offers a list of free, compromised themes and plugins.

The whole report by the Dutch company, which diagnosed and publicized the CryptoPHP malware can be found @ CryptoPHP Report

The Initial Accident

Some months ago one of the Dutch researchers found a server from a customer generating some suspicious traffic. A web-server hosting a CMS started to perform HTTP POST requests to a foreign server.

Why would this server suddenly start posting this? Server Analysis inspected the traffic generated before this POST closely, but nothing stood out. Normally with these kinds of incidents it comes down to a web-server being vulnerable and exploited via a range of exploitation possibilities. This did not seem to be the case for this incident.

Upon further inspection, analysis revealed the only action that occurred before the HTTP POST request was the install of a plug-in onto a Joomla instance by the administrator of the website. Analysis confirmed that the login was legitimate and it wasn’t a case of stolen credentials. We extracted the plug-in out of the network data and analyzed it to confirm if this was causing the strange HTTP POST requests. It seemed that the Joomla plug-in, installed by the administrator, was back-doored.

The researchers were unable to find a name for this threat. The backdoor uses RSA Public Key cryptography for communication hence, they have named it CryptoPHP.

CryptoPHP Analysis

An in-depth analysis was performed to determine exactly what this threat was. After the analysis, researchers were unable to find a name for this threat. The backdoor uses RSA Public Key cryptography for communication hence, they have named it CryptoPHP.

ANALYSED JOOMLA CMS PLUGIN

Analyse included the Joomla plug-in extracted from the network stream; it was named ‘JSecure’. It is a plug-in meant to improve the security of authorization on a Joomla instance, developed by ‘Joomla Service Provider’, a company specialized in the development of Joomla plug-ins.

THE ZIP FILE CONTAINED THE FOLLOWING COMMENT:

Downloaded from nulledstylez.com.

The best online place for nulled scripts!!

Direct downloads no bullshit.

This comment told us the plug-in was not downloaded from a legitimate source. It didn’t come from the original publisher (Joomla Service Provider) but rather from a third party website claiming to be ‘the’ place for ‘nulled’ scripts. The concept of nulled scripts is similar to pirated software; stripped of any licensing checks, in short this is piracy.

Inspecting the ‘jsecure.php’ file it proved a small snippet which immediately told about what was going on:

The image was being included as if it were a PHP script. Opening up the ‘social.png’ file confirmed we had found the backdoor; as it contained a big blob of obfuscated PHP code.

What is the CryptoPHP malware all about?

By downloading and installing pirated CMS themes and plugins on their own sites, users also install the CryptoPHP backdoor, which empowers attackers to exercise remote control over their sites.

The CryptoPHP malware can inject infected content into the compromised sites and even update itself.

However, the main purpose of the malware is to conduct blackhat SEO operations. Experts have detected links and text injected into the compromised pages with the sole purpose of tricking crawlers into giving the hacker sites backlink credit and a pagerank.

Experts have identified thousands of plugins that have been backdoored using CryptoPHP, including both WordPress and Joomla plugins and themes and Drupal themes.

The exact number of websites affected by CryptoPHP has not been determined yet. However, specialists have reasons to believe that they are at least a few thousand.

WHAT SHOULD I DO TO MAKE SURE I AM NOT AFFECTED?

If you have ever installed pirated or untrusted WordPress/Joomla/Drupal plugins/themes/templates, you are potentially susceptible to a CryptoPHP attack. This is why, you need to take immediate measures and check your sites for files named ‘social.png’. If the file is a PHP script instead of a PNG file, you are probably backdoored.

The best way to protect yourself from the CryptoPHP malware is by making sure you download CMS themes/plugins from from trusted developers’ sites and popular marketplaces.

How to Secure your CMS with 2u2 Web Hosting Server?

Unfortunately, a few CMS sites on our platform became the target of CryptoPHP hackers as well. Upon locating the attack, our admins made a thorough investigation of the affected sites and found out that they all contain files like ‘social.png’, ‘social0.png’, or ‘social1.png’, etc. in their code, which are actually PHP scripts instead of PNG files.

They have managed to clean all infected sites of the malware. However, they cannot guarantee that CMS users will not be compromised again if downloading a pirated CMS theme or plugin from the web.

This is why, you need to take immediate measures and check your sites for files named ‘social.png’. If the file is a PHP script instead of a PNG file, you are probably backdoored.

Also, if you realize that you are infected, you can resolve the problem temporarily by activating the Outgoing Connections Firewall from your Web Hosting Control Panel.

The backdoored sites are trying to make outgoing connections to certain IPs, so this will help you pause the attack until you find a way to resolve the problem.

Once again: The best way to protect yourself from the CryptoPHP malware is by making sure you download CMS themes/plugins from from trusted developers’ sites and popular marketplaces. Stay safe in the full potential with trusted sources.