What is the CryptoPHP Backdoor?
Recently we have located a few websites infected with CryptoPHP, a backdoor security threat that has affected over 23,000 websites worldwide. CryptoPHP uses backdoored Joomla, WordPress and Drupal themes and plugins to compromise websites. It was first discovered by experts in the Netherlands through a compromised Joomla plugin on a customer's website. The Netherlands-based security company Fox-IT published a detailed white paper on CryptoPHP on November 20, 2014.
The CryptoPHP backdoor is a small snippet of malicious code that gives hackers a backdoor into your website, empowering them to take control of your site. CryptoPHP malware can inject infected content into the compromised sites and even update itself. It can be controlled manually by hackers, or via email and C&C (command-and-control) communications.
Now, let's try to understand how hackers take advantage of the CryptoPHP backdoor.
Hackers buy paid WordPress, Joomla and Drupal themes/extensions. They then remove the code within the extension that verifies whether the extension/theme is licensed. Not only that, they also insert malicious code into the extensions and then distribute them for free to unsuspecting victims.
These now-compromised themes/extensions contain the malicious code that gives hackers backdoor access to the infected sites. Below is an example of the CryptoPHP injection code, where a small snippet of malicious code is hidden in a .png file and loaded by a single include statement:
<?php include('assets/images/social.png'); ?>
Getting Rid of a CryptoPHP Infection
In the event that you suspect you may be affected by the CryptoPHP backdoor (or you already are), removal can get a bit tricky. The team at Fox-IT has created and published a set of scripts on GitHub that allow you to scan your site for signs of infection, but there is no guarantee that the developers of the CryptoPHP backdoor won't find a way to make it undetectable by these tools.
Typically the script that makes the exploit work is hidden in image files, usually with a very common file name. If you suspect you are infected, you should check every image on your site. If you come across an image that cannot be opened in an image viewer but can be opened in a document or text viewer, you may very well be infected: a real image begins with a binary file header, while the backdoor file begins with PHP code.
As for actually removing CryptoPHP, Fox-IT has a four-step procedure for you to follow:
- Remove the "include" of the backdoor. For example, find the script that contains: <?php include('images/social.png'); ?>. Note that this path can vary.
- Remove the backdoor file (social*.png) itself by deleting it.
- Check your database to see if any extra administrator accounts were added and remove them.
- Reset the credentials of your own CMS account and other administrators (they were most likely compromised.)
Tips to Prevent a CryptoPHP Backdoor
It is essential that you keep your WordPress, Joomla and Drupal installations up to date, along with all the extensions you may have. If you are careless about which themes/extensions you install, you could very well end up with an infected site. Stay alert and vigilant!
- Never download free copies of extensions, plugins or themes that are normally paid for. Also, never download anything from an unreliable source.
- Remove old themes or plugins that you do not use.
- Scan your webspace regularly using a good antivirus or malware scanner to make sure it is clean.
- Keep your CMS updated with the latest versions of WordPress, Joomla and Drupal.
If you need any help in updating your website or checking the legitimacy of your extensions, just remember that we are here to help. You may contact our friendly Technical Support team and we will happily assist you in this task.