SECURITY : CryptoPHP threat - popular CMS endangered.
Thursday, 27th November, 2014
12:17pm
Important Security Advice for Wordpress, Joomla and Drupal Web Sites
A new threat for popular content management systems, mainly WordPress, Joomla, and Drupal has recently become increasingly common, with thousands of websites already being infected. The threat in question is referred to as CryptoPHP, and is a backdoor, which is unknowingly installed by website administrators into their CMS systems, via social engeneering.
CryptoPHP is a threat that uses backdoor-ed Joomla, WordPress and Drupal themes and plug-ins to compromise web-servers on a large scale. By publishing pirated themes and plug-ins free for anyone to use, instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their accounts.
The main source are the so-called ˇnulled˘ themes and plugins, which basically means pirated CMS components.
The CryptoPHP actors provide access to ˇnulled˘ themes and plugins for these CMS solutions, free of charge, but modify them beforehand, including malicious code into the ˇsocial.png˘ file, which is then included into the PHP code of the plugin via the ˇinclude˘ directive. Full integration occurs during the theme˘s or plugin˘s installation.
The backdoor in question is quite sophisticated and multifunctional, allowing for full integration into an existing CMS installation, encrypted communication with command and control hosting accounts / servers, email communication, allows for remote manual control.
The consequences of this attack are as follows: apart not only by our company but by basically any company that provides hosting for these CMS solutions. The main issue is that several RBLs, including such established authorities as CBL or SpamHaus, blacklist the servers communicating with the CryptoPHP actors˘ C2 servers, negatively impacting email delivery from the blacklisted machines, or making the delivery downright impossible due to the block.
In addition, the infected installations present a threat to the server security. Due to this, we have taken several measures to address the issue at hand, rendenring the backdor components on all our shared and Reseller servers inoperable, and blocked the known IP subnets.
While these measures have shown themselves to be effective, this doesn˘t actually address the problem of already infected installations. Due to this, we urge anyone using one of these CMS solutions (WordPress, Joomla or Drupal) to audit their installations for possible infection.
What you can do:
1) Check for possible infection in all plugins and themes. Details on how to do so, for each of the CMS solutions, can be found in the report by Fox IT Security Research Team >> seehttps://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
2) Remove any and all ˇnulled˘ themes or plugins used in the installations.
3) Find and Remove "social.png" file inside your CMS installation
4) Update your Wordpress, joomla , Drupal installation to latest stable version ( Warning : Please check CMS developer's documentation / Advice for upgrade instruction )
