23000+ Websites Affected by CryptoPHP Backdoor Threat


What is CryptoPHP Backdoor?

The CryptoPHP backdoor is not a new threat, but it has created significant buzz over the last few months. A recent survey reported that the CryptoPHP backdoor has affected more than 23000 websites worldwide. The Netherlands-based security company Fox-IT published a detailed white paper on CryptoPHP on November 20, 2014.

CryptoPHP itself is a small snippet of malicious code that gives hackers a backdoor into a web server. Through this backdoor they can inject further malicious code and execute it. Once deployed on a web server, the backdoor can be controlled manually, via email, or over C&C communications.

Now, let us see how hackers distribute CryptoPHP.

Hackers buy paid WordPress, Joomla and Drupal extensions and themes. They remove the code blocks that verify whether the extension or theme is licensed, insert their malicious code, and then redistribute the modified packages for free.

These modified themes and extensions contain malicious code that gives hackers backdoor access to the websites on which they are installed.

Below is an example of the CryptoPHP injection: the malicious PHP code is stored in a file with a .png extension, and a small include() call added to the theme or extension code loads it:

<?php include('assets/images/social.png'); ?>

How To Fix CryptoPHP hack?

  1. Before you attempt any of the fixes, we suggest that you immediately contact your host to quarantine your website files so that they are no longer publicly accessible.
  2. Download a copy of your website to a local system and take the site offline on the server.
  3. List the back-end (administrative) users of your application. Delete any user you do not recognize.
  4. List the extensions, plugins and themes you have installed.
  5. Scan your website with up-to-date anti-virus software for backdoors left by the hackers. Delete any threats it finds.
  6. Uninstall all themes, plugins and extensions one by one.
  7. If you notice any unsupported or unknown files in the installation, remove them.
  8. Search your code files for strings like "<?php include('assets/images/social.png'); ?>". Quarantine any code file that contains such PHP directives.
  9. Download and reinstall all the plugins you have been using, making sure you download them directly from the developers' websites.
  10. Upload your website copy to the web server again.
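The injection pattern shown above and the search in step 8 can be automated. The following scanner is an added example written for this article; it is not from the original post, from Fox-IT, or from any CMS project. It walks a web root and reports two things: PHP files that include() or require() a file with an image extension, and image-named files whose content starts with PHP rather than image magic bytes. The sample web root it builds in a temporary directory is constructed for the demonstration, and the extension and magic-byte lists are assumptions you should extend for your own deployment.

```python
import os
import re
import tempfile

# Image extensions that a PHP include/require should never point at
# (assumption: this list covers the common cases; extend as needed).
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".ico")

# Magic bytes of genuine PNG, JPEG and GIF files. An image-named file
# that does not start with one of these is suspect.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

# include/require/include_once/require_once with a literal path that ends
# in an image extension, e.g. include('assets/images/social.png');
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]"
    r"([^'\"]+\.(?:png|jpe?g|gif|ico))['\"]",
    re.IGNORECASE,
)


def scan_php_file(path):
    """Return a list of (line_no, included_path) for image includes."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for match in INCLUDE_RE.finditer(line):
                hits.append((line_no, match.group(1)))
    return hits


def image_file_is_php(path):
    """True if an image-named file holds PHP source instead of image data."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head.startswith(IMAGE_MAGIC):
        return False
    return b"<?php" in head or head.lstrip().startswith(b"<?")


def scan_tree(root):
    """Walk a web root and return {'includes': [...], 'fake_images': [...]}."""
    findings = {"includes": [], "fake_images": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith((".php", ".inc", ".phtml")):
                for line_no, target in scan_php_file(full):
                    findings["includes"].append((rel, line_no, target))
            elif lower.endswith(IMAGE_EXTS) and image_file_is_php(full):
                findings["fake_images"].append(rel)
    findings["includes"].sort()
    findings["fake_images"].sort()
    return findings


def build_sample_site():
    """Constructed sample web root (not real CryptoPHP files): a theme file
    with the include() from the article, a PHP file named social.png, a
    clean index.php and a genuine (minimal) PNG. Returns the root path."""
    root = tempfile.mkdtemp(prefix="cryptophp_demo_")
    images = os.path.join(root, "theme", "assets", "images")
    os.makedirs(images)
    with open(os.path.join(root, "theme", "footer.php"), "w") as fh:
        fh.write("<?php include('assets/images/social.png'); ?>\n")
    with open(os.path.join(images, "social.png"), "w") as fh:
        fh.write("<?php /* constructed stand-in for PHP hidden as a PNG */ ?>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require_once 'config.php';\n")
    with open(os.path.join(images, "logo.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC[0] + b"\x00" * 16)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_site())
    for rel, line_no, target in result["includes"]:
        print(f"suspicious include: {rel}:{line_no} -> {target}")
    for rel in result["fake_images"]:
        print(f"PHP source in image-named file: {rel}")
```

The regex only catches includes with a literal path; an include built from variables or string concatenation will not match it, which is why the scanner also checks the content of image-named files directly. Run it against an offline copy of the site (step 2), and treat every hit as a file to quarantine rather than delete outright, so that the evidence survives for the investigation.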

Tips to prevent CryptoPHP hack

  1. Never download free copies of extensions, plugins or themes that are normally paid for. Also, never download anything from an unreliable source.
  2. Remove old themes or plugins that you do not use.
  3. Scan your webspace regularly with a good antivirus to make sure it is clean.
  4. Keep your CMS updated with the latest versions of WordPress, Joomla and Drupal.