The CryptoPHP backdoor is not a new threat in the security field, but it has created significant buzz over the last few months. A recent survey reported that the CryptoPHP backdoor has affected more than 23000 websites worldwide. The Netherlands-based security company Fox-IT published a detailed white paper on CryptoPHP on November 20, 2014.
The CryptoPHP backdoor is a small snippet of malicious code that gives hackers a backdoor into a web server. Hackers can use this backdoor to inject further malicious code and execute it. Once the code is deployed on a web server, it can be controlled manually, via email, or via C&C (command-and-control) communications.
Now, let us see how hackers spread and use CryptoPHP.
Hackers buy paid WordPress, Joomla and Drupal extensions. Then they remove the code blocks that verify whether the extension/theme is licensed. Not only that, they also insert malicious code into the extensions and then redistribute them for free.
These modified themes/extensions contain malicious code that gives hackers backdoor access to the infected websites.
Below is an example of the CryptoPHP injection code: a one-line PHP include pulls in a .png file, and it is that "image" file that actually carries the malicious PHP code:
<?php include('assets/images/social.png'); ?>
How to fix a CryptoPHP hack?
- Before you consider any of the fixes, we suggest that you immediately contact your host to quarantine your website files, so that they are no longer publicly accessible.
- Download a copy of your website to a local system and take the site offline on the server.
- List the application users with back-end access. If you do not recognize any of these back-end users, delete them.
- List the extensions, plugins and themes you have installed.
- Scan your website with updated anti-virus software for possible backdoors left by the hackers. Delete any threats you find.
- Uninstall all the themes, plugins and extensions one by one.
- If you notice any unsupported or unknown files in the installation directory, remove them.
- Search for strings like "<?php include('assets/images/social.png'); ?>" in code files. If you find code files containing such PHP directives, quarantine them.
- Download and install all the plugins you have been using, and make sure you download them directly from the developers' website.
- Upload your website copy to the web server again.
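One way to automate the search step above, as an added example that is not from the original article: a small Python scanner that finds include/require statements pointing at image files and then checks whether the referenced image actually contains a PHP open tag, which a genuine picture never does. The directory layout, file names and the marker inside social.png are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# include/require(_once) whose target has an image extension: the CryptoPHP pattern
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif|ico|bmp))['\"]",
    re.IGNORECASE,
)
# A PHP open tag inside an "image" means the file is code, not a picture
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def image_contains_php(path: Path) -> bool:
    """True if the image file carries a PHP open tag (a genuine PNG never does)."""
    return PHP_TAG_RE.search(path.read_bytes()) is not None

def scan_webroot(root: Path) -> list:
    """Report every PHP file that includes an image, and whether that image holds PHP."""
    findings = []
    for php_file in root.rglob("*.php"):
        text = php_file.read_text(errors="replace")
        for match in INCLUDE_RE.finditer(text):
            target = php_file.parent / match.group(1)   # includes are relative to the script
            findings.append({
                "file": str(php_file.relative_to(root)),
                "target": match.group(1),
                "target_exists": target.is_file(),
                "target_has_php": target.is_file() and image_contains_php(target),
            })
    return findings

def build_sample_site(root: Path) -> None:
    """Constructed sample: one trojanised theme file plus an innocent image reference."""
    theme = root / "wp-content" / "themes" / "demo"
    images = theme / "assets" / "images"
    images.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php include('assets/images/social.png'); ?>\n")
    png_magic = b"\x89PNG\r\n\x1a\n"
    # Constructed marker standing in for the hidden backdoor code; it is an empty PHP block
    (images / "social.png").write_bytes(png_magic + b"<?php /* constructed marker */ ?>")
    (images / "logo.png").write_bytes(png_magic + b"\x00" * 16)   # looks like a real image
    (theme / "header.php").write_text("<?php echo '<img src=\"assets/images/logo.png\">'; ?>\n")

def demo() -> list:
    """Build the sample tree in a temp dir and scan it; returns the findings list."""
    root = Path(tempfile.mkdtemp(prefix="cryptophp-scan-"))
    build_sample_site(root)
    return scan_webroot(root)
```

Only the include in functions.php is reported; header.php merely references logo.png in HTML and is ignored, and a hit with target_has_php set is the one to quarantine.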
Tips to prevent a CryptoPHP hack
- Never download free copies of extensions, plugins and themes that normally have to be paid for. Also, never download anything from an unreliable source.
- Remove old themes or plugins that you do not use.
- Scan your webspace regularly using reputable antivirus software to make sure everything is secure.
- Keep your CMS updated with the latest versions of WordPress, Joomla and Drupal.