If you own or manage a web server, you need to know about a recent vulnerability identified by the Dutch security firm, Fox-IT. This vulnerability involves embedding malicious software into add-ons for popular content management systems such as WordPress, Joomla, and Drupal.
This exploit is referred to as a backdoor vulnerability, which is a method of obtaining access to a computer system or network while remaining undetected. The specific backdoor exploit, called CryptoPHP, is malicious code embedded by a hacker into a theme or plug-in for the content management systems mentioned above.
Unlike other backdoor hacks against websites, CryptoPHP does not take advantage of an existing vulnerability. Instead, the hackers spread their pirated version of themes and plug-ins and wait for someone to download and install them onto their own website.
The hackers using CryptoPHP were also crafty in how they spread their malicious code. In order to achieve the widest distribution, the hackers discovered a way to hijack search engine rankings and push their web pages to the top. By doing this, the hackers increase the chances of someone downloading and installing a copy of their pirated software, as opposed to the safe, commercial plug-in or theme. Once installed, the CryptoPHP begins to carry out its dirty work.
After the malicious software is downloaded and installed, the CryptoPHP backdoor then makes the web server act as a botnet. A botnet, which is a combination of the words robot and network, connects programs with other programs performing similar functions. In this case, the CryptoPHP connects to servers operated by the hackers and waits for a command. The hackers can now execute commands on the user’s web server to connect to other machines and install malicious software or steal private and sensitive data. Keep in mind, all this is happening in the background, undetected by the user.
Research conducted by Fox-IT showed almost 24,000 unique IP addresses attempted to connect to the hackers’ servers. Thankfully, the Dutch government had taken control of the known CryptoPHP servers to collect these statistics, so the web servers associated with the IP addresses were safe. However, the number of web servers affected is not known, although it is likely higher than 24,000 because some of the IP addresses were associated with known web hosting servers, which host other web servers.
Other statistics collected by the Dutch government showed the top 5 countries affected by CryptPHP were the United States, Germany, France, the Netherlands, and Turkey.
The CryptoPHP attackers have taken down the websites hosting the malicious plug-in and theme software. However, there is evidence they are using different websites to host their pirated code. There is also evidence the hackers are attempting to use a new version of the backdoor exploit.
If you have recently installed a content management plug-in or theme, and want to make sure your web servers are safe, you can take action. Fox-IT published two scripts for webmasters to scan their systems for the CryptoPHP software. There are also instructions on how to remove the code on the website, although the best way to remove the software, unfortunately, is to perform a fresh reinstall of an infected system to ensure you have a “clean” system. To download the scripts or read through the information on how to remove CryptoPHP.
We definitely recommend you take action to protect your web servers, especially if you have installed a new plug-in or theme for your web content management system. Also, be cautious when downloading any software and make sure you use updated anti-virus and malware protection software.