Never mind Ghost, WhatsApp’s broken privacy, or all the bugs surfacing in Windows 8. One of the most enduring security threats on the modern web is something known as CryptoPHP. This nasty little piece of work installs a backdoor onto content management systems by way of an infected theme or plugin; these add-ons are usually pirated copies of the real ones.
An attacker can then use a connected platform to gain administrative access to the compromised site. This allows them to do … pretty much anything, actually. Worse still, this is one of the most versatile security exploits we’ve seen in a while – it can self-update, makes use of strong encryption, has an application infrastructure that rivals some businesses, and includes a number of backup mechanisms that make it a distressingly insidious presence on the web.
According to statistics released by FOX-IT – the security firm that first reported on CryptoPHP – the vulnerability had infected more than 23,000 sites as of November 26, 2014. It was originally created back in September 2013.
Now, since FOX-IT revealed the vulnerability, we’ve seen all the original mirrors taken down. That doesn’t mean it’s entirely gone, however. Until content management systems find a way to eliminate the flaw that CryptoPHP exploits, it’s not going anywhere.
As such, it’s best that you figure out how you’re going to defend yourself against it sooner rather than later.
The Best Defense Is Due Diligence
The good news here is that protecting yourself from CryptoPHP isn’t actually all that difficult. You just need to make sure that any plugins or themes you install onto your site are obtained directly from the original developer – and make sure that developer’s a legitimate one. Oh, and I suppose it also needs to be said that, moral and ethical considerations aside, don’t pirate your themes and plugins.
That’s … pretty much all there is to say. Download only from known developers and reliable repositories, don’t steal plugins and themes, read up on software before you install it, and always be wary of anything that’s available free of charge. Simple enough, right?
Getting Rid Of A CryptoPHP Infection
In the event that you’re already infected (or think you are), things get a little trickier. There’s a set of scripts here that should allow you to determine if your site is clean or not, but there’s no guarantee that whoever developed CryptoPHP won’t find a way to harden the exploit against those tools.
For that reason, I’m going to offer up an alternative means of detecting (and removing) a CryptoPHP infection. Most commonly, the script that makes the exploit work can be found in an image of some kind – usually one with a very common name. Thus, the first thing you should do if you suspect an infection is check every image on your installation – if you come across one that can’t be opened in an image viewer (but can be opened in a document editor), you might be infected.
As for actually removing CryptoPHP, FOX-IT has a four-step process that you can follow:
- Remove the “include” of the backdoor. For example, find the script that contains: “<?php include('images/social.png'); ?>”. Note that this path can vary.
- Remove the backdoor (social*.png) itself by deleting it.
- Check your database to see if any extra administrator accounts were added and remove them.
- Reset the credentials of your own CMS account and other administrators (they were most likely compromised).
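To make the two checks above concrete (the “image that isn’t really an image” test from the detection section, and the hunt for a script that includes a .png from step one of the removal process), here’s a small Python scanner I’ve added purely as an illustration. It is not FOX-IT’s tool and not code from any of the projects mentioned. Everything in it is my own assumption: the set of image extensions and their magic bytes, the regular expressions, the file names in the throwaway sample site it builds in a temp directory, and the constructed one-line stand-in that plays the part of the backdoor file. It does what the “open it in an image viewer” heuristic does by hand: an image whose first bytes aren’t a valid image header, or that carries a PHP open tag, gets flagged, as does any PHP file that includes an image path. Flagged images are moved to a quarantine directory rather than deleted, so you can review them first; the offending include line is reported for you to remove by hand.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed header bytes for the image formats a CMS theme usually ships.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
PHP_EXTENSIONS = {".php", ".inc", ".phtml"}

# A PHP open tag has no business inside an image file.
PHP_TAG = re.compile(rb"<\?php|<\?=")

# include/require of something that claims to be an image, e.g.
# include('images/social.png'); the quotes and optional parentheses vary.
INCLUDE_OF_IMAGE = re.compile(
    rb"""(include|require)(_once)?\s*\(?\s*['"][^'"]*\.(png|jpe?g|gif)['"]\s*\)?""",
    re.IGNORECASE,
)


def image_is_suspicious(path: Path) -> bool:
    """True if a file with an image extension does not look like an image."""
    data = path.read_bytes()
    expected = IMAGE_MAGIC[path.suffix.lower()]
    if not data.startswith(expected):
        return True  # wrong header: an image viewer would refuse it
    return PHP_TAG.search(data) is not None  # valid header but PHP inside


def scan(root) -> list:
    """Walk a site tree and return sorted (kind, relative path) findings."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffix = p.suffix.lower()
        if suffix in IMAGE_MAGIC and image_is_suspicious(p):
            findings.append(("fake-image", rel))
        elif suffix in PHP_EXTENSIONS and INCLUDE_OF_IMAGE.search(p.read_bytes()):
            findings.append(("include-of-image", rel))
    return sorted(findings)


def quarantine(root, findings, quarantine_dir) -> list:
    """Move flagged fake images out of the site tree; leave PHP files alone."""
    root, qdir = Path(root), Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for kind, rel in findings:
        if kind != "fake-image":
            continue  # the include line must be edited out by hand
        dest = qdir / rel.replace("/", "__")
        shutil.move(str(root / rel), str(dest))
        moved.append(rel)
    return moved


def build_sample_site() -> Path:
    """Constructed sample tree (not a real infection) for a runnable demo."""
    root = Path(tempfile.mkdtemp(prefix="cryptophp-demo-"))
    (root / "images").mkdir()
    # A genuine-looking PNG: correct header, no PHP.
    (root / "images" / "logo.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    # Constructed stand-in for the backdoor file: text, not an image.
    (root / "images" / "social.png").write_bytes(
        b"<?php /* constructed placeholder, not real backdoor code */ ?>"
    )
    (root / "functions.php").write_text("<?php include('images/social.png'); ?>\n")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for kind, rel in scan(site):
        print(f"{kind:18} {rel}")
    moved = quarantine(site, scan(site), site.parent / (site.name + "-quarantine"))
    print("quarantined:", moved)
```

Run it against your real document root instead of the sample tree and review every “fake-image” hit before deleting anything; a legitimate image with junk appended after its real data can trip the PHP-tag check, which is why the script moves files aside rather than removing them. After quarantining, rescan: only the “include-of-image” line should remain, and that is the script you edit in step one.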
CryptoPHP might not be as severe as some of the security vulnerabilities that’ve surfaced this year, but that doesn’t mean it isn’t a threat. If you’re careless in what themes and plugins you install, you could very well wind up with a compromised website. Stay alert, however, and you should be absolutely fine – vigilance is by and large the best defense against this malware.