CryptoPHP – Backdoor CMS Plugins & Themes Used to Hijack Web Servers

Security researchers have found thousands of backdoored themes and plugins for the most popular content management systems (CMS), which could be used by attackers to hijack web servers on a large scale.

A whitepaper released by the Netherlands-based security firm Fox-IT revealed a new backdoor named “CryptoPHP.” Researchers found malicious themes and plugins for WordPress, Drupal and Joomla. There is some relief for Drupal users, however, as only Drupal themes were found to carry the CryptoPHP backdoor.

To turn website admins into victims, the attackers use a simple social engineering trick: they offer pirated commercial CMS plugins and themes at no cost. Once an admin downloads and installs the pirated theme or plugin, the backdoor bundled with it is installed on the admin's server.

“By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server,” security firm Fox-IT said in its analysis of the attack.

Once the backdoor is installed on a web server, the attackers can control it in several ways: through command and control (C&C) server communication, through email communication, and manually.

Other capabilities of the CryptoPHP backdoor are:

  • An extensive infrastructure in terms of C2 domains and IP’s
  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Remote updating of the list of C2 servers
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • Manual control of the backdoor besides the C2 communication
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Ability to update itself
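For administrators who install third-party themes or plugins, a defensive check against the distribution vector described above, added here as an example and not taken from the article or from Fox-IT's analysis: it scans an unpacked package for PHP code in files with non-PHP extensions, for include/require directives that pull in such files, and for eval() of a decoded string. The sample theme tree and its file contents are constructed and hypothetical.

```python
import re
from pathlib import PurePosixPath

PHP_EXTENSIONS = {".php", ".phtml", ".inc"}
# A PHP open tag; deliberately does not match "<?xml" so SVG/XML assets are not flagged
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# include/require(_once) of a quoted literal path
INCLUDE_RE = re.compile(
    rb"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# eval() of a decoded string, a common way to hide the real payload from casual review
OBFUSCATION_RE = re.compile(
    rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def scan_package(files):
    """files: mapping of relative path -> raw bytes of an unpacked theme or plugin.
    Returns a list of (path, reason) findings for a human to review."""
    findings = []
    for path, data in files.items():
        ext = PurePosixPath(path).suffix.lower()
        has_php = PHP_OPEN_TAG.search(data) is not None
        if has_php and ext not in PHP_EXTENSIONS:
            # PHP code hiding in an "image" or other asset file
            findings.append((path, "php-code-in-non-php-file"))
        if has_php:
            for m in INCLUDE_RE.finditer(data):
                target = m.group(3).decode(errors="replace")
                if PurePosixPath(target).suffix.lower() not in PHP_EXTENSIONS:
                    # PHP executes an included file regardless of its extension
                    findings.append((path, f"includes-non-php-file:{target}"))
            if OBFUSCATION_RE.search(data):
                findings.append((path, "eval-of-decoded-payload"))
    return findings


# Constructed sample of an unpacked theme (hypothetical content, not real CryptoPHP files)
SAMPLE_THEME = {
    "style.css": b"/* Theme Name: Example */ body { color: #000; }",
    "functions.php": b"<?php\nadd_action('init', 'example_init');\n",
    "assets/icon.svg": b"<?xml version='1.0'?><svg/>",
    "footer.php": b"<?php include('assets/images/logo.png'); ?>\n</body></html>",
    "assets/images/logo.png": b"<?php eval(base64_decode('PLACEHOLDER')); ?>",
}


def scan_sample():
    return scan_package(SAMPLE_THEME)

if __name__ == "__main__":
    for path, reason in scan_sample():
        print(f"{path}: {reason}")
```

Findings are review leads, not verdicts: legitimate themes occasionally ship PHP in oddly named files, so inspect each flagged file before deleting anything.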

Cyber criminals are using the CryptoPHP backdoor on hacked websites and web servers for illegal search engine optimization (SEO), also known as black hat SEO, the researchers said in their report. Links planted on the hacked websites make the attackers' own websites appear higher in search engine rankings.

Black hat SEO is a set of techniques that aim to maximize search engine rankings through non-human interaction with the pages, violating Google's search engine guidelines. These activities include keyword stuffing, invisible text, doorway pages, page swapping, and adding unrelated keywords to page content.

The security firm had discovered 16 variants of the CryptoPHP backdoor in thousands of infected plugins and themes as of 12 November 2014. The first version of the CryptoPHP backdoor was found on 25 September 2013. The exact number of websites and servers affected by CryptoPHP is undetermined, but the security firm estimates that at least a few thousand websites are compromised with the CryptoPHP malware.
