A large proportion of websites are built on a CMS rather than raw HTML. Three of the most common are WordPress,
Distributed through pirated themes and plugins, CryptoPHP’s spread is thanks to the light-fingeredness of site admins. It was first detected in 2013 and is still actively spreading. The capabilities of the “well-developed” backdoor include remote control of an infected server, and Blackhat SEO — a form of illegal search engine optimization.
Fox-IT found 20 websites being used to distribute the CryptoPHP backdoor, and two further websites hosting the actual plug-in and theme files used for direct download.
Fox-IT warns that thousands of websites have been compromised by CryptoPHP. The threat is so named because it uses RSA public key cryptography to protect communication with its servers. The main source associated with the spread of the backdoor is nulledstylez.com, but numerous other sites dealing in pirated plugins and themes are also involved, including freemiumscripts.com, wp-nulled.com and mightywordpress.com.
Each of the downloads was flagged by the site providing it as being free of viruses, but Fox-IT points out that the versions made available for download differed from the ones that had been verified as clean by VirusTotal. On examining the contents of the pirated downloads, files with different timestamps from the rest were found to contain the backdoor hidden in PHP code.
While there is little to stop CryptoPHP infecting other CMSs, WordPress, Joomla and Drupal are the main targets due to their popularity. The backdoor installation varies from platform to platform, but in the case of WordPress an extra administrator account is added so that access can be maintained even if the backdoor itself is removed.
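As an added illustration of the two tells described above (example code, not Fox-IT's or the article's own), a small Python triage script that flags files whose timestamp sits apart from the rest of a downloaded theme or plugin and lists administrator accounts the site owner does not recognise; the file names, timestamps and user logins are constructed sample data.

```python
"""Triage helpers for a downloaded CMS theme or plugin, based on two
observations: backdoored files carried timestamps that differed from the
rest of the package, and on WordPress the backdoor adds an extra
administrator account. Sample data below is constructed, not real IoCs."""
import os
import statistics


def timestamp_outliers(entries, tolerance=3600):
    """entries: iterable of (path, mtime_epoch). Returns the paths whose
    modification time is more than `tolerance` seconds from the median
    mtime of the package. A legitimately packaged theme is normally built
    in one go, so a lone file dated weeks later is worth opening."""
    entries = list(entries)
    if len(entries) < 3:
        return []  # too few files for a meaningful median
    median = statistics.median(m for _, m in entries)
    return sorted(p for p, m in entries if abs(m - median) > tolerance)


def scan_directory(root, tolerance=3600):
    """Walk an unpacked download and apply timestamp_outliers to it."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append((full, os.stat(full).st_mtime))
    return timestamp_outliers(entries, tolerance)


def unexpected_admins(users, approved):
    """users: iterable of (login, role) as WordPress lists them (for example
    via WP-CLI's `wp user list`); approved: logins the site owner recognises.
    Any administrator not in `approved` is reported for review."""
    return sorted(login for login, role in users
                  if role == "administrator" and login not in approved)


# Constructed sample: a theme built within minutes plus one file touched weeks later.
SAMPLE_FILES = [
    ("theme/style.css", 1_380_000_000),
    ("theme/functions.php", 1_380_000_120),
    ("theme/index.php", 1_380_000_090),
    ("theme/inc/extra.php", 1_384_000_000),  # constructed outlier
]
# Constructed sample: the owner's account plus an administrator nobody created.
SAMPLE_USERS = [("owner", "administrator"), ("editor1", "editor"),
                ("wp_support", "administrator")]

if __name__ == "__main__":
    print("timestamp outliers:", timestamp_outliers(SAMPLE_FILES))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"owner"}))
```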
Tracing the activity of CryptoPHP seems to lead back to a Moldovan IP address, specifically in Chisinau. Command-and-control servers have been identified in the US, Poland, Germany and the Netherlands, and Fox-IT has produced a white paper that details how to detect the presence of the backdoor.