A few of our email servers went wild sending spam this weekend. After quickly fixing the spam issue, we started the longer process of identifying the cause for the spam. It turned out to be the CryptoPHP infection (check out the official whitepaper), activated through a few WordPress themes and plugins.
What is the CryptoPHP infection?
The CryptoPHP infection was detected a long time ago, but seems to have been exploited more frequently over the last few months. Hackers who use this method take paid WordPress, Joomla and Drupal themes and extensions, remove the code blocks that verify that the extension/theme is licensed, and then distribute them for free. Such versions of extensions/themes are called nulled scripts.
The modified themes/extensions usually contain malicious code that gives the hacker full access to the infected sites. Inside a nulled theme/extension there is a line of code that looks similar to this:
<?php include('assets/images/social.png'); ?>
Most PHP developers will immediately notice that this code block looks strange. The PHP directive includes a file, which should contain PHP code. In this case, however, the file is an image, and it contains malicious code, which is usually obfuscated. The malicious code is used for various purposes, such as black-hat SEO attacks or, as on our servers, sending spam.
What we did
First, we scanned our servers to identify how many sites were infected and we limited the access to the nulled scripts. This means that such malicious files will not run as expected on our servers and hackers will not be able to use them to access sites hosted on our infrastructure.
Second, we are in the process of applying a server-wide protection to make sure any future attempts like the CryptoPHP infection are prevented.
What you should do
As we cannot establish the full scope of the damage that the infection might have caused, we sent an email to all infected users asking them to do two things:
- Check the list of users in your applications for admin accounts you do not recognize and delete them. An admin user has full access to your site, and if that user was not created by you for a trusted person, it was most probably created by the hacker.
- Run an audit of your websites for possible backdoors left by the hackers, that is, look for unknown files that are not supposed to be on your account.
We also strongly recommend that you never download free copies of extensions and themes that are supposed to be paid. No matter what type of software you download, make sure you do it from a reputable source.
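A defender-side check for the pattern described above (a PHP include whose target is an image file) that also serves the file audit recommended in the list. This is an added example, not code from the original post or from the hosting provider; the list of image extensions and the constructed sample files are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions that should never hold PHP code (assumed list, extend as needed).
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp"}
# include/require(_once) with a quoted literal path, with or without parentheses.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
PHP_TAG_RE = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

def suspicious_includes(php_source: str) -> list:
    """Paths passed to include/require whose extension says 'image', not 'code'."""
    return [m.group(2) for m in INCLUDE_RE.finditer(php_source)
            if Path(m.group(2)).suffix.lower() in IMAGE_EXTENSIONS]

def image_contains_php(data: bytes) -> bool:
    """True when a file named like an image carries a PHP opening tag."""
    return PHP_TAG_RE.search(data) is not None

def scan_tree(root) -> list:
    """Walk a site directory and return (path, reason) findings for both indicators."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            suffix = path.suffix.lower()
            if suffix == ".php":
                for target in suspicious_includes(path.read_text(errors="replace")):
                    findings.append((str(path), f"includes image file {target}"))
            elif suffix in IMAGE_EXTENSIONS and image_contains_php(path.read_bytes()):
                findings.append((str(path), "image file contains PHP code"))
    return findings

def demo() -> list:
    """Scan a constructed sample tree (not real theme files); returns the sorted reasons."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "assets" / "images").mkdir(parents=True)
    (tmp / "functions.php").write_text("<?php include('assets/images/social.png'); ?>")
    (tmp / "assets/images/social.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 'hidden'; ?>")
    (tmp / "assets/images/logo.png").write_bytes(b"\x89PNG\r\n\x1a\nIHDR")  # clean image
    return sorted(reason for _, reason in scan_tree(tmp))

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run `scan_tree()` against the document root of each site; a hit on either indicator is worth a manual look, since legitimate themes do not include images as code.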
We also encourage you to share the information about this vulnerability and why using free themes that are supposed to be paid is not a good idea. This will help create awareness and protect more websites from the infection.