The CryptoPHP Infection – A Story About Getting Paid Themes and Plugins for Free

A few of our email servers went wild sending spam this weekend. After quickly fixing the spam issue, we started the longer process of identifying the cause for the spam. It turned out to be the CryptoPHP infection (check out the official whitepaper), activated through a few WordPress themes and plugins.

What is the CryptoPHP infection?

The CryptoPHP infection was detected a long time ago, but it seems to have been exploited more frequently over the last few months. Hackers who use this method take paid WordPress, Joomla and Drupal themes and extensions, remove the code blocks that verify that the extension/theme is licensed, and then distribute them for free. Such versions of extensions/themes are called nulled scripts.

The modified themes/extensions usually contain malicious code that gives the hacker full access to the infected site. Inside a nulled theme/extension there is a line of code that looks similar to this:

<?php include('assets/images/social.png'); ?>

Most PHP developers will immediately notice that this line looks strange. The PHP include directive loads a file that should contain PHP code; here, however, the "file" is an image, and it contains malicious code that is usually obfuscated. That code is used for various purposes, such as black-hat SEO attacks or, as in the case of our servers, sending spam.

What we did

First, we scanned our servers to identify how many sites were infected and we restricted access to the nulled scripts. This means that such malicious files will no longer run as expected on our servers, and hackers will not be able to use them to access sites hosted on our infrastructure.
Second, we are in the process of applying server-wide protection to make sure that any future attempts like the CryptoPHP infection are prevented.

What you should do

As we cannot establish the full scope of the damage that the infection might have caused, we sent an email to all infected users asking them to do two things:

  1. Check the user list of your applications for admins you do not recognize and delete them. An admin user has full access to your site, and if you did not create that user for a trusted person, it was most probably created by the hacker.
  2. Run an audit of your websites for possible backdoors left by the hackers, which means looking for unknown files that are not supposed to be on your account.

We also strongly recommend that you never download free copies of extensions and themes that are supposed to be paid. No matter what type of software you download, make sure you get it from a reputable source.
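A small audit script, added here as an illustration and not part of the original post or of any SiteGround tooling, that looks for the two traces described above: PHP files that include/require a path without a PHP extension (such as the image include shown earlier) and image files that carry PHP tags or eval/base64 calls. The sample theme it scans is constructed inline; the markers and extension lists are assumptions that a real audit would extend.

```python
import re
import tempfile
from pathlib import Path

# include/require of a quoted path (the pattern shown above: include('assets/images/social.png')).
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
PHP_EXTS = {".php", ".inc", ".phtml"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
# Markers that should never appear inside a genuine image file (assumed list).
PHP_MARK_RE = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(", re.IGNORECASE)


def suspicious_includes(php_source):
    """Paths pulled in by include/require that do not end in a PHP extension."""
    return [target for _, target in INCLUDE_RE.findall(php_source)
            if Path(target).suffix.lower() not in PHP_EXTS]


def image_contains_php(path):
    """True when a file with an image extension carries PHP tags or eval/base64 calls."""
    return PHP_MARK_RE.search(Path(path).read_bytes()) is not None


def scan_tree(root):
    """Walk a web root and return (finding, file name, detail) tuples for manual review."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in PHP_EXTS:
            for target in suspicious_includes(path.read_text(errors="replace")):
                findings.append(("include-of-non-php", path.name, target))
        elif ext in IMAGE_EXTS and image_contains_php(path):
            findings.append(("php-in-image", path.name, None))
    return findings


def demo():
    """Constructed sample theme (not real malware): one infected pair plus two clean files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "assets" / "images").mkdir(parents=True)
        (root / "functions.php").write_text("<?php include('assets/images/social.png'); ?>\n")
        (root / "assets" / "images" / "social.png").write_bytes(b"<?php eval(base64_decode('AAAA')); ?>")
        (root / "header.php").write_text("<?php require_once 'inc/config.php'; ?>\n")
        (root / "assets" / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Every hit still needs a human look: a legitimate theme may include a template with an unusual extension, so the script flags candidates rather than deleting anything.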

We also encourage you to share the information about this vulnerability and explain why using free copies of paid themes is not a good idea. This will help create awareness and protect more websites from the infection.

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper focused on solving all kinds of issues and improving our services.

8 Comments

  1. Reply November 27, 2014 / 04:06 ionutSiteGround Team

    If we removed the " " line and scanned the files/script with Wordfence, and the results are (no viruses or malware),

    will it be ok?

    thank you in advance
    Ionut

    • Reply November 28, 2014 / 00:49 HristoSiteGround Team

      If you remove it completely from all infected files you should be fine. However, a full security audit is recommended when such an issue is detected because you don't know what else they have inserted in your code.

  2. Reply November 29, 2014 / 06:32 NormanSiteGround Team

    A story about getting paid themes and plugins for free.

    You found the right title, hahaha 🙂

  3. Reply December 5, 2014 / 13:10 Lynn AllenSiteGround Team

    I don't know if our issue was related to this, as we were using the Fanwood theme, downloaded from WordPress.org. But today I was unable to log in, and in looking at the WordPress code, I found a "new" admin had logged in a week ago...someone I have never heard of. I wonder if that was the hacker. I am glad you all found and squashed this, even though it made me unable to log in to the site. I removed that WordPress installation and made a new one.

    Should I do a full security audit anyway?

    • Reply December 6, 2014 / 13:08 HristoSiteGround Team

      If you've completely wiped out everything you had in your public_html folder then you won't need to do it, but if you've removed only the app I would recommend you to do a security audit just to be sure there aren't any leftovers. If there isn't any valuable data in your account, you can post a ticket in your Help Desk and request your account to be re-created. This way you will get it as if you've signed up today 🙂

  4. Reply December 12, 2014 / 02:10 GrahamSiteGround Team

    I'd bought a theme from a premium ThemeForest developer for $63 for my site.

    It got hit, so it's not just nulled themes and plugins.

    All updates are done twice weekly.

    The developer swears it's not the theme but other users have the same issue on her forum.

    Had to rebuild the site with another theme.

    BTW Daniel - What scanner / protection do you suggest? WordFence, Sucuri etc. don't catch malicious php and going through code line by line on 50 sites......(NO, I don't use nulled themes)

    Thanks

    • Reply December 15, 2014 / 06:43 Daniel KanchevSiteGround Team

      Hi Graham,

      Every attack is unique and probably your site has been affected by another popular WP vulnerability. If your site is hosted on one of our servers please post a support ticket and we'll check the case in detail. Also make sure that all of your plugins are updated.

  5. Reply January 17, 2015 / 23:13 DaveSiteGround Team

    @Graham I've been using 'ZB Block' (search on Google for "ZB Block") on my WP sites for the past 18 months and it stops pretty much all the garbage at the front gate. It's free GPL and I swear by it! In the past I've used Wordfence etc. but nothing stacks up to this baby. It's easy to install. Additional IP sig files block countries such as ch, ru, ro, ua, in etc. In addition it's saved me a heap of bandwidth and protected me against comment spammers and scrapers too.
