Description of Issue
CryptoPHP is a threat that uses backdoored CMS (such as Joomla, WordPress, Drupal etc.) themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their websites.
It uses several hardcoded domains for communication with centralized servers for command and control (C&C) and uses RSA encryption to protect its communications with those servers. Some versions also have a backup ability to communicate over email if those domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on as well as perform several other functions on the attacker's behalf.
The main objective of CryptoPHP is to conduct blackhat SEO operations (cheating on search engine optimization) which improves the rank of sites controlled by the attackers, or their customers, which helps them look like a legitimate site or a legitimate SEO consultant.
Background of Issue
This type of website infection has been around, reportedly, since around September of 2013.
All platforms are affected.
The detection of the infection is relatively simple: Inside a nulled script there’s a little line of code that looks like this:
<?php include('assets/images/social.png'); ?>
Some might immediately recognize this as looking strange. This is a PHP function including a file that would contain PHP source code but it's including an image file. The image file it references is actually PHP code but it is obfuscated (scrambled but readable by the PHP interpreter).
Fox-IT (https://www.fox-it.com/) created a python script to help administrators detect and identify CryptoPHP related code. Python is required to run the scripts (preferably version 2.7). One can obtain and execute the scripts quite easily.
1. Download and make the script executable:
$ wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
$ chmod +x check_filesystem.py
2. To scan your whole system (it can take a while), run:
Or scan a specific directory, for example /home:
3. Files will either reported as suspicious or confirmed CryptoPHP shell as follows:
File matching patterns: ['*.png', '*.gif', '*.jpg', '*.bmp']
Recursively scanning directory: /
/home/www/social.png: CRYPTOPHP DETECTED! (version: 1.0)
/var/www/images/social.png: CRYPTOPHP DETECTED! (version: 1.0a)
/tmp/thumbs/admin/assets/images/thumb.png: CRYPTOPHP DETECTED! (version: 0.3x555)
You can use another script from Fox-IT to determine if your website is actually performing the Blackhat SEO. This is done by performing one request with a web-crawler user agent string and one without.
This script can be run remotely and does not have to be executed on the affected server.
1. Download and make the script executable:
$ wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_url.py
$ chmod +x check_url.py
2. To scan a host or url (or multiple) as the arguments, run:
./check_url.py --verbose www.fox-it.com http://192.168.0.10/index.php
Checking 'http://www.fox-it.com' ..: OK
* Normal request yielded 15 urls, Webcrawler request yielded 15 urls. (0 suspicous links)
Checking 'http://192.168.0.10/index.php' ..: CRYPTOPHP DETECTED
* Normal request yielded 1 urls, Webcrawler request yielded 5 urls. (4 suspicous links)
Or scan a list of hosts or urls, run it with --load:
./check_url.py --verbose --load=urls.txt
Recommendation for Resolution
- Check your server's users looking for newly created users on your system for SSH/FTP that should not exist
- Modify any affected usernames (generally the user(s) that own the files detected as infected)
- Edit out the shady php include() function from infected pages and remove any fake image files that contain CryptoPHP code
- Remove the pirated theme or plugin which contains the CryptoPHP infection.
- Change all passwords related to the compromised account and its website.
- Perform updates on any and all WordPress, Drupal and Joomla installations on the entire server (not just the reported site)
- Subscribe to security update announcement mailing lists for Wordpress, Drupal and Joomla or check for updates regularly to avoid further infections and vulnerabilities leading to exploitation.