CRYPTO PHP ON WEBSERVERS
Over 23,000 Web Servers infected with CryptoPHP.
“Security for a website should be the top-most priority” @KatanaWebWorld
Over 23,000 sites using Drupal, Joomla, and WordPress have been infected with malware called CryptoPHP. According to this report by Fox-IT, a Dutch security firm, CryptoPHP is used for Black Hat Search Engine Optimization, to push malicious content higher in the search rankings.
The infection vector in this case is not an exploited vulnerability, but rather pirated copies of legitimate plug-ins into which the CryptoPHP backdoor has been inserted. The attackers simply wait for webmasters to download what appear to be valid plug-ins. Once compromised, the infected websites function as a botnet, waiting for commands from attacker-operated command-and-control servers over encrypted channels.
The security firm Fox-IT took control of the command-and-control domains and redirected them to servers under its own control to gather statistics, a process known as sinkholing.
The Impact of the Infection:
Top 5 Countries infected and percent of total
- US IP addresses infected: 37%
- German IP addresses infected: 12%
- French IP addresses infected: 5%
- Netherlands IP addresses infected: 4%
- Turkish IP addresses infected: 3%
Fox-IT described the extent of the infection and its spread in this blog post: they report that, at a minimum, 23,693 IP addresses have the infection.
The security researchers released Python scripts on GitHub to scan for the infection. See link here: They also posted removal instructions, but noted that it is best to reinstall the entire content management system, since it is known to have been compromised.
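Because the infection arrives inside a tampered copy of an otherwise legitimate plug-in, the basic defensive check is file integrity: hash every file of the installed plug-in and compare it against a manifest taken from a clean copy of the same version obtained from the official source. The script below is an added example written for this post; it is not Fox-IT's scanner and is not part of the original article. The plug-in trees, the file contents and the "tampered" copy are all constructed in a temporary directory so it runs offline, and it assumes you can obtain a clean reference copy of the plug-in to build the manifest from.

```python
"""
Added example (not Fox-IT's scanner, not part of the original post):
compare an installed CMS plug-in against a SHA-256 manifest built from a
known-clean copy. Modified files, files that were added next to the
legitimate ones, and files that went missing are reported separately.
All sample files below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under a plug-in directory, keyed by relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_plugin(root: Path, manifest: dict) -> dict:
    """Compare an installed plug-in tree against the clean manifest.

    Returns the files whose contents changed, the files present on disk but
    absent from the manifest (what a backdoored copy typically adds), and the
    manifest files that are missing from the installation.
    """
    installed = build_manifest(root)
    modified = sorted(f for f, h in installed.items() if f in manifest and manifest[f] != h)
    added = sorted(f for f in installed if f not in manifest)
    missing = sorted(f for f in manifest if f not in installed)
    return {"modified": modified, "added": added, "missing": missing}


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative_path: bytes} mapping on disk (constructed input)."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


# Constructed stand-in for a clean plug-in as shipped by its author.
CLEAN_FILES = {
    "plugin.php": b"<?php\n// constructed: legitimate plug-in entry point\n",
    "lib/helper.php": b"<?php\nfunction helper() { return 1; }\n",
    "assets/logo.png": b"\x89PNG\r\n\x1a\nconstructed image bytes",
}

# Constructed stand-in for a pirated copy: the entry point gained an extra
# line and a new file appeared next to the legitimate assets.
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["plugin.php"] = CLEAN_FILES["plugin.php"] + b"// constructed: line inserted by the tampered copy\n"
TAMPERED_FILES["assets/extra.dat"] = b"constructed placeholder for an added file\n"


def demo(tampered: bool = True) -> dict:
    """Build a clean manifest, then verify either the tampered or the clean tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        installed = Path(tmp) / "installed"
        write_tree(clean, CLEAN_FILES)
        write_tree(installed, TAMPERED_FILES if tampered else CLEAN_FILES)
        manifest = build_manifest(clean)
        return verify_plugin(installed, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the manifest would be built once from a freshly downloaded official copy of each plug-in and stored off the web server, so that an attacker who replaces plug-in files cannot also update the hashes they are checked against. An empty report is only meaningful if the reference copy really did come from the vendor and not from the same unofficial source as the installed one.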
We are using the work by Fox to create procedures and tools to ensure your sites are safe. Call ItGresa if you would like a security scan.
How can I keep my business safe?
Not everyone has the skills or the time to protect themselves, their employees, or their business from hackers.
ItGresa will do it for you!
Call us at 1 (470) 305-7223.