The CryptoPHP backdoor & what you need to know

Researchers at Fox-IT released a white paper regarding an increasing threat to content management systems they’ve named CryptoPHP.

What is the CryptoPHP Backdoor?

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

What We’ve Done For Our Customers

GreenGeeks is always working to ensure maximum security for our customers.  Here’s what we’ve done since learning about the CryptoPHP backdoor.

  1. Checked all clients data. Affected clients were notified and we’re working with them to resolve. Only 0.001% sites on our network were affected.
  2. Added advanced real-time security rules to protect against new instances.
  3. Updated GGS real-time malware scanning tool to find out affected data more quickly
  4. Updated the list of known holes to check servers periodically.

What You Can Do to Protect Against These Kinds of Infections

  1. Download & use plug-in’s that are from reputable & verified sources.
  2. Ensure the latest versions of plugins & core CMS code is up to date.
  3. Download security scanning tools such as iThemes Security or WordFence

SSL 3.0 Poodle Vulnerability

SSL v3 Vulnerability

Google reported in a blog post today the discovery of a security vulnerability with SSL version 3.0. Our engineers were notified of this vulnerability before the announcement was made public and have made the necessary changes to disable access to SSL 3.0 on our core infrastructure.

Unlike the HeartBleed vulnerability, most of our users will not be impacted from this change. However, those that are using outdated web browsers (Internet Explorer 6 for example) will be unable to connect securely to our control panel and website.

If you’re using an outdated web browser, simply download the updated versions or download newer clients such as Mozilla Firefox or Google Chrome. These browsers utilize an enhanced security protocol known as TLS, which has the ability to automatically update keeping you secure in the future.

SSL Version 3.0 will be disabled on Firefox on November 25, but you do not have to wait for this to be released. You can download a plugin that will allow you to set the minimum SSL version. If you’re using Internet Explorer, simply go to Settings -> Internet Options -> Advanced Tab -> Uncheck SSLv3 under Security.

Our system engineers are working to disable SSL version 3.0 across all of our servers. This will be done in segments to ensure there is no impact your websites.

You can learn more about this issue by reading Google’s report

As always, you’re more than welcome to contact our support if you have any questions and/or concerns.