Saturday, November 22, 2014

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise web hosting accounts on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor socially engineers site administrators into installing the included backdoor on their own hosting accounts.

After being installed on a hosting account, the backdoor can be controlled in several ways, including command and control server communication, mail communication and manual control.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as blackhat SEO. The backdoor is a well-developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IPs
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Ability to update itself

You can find complete details about the CryptoPHP threat here.

FOX-IT (the company that discovered this issue) identified thousands of backdoored plug-ins and themes, containing 16 versions of CryptoPHP, as of the 12th of November 2014. The first version, 0.1, went live on the 25th of September 2013; the current version, 1.0a, was first released on the 12th of November 2014. We cannot determine the exact number of affected websites, but we estimate that at least a few thousand websites are compromised by CryptoPHP.

For the last few days some of our server IPs have been hitting blacklists, and during our investigation we found this was caused by the CryptoPHP threat. Most of those are out-dated Joomla/WordPress websites which used pirated themes or plug-ins downloaded from illegal sites.

Those hidden files in your accounts come in various formats such as 'jpg' and 'png'. So far during our scans we found some of them located in Joomla/WordPress sites as '/images/social.png'; this is just an example and there may be many other ways those files get into your hosting accounts.

Due to the nature of the file type it's really hard to detect compromised websites, and we keep getting blacklisted.
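Because the backdoor hides behind an image extension, a plain extension-based scan will not find it; the content of the file has to be inspected. The following scanner is an added example written for this post, not a tool from the hosting provider or from FOX-IT. It walks a web root and flags two things the post describes: files with an image extension that contain a PHP open tag or whose first bytes are not the magic bytes of the image type their name claims. As an assumption that goes beyond the post, it also flags PHP files that include or require a file with an image extension, since that is the usual way such a disguised file gets executed. The sample web root, including the '/images/social.png' file, is constructed inline and contains no real backdoor code.

```python
"""Scan a web root for files that are named like images but carry PHP code."""
import os
import re
import tempfile

# Extensions the post mentions for the hidden files ('jpg', 'png', etc.)
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}

# Leading bytes a genuine file of each type must start with
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# PHP open tags; an image file has no reason to contain either
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

# Assumption (not from the post): a PHP file that includes a file with an
# image extension is a common way a disguised backdoor gets loaded.
INCLUDE_IMAGE = re.compile(
    rb"\b(include|include_once|require|require_once)\s*\(?\s*"
    rb"['\"][^'\"]*\.(png|jpe?g|gif|ico)['\"]",
    re.IGNORECASE,
)


def inspect_file(path):
    """Return a list of finding labels for one file (empty if it looks clean)."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in IMAGE_EXTENSIONS:
        if PHP_TAG.search(data):
            findings.append("php-code-in-image")
        expected = MAGIC.get(ext)
        if expected and not data.startswith(expected):
            findings.append("magic-mismatch")
    elif ext in {".php", ".phtml"}:
        if INCLUDE_IMAGE.search(data):
            findings.append("php-includes-image")
    return findings


def scan_webroot(root):
    """Walk root and return {relative_path: [findings]} for suspicious files only."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            found = inspect_file(full)
            if found:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = found
    return results


def build_sample_webroot():
    """Construct a throwaway web root: one clean image, one disguised PHP file,
    and one theme file that loads it. All contents are constructed samples."""
    root = tempfile.mkdtemp(prefix="cryptophp-demo-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(MAGIC[".png"] + b"\x00" * 32)          # genuine PNG header
    with open(os.path.join(root, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php /* constructed sample, not the real backdoor */ echo 'x'; ?>")
    with open(os.path.join(root, "functions.php"), "wb") as fh:
        fh.write(b"<?php include('images/social.png'); ?>")
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for rel_path, labels in sorted(scan_webroot(demo_root).items()):
        print(rel_path, "->", ", ".join(labels))
```

Run it against a real account by replacing the constructed root with the account's document root. A hit on "php-code-in-image" or "magic-mismatch" is strong evidence worth quarantining the file for review; "php-includes-image" on its own is a heuristic and should be confirmed by looking at the included file.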

Therefore we need the following actions from your end.

  1. If you are using Joomla/WordPress or any other CMS, make sure it is updated to the latest version.
  2. Make sure you install only templates/plug-ins downloaded from the original distribution (vendor sites).
  3. If you have installed paid themes which you downloaded illegally ("nulled" (pirated) software), please delete those themes and inform us as soon as possible so we can scan your account.
  4. If you have installed paid themes, please have proof that those themes were paid for and that you have the rights to use them.

If we find compromised files:

  • If we find that your website has files which were compromised using the above CryptoPHP threat, we reserve the right to suspend your account immediately.
  • If the site has used paid themes, you need to provide us proof that those themes were paid for and that you have the rights to use them in order to reactivate your account. Therefore, if you have used illegal themes or plug-ins, please delete them and inform us of your account details in order to prevent account suspension.

If you are only using the email facility from us and you are getting bounced messages due to this blacklist, please inform us; we have a separate environment set up for customers who are not using CMS websites, to keep your services uninterrupted.

This is a massive problem in the hosting industry, identified recently, and we apologise for any inconvenience caused to you. We are working on preventing this as much as we can.

If you have any questions regarding this, please feel free to contact us by emailing support@lankahost.net
