Posts tagged: Wordpress

Nov 25 2014

CryptoPHP – Backdoor in Thousands of CMS Plugins and Themes Used to Hijack Web Servers

CryptoPHP BackdoorSecurity researchers have discovered thousands of backdoored plugins and themes for the popular content management systems (CMS) that could be used by attackers to compromise web servers on a large scale.

The Netherlands based security firm Fox IT has published a whitepaper revealing a new Backdoor named “CryptoPHP”. Security researchers have uncovered malicious plugins and themes for WordPress, Joomla and Drupal. However, there is a slight relief for Drupal users, as only themes are found to be infected from CryptoPHP backdoor.

In order to victimize site administrators, miscreants makes use of a simple social engineering trick. They often lured site admins to download pirated versions of commercial CMS plugins and themes for free. Once downloaded, the malicious theme or plugin included backdoor installed on the admins’ server.

By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server“, Fox IT said in its analysis on the attack.

Once installed on a web server, the backdoor can be controlled by cyber criminals using various options such as command and control server (C&C) communication, email communication and manual control as well.

Other capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

Miscreants are using CryptoPHP backdoor on compromised Web sites and Web servers for illegal Search Engine Optimization (SEO), which is also known as Black Hat SEO, researchers said in its report. It is because the compromised websites link to the websites of the attackers appear higher in search engine results.

Black Hat SEO is a group of techniques and tactics that focus on maximizing search engine results with non-human interaction with the pages, thus violating search engine guidelines. These include keyword stuffing, invisible text, doorway pages, adding unrelated keywords to the page content or page swapping.

The security company has discovered 16 variants of CryptoPHP Backdoor on thousands of of backdoored plugins and themes as of 12th November 2014. First version of the backdoor was appeared on the 25th of September 2013. The exact number of websites affected by the backdoor is undetermined, but the company estimates that at least a few thousand websites or possibly more are compromised.

Apr 14 2011

WordPress Hacked, Source Code Stolen

Wordpress AutomatticServers belonging to Automattic, which makes the popular WordPress blogging software, say that their servers were hacked and that the company’s source code is believed to have been “exposed and copied,” according to a company blog post Wednesday.

The post, by Matt Mullenweg, Automattic’s co-founder, said that the company had a “low-level (root) break-in to several of our servers.” Whi While the company doesn’t know the exact target of the hackers, “potentially anything on those servers could have been revealed.”

Mullenweg said the company was operating under the assumption that its source code was copied and, while much of it is open source, the copied data did contain “bits of our and our partners’ code” that are sensitive.

Automattic has taken “comprehensive steps to prevent an incident like this from occurring again,” but Mullenweg declined to speculate on whether the hundreds of thousands of blog operators that use WordPress need to be concerned about security vulnerabilities. He encouraged blog owners to make sure they are using strong passwords to secure their WordPress installations, and to refrain from reusing passwords – generic “good housekeeping” advice that wasn’t specific to the breach.

This isn’t the first time Automattic has found itself in the crosshairs. In March, the company was the target of a large denial of service attack. WordPress installations hosted on infrastructure managed by Network Solutions were also the target of attacks in April, 2010 that redirected thousands of WordPress blogs to malware-laden drive by download Web sites.