Greg Gurev at MySherpa sent me an email about a backdoor program that has been proliferating on Drupal, Joomla and WordPress CMS systems this month. MySherpa is a very popular managed IT firm in Wilmington, Delaware, and Greg is very aware of what’s up with the industry. Needless to say, when I get a virus warning from him I look into it. Sure enough, everyone is talking about it and many have been infected.
Upon further research, it appears the backdoor installs itself into CMS sites via pirated versions of paid themes and plugins. I don’t venture down that road, so the red flag in my brain lowered a bit. As I continued to read, I learned that a company called Fox-IT in the Netherlands was the company that discovered the vulnerability. They wrote an in-depth white paper about the hack. Below is what I extracted from the 50-page document.
It’s All About Black Hat SEO Strategy
The software is a backdoor because it creates an opening for a third-party server to add content to your site. The purpose is to inject links and content for other websites into your site pages. Google then reads this as a backlink, which gives the site receiving the link better rank. There are also some instances of folks being redirected to a Justin Bieber YouTube video, which I believe is a fate worse than death. So to boil it down, this backdoor allows a third party to manipulate your content so another website can receive higher rank on Google. It’s the ultimate black hat SEO play.
How To Check WordPress For CryptoPHP
Removing CryptoPHP is fairly simple. What you do is copy your entire site to your computer and search it for a specific PHP include call.
Do the following:
- Create A New Duplicator Package: If you don’t have the Duplicator plugin I highly recommend it. It’s the fastest way to get a copy of all WordPress site files on your local computer. Here’s a video tutorial on how to use it if you’re not familiar with it.
- Download And Uncompress Your Duplicator Package: The end result is to have a copy of all your site files on your hard drive.
- Search for the following include call in your site files: <?php include('images/social.png'); ?> The search program I use is called Easy Find.
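As an added example that is not part of the original post, here is a small Python script that automates the search step over an unpacked Duplicator package: it walks every .php file and reports any include or require whose target is an image file. It generalizes the post's social.png check to any image extension; that extension list, the regex and the constructed sample site tree are assumptions for the demo, not details from the Fox-IT paper.

```python
import re
import tempfile
from pathlib import Path

# PHP code has no reason to include a .png/.jpg/.gif, so any include or
# require of an image file is worth a look. The extension list is an
# assumption for this example, not taken from the Fox-IT paper.
SUSPICIOUS_INCLUDE = re.compile(
    r"""\b(include|include_once|require|require_once)\s*\(?\s*['"][^'"]*\.(png|jpe?g|gif)['"]""",
    re.IGNORECASE,
)


def scan_site(root):
    """Walk an unpacked site copy and return (relative path, line number, line)
    for every PHP file that includes an image file."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        for lineno, line in enumerate(text.splitlines(), start=1):
            if SUSPICIOUS_INCLUDE.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return sorted(hits)


def build_sample_site(root):
    """Write a constructed site copy: one clean theme file and one plugin file
    carrying the include call from the post. Sample data, not a real infection."""
    root = Path(root)
    (root / "wp-content/themes/clean").mkdir(parents=True, exist_ok=True)
    (root / "wp-content/themes/clean/functions.php").write_text(
        "<?php\nrequire_once('inc/helpers.php');\n")
    (root / "wp-content/plugins/pirated").mkdir(parents=True, exist_ok=True)
    (root / "wp-content/plugins/pirated/footer.php").write_text(
        "<?php include('images/social.png'); ?>\n")
    return root


def demo():
    """Scan the constructed sample site and return the hits found."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site(build_sample_site(tmp))


if __name__ == "__main__":
    for rel, lineno, line in demo():
        print(f"{rel}:{lineno}: {line}")
```

Point scan_site at the folder you extracted the Duplicator package into; any line it prints is a file to remove or replace.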
If your search finds the PHP call, it’s time to remove the offending template file or plugin. If the call resides in your theme, you’re going to have to use another (rebuild your site) or buy the actual theme. If you’ve pirated themes or plugins and got infected, well, that’s a shame. Remember, the hackers are fueled by greed and love to prey on low-level pirates. Steer clear of that activity and you won’t have trouble.