Backdoored CMS Plugins Used To Hack Web Servers

Security researchers have discovered thousands of backdoored plugins and themes for the popular content management systems (CMS) that could be used by attackers to compromise web servers on a large scale.

The Netherlands-based security firm Fox-IT has published a whitepaper revealing a new Backdoor named “CryptoPHP.” Security researchers have uncovered malicious plugins and themes for WordPress, Joomla and Drupal.However there is a slight relief for Drupal users that only themes are found to be infected from this backdoor. These backdoored plugins and themes are used to compromise web servers.

According to the report, the site administrators are often lured to download pirated themes and plugins without paying for them. This way the bad actors are social engineering a site admin into installation of the included backdoor on their server.The backdoor is designed to control with various options such as command and control server communication, mail communication and manual control.

“By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server,” Fox-IT said in its analysis on the attack.

Other capabilities of the CryptoPHP backdoor include:

• Integration into popular content management systems like WordPress, Drupal and Joomla
• Public key encryption for communication between the compromised server and the command and control (C2) server
• An extensive infrastructure in terms of C2 domains and IP’s
• Backup mechanisms in place against C2 domain takedowns in the form of email communication
• Manual control of the backdoor besides the C2 communication
• Remote updating of the list of C2 servers
• Ability to update itself

There have been thousands of backdoored plugins and themes which contain 16 variants of CryptoPHP Backdoor as of 12th November 2014. Their first ever version went live on the 25th of September 2013 which was version 0.1, they are currently on version 1.0a which was first released on the 12th of November 2014. The exact number of websites affected due to this CryptoPHP Backdoor is undetermined , but the firm estimates that at least a few thousand websites are compromised.

A majority of the C&C servers used by the threat are located in the Netherlands (40%), Germany (40%), and the United States (18%).