CryptoPHP – stop it with BitNinja

Boglarka Angalet

We have terrific news again: BitNinja is able to directly fight against CryptoPHP malware. But what is this backdoor? And what does it do with your servers? Find out from our blog.

What is CryptoPHP?

CryptoPHP is a backdoor used for spamming and illegal search engine optimization (blackhat SEO). The script gives attackers remote control of the infected servers, which they can exercise through command-and-control (CnC) server communication, e-mail communication or manual control.


How it works

Once installed, it gives attackers access to the web server, letting them run rogue code (code that behaves like a virus) and inject malicious content into the hosted websites. Infected servers mostly act like a botnet: they connect to CnC servers over an encrypted channel and listen for commands.

Unlike most PHP backdoors, CryptoPHP uses pirated plug-ins and themes for WordPress, Joomla and Drupal to get installed. This way the attackers don’t need to search for and exploit vulnerabilities; they simply wait for webmasters to download and install these packages, which have the CryptoPHP backdoor embedded in them.


The capabilities of CryptoPHP are wide-ranging:

  • Integration to CMSs like WordPress, Joomla, Drupal
  • Ability to update itself
  • Remote updating of the list of CnC servers
  • Manual control of the backdoor besides CnC server communication
  • Public key encryption for communication
  • Setting up an extensive infrastructure in terms of CnC server domains and IPs
  • Backup mechanisms in place against CnC server takedowns in the form of email communication


How to detect its presence

The first symptom of all is that CryptoPHP communicates with external servers, which requires multiple outbound requests from your web server.

It’s also suspicious if your WordPress site is slow to load, especially on the first pageview. You may also see error messages in your server logs caused by failed outbound requests. Reports from your ISP or security software indicating that someone is making calls to exec or eval can also be telltale signs.
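Since calls to exec or eval are named above as a telltale sign, here is a small scanner, added as an illustration and not code from BitNinja or from the CryptoPHP research, that flags PHP files containing the eval/exec/decode constructs typical of PHP backdoors. The sample files are constructed for this example (the obfuscated snippet only echoes a string), the pattern list is an assumption about what such backdoors commonly use, and the severity rule (decode combined with eval) is a heuristic, not a definitive verdict.

```python
import re
from typing import Dict, List

# Constructed sample files: one "pirated theme" carrying an obfuscated eval,
# one clean plugin. These are NOT real CryptoPHP files.
SAMPLE_FILES = {
    "wp-content/themes/pirated-theme/functions.php": (
        "<?php\n"
        "function theme_setup() { add_theme_support('post-thumbnails'); }\n"
        "$x = base64_decode('ZWNobyAnaGknOw==');\n"  # decodes to: echo 'hi';
        "eval($x);\n"
    ),
    "wp-content/plugins/clean-plugin/clean.php": (
        "<?php\n"
        "function clean_init() { return 'ok'; }\n"
    ),
}

# Assumed pattern list: function families that legitimate theme/plugin code
# rarely needs but PHP backdoors lean on heavily.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "exec": re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\("),
    "decode": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    # preg_replace with the deprecated /e modifier evaluates the replacement as PHP
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
}


def scan_php_source(source: str) -> Dict[str, List[int]]:
    """Return {pattern_name: [line numbers]} for suspicious calls in one PHP file."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def severity(hits: Dict[str, List[int]]) -> str:
    """Heuristic: decoding followed by eval/exec is the classic dropper shape."""
    if "decode" in hits and ("eval" in hits or "exec" in hits):
        return "high"
    if "eval" in hits or "exec" in hits or "preg_replace_e" in hits:
        return "medium"
    return "low" if hits else "none"


def scan_files(files: Dict[str, str]) -> Dict[str, Dict[str, List[int]]]:
    """Scan a {path: source} mapping and keep only files with findings."""
    report = {}
    for path, source in files.items():
        hits = scan_php_source(source)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: severity={severity(hits)} hits={hits}")
```

On a real server you would feed the scanner the contents of every .php file under the web root (for example by walking the directory tree with os.walk) and review the "high" findings first; a hit is a reason to read the file, not proof of infection, because some legitimate plugins also decode embedded data.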


Extra BitNinja server protection

We constantly monitor the command-and-control servers of the CryptoPHP malware and prevent protected servers from connecting to them, so the malware can’t communicate with its command center and therefore does nothing. Your servers and your customers’ servers are protected by BitNinja, so you don’t have to deal with this headache anymore.
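To show what blocking CnC communication looks like in practice, here is an added example (not BitNinja’s implementation) that checks outbound-connection log lines against a denylist of CnC networks and emits egress firewall rules for them. The denylist uses documentation address ranges as placeholders, since the real CryptoPHP CnC addresses are not given on this page, and the log format is assumed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Placeholder denylist built from RFC 5737 documentation ranges.
# These are NOT real CryptoPHP CnC addresses; substitute a maintained feed.
CNC_DENYLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed outbound-connection log in an assumed "<ts> OUT <src>:<port> -> <dst>:<port>" format.
SAMPLE_LOG = """\
2015-09-01T10:00:01 OUT 10.0.0.5:44321 -> 192.0.2.1:443
2015-09-01T10:00:02 OUT 10.0.0.5:44322 -> 203.0.113.10:443
2015-09-01T10:00:03 OUT 10.0.0.5:44323 -> 198.51.100.7:80
2015-09-01T10:00:04 OUT 10.0.0.5:44324 -> 10.0.0.9:3306
"""

LINE_RE = re.compile(r"^(\S+) OUT (\S+):(\d+) -> (\S+):(\d+)$")


def is_cnc(ip: str) -> bool:
    """True if the address falls inside any denylisted CnC network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CNC_DENYLIST)


def flag_cnc_connections(log: str) -> List[Tuple[str, str, int]]:
    """Return (timestamp, destination, port) for every outbound connection to a CnC network."""
    flagged = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        ts, _src, _sport, dst, dport = match.groups()
        if is_cnc(dst):
            flagged.append((ts, dst, int(dport)))
    return flagged


def iptables_rules() -> List[str]:
    """Egress DROP rules so an infected site cannot reach its command center."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP" for net in CNC_DENYLIST]


if __name__ == "__main__":
    for ts, dst, port in flag_cnc_connections(SAMPLE_LOG):
        print(f"{ts}: connection attempt to CnC {dst}:{port}")
    for rule in iptables_rules():
        print(rule)
```

A flagged connection attempt is itself a strong indicator that a site on the server carries the backdoor, so the blocked destinations are worth logging and alerting on, not only dropping.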
