A Scandinavian technology company, Fox IT, was one of the first discovers of a new threat to PHP based programs (such as WordPress, Drupal, Joomla, etc. )
The Fox IT CryptoPHP white paper is quite technical but we will summarize the issue for you here.
It is about something termed ‘Nulled Scripts’ and given another label too, CryptoPHP. This is perhaps a new term to most of our customers.
So what exactly are these so-called Nulled Scripts?
Nulled scripts are scraps of PHP code, which can be found on free or otherwise non-approved WordPress plugin sites or even in WordPress theme archives; which have had their copy-protection removed.
Various *pro* plugins and themes come with a serial number, or key, which enables paid features or provides access to download free upgrades.
Nulled scripts have such protections removed (so that it is become ‘free’).
There are many websites that are offering these nulled-scripts and also nulled WordPress plugins and theme installers.
They shouldn’t be used because of the following problem:
The programmers who published the white paper have witnessed a drastic increase in the availability of nulled/corrupted scripts.
Of course it is not “new” news that alot of “free” WordPress plugins might have this kind of malware embedded in it; if it was not downloaded from a trusted source such as WordPress.org, WooThemes, WooThemes, Theme Forest, Drupal.org Joomla.org, etc.
But this particular kind infection is more of a threat than previous malware because in it encrypts data before transmitting it back to its controlling servers; which of course can be located anywhere in the world.
Identifying the infection is rather simple though:
For example take this line of code: include('wpassets/images/someimage.png');
A web developer that could be reviewing the code should be suspicious of it because an ‘image’ is not supposed to be included this way into an PHP script.
This “ include() “ function call is supposed to be used for importing PHP code. So this has turned out to be be a way of injecting malware PHP code contained in a fake image file.
This devious technique isn’t readily detected by malware/virus scanners because most of the utilities out there currently don’t parse through binary image files.
We are recommending WordFence as our now default security plugin WordPress sites. If you are working in another CMS other than WordPress, then write us at support@(our company domain) and we will help you check or solve this issue. The latest no-charge version of Wordfence checks all include() functions for auspiciousness and then also scans image files for PHP scripts or bytecode.
So what does the CryptoPHP Null Script actually do??
CryptoPHP injects spamming loops and various kinds of website links, some even leading to other malicious infections, into your website’s content at various locations in random intervals.
Fox IT determined that the malware script injects spamming operations and malicious website links into your site’s content. attempting black-hat SEO – in order to get exposure for these website or as a general advertising technique.
Again, this PHP security issue not only affects WordPress, but any other popular CMS application or script such as Drupal or Joomla and dozens of others; basically any script that uses add-on modules or plugins to extend its functionality,
But you will only get into danger when you download from pirate sites, or free plugin sites. The modules and plug-ins on the primary CMS’s own website more than likely have already been tested safe to download.
The PDF document, Fox IT CryptoPHP white paper , details how to check all your WordPress or other application’s installation(s).
We recommend that you do check over all your sites for this now. And also stray away from downloading “free” themes or plugins from shady unverified sites and forums.
Also best to share this information with your acquaintances to make our internet a better place.
For WordPress or a list of all the great applications that we offer, please do see: 4GoodHosting’s WordPress Web Hosting .