We have terrific news again: BitNinja is able to directly fight against CryptoPHP malware. But what is this backdoor? And what does it do with your servers? Find out from our blog.

What is CryptoPHP?

CryptoPHP is a backdoor used for spamming and illegal search engine optimization (blackhat SEO) actions. This script provides remote control to servers for hackers, who can control them through command-and-control (CnC) server communication, mail communication or manual control.

How it works

After being installed, it provides access to the web server and hackers become able to implement rogue code (a code that constitutes a virus) and inject malicious content into the hosted websites. Mostly, infected servers act like a botnet: they connect to CnC servers using an encrypted channel and listen for commands.
Unlike most php backdoors, CryptoPHP use pirated plug-ins and themes for WordPress, Joomla and Drupal to get installed. This way they don’t need to search and exploit vulnerabilities, but to wait for webmasters to download and install these, having the CryptoPHP backdoor embedded into them.
The capabilities of cryptoPHP are very dynamic:

• Integration to CMSs like WordPress, Joomla, Drupal
• Ability to update itself
• Remote updating of the list of CnC servers
• Manual control of the backdoor besides CnC server communication
• Public key encryption for communication
• Setting up an extensive infrastructure in terms of CnC server domains and IP’s
• Backup mechanisms in place against CnC server takedowns in the form of email communication

How to detect its presence

The first symptom of all, that CryptoPHP communicates with external servers, requiring multiple external requests.
It’s also suspicious, if your WordPress is slow to load, especially at the first pageview. You can also see error messages in your server logs, due to possible failed requests. Reports from your ISP or security softwares, indicating that someone is making calls to exec or eval, can also be telltale signs.
 

Extra BitNinja server protection

We constantly monitor the command and control servers of CryptoPHP malware and prevent protected servers from connecting to them, so the malware can’t communicate with the command center, and this way does nothing. Your and your customers’ servers are protected by BitNinja, so you don’t have to deal with this headache anymore.