Security advisory regarding WordPress, Drupal, and Joomla CMS

It has come to our attention that malware dubbed “CryptoPHP” is being distributed through pirated themes and plugins for popular content management systems such as WordPress, Drupal, and Joomla.

The information available to us indicates that the author of this malware lures site administrators into installing it by publishing pirated themes and plug-ins that anyone can use for free instead of paying for them. The majority of pirated plugins are downloaded from nulledstylez.com, dailynulled.com, or other sites that specialize in providing “nulled” (pirated) software. However, installing these themes/plug-ins also installs a “backdoor” that gives the malware's author control.

An in-depth white paper on this backdoor is available here: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf

A scan of our servers revealed several instances of the backdoor installed on a number of websites. If your website was found to be affected, it is currently suspended. Note: The list of affected and suspended accounts is available here: http://pastebin.com/mxfnb1kB. Please note that, as per our Terms of Service available here: http://www.speedataweb.com/tos.php, it is your responsibility to keep your content management systems updated and secure. Any account found to be compromising the security and integrity of our servers will be suspended.

  • At this time, there is no sure or known way of totally cleaning or healing sites infected by this backdoor, because the backdoor integrates directly into the content management system of the infected site. See the white paper referenced above.
  • Removing the active malware vector alone does NOT remove the infection completely. We therefore strongly recommend that you RE-INSTALL the sites using the latest versions of the CMS software, and avoid re-using any themes/plugins/components/modules previously used.

Should you have any questions or concerns, please don’t hesitate to contact us and we’d be happy to assist you.