Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign

  • 20 November 2014
  • 1 reply
  • 273 views

by Dennis Fisher      November 20, 2014 , 10:54 am

Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013.

The incident came to light through an investigation by researchers at Fox-IT in the Netherlands, who discovered it after noticing a compromised Joomla plug-in on a customer’s site. After a little investigation, they discovered that the plug-in had been downloaded from a site that offers a list of pirated themes and plug-ins.

“It didn’t come from the original publisher (Joomla Service Provider) but rather from a third party website claiming to be ‘the’ place for ‘nulled’ scripts. The concept of nulled scripts is similar to pirated software; stripped of any licensing checks, in short this is piracy,” Fox-IT said in a detailed research paper on the attack.
 
Full Article

1 reply

Monday, November 24, 2014 Swati Khandelwal

EXCERPT.

Other capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself
 
Miscreants are using the CryptoPHP backdoor on compromised Web sites and Web servers for illegal Search Engine Optimization (SEO), also known as Black Hat SEO, researchers said in their report. This works because the compromised websites link to the attackers' websites, which then appear higher in search engine results. Full Article
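Both posts above come down to the same defensive lesson: a theme or plug-in obtained from a "nulled" site rather than the original publisher has to be treated as untrusted code and reviewed before it goes near a live CMS. The script below is an added triage example for that review, not code from Fox-IT, the articles, or any CMS project. It walks a plug-in directory and flags generic indicators of backdoored PHP (evaluation of a decoded blob, runtime function creation, code fetched from a remote URL, very long encoded literals, and PHP tags inside files that should not contain code). The indicator patterns and the sample plug-in tree it builds are constructed for this example; they are not CryptoPHP signatures and would need to be extended for real incident work.

```python
import re
import tempfile
from pathlib import Path

# Generic heuristics for backdoored PHP. These are constructed for this example
# and are not derived from any CryptoPHP sample; each is a common finding when
# reviewing code that did not come from the original publisher.
INDICATORS = {
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic_function_creation": re.compile(r"\bcreate_function\s*\(", re.I),
    "remote_code_fetch": re.compile(
        r"\b(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I),
    "long_encoded_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
PHP_EXTENSIONS = {".php", ".phtml", ".inc", ".php5"}


def scan_file(path: Path, root: Path) -> list:
    """Return (relative_path, indicator_name) pairs for one file."""
    rel = path.relative_to(root).as_posix()
    # Decode leniently so binary files (images, archives) can still be searched.
    text = path.read_bytes().decode("utf-8", errors="ignore")
    hits = [(rel, name) for name, rx in INDICATORS.items() if rx.search(text)]
    # PHP code hidden in an asset file is a classic way to smuggle a loader
    # past a reviewer who only opens the .php files.
    if path.suffix.lower() not in PHP_EXTENSIONS and "<?php" in text:
        hits.append((rel, "php_code_in_non_php_file"))
    return hits


def scan_tree(root) -> list:
    """Scan every regular file under root; results are sorted by path."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings.extend(scan_file(path, root))
    return findings


def build_sample_tree() -> Path:
    """Create a constructed plug-in directory with one clean file and three
    suspicious ones, so the scanner can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="plugin-triage-"))
    (root / "plugin" / "assets").mkdir(parents=True)
    (root / "plugin" / "clean.php").write_text(
        "<?php\nfunction demo_render() { return esc_html('hello'); }\n")
    # Harmless stand-in for an encoded payload: 'aGVsbG8=' decodes to 'hello'.
    (root / "plugin" / "backdoor.php").write_text(
        "<?php\neval(base64_decode('aGVsbG8='));\n")
    # Placeholder host; example.invalid never resolves.
    (root / "plugin" / "updater.php").write_text(
        "<?php\n$code = file_get_contents('https://example.invalid/update.txt');\n")
    # A JPEG header followed by a PHP tag, the "code in an image" pattern.
    (root / "plugin" / "assets" / "logo.jpg").write_bytes(
        b"\xff\xd8\xff\xe0 <?php /* hidden loader */ ?>")
    return root


if __name__ == "__main__":
    for rel_path, indicator in scan_tree(build_sample_tree()):
        print(f"{indicator:28s} {rel_path}")
```

Point `scan_tree()` at a real `wp-content/plugins/<name>` or Joomla extension directory instead of the constructed tree to use it in practice. A hit is a prompt for manual review, not proof of compromise: legitimate plug-ins occasionally embed long encoded assets or fetch update metadata over HTTPS, so the decisive check remains comparing the installed files against the publisher's official release.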
