Over 23,000 Web Server IP Addresses Connect to CryptoPHP Control Domains

  • 27 November 2014
  • 1 reply
  • 336 views

By Ionut Ilascu    26 Nov 2014
 
Backdoor spread by thousands of pirated themes and plugins for Joomla, WordPress and Drupal content management systems
 
Command and control (C&C) servers used by the operators of the CryptoPHP threat for the popular content management systems (CMS) WordPress, Drupal and Joomla have been sinkholed, and researchers observed connections from 23,693 unique IP addresses.
 
Information on the scale of the CryptoPHP operation was gathered by Fox IT in cooperation with Abuse.ch, Shadowserver and Spamhaus.
 

Most infections registered in the US

 
After sinkholing most of the active C&C servers, the researchers noticed a decrease in the number of addresses contacting them. As such, following the initial statistics on November 22, fewer and fewer IPs initiated communication with the control domains, 16,786 being recorded on November 24.
 
Full Article

More information from Help Net Security.
 
Posted on 01.12.2014

Over 23,000 websites set up with the help of the Joomla, WordPress and Drupal content management systems have been compromised and used for illegal search engine optimization by an attacker who managed to social-engineer site administrators into installing a backdoor on their servers.

Dubbed CryptoPHP because of its use of RSA public key cryptography for communication with its C&C servers, the backdoor has been included in pirated themes and plug-ins for the aforementioned CMSes, and linked for download on some two dozen specially crafted sites that openly offer pirated software and "nulled" scripts:


http://www.net-security.org/images/articles/psites-01122014.jpg

Full Article