When it sounds too good to be true it probably is.
Many Nulled plugin distribution sites have been (identified by FOX IT) as providing plugins and themes containing CryptoPHP. Currently CryptoPHP is used to generate BlackHat SEO and is infecting many cms based sites, WordPress, Joomla, Drupal. Basically CryptoPHP inserts back links throughout a page, post or article on your site. The links are visible to search engine traffic but do not load for a regular visitor, thus hiding the infection and purpose but the dangers don’t stop there.
Here’s a simple description of how it loads: CryptoPHP uses a .png file embedded with php and loaded with an include () statement within a the infected file/files.
Learn more about the dangers of CryptoPHP
If you have ever used any nulled plugins or themes it would be a good idea to review the sites identified below:
- anythingforwp.com
- awesome4wp.com
- bestnulledscripts.com
- dailynulled.com
- freeforwp.com
- freemiumscripts.com
- getnulledscripts.com
- izplace.com
- mightywordpress.com
- nulledirectory.com
- nulledlistings.com
- nullednet.com
- nulledstylez.com
- nulledwp.com
- nullit.net
- topnulledownload.com
- websitesdesignaffordable.com
- wp-nulled.com
- yoctotemplates.com
Site admins are being tricked by these sites to install the infected plugins.
How to find out if your site is infected with CryptoPHP?
Do a search for the following line in your sites file:
<?php include(‘images/social.png’); ?>
If you need help removing or identifying CryptoPHP contact us or check out Wordfence As they have added detection for CryptoPHP, Wordfence will detect the ‘include’ directive above in your PHP source, so even if you haven’t enable image-file scanning, you will still catch all known variants of this infection provided you are running the newest version of Wordfence.
Be sure to read the full whitepaper here: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
