CryptoPHP Infection & Nulled Scripts


New Security Threat - CryptoPHP Infection & Nulled Scripts

Find out more about the latest security threat. Nulled Scripts & CryptoPHP Infection and how it affects Content Management Systems such as WordPress

Dutch IT company Fox IT have released a white paper describing a hidden threat that exists inside popular content management systems called "CryptoPHP." While this threat has been around for a while, there has recently been a massive increase in the number of infections.

The white paper is very complicated, so probably only interesting if you are more technically minded.  We have summarized the threat below.

What are Nulled Scripts?

Nulled Scripts are when a piece of code has its copy protection removed.  An example of this is a Pro WordPress theme or plugin that may have a serial key which when entered will give access to the plugin theme, paid features or just entitle you to the free upgrades.

Nulled scripts are essentially the same piece of software, but with the copy protection removed.  Of course, this is illegal, but you will find many places that will advertise free or downloadable software, such as torrent websites.  You will quite often find a vast library of free Premium WordPress themes and plugins, but as you will see below, there is no way of knowing whether other more malicious changes have been made to these files.

One such change that is becoming more and more popular is the CryptoPHP Infection.

What is a CryptoPHP Infection?

This is the deliberate infection of nulled scripts.  It most commonly occurs in "Free" Premium WordPress Themes or Plugins, offered by dubious websites to people wanting to pirate something that would otherwise cost money, for free.

For this reason, it is important that you should only download themes or plugins from recognizable or verified sources such as, Theme ForestWooThemes just to name a few examples.

What makes CryptoPHP so dangerous is that it encrypts the malicious code, so it is not readily apparent, unless of course, you are specifically looking for it.

An example of such an infection is a line of code similar to:


The include function is used to include other PHP scripts, so what makes this so suspicious is that an image is being included.  You certainly wouldn't include an image like this in a PHP script.

If you looked closer at the image file, you would find that it is some PHP code disguised as an image file and as such many malware scanning programs or plugins do not check image files.

obfuscated malicious PHP code

In the image above, you can see the obfuscated malicious PHP code.

While we have only mentioned WordPress related examples, the infection can be contained in any PHP script.  So websites running Joomla, or Drupal among others, may similarly be affected.

What does it do?

The Fox IT white paper found that the CryptoPHP Infection caused the insertion of spam and malicious website links into the infected websites content.  This can significantly affect your Google Ranking over time, but is primarily designed with Black Hat SEO in mind ... i.e. using links from your website to artificially increase the ranking of other websites.

Quite often the scripts can be quite clever at masking themselves, so even if you do not think that you are infected it is still worth doing a scan (see below).

How to fix your website if it is infected?

As we mentioned above, many malware scanning websites or plugins do not specifically check for this type of infection. For this reason, we recommend using Sucuri as your website scanner of choice, as not only do they scan the "include()"  statements but they scan the image files as well.  To double check this we contacted Sucuri, who had this to say:

Best Host News:

Hi, does your scanner detect for CryptoPHP infections, either by scanning the include statements or scanning image files directly?

Warren B.:

Hey there. Yes. It can detect all kinds of infections, and our tech can clean all of them.

Furthermore, if you do find you are infected, they can clean up any infection as well from just $99 for a whole year of cover. This means not only will they clean up the initial infection, but if it reoccurs (or any other infection occurs) within the year, they will clean that up as well at no extra cost.

Choose a host that takes Security Seriously

Another thing we would recommend if you are concerned about your website being hacked is to choose a host that focuses on website security.  SiteGround, for instance, took a proactive approach to the white paper that was released and scanned their servers looking for all the websites that were infected by CryptoPHP and limited access to the nulled scripts.  SiteGround are then applying a server-wide protection to ensure that any future CryptoPHP infections are prevented.

You can read more about SiteGround and why they are our top recommended host here.  You can also get up to 70 percent off your first invoice at SiteGround here

Related categories
60% Off with our top user-rated host: SiteGround
Need a fast, reliable hosting provider?
60% Off with our top user-rated host: SiteGround