IMPORTANT ALERT - REGARDING CMS SITE MALWARE INFECTION

  • Friday, 26th December, 2014
  • 14:48pm
Please note that this is an important security alert regarding the ongoing global attack on CMS sites such as WordPress, Joomla, Drupal, etc. This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com and dailynulled.com sites, or from some other site that specializes in providing "nulled" (pirated) software. Every pirated theme or plug-in on these two sites has been infested with the CryptoPHP malware.

A group of attackers has published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components give the attackers remote control of the compromised sites, which are then backdoored with CryptoPHP. These compromised plugins and themes also carry malicious PHP script files under the name "SOCIAL.PNG". Continuous spam mails and connections to spamming sites are generated from those domains, which affects the mailing activity of the entire server. Some of the compromised themes and plugins are:

/wp-content/plugins/ubermenu_v.2.4.0.3/
/wp-content/themes/grandcollege/

For more details about the CryptoPHP malware, please refer to the URL below:

https://threatpost.com/attackers-using-compromised-web-plug-ins-in-cryptophp-blackhat-seo-campaign/109505

IMMEDIATE ACTIONS SHOULD BE TAKEN:
================================

In order to get rid of this issue, we strongly advise you to remove the file "social.png" immediately.

NOTE: Removing the "social.png" file DOES NOT remove the infection; "social.png" is only one small piece of it. The infected account should be recreated from scratch.

We advise you to take a complete backup of the domain, then terminate the domain and recreate it with fresh files.

Kindly note that unless these steps are taken, IT MIGHT AFFECT YOUR ENTIRE RESELLER ACCOUNT.

1. Upgrade your open source CMS, such as Joomla, WordPress, WHMCS, Drupal, etc., to the latest version.
2. Remove unnecessary installations of Joomla, WordPress, WHMCS, Drupal, etc.
3. Remove or upgrade vulnerable versions of plugins, themes and templates used in WordPress, Joomla, WHMCS, Drupal, etc.
4. Check the file and folder permissions. See whether they are 644 for files and 755 for folders. If not, change them.
5. Reset your administrator password for Joomla, WordPress, Drupal, WHMCS, etc.
6. Reset your cPanel and database login details.
7. Always use strong passwords, for example 3r48d*#R#T&3023r.
8. Keep a backup of your domain on your local system for safety purposes.
9. Do not download Joomla, WordPress or Drupal plugins from third-party websites; STRICTLY use the plugins from the original publisher (e.g. Joomla Service Provider).
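As an added example, not part of this advisory, the following POSIX shell helpers support the "social.png" clean-up above and step 4 of the checklist: they list every social.png under a document root that does not actually start with the PNG image signature, and every file or folder whose permissions are not 644 / 755. The script name and the document root path are assumptions; run it against your own public_html.

```shell
#!/bin/sh
# Added example, not part of the original advisory: helpers for the
# clean-up steps above. Assumes a Linux host with POSIX sh, find, head,
# od and tr; the document root is whatever path you pass in.

# Return 0 if the file begins with the PNG signature 89 50 4E 47 0D 0A 1A 0A,
# 1 otherwise. A dropped "social.png" that is really PHP text fails this test,
# while a genuine image shipped by a clean theme passes it.
is_real_png() {
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ]
}

# Print the path of every social.png (any case) under $1 that is NOT a real
# PNG image, one per line, so it can be reviewed before the account is rebuilt.
find_fake_pngs() {
    find "$1" -type f -iname 'social.png' | while IFS= read -r f; do
        if ! is_real_png "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every regular file under $1 whose mode is not 644 and every
# directory whose mode is not 755 (step 4 of the checklist), one per line.
find_bad_perms() {
    find "$1" -type f ! -perm 644 -print
    find "$1" -type d ! -perm 755 -print
}

# Run both checks when a document root is given on the command line, e.g.
#   sh scan.sh /home/user/public_html      (assumed script name and path)
if [ $# -gt 0 ]; then
    echo "== social.png files that are not PNG images =="
    find_fake_pngs "$1"
    echo "== files not 644 / directories not 755 =="
    find_bad_perms "$1"
fi
```

Review the listed files by hand rather than trusting the name alone: the advisory notes that deleting social.png does not remove the infection.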

Also refer to the URL below and take all the necessary actions at your end.

http://blog.fox-it.com/2014/11/26/cryptophp-a-week-later-more-than-23-000-sites-affected/

You can also refer to the relevant CMS forums for security tips.