Why Using Nulled Scripts Is A Dumb Idea

In a recent blog post, I talked about how CryptoPHP, a backdoor malware bundled with nulled CMS plugins and themes, got on my servers and how I wasted an entire weekend cleaning up the mess.

Bad Idea

While sending out a notification email to the clients whose servers were infected, I discovered that, way back in November 2014, I sent out an alert to all clients about this very malware. And before the recent CryptoPHP infection, I had spent innumerable hours detecting and cleaning up various rogue PHP code hidden in nulled scripts installed by some of these clients of mine (or their clients); and after each clean-up I’d send out a strong warning about the ethical, legal and security implications of using nulled scripts.

For those who need a refresher on the terminology, nulled scripts (or nulled code) are commercial web applications that are offered for free download at various pirate websites. These nulled scripts have been modified to remove the protection implemented by the original developer so the script can work anywhere without a license key.

Even though there may be pirate websites out there that provide nulled scripts with no strings attached (so to speak), these “clean” nulled scripts are the exception rather than the norm. In most cases these nulled scripts are more than the original scripts minus their protection: more often than not, malware is also hidden inside the scripts. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the actors behind these nulled scripts are social engineering unethical site administrators into installing the included backdoor on their server.

These backdoors (hidden malware code) are then used by the ne’er-do-wells behind them to command the websites and servers where the backdoors are installed to perform various nefarious and illegal activities such as email spam, unethical (aka blackhat) SEO, or denial of service attacks. Increasingly, massive numbers of these infected websites and servers are drawn together by criminals into “botnets” and commanded to undertake large-scale attacks.

If you think about it, why would anyone go through the trouble of acquiring hundreds or even thousands of these commercial scripts, setting up and maintaining a website, and uploading these themes for you to download for free? Are they merely anti-capitalists, or simply altruistic? No, and no. I’d wager that 99% of the time they do so because they hide their own malware in these downloads, so they can use sites that install them for various nefarious deeds.

So if the ethical and legal walls haven’t stopped you from stealing other people’s works (which is how I see using pirated software of any kind) in the past, here is hoping the serious security risks mentioned here will. As for my own clients (and their clients), none of these have stopped them from using nulled scripts, themes and plugins in the past and I’m not holding my breath this time.

How to Detect and Remove CryptoPHP From Your Webserver

CryptoPHP is a backdoor malware hidden in pirated commercial themes and plugins for popular content management systems (like Joomla, WordPress and Drupal) which are offered for free download at so-called “nulled” sites. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the ne’er-do-well behind CryptoPHP is social engineering unethical site administrators into installing the included backdoor on their server.

How to Detect and Remove CryptoPHP

Having been installed on a webserver CryptoPHP is then (currently) used for illegal search engine optimization, also known as Blackhat SEO. What’s more scary though is the extensive communication and C2 (command and control) infrastructure built into this malware which allows the actors to remotely control all instances of CryptoPHP and compromised servers, making it easy to use the infected servers for any purpose the actors so wish (send spam, distributed denial of service attacks, etc).

Detecting CryptoPHP infection is relatively simple. Inside a nulled theme or plugin there’s a little line of code that looks like this:

[code language="php"]<?php include('assets/images/social.png'); ?>[/code]

If you’re a PHP developer you will immediately recognize this as looking strange: here we have a PHP directive to include an external file containing PHP source code, but the file is actually an image. Hmmm. But inside this image file is actual PHP and the code is obfuscated (hidden through scrambling) to try and hide the fact that it’s malicious. Clever, isn’t it?
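The two tells described above (PHP source that includes a file with an image extension, and an “image” whose bytes are really PHP) can be checked for directly. The following is an added example written for this page, not Fox-IT’s tool and not code from the original post: it walks a directory tree, flags any include/require of an image path, and flags image files that either lack the magic bytes their extension promises or contain a PHP open tag anywhere in the file (a payload appended after real pixel data would otherwise pass a header-only check). The sample theme directory it scans is constructed inline; the placeholder PHP comment inside social.png stands in for the obfuscated code and is not a real payload.

```python
import os
import re
import tempfile

IMAGE_EXTS = ('.png', '.gif', '.jpg', '.jpeg', '.bmp')

# PHP include/require (optionally _once) of a quoted path with an image extension.
INCLUDE_IMAGE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|gif|jpe?g|bmp))['\"]",
    re.IGNORECASE,
)
# A PHP open tag (long form or short echo form) anywhere in a byte string.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")

# Leading bytes a genuine image of each type starts with.
MAGIC = {
    '.png': b'\x89PNG\r\n\x1a\n',
    '.gif': b'GIF8',
    '.jpg': b'\xff\xd8\xff',
    '.jpeg': b'\xff\xd8\xff',
    '.bmp': b'BM',
}


def scan_tree(root):
    """Walk root and return sorted (relative_path, indicator, detail) triples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            ext = os.path.splitext(name)[1].lower()
            with open(path, 'rb') as fh:
                data = fh.read()
            if ext == '.php':
                text = data.decode('utf-8', 'replace')
                for m in INCLUDE_IMAGE_RE.finditer(text):
                    findings.append((rel, 'php-includes-image', m.group(1)))
            elif ext in IMAGE_EXTS:
                if not data.startswith(MAGIC[ext]):
                    findings.append((rel, 'bad-image-header', data[:8].hex()))
                if PHP_TAG_RE.search(data):
                    findings.append((rel, 'php-tag-in-image', 'open tag found'))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample directory: one clean theme and one backdoored theme."""
    root = tempfile.mkdtemp(prefix='cryptophp-demo-')

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)

    # Clean theme: an ordinary include and a PNG with a genuine header.
    write('clean/functions.php', b"<?php require_once 'inc/setup.php'; ?>")
    write('clean/images/logo.png', MAGIC['.png'] + b'\x00' * 16)
    # Backdoored theme: the include pattern from the post, and PHP where an image should be.
    write('nulled/functions.php', b"<?php include('assets/images/social.png'); ?>")
    write('nulled/assets/images/social.png',
          b"<?php /* constructed placeholder, not a real payload */ ?>")
    # A valid GIF header with PHP appended after the pixel data (passes header-only checks).
    write('nulled/images/banner.gif', b'GIF89a' + b'\x00' * 8 + b'<?php /* appended */ ?>')
    return root


if __name__ == '__main__':
    sample_root = build_sample_tree()
    for rel, indicator, detail in scan_tree(sample_root):
        print(f'{rel}: {indicator} ({detail})')
```

Run it against a real docroot by calling `scan_tree('/home')` (or whatever path holds your users’ files) instead of the constructed tree. A hit on `php-includes-image` or `php-tag-in-image` is worth a manual look; `bad-image-header` on its own can also be a legitimately mis-named file, so treat it as the weakest of the three signals.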

How to Scan Your Server for CryptoPHP Infection(s)

FOX-IT, the Delft, Netherlands-based security firm that brought this malware to light in November of 2014, has built a free Python script to detect CryptoPHP. Once detected, you can then manually remove the offending file(s).

As this is a Python script, you need to have Python on your server to run it (duh!). So to check your server for possible CryptoPHP infection, log in to the server, confirm that you have Python, and download FOX-IT’s CryptoPHP detection script with your favourite download tool. I’m using wget here:

[code language="bash"]$ wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py[/code]

Next, make the script executable:

[code language="bash"]chmod +x check_filesystem.py[/code]

And that’s it: now you’re ready to scan your file system to detect CryptoPHP. To scan your whole system (it can take a while), run this command:

[code language="bash"]./check_filesystem.py[/code]

Or you could scan a specific directory. On properly configured cPanel/WHM servers it might be enough to just scan /home (or wherever cPanel users’ files are stored). Run this command to scan /home:

[code language="bash"]./check_filesystem.py /home[/code]

However you run the script, it will scan your files and report each suspicious or confirmed CryptoPHP shell it finds. Here is a sample output after scanning /home on one of my clients’ cPanel webservers:

[code language="bash"]File matching patterns: ['.png', '.gif', '.jpg', '.bmp']
Recursively scanning directory: /home/
/home/XXXXX/public_html/ellon/wp-content/themes/XXXXX/images/social.png: CRYPTOPHP DETECTED! (version: 0.3)
/home/XXXXX/public_html/excel/wp-content/themes/XXXXX/images/social.png: POSSIBLE CRYPTOPHP! (version: 1.1)
/home/XXXXX/public_html/excel/wp-content/themes/XXXXX/images/social.png: POSSIBLE CRYPTOPHP! (version: 1.1)
/home/XXXXX/public_html/wp-content/themes/XXXXX/images/social.png: CRYPTOPHP DETECTED! (version: 0.3)
/home/XXXXX/public_html/wp-content/plugins/XXXXX/images/social.png: POSSIBLE CRYPTOPHP! (version: 1.1)
/home/XXXXX/public_html/wp-content/themes/XXXXX/images/social.png: CRYPTOPHP DETECTED! (version: 0.3)[/code]

Online CryptoPHP Scanner

What if you suspect CryptoPHP activity but don’t have shell access, or can’t reach the server from where you are? CryptoPHP is not new: in fact it’s been around since 2013, but was brought to the world’s attention in November of 2014. So chances are your favorite CMS security tool (you use one, right?) already has a CryptoPHP scanner and remover built in. For WordPress users, Wordfence will do this for you.

If you don’t have such a security tool or your tool of choice doesn’t detect CryptoPHP, there’s still hope for you: use the website scan.cryptophp.com to check if your site is infected with this malware. Be forewarned though: this online scanner doesn’t do such an awesome job of scanning your site. I gave it the root of a domain with a KNOWN CryptoPHP infection, and it didn’t detect it. That’s because WordPress is installed in a sub-directory, and the scanner couldn’t crawl the entire domain to detect the infection. But it detected it when I entered the actual sub-directory where WordPress is installed.

Found CryptoPHP on your server? The best action is to perform a complete re-install of the CMS, since other backdoors may have been left in other parts of the CMS installation. If a complete re-install is not feasible immediately, at least remove the offending plugin or theme.

Also, check your database to see if any extra administrator accounts were added and remove them. Really do log in to your database management application and check the appropriate user tables, as the hackers could hide the extra administrator account from the CMS’s dashboard.
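For WordPress the check above comes down to one query over two tables: roles live in `wp_usermeta` as a serialized PHP array under the meta key `wp_capabilities` (for example `a:1:{s:13:"administrator";b:1;}`), so any row whose value names `administrator` is an admin account whether or not the dashboard shows it. The example below is added here and is not from the original post; it assumes the default `wp_` table prefix (with a custom prefix both the table names and the meta key change together) and builds a constructed in-memory SQLite copy of the two tables so it runs offline. The same `SELECT` can be pasted into phpMyAdmin or the mysql client against the live database.

```python
import sqlite3

# Every user whose capabilities meta names the administrator role.
# Uses the default 'wp_' prefix; adjust table names and meta_key for a custom prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def list_admins(conn):
    """Return (ID, user_login, user_email, user_registered) for every admin account."""
    return conn.execute(ADMIN_QUERY).fetchall()


def find_unexpected_admins(conn, known_logins):
    """Admin accounts whose login is not in the set you know you created."""
    return [row for row in list_admins(conn) if row[1] not in known_logins]


def build_sample_db():
    """Constructed stand-in for wp_users and wp_usermeta with one rogue admin."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, 'george', 'george@example.com', '2015-01-01 09:00:00'),
        (2, 'editor', 'editor@example.com', '2015-02-10 12:00:00'),
        # Constructed rogue account: registered at an odd hour, admin role, unknown email.
        (3, 'wp_support', 'nobody@example.invalid', '2015-06-13 03:14:07'),
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (3, 'wp_user_level', '10'),
        ])
    return conn


if __name__ == '__main__':
    db = build_sample_db()
    for row in find_unexpected_admins(db, {'george'}):
        print('unexpected administrator:', row)
```

The `LIKE '%"administrator"%'` match on the serialized string is deliberately loose so that it also catches a user holding several roles; compare the list against the accounts you actually created rather than against what the Users screen displays.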

Finally, reset the credentials of your own CMS account and other administrators (they were most likely compromised) as well as your database and control panel accounts, as an attacker may have gained system wide access.

And how do you prevent this kind of infection in the first place? If you’re a web host providing shared hosting service, there’s really not much you can do to prevent your users from uploading nulled scripts. But for you wannabe web developers and designers who upload such scripts, for security, legal and ethical reasons PLEASE STOP installing any kind of pirated (nulled) content.

How a Bunch of Thieves, Cheesy Clients, Ne’er-do-wells and CryptoPHP Ruined My Weekend

Instead of fussing with my woman, toiling for my kids, or just roaming about the heavens all day like the lucky old sun, I spent most of the past weekend working like the devil day and night to keep several of my clients’ web servers online and my phone line calm.


Trouble started brewing early Saturday morning when I started receiving “high server load” alerts from one server via my caveman’s notification system. Before I could even take a peek into the server, a stream of “excessive resource usage” alerts also started pouring in, all pointing to one website on this same server. I initially thought the site in question, a sports website, was simply getting swarmed with real user traffic — it was weekend after all, and people have time to catch up on the various league fixtures — So I did zip — absolutely nothing — and just continued in my slumber and folding of the arms.

But when the high server load remained for an hour, I could see poverty coming after me like the robber — so I finally jumped out of bed to do something. Still thinking it was real user traffic, my first line of defense was to turn on Cloudflare and configure Cloudflare’s Page Rules with a long expire time — which would create full-page caches and serve them directly to visitors, totally leaving the server to continue its usual sabbatical.

When this didn’t solve the problem I gave up all hopes of a blissful Saturday, fired a session to the server, and started looking deeper. My initial analysis made me suspect this abnormal traffic to be an inside job: that some rogue script on the server was causing this, something no caching or CDN can fix. This suspicion was deepened when I started seeing similar activity on other websites on the same server, and finally confirmed when other virtual machines joined in the fun.

I’ll spare you the gory details of what happened and only tell you the results: it turned out several of my clients’ servers were infected with some malware called CryptoPHP.

What Is CryptoPHP?

Here is a direct quote from Fox-IT, the Delft, Netherlands-based security firm that brought this malware to light in November of last year:

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

After being installed on a webserver the backdoor has several options of being controlled which include command and control server communication, mail communication as well as manual control.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

FOX-IT released a full CryptoPHP whitepaper at the time of the discovery, which has even more beef:

“While investigating the ‘nulledstylez.com’ website we found that every pirated plug-in, theme and extension contained the same backdoor. While making a mirror of all the content published on the website we found some ZIP files with a similar comment as the one from the initial incident but referring to a different domain. This website ‘dailynulled.com’ was similar to the ‘nulledstylez.com’ one in that it also published pirated themes and plug-ins for WordPress, Joomla and Drupal. All these websites publish similar content, these plug-ins are available from multiple websites. Which are managed by the same actors. All content provided by these websites is backdoored with CryptoPHP.”

So how did CryptoPHP get on my clients’ servers?

That’s easily explained. As mentioned above, the CryptoPHP malware is hidden in pirated commercial themes and plugins which are offered for free download at these so-called “nulled” sites, so it’s easy to conclude that someone — my own clients or my clients’ clients — uploaded one or more of these backdoored themes or plugins to the server. And after scanning and detecting the specific backdoored themes and plugins, it was easy to know for sure who these people were.

So there you have it: how a bunch of thieves, cheesy clients, ne’er-do-wells and CryptoPHP conspired in a grand way to ruin what could have been a perfect weekend for me and little Elvis.

“CWNP Is Going Green,” Or Are They?

It’s quite funny when otherwise amazing companies insult their users’ intelligence and try to pull off stunts like Google recently did with the upcoming shutdown of SMS notification for free Google Calendar users, or make some dopey gimmicks in the name of going green and saving the environment.

I just logged into CWNP.com website to see the message screenshotted below:

CWNP Goes Green. Really?

Really? Wow! Now, I haven’t been through any of CWNP’s certifications, and I’ve no idea what’s included in this “certification kit”. And I could be wrong, but I’ll go out on a limb to say that this is the package sent out to newly certified professionals, and that individuals holding current certifications could request this kit any time, at no cost.

So far, so good. That is, until some bean counter crunched the numbers and somehow concluded that giving out these kits for free was destroying the environment. The environment! So the solution? Let folks pay for the kit instead, you know, to save the environment. And there you have it: CWNP.com’s grand plan for going green and saving the environment!

What’s the biggest outright lie, bizarre advice, or dopey gimmick in the guise of going green and saving the environment that you have come across? Poor George would love to know.

A Trip Down My WordPress Memory Lane

George Appiah's Trip Down Memory Lane

Today, the 15th of June, 2015, is exactly ten years since I discovered this little software called WordPress. Ten years is a long time, yet I remember the day ever so vividly — as if it were just a day ago — because of other incidents that were happening in my little life at the time.

At the time, I was working as a Cellular Network Planning & Optimization Engineer with Ghana Telecom (this was before the Vodafone theft takeover), during the reign of the Norwegians (Telekom Malaysia had just been kicked out, and Telenor of Norway had been brought in to manage the network), with managerial oversight over swapping the then ONEtouch GSM radio network in the five southernmost regions of Ghana — Greater Accra, Volta, Central, Western and Eastern — from Motorola to Alcatel.

But my discovery of WordPress had nothing to do with my day job. Alongside my professional RF career, I’d been teaching myself website design, and had been building free websites for friends and local NGOs using Mambo CMS. (I’m not sure which I was worse at back then: design or persuasion; maybe I was terribly bad at both — or perhaps I was too far ahead of the time — as I couldn’t convince a single local newspaper to accept a free website. Oscar Ugoh, are you still in Ghana, and is BusinessWeek Africa still alive?)

And then bam! The Mambo thing happened. Even as a rookie web developer, back in 2005, I could see trouble brewing ahead and I certainly couldn’t see any bright light at the end of the Mambo tunnel. So while people far wiser and smarter than me were busy re-organizing themselves to create a fork of Mambo (which became Joomla), I started looking for a new CMS I could count on to keep my pet projects running. In the process I discovered WordPress.

The Early Days

The first WordPress version I used was 1.5, code-named “Strayhorn” after American Jazz composer, pianist and lyricist William Thomas “Billy” Strayhorn. I don’t remember which domain I built this first WordPress website on, but it couldn’t have been this site because it was not until November 14th that I purchased my namesake domain name.

George Appiah's profile on WordPress.org

George Appiah’s profile on WordPress.org (I lost access to my first account and had to create a new one, hence the October 17th, 2005 date)

WordPress 1.5 had the simple administrator dashboard shown below. There were those who felt this simplicity was too limiting; but for me this simplicity was a welcome relief from the kludge of confusing menus and submenus that I was used to, coming from Mambo.

WordPress 1.5 Strayhorn

Memorable Themes

In my ten year journey with WordPress, I’ve used dozens of themes for my own websites and for the few client projects that I’ve had the privilege to work on. But two themes that have a permanent place in my rather limited memory are Kubrick by Michael Heilemann (of BinaryBonsai.com) and Trisexuality by Scott Jarkoff (aka Jarkolicious).

Kubrick was originally developed for WordPress 1.2, but became the default theme shipped with WordPress 1.5. If you have been around WordPress and blogging for a while, you’re probably familiar with the famous and ubiquitous blog design below. Huffington Post described Kubrick as “the Blog Theme That Changed the Internet”, and rightly so.

Kubrick Classic WordPress Theme

I can’t say for sure whether it’s the name, the colors or the rather unusual (at the time) layout that attracted me most to Trisexuality. But whatever the attraction, it was strong enough for me to have kept a non-default theme on GeorgeAppiah.com for nearly 5 months (a record for me!) and to still remember my fondness for the theme though I stopped using it nearly ten years ago.

Trisexuality WordPress Theme

Reflections

When I started using WordPress, I could neither code nor design well enough to save my own life (I still can’t, but I’m better now than I was back then, and I’ve become even better at hiding my shortcomings 🙂 ); and as I didn’t know enough about the software, I couldn’t even contribute in the areas of documentation and support. But WordPress was changing so rapidly at the time that every update broke nearly all the existing themes and plugins. So for each new version, we had to manually test individual themes and plugins and maintain plugin and theme compatibility lists – wiki pages showcasing which themes and plugins worked with the particular version of WordPress. This was the only area I could contribute, as I knew how to install WordPress and I had a lot of time on my hands.

Ten years on, I do regret that I haven’t made any meaningful contribution to WordPress, beyond using it for every website I build and telling everyone and their dogs (sometimes even their cats too!) to use it. And while I owe every line of PHP, HTML, CSS and JavaScript that I know to WordPress, I find it inexcusably appalling that, even though I use WordPress every single day, I haven’t committed myself to deep enough study so as to gain confidence in my WordPress and coding abilities.

Part of the reason for the above is my stubborn adherence to the original career path I charted for myself early on, and my refusal to follow any of the exciting forks in my career path that life has so forcefully and benevolently opened up to me (more on that in future posts).

So that’s my 10-year journey down the WordPress memory lane. I’m still at the fork in my career path, undecided as to which direction to turn. Depending on which direction I turn, I may continue to be a passive user using WordPress for my own short-lived projects, or WordPress will become my bread and butter — at which point I’ll have no option but to learn to become a WordPress ninja and contribute in a meaningful way to this amazing community.

Why Is Google Shutting Down SMS Notifications for Free Calendar Users?

As an early adopter of web technologies, I’ve learnt to live with the disappearance of features, pivoting of products, and even complete shutdowns of websites and the companies behind them. It’s a fair price I pay for the opportunity to play with cutting-edge technologies and the shiniest of online toys, often for free, long before Mr. Joe and Ms. Jane even hear about them.

What’s not so cool with me is when these companies try to spin such shutdowns or removal of features as a good thing for users. And that cut gets deeper when it comes from a company I love and trust. Take, for instance, this recent mail from Google:

Google Calendar SMS Notifications Shutdown Warning

So come June 27th, 2015, Google will shut down SMS notifications for all free users of its online calendar service. That includes all Gmail users and grandfathered Google Apps Free/Standard users. That part I’m used to and I can live with. But note Google’s spin on this: The world has changed. Who needs SMS notifications when apps can give you a richer experience?

Hmmm. Maybe that’s so. Yet, note the rather curious closer:

“This change will not affect Google Drive for Work, Google Apps for Work (paid edition), Education and Government customers.”

Yikes! Apparently paying Google Calendar users (yes, I know Education is free) are living in a cave or something and they’ve not seen the life-enriching experience of smartphones and apps yet. So, for these cave dwellers without smartphones, SMS notifications are still a vital feature. But for all you free riders, SMS is so-so yesterday so we’re shutting it down. Thus sayeth Google.

I smell BS here. I’ve no idea how much it costs Google to send all these notifications for millions of free Calendar users, but one can safely deduce from Google’s mail that it’s all about the Benjamins. Hey Google: if you’re going to shut down a service that millions of us use every day for the spondoolies, at least have the courage to admit so.