Trouble started brewing early Saturday morning when I started receiving “high server load” alerts from one server via my caveman’s notification system. Before I could even take a peek into the server, a stream of “excessive resource usage” alerts also started pouring in, all pointing to one website on this same server.

I initially thought the site in question, a sports website, was simply getting swarmed with real user traffic — it was the weekend after all, and people have time to catch up on the various league fixtures — so I did zip — absolutely nothing — and just continued in my slumber and folding of the arms.

But when the high server load remained for an hour, I could see poverty coming after me like the robber — so I finally jumped out of bed to do something. Still thinking it was real user traffic, my first line of defense was to turn on Cloudflare and configure Cloudflare’s Page Rules with a long expire time — which would create full-page caches and serve them directly to visitors, totally leaving the server to continue its usual sabbatical.

When this didn’t solve the problem I gave up all hopes of a blissful Saturday, fired a session to the server, and started looking deeper. My initial analysis made me suspect this abnormal traffic to be an inside job: that some rogue script on the server was causing this, something no caching or CDN can fix. This suspicion was deepened when I started seeing similar activity on other websites on the same server, and finally confirmed when other virtual machines joined in the fun.

I’ll spare you the gory details of what happened and only tell you the results: it turned out several of my clients’ servers were infected with some malware called CryptoPHP.

What Is CryptoPHP?

Here is a direct quote from Fox-IT, the Delft, Netherlands-based security firm that brought this malware to light in November of last year:

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

After being installed on a webserver the backdoor has several options of being controlled which include command and control server communication, mail communication as well as manual control.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

Integration into popular content management systems like WordPress, Drupal and Joomla
Public key encryption for communication between the compromised server and the command and control (C2) server
An extensive infrastructure in terms of C2 domains and IP’s
Backup mechanisms in place against C2 domain takedowns in the form of email communication
Manual control of the backdoor besides the C2 communication
Remote updating of the list of C2 servers
Ability to update itself

Fox-IT released a full CryptoPHP whitepaper at the time of the discovery, which has even more beef:

“While investigating the ‘nulledstylez.com’ website we found that every pirated plug-in, theme and extension contained the same backdoor. While making a mirror of all the content published on the website we found some ZIP files with a similar comment as the one from the initial incident but referring to a different domain. This website ‘dailynulled.com’ was similar to the ‘nulledstylez.com’ one in that it also published pirated themes and plug-ins for WordPress, Joomla and Drupal. All these websites publish similar content, these plug-ins are available from multiple websites. Which are managed by the same actors. All content provided by these websites is backdoored with CryptoPHP.”

So how did CryptoPHP get on my clients’ servers?

That’s easily explained. As mentioned above, the CryptoPHP malware is hidden in pirated commercial themes and plugins which are offered for free download at these so-called “nulled” sites, so it’s easy to conclude that someone — my own clients or my clients’ clients — uploaded one or more of these backdoored themes or plugins to the server. And after scanning and detecting the specific backdoored themes and plugins, it was easy to know for sure who these people were.

So there you have it: how a bunch of thieves, cheesy clients, ne’er-do-wells and CryptoPHP conspired in a grand way to ruin what could have been a perfect weekend for me and little Elvis.