WordPress Nulled Scripts
WordPress Security: CryptoPHP Infection & Nulled Scripts
Fox-IT, the IT services provider from the Netherlands, has published a whitepaper about the rise of what they call CryptoPHP. The whitepaper is highly technical and covers attack vectors for WordPress, Joomla and Drupal. It comes down to something known as "nulled scripts". A nulled script is a piece of code, such as a WordPress plugin or a WordPress theme, whose copy protection has been removed.
Most non-GPL plugins and themes ship with a uniquely generated GPL license that allows you to get free updates or free functionality. Nulled scripts have these protection measures removed so that they work for free. Many sites offer nulled (PHP) scripts as well as nulled WordPress plugins and themes.
The Fox-IT team has seen an alarming rise in intentionally compromised nulled scripts. It is not new that many "free" WordPress plugins and scripts can contain malware if they are not downloaded from a trusted source such as WordPress.org, Theme Forest, WooThemes or the like. This particular infection is more insidious than earlier types of malware in that it encodes information before it is sent back to the command-and-control servers.
It's pretty simple for an experienced PHP programmer to detect the infection:
include('assets/images/social.png');
Any programmer will look at this and immediately be suspicious: why is an image being included in a PHP script? include() is used to load PHP scripts from outside. You suspect that social.png is not really an image, and you are right.
It is a PHP source file disguised with an image filename. This nasty little script can still evade detection because many malware scanners (and plugins) don't examine images. We use Wordfence as our go-to security plugin for all WordPress sites. The latest release of the plugin automatically scans include() statements for suspicious images, and there is also an optional feature to scan images as if they were PHP code.
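The two checks described above (an include() that points at an image, and an "image" that is really PHP) can be sketched as a small standalone scanner. This is an added example, not code from Wordfence or from the Fox-IT whitepaper; the directory layout, file contents and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes of genuine image files, keyed by extension.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# include/require (optionally _once) whose string literal ends in an image extension.
INCLUDE_RE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif))['\"]", re.I)
# Only the long open tag: "<?=" is short enough to occur by chance in binary data.
PHP_TAG = re.compile(rb"<\?php", re.I)


def scan(root):
    """Return sorted (relative_path, reason) findings for the tree under root."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        ext, data = path.suffix.lower(), path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if ext == ".php":
            for m in INCLUDE_RE.finditer(data):
                target = m.group(1).decode("utf-8", "replace")
                findings.append((rel, "includes image path " + target))
        elif ext in MAGIC:
            if PHP_TAG.search(data):
                findings.append((rel, "PHP open tag in image file"))
            if not data.startswith(MAGIC[ext]):
                findings.append((rel, "bytes do not match image extension"))
    return sorted(findings)


def demo():
    """Scan a constructed theme tree: one disguised file, one genuine-looking PNG."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp, "theme", "assets", "images")
        images.mkdir(parents=True)
        Path(tmp, "theme", "functions.php").write_bytes(
            b"<?php include('assets/images/social.png'); ?>\n")
        # Constructed stand-in for the disguised script; no real payload.
        (images / "social.png").write_bytes(b"<?php /* placeholder */ ?>\n")
        (images / "logo.png").write_bytes(MAGIC[".png"] + b"\x00\x00\x00\rIHDR")
        return scan(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel + ": " + reason)
```

The include check only sees string-literal paths, so an include built from variables or concatenation is missed; the content checks on the image files themselves still apply in that case.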
What does the malware do? Fox-IT found that the script injects dubious, spammy and malicious links into the content of your website. Please note that this vulnerability does not only concern WordPress. The whitepaper shows how to identify the scripts so you can review all your WordPress deployments today.
Please urgently review all your websites now. Don't ever get "free" themes or plugins from unknown or unproven websites, and share this advice with your friends and co-workers to make the web a safer place. To make your WordPress website safer, please see our review of best practices for WordPress security.