
CryptoPHP - What it is, and why you NEVER want to get this exploit.

In late 2014, a new hosting exploit called CryptoPHP was discovered. It is a very serious exploit, and in this article we will discuss how you can protect your account from it and what happens if your account gets CryptoPHP.

CryptoPHP is one of the worst exploits that can plague a hosting account.  It is designed to do serious damage, and it is virtually impossible to recover from.

Thankfully, at this time there is really only one way that the CryptoPHP exploit gets into your account: through the use of cracked or nulled plugins or themes on popular content management systems such as WordPress.

So, in essence: NEVER USE CRACKED OR NULLED SOFTWARE IN YOUR HOSTING ACCOUNT.

CryptoPHP does the following to an exploited account:

  • creates multiple admin users, so the hackers can access the site at any time and install any software they want
  • creates multiple 'backdoor' portals, giving the hackers access to your account even if the admin users are removed
  • opens direct streams of communication to the hackers, allowing them to use your account for illegal purposes, including:
    • sending illegal spam
    • hosting porn sites
    • phishing, fake bank account sites, etc.
    • essentially any illegal activity they want to carry out with your account
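The first symptom listed above, unexpected administrator accounts, is something you can audit yourself before a provider does it for you. The following is an added example, not code from this article or from Fox-IT: it takes rows exported from WordPress's `wp_users` table joined with each user's `wp_capabilities` row in `wp_usermeta` (the export query in the docstring is an assumption about how you obtain them), decodes the PHP-serialized capabilities value, and flags administrators that are not on your allowlist or that were registered after a date you trust. The sample rows are constructed.

```python
"""Audit WordPress users for unexpected administrators.

Assumed input: one tuple per user (ID, user_login, user_registered, meta_value),
e.g. exported with
  SELECT u.ID, u.user_login, u.user_registered, m.meta_value
  FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
  WHERE m.meta_key = 'wp_capabilities';
"""
import re
from datetime import datetime

# wp_capabilities is a PHP-serialized array such as a:1:{s:13:"administrator";b:1;}
# This pattern captures each role name whose boolean value is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
WP_DATE = "%Y-%m-%d %H:%M:%S"


def roles_from_caps(meta_value):
    """Return the set of roles granted (value true) in a serialized wp_capabilities string."""
    return set(ROLE_RE.findall(meta_value))


def find_unexpected_admins(rows, known_admins, baseline=None):
    """Return (ID, login, reasons) for every administrator not in known_admins,
    or registered after the baseline timestamp (WordPress format) when one is given."""
    baseline_dt = datetime.strptime(baseline, WP_DATE) if baseline else None
    findings = []
    for user_id, login, registered, caps in rows:
        if "administrator" not in roles_from_caps(caps):
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("not in allowlist")
        if baseline_dt and datetime.strptime(registered, WP_DATE) > baseline_dt:
            reasons.append("registered after baseline")
        if reasons:
            findings.append((user_id, login, reasons))
    return findings


# Constructed sample rows; user 3 looks like an account a plugin created on its own.
SAMPLE_ROWS = [
    (1, "owner", "2013-05-02 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor1", "2014-01-10 09:30:00", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_update", "2014-11-20 03:12:45", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "support", "2014-11-21 04:00:00", 'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:0;}'),
]
KNOWN_ADMINS = {"owner", "support"}

if __name__ == "__main__":
    for uid, login, why in find_unexpected_admins(SAMPLE_ROWS, KNOWN_ADMINS, "2014-11-01 00:00:00"):
        print(f"user {uid} ({login}): {', '.join(why)}")
```

A hit only tells you an account needs explaining; given the backdoors described next, a confirmed rogue administrator means the account is compromised, not merely that one user should be deleted.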


If you have been infected with CryptoPHP:

If we find that your account has been infected with CryptoPHP, we will have to suspend the account immediately, and will NOT be able to unsuspend the account at any time in the future.

Once an account is infected with CryptoPHP, we cannot allow it to run on the shared servers ever again, because of the illegal actions that can take place with an exploited site.

Can my account be cleaned?

Unfortunately, no. Because of the nature of the exploit and the many 'backdoors' placed in the system, the account cannot be cleaned by simply removing the 'bad files' we find. The exploit gives the hackers full access to your account, so they can simply re-install any exploits they want, at any time.

The ONLY course of action is to completely wipe out the account and create a fresh, new account using NOTHING from the old account. This means that you cannot restore ANY backups you may have of the current sites, and no content can be moved into the new hosting account.

Essentially, the exploit will cause you to completely lose all of the sites and work inside your cPanel account.

The Only Option:

If you believe you have backups that were taken before the account was compromised, we can allow you to restore those backups ON A VPS SYSTEM ONLY.  We will not allow any backups to be restored on a shared hosting server as any exploit or illegal activity can cause damage to the server reputation, and to all hosting accounts on that shared server.

You MUST purchase a VPS or Cloud system from us, and from there you can restore your backups.

We WILL NOT transfer over your infected account from the shared server to the VPS as it has been found to be exploited.

It's unfortunate that we have to take the steps laid out in this article, but this exploit is very serious, and it has to be treated as such.

Remember, DON'T USE CRACKED OR NULLED THEMES, PLUGINS OR SOFTWARE IN YOUR ACCOUNT AT ANY TIME.

For more technical information on the CryptoPHP exploit, please see this whitepaper from the folks at Fox-IT:

https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf