WeWatchYourWebsite

"so you don't have to!"

By

“you need to pay for this crypt” infection

We’ve been seeing a lot of this lately, infected websites that have the wording,

you need to pay for this crypt

over and over a few times across the top of the webpages.

This is usually accompanied by some script tags that try to infect the visitor with the Blackhole Kit. (The Blackhole Kit is an exploit used by hackers to try and infect the visitor’s browser with a variety of viruses, trojans and other malware)

On WordPress websites we’ve seen this in the index.php files all over the website. It’s an indication that your website has been infected and needs to be cleaned and hardened.

You can begin by removing the malscript immediately preceeding this text. You can look in the wp-content/index.php which is normally about 30 bytes. With anything malicious in there it will be much larger in file size.

Then, make certain that your WordPress is updated and all plugins too.

We’ve also been seeing many WordPress sites infected due to hackers logging into their wp-admin.

Why?

Because there are still many people who believe that having admin as a user and admin as a password is acceptable. Too many people believe that, “Hackers only want the bigger, more heavily visited websites. They won’t bother with mine.”

People. Hackers want all websites. The amount of “low-hanging fruit” needs to be drastically reduced – or better yet, eliminated.

Change your passwords immediately. Make them strong. Make them at least 10 characters and use upper case, lower case, numbers and some punctuation. Take some phrase and convert to a combination of the above.

Take for instance the movie Oceans 11. That can be converted into:

0c3@n$_elEv3N_+h3_MoV1E

Yes, it’s more difficult to remember. But what’s worse? Remembering your password, or having your website constantly infected?

If you need help cleaning up from an infection, please email me at traef@wewatchyourwebsite.com.

Thank you.

2 Responses to “you need to pay for this crypt” infection

  1. Kabir says:

    My website has no word press still I am seeing the message. what can i do?

  2. Rodrigo Graça says:

    In my case the website is not wordpress (neither other CMS), is custom built, so this hack is not for wordpress sites, is a vulnerability in some service…. ftp? apache? Do you know more info about this?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>