Hack? Please help me, don't know what to do

Yes Helptourists… It appears your site may have been hacked.

We had this same problem on one of our client sites on June 30th, 2014. What appeared to be malicious code was added to the top of every php file within the client root directory on our live server. I would like to reiterate: this code was even added to .php files that were outside of the WordPress directory (WordPress is installed in /blog/ and PHP files in the root client folder (index.php) were also modified).

We have not been able to figure out what the code does exactly because the site appears to function normally until you log in to wp-admin and visit the Plugins page. After WordPress kicks out the error no valid header and plugin deactivated, the site no longer functions correctly due to the missing plugins.

We have analyzed the code added to the top of the pages but have not figured out what it does as of yet. There is no base64 encoding. A random string is generated and then a php function is created. One of our other developers here analyzed this and said the result that he arrived at was a number… like 120 or something which doesn’t make sense.

I restored the site files from backup but retained the SQL database because it didn’t appear that it was compromised with the exception of the blank Administrator user which had an ID of 1001001 which I deleted.

I changed our Administration login password, the MySQL password, I reset the Salt key in wp-config.php, updated WordPress to 3.9.1 and updated all plugins, and added iTheme Security (formerly Better WP security) and enabled most security including removing the admin user, changing the database prefix, etc.

Just the other day, I enabled the function in iThemes to monitor files for changes and a few days ago I received an email notifying me that many php files were changed on July 1st, 2014 (the day after I cleaned everything up). I downloaded a few .php files from the live site and see they have all been compromised again.

The only password that wasn’t changed was the web server password for the client site, so I suspect they either got in using the same SiteWorx password, or one of the other Admin User’s local computers was compromised and not cleaned.

I can provide the code if anyone wants to take a stab at this.

Unfortunately, we manage about 20 – 30 WordPress sites for our clients and late Friday when I found that this one site had been compromised again, I went through to check some of the other client sites and so far have found five other sites that are infected with this same issue.

Trying to find some commonality by adding to the original post so hopefully we can find a solution. Unfortunately, I have a feeling we are in the early stages of a new WordPress vulnerability that has been found and exploited, but not yet patched.

I house 6 wp sites on a single server, it is not a collocation or a VM. I noticed the other day one of my plugins a calendar plugin was missing from the site. when i logged into the admin panel i was presented with a message about Weaver II plugin package should be added. Normally I install all of the updates automatically and deal with issues after. When i went to the plugin control page it said all of the plugins had corrupt headers. using FTP i cleaned every plugins “pluginname.php” and viola all was well for 1 day. I now see every page in every folder has a large amount of data in the header.

Thankfully this is only happening in 1 of 5, strange because most sites have the same plugin but this is the only one running weaver II

Would a piece of sample header help out in this?

I also just noticed something VERY disturbing the creation of a administrator with no username or description. This is out of hand!
when i clean the damaged files it takes very little time for the code to reappear.

Yes. The blank user Administrator with ID 1001001 is consistent with all of the sites that have the code added to the top of each PHP page. We are cleaning up all of the code from the files and trying to figure out some commonality between the affected sites. If anyone can help us decipher what this code actually does, we would be happy to provide it. We have found several variations of the code which generally looks like garbage… but it must be doing something… just not sure what.

Many sites have been similarly hacked https://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html

I guess hackers use a vulnerability in some plugin to create that admin user.

By the way, do any of your blogs have open user registration?

None of the sites have open user registration and almost every site of ours was hit by this. Thanks for the feedback. I hope this isn’t a widespread issue…

After reviewing the link you provided and how about 80% of our sites were compromised, I see this is a pretty wide – spread issue. However, so far I disagree with the thought that they are coming in through a vulnerable plugin as I have not found a common plugin to all of the affected sites.

One common aspect found so far is that all of the sites compromised were not on version 3.9.1 when they were first compromised. The one site I mentioned that was infected again a day later was not hardened immediately after it was cleaned and updated to v3.9.1 I have since been hardening WordPress v3.9.1 using iTheme (formerly better WP security) and so far the sites have remained clean (keeping my fingers crossed).

Will post more details and updates regarding the cleaning process once I feel confident the hole has been patched properly.

Yes it’s wide spread and on many sites we saw that hackers checked for vulnerable plugins (e.g. MailPoet or WPTouch) before trying to access their backdoors or logging into web sites.

By the way,are all those sites share the same server account? If yes, one vulnerable site is enough to compromise all the sites.

Hi to all of you,

we found out that like some of you said a plugin was responsible for that mess. In my case we are pretty sure that is was mailpoet which recently had some security problems!

We have the exact same problem.
What is the best way to fix/solve this problem?

I am unfortunately not responsible for the technical details on my page, but i guess we used a backup, installed all plugins again and deleated the new admin. We also updated mailpoet and wordpress to the last version.

Each of our sites is hosted within its own account with its own security credentials so infection was on a site by site basis. None of our sites use MailPost or WPTouch plugins. All infected sites use different themes and plugins and there is no common plugin used on all sites, so I would rule out the source of the infection from an outdated plugin.

The only thing I have found common is that all sites were not on v3.9.1

Is anyone able to confirm their existing v3.9.1 site was infected?

We have auto updates set up and we are running v3.9.1 and the website is infected.
If the infection happened before the update it is hard to tell.

Sucuri has an update about the MailPoet https://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

but I agree that it’s not the only penetration vector. I also saw infected sites that didn’t have MailPoet. Still investigating…