• I have had a recurring issue with my WordPress plugins. At first I thought it was because of a plugin that I downloaded and activated called “Youtube channel plugin”, because that’s when it first happened. But I have since completely deleted the plugin and it happened to me once again, several days later.

    I click on “plugins” in the WP dashboard, and it lists every plugin, but says each one has been deactivated because “the plugin does not have a valid header”.

    If I click on “plugins” again, nothing shows up and it says that I have no plugins installed.

    What it shows me on the dashboard.

    Luckily, all that’s happening is that somehow code is being added to the first line of each plugin php file. If I replace those with my recent backup, it goes right back to normal. But, obviously, I don’t want this to keep happening and don’t know what’s causing it. Any help is greatly appreciated! – Nate

Viewing 15 replies - 1 through 15 (of 25 total)
  • Thread Starter mixmethods

    (@mixmethods)

    If it helps, the code that appears in the file comes after the first line that typically starts with “<?php” and it looks like this:

    [ Redacted ]

    but goes on for much longer.

    I have exactly the same problem. I’m very interested in hearing the answer.

    The php codeblock is some 13250 chars long and is added to all php files within the public_html folder.

    I really hope someone has a meaningful reply.

    Thanks in advance.

    Peter Zzzz

    Thread Starter mixmethods

    (@mixmethods)

    Does it happen to you often? I’m trying to figure out what the catalyst is that changes it. When it happened again today, I don’t think I altered anything, I simply clicked on the “plugins” tab on the dashboard.

    Once I upload the backed up versions, I’m up and running again.

    Do you have mailpoet plugin installed?

    This happened to me as a result of a vulnerability with the above plugin.

    Currently using wordfence to clean up my install but I think I’ll need to delete all the plugins via FTP and re-install them because wordfence isn’t scanning the plugins as they are deactivated by wordpress due to inaccurate headers (malicious code added to php files throughout.)

    Hope this will ‘fix’ it!

    Thread Starter mixmethods

    (@mixmethods)

    Well, I ran Wordfence and discovered that this modification was not only done to the php files in the plugins, but EVERY php file within the WordPress folder! From the sounds of it, Ian, this has to do with one of the plug-ins. Here’s the ones I have installed:

    accordion-slider (paid)
    ajax-event-calendar
    akismet
    akkord-slider
    all-in-one-favicon
    bulletproof-security
    contact-form-7
    envato-wordpress-toolkit
    get-the-image
    horizontal-scrolling-announcement
    ml-slider

    Should I select all the WordPress PHP files for “bulk repair” in Wordfence, or manually remove the code?

    I’ve worked with mailpoet before (it’s actually in another wordpress install in a different directory), but I don’t currently have it installed in this subdirectory.

    Once I get this fixed, is there a way to keep it from happening again or figure out the culprit?

    Yes I do have mailpoet installed.

    This problem has happened to me twice. I have managed to clean up the mess and I’m up and running again.

    Haven’t used Wordfence before. Is it good ? Any advice ?

    Yes second time for me too (first time I tried to use old back ups to fix)

    Wordfence is good but…… because the plugins are deactivated wordfence (or any anti hacking software) isn’t scanning the actual plugin folders.

    I have found the code (injected into the top of EVERY php file in the plugins folder!!) It’s a whole bunch of seemingly gibberish (well to me at least lol!)

    I tried deleting it on all the files within a single plugin and the WordPress dashboard automatically reinstated the plugin. Yippee!

    Now I ask myself do I want to do this for all the plugins I have (20) or do I simply delete the plugin folders via FTP and simply download them again via the WordPress backend/dashboard…….

    The mailpoet vulnerability affects even websites that don’t have mailpoet installed, but are on the same (shared) server, so my other blog was ‘infected’ even though it didn’t have mailpoet installed.

    In the end I updated the core files by allowing wordfence to auto correct (about 500 files!) and I think I’ll just start over with the plugins… there are a LOT of php files in each one.

    I feel like I am struggling with this one alone (Hostpapa support dismal, mailpoet guys understandably snowed under with tickets etc) even though sucuri report tens of thousands of sites affected.

    I just hope I get it all as even a single page missed (the code creates a ‘backdoor’) will start it all over again…. very “Matrix” like I must say!

    How are you guys getting on?

    Well for now I have disabled MailPoet.

    I got the same problem with disabled plugins. What good is a backup plugin if it’s disabled because of this problem ? Last night I cleaned up the mess sufficiently to reactivate the backup plugin. Then I could restore and get online again.

    All php files were hit by the code injection. More than 3000 files.

    I will take a look at Wordfence.

    Good luck and let us know if you learn anything interesting!
    Ian

    Thread Starter mixmethods

    (@mixmethods)

    Wordfence did an excellent job of detecting all of the modified WP files. I did a bulk repair and it worked great without the need for manually replacing any backed up files.

    As far as the plug-ins, I would suggest re-downloading them and replacing the folders (same thing I did with the backup). This will ensure that you know the bad code is gone. Then do another scan with Wordfence.

    I just wish I could figure out the culprit so I can avoid it happening again. I’m making sure to use only totally necessary plugins, updating them all, and making periodic backups. I’ll let you all know if I find out anything further.

    It seems clear that mailpoet was the victim of this particular attack but it’s not particularly fair to ‘point the finger’ as they were the victim of malicious intent from outside.

    How did you get wordfence to scan the plugins mixmethods? Just that WordPress wouldn’t recognize my plugins after the foreign code had been added and so the dashboard was as if there were no plugins installed and therefore non-scanable (if that is even a word!)

    Thread Starter mixmethods

    (@mixmethods)

    Hi Ian, did you just read about that particular attack, or did you somehow know that was specifically the culprit on your own site?

    I had a recent backup of the plugins, so I just replaced all of the plug-in file folders completely so they showed up again. Then your plugins should reappear. Or, you can also install a fresh copy of each plugin. Interestingly, most of the plugins retained the information that I had previously put into them (for instance, my image sliders were still set up the same as previously). That must be stored in the database, I suppose?

    As an alternate method, if you manually remove the code from each PHP file within the plugin folder, it should also reappear for you, although I don’t know if that is the ideal method or not.

    Yes, losing settings was my worry but they do seem to ‘find themselves’ again after re-installing which is good news.

    I read a lot after searching for similar symptoms which matched what others had experienced. Plus I raised a query elsewhere here and a mod was confident that it was the mailpoet hack, pointing my efforts in the right direction.

    I should point out that the latest version of mailpoet is clean and that I was offline (hols) so missed all their efforts to notify us.

    Thread Starter mixmethods

    (@mixmethods)

    Good to know, thanks!

    Well, I cleaned out all unnecessary plugins, updated them all, and used Wordfence to scan and confirm there were no more issues… then backed up again!

    I’ll keep tracking my every move to see if it happens to rear its ugly head again… but I’m hoping that I managed to get rid of whatever was causing the havoc.

    I have also been reading about the MailPoet problem. To me it seems very plausible that MailPoet was the culprit.

    However !!! When my website was hacked Friday or Saturday I was using MailPoet version 2.6.10, which is (was?) supposed to be safe.

    Which version are you guys using?

  • The topic ‘What's causing this? All plugins disappear, code is added to each PHP file!’ is closed to new replies.
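
An added example, not written by any poster in this thread: a shell check for the two symptoms described above, a block of roughly 13250 characters inserted at the top of every PHP file and plugins reported as having no valid header. WordPress reads only the first 8 KB of a plugin file when looking for its header, so a large injected block pushes `Plugin Name:` out of that window. The function names and the 1000-character line threshold are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: flag PHP files that match the symptoms described in this thread.
# Assumptions: a line longer than MAX_LINE in the first two lines is abnormal;
# HEADER_WINDOW is the 8 KB WordPress reads when looking for a plugin header.
MAX_LINE=1000
HEADER_WINDOW=8192

# Print the length of the longest of the first two lines of file $1.
longest_leading_line() {
    head -n 2 "$1" | awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Succeed if the file contains "Plugin Name:" but not within the first 8 KB,
# which is the state that makes WordPress report "no valid header".
header_pushed_out() {
    grep -q 'Plugin Name:' "$1" || return 1
    head -c "$HEADER_WINDOW" "$1" | grep -q 'Plugin Name:' && return 1
    return 0
}

# Print one finding per line for every suspicious .php file under directory $1.
scan_php_tree() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        len=$(longest_leading_line "$f")
        if [ "$len" -gt "$MAX_LINE" ]; then
            echo "LONG_LEADING_LINE $len $f"
        fi
        if header_pushed_out "$f"; then
            echo "HEADER_BEYOND_8K $f"
        fi
    done
}

# Usage: sh scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    scan_php_tree "$1"
fi
```

A file listed here should be replaced from a known-good copy, as the posters did with backups and fresh plugin downloads; a long leading line is a heuristic and can also match legitimately minified PHP.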