BonJecker
Forum Replies Created
Running the site through sucuri revealed that cPanel is outdated. The site is hosted with a 3rd party host, so I will try to convince our client to move their site to our secured and updated server.
There are over 700 IP address ranges that were added so the total number of IP addresses whitelisted is pretty large.
Here are a few for your reference:
64.233.160.*
64.233.161.*
64.233.162.*
…
74.125.*.*
…
64.4.0.*
…
If you would like the full list, please provide a method for me to send it over to you.
Thanks for your response. What prompted me to look into the settings for iThemes was my receiving email notifications that ‘all’ of the user accounts were getting locked out due to failed logins. Further inspection reveals that the invalid user logins started on or about 5/5/2015.
If someone had access to modify the database, it would have been easy for them to create their own admin user account, or change one of the users’ passwords.
Therefore, it’s my concern that these IP address ranges just showed up suddenly on their own.
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
Each of our sites is hosted within its own account with its own security credentials, so infection was on a site-by-site basis. None of our sites use MailPost or WPTouch plugins. All infected sites use different themes and plugins and there is no common plugin used on all sites, so I would rule out an outdated plugin as the source of the infection.
The only thing I have found common is that all sites were not on v3.9.1
Is anyone able to confirm their existing v3.9.1 site was infected?
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
After reviewing the link you provided and seeing that about 80% of our sites were compromised, I see this is a pretty widespread issue. However, so far I disagree with the thought that they are coming in through a vulnerable plugin, as I have not found a common plugin to all of the affected sites.
One common aspect found so far is that all of the sites compromised were not on version 3.9.1 when they were first compromised. The one site I mentioned that was infected again a day later was not hardened immediately after it was cleaned and updated to v3.9.1. I have since been hardening WordPress v3.9.1 using iThemes (formerly Better WP Security) and so far the sites have remained clean (keeping my fingers crossed).
Will post more details and updates regarding the cleaning process once I feel confident the hole has been patched properly.
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
None of the sites have open user registration, and almost every site of ours was hit by this. Thanks for the feedback. I hope this isn’t a widespread issue…
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
Yes. The blank user Administrator with ID 1001001 is consistent across all of the sites that have the code added to the top of each PHP page. We are cleaning up all of the code from the files and trying to figure out some commonality between the affected sites. If anyone can help us decipher what this code actually does, we would be happy to provide it. We have found several variations of the code, which generally looks like garbage… but it must be doing something… just not sure what.
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
Yes, Helptourists… It appears your site may have been hacked.
We had this same problem on one of our client sites on June 30th, 2014. What appeared to be malicious code was added to the top of every php file within the client root directory on our live server. I would like to reiterate: this code was even added to .php files that were outside of the WordPress directory (WordPress is installed in /blog/ and PHP files in the root client folder (index.php) were also modified).
We have not been able to figure out what the code does exactly, because the site appears to function normally until you log in to wp-admin and visit the Plugins page. After WordPress kicks out the errors “no valid header” and “plugin deactivated”, the site no longer functions correctly due to the missing plugins.
We have analyzed the code added to the top of the pages but have not figured out what it does as of yet. There is no base64 encoding. A random string is generated and then a php function is created. One of our other developers here analyzed this and said the result that he arrived at was a number… like 120 or something which doesn’t make sense.
I restored the site files from backup but retained the SQL database because it didn’t appear that it was compromised with the exception of the blank Administrator user which had an ID of 1001001 which I deleted.
I changed our Administration login password and the MySQL password, reset the salt keys in wp-config.php, updated WordPress to 3.9.1 and updated all plugins, and added iThemes Security (formerly Better WP Security) and enabled most security options, including removing the admin user, changing the database prefix, etc.
Just the other day, I enabled the function in iThemes to monitor files for changes and a few days ago I received an email notifying me that many php files were changed on July 1st, 2014 (the day after I cleaned everything up). I downloaded a few .php files from the live site and see they have all been compromised again.
The only password that wasn’t changed was the web server password for the client site, so I suspect they either got in using the same SiteWorx password, or one of the other Admin User’s local computers was compromised and not cleaned.
I can provide the code if anyone wants to take a stab at this.
Unfortunately, we manage about 20 – 30 WordPress sites for our clients and late Friday when I found that this one site had been compromised again, I went through to check some of the other client sites and so far have found five other sites that are infected with this same issue.
Trying to find some commonality by adding to the original post so hopefully we can find a solution. Unfortunately, I have a feeling we are in the early stages of a new WordPress vulnerability that has been found and exploited, but not yet patched.
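Added example, not code from this thread or from iThemes Security: the baseline-and-compare check the last post relies on, hashing every PHP file under the account root (not only /blog/, since root-level index.php was also modified) and, for each changed file, showing what now sits at its top in place of the clean head. Function names, file names and the injected stub are constructed for the demo.

```python
"""Baseline hashing plus head-injection detection for a WordPress account root."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, exts=(".php",)):
    """Map each file under root with a matching extension to its SHA-256 (keyed by relative path)."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and p.suffix in exts}


def compare(baseline, current):
    """Classify paths as added, removed or modified relative to the clean baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def injected_head(clean, suspect):
    """Bytes now at the top of `suspect` replacing the start of `clean`, assuming only the head
    was touched (the files share a long common tail). None if suspect is not a head-modified copy."""
    n = 0
    while n < min(len(clean), len(suspect)) and clean[-1 - n] == suspect[-1 - n]:
        n += 1
    if len(suspect) <= len(clean) or n < len(clean) // 2:
        return None
    return suspect[:len(suspect) - n]


def demo():
    """Constructed scenario: baseline a clean tree, prepend a stub to two PHP files (one outside
    the blog directory), drop in a new file, then report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blog").mkdir()
        clean = {"index.php": b"<?php\nrequire 'blog/wp-blog-header.php';\n",
                 "blog/wp-load.php": b"<?php\n// loader\nrequire 'wp-config.php';\n",
                 "blog/style.css": b"body{}"}  # non-PHP file, ignored by hash_tree
        for rel, data in clean.items():
            (root / rel).write_bytes(data)
        baseline = hash_tree(root)  # taken right after the clean restore
        stub = b"<?php /* constructed stand-in for the injected block */ ?>\n"
        for rel in ("index.php", "blog/wp-load.php"):
            (root / rel).write_bytes(stub + clean[rel])
        (root / "blog" / "dropper.php").write_bytes(b"<?php // constructed new file\n")
        report = compare(baseline, hash_tree(root))
        report["heads"] = {rel: injected_head(clean[rel], (root / rel).read_bytes())
                           for rel in report["modified"]}
        return report
```

In practice the baseline manifest is written to disk immediately after the clean restore and kept off the web server, so a later comparison cannot be tampered with by the same access that modified the files.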