Last week some sites were compromised through an exploit in the “portable-phpmyadmin” plugin.
This was a known security problem with wp-phpmyadmin, which has been banned for months. We did not realize that this other plugin used exactly the same codebase, and therefore had the same exploit, and also needed to be banned.
The exploit allows an attacker to insert PHP code into other files. In this particular case, the attack inserted specific code in all files named index.php, most notably the index.php which is located in the WordPress root and which controls all publicly-viewable pages.
This caused certain HTML to be externally visible, which is what Google’s Malware system detected. It also causes PHP to make outbound network calls.
The same day as the attack, we built an automated script which both detects and removes this particular attack. The script was run automatically every 5 minutes to mitigate the effects while we constructed a complete fix.
The plugin in question is now properly banned.
That script will also continue to run every 15 minutes as an additional double-check for this or similar types of exploits arriving from vectors other than this particular plugin.
We have also added additional scans to that script to detect similar types of attacks. For specific attacks we know about, the script automatically fixes the files (and sends us an email so we can investigate further).
For attacks that look fishy but for which we don’t have an automated fix (yet), the script still emails us so we can look at them by hand.
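To show the shape of the scan-fix-notify loop described above, here is an added example of such a scanner. It is not the hosting provider’s own script and does not contain the real injected code, which this notice does not reproduce: the `INJECTED-PLACEHOLDER-START`/`-END` markers are constructed stand-ins for a known-bad block, and the `SUSPICIOUS` heuristics (`eval` wrapped around `base64_decode` and friends, the `/e` modifier on `preg_replace`) are an assumed definition of “looks fishy”. Known infections are quarantined and repaired; suspicious files are only reported.

```python
"""Scan a WordPress tree for injected PHP in every index.php.

Added example, not the provider's own script. Known infections (matched by
constructed placeholder markers) are copied to quarantine and stripped;
suspicious-looking files are reported for manual review and left untouched.
"""
import re
import shutil
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-in for the injected block's signature. The real payload is
# not on the page, so these marker comments are placeholders only.
KNOWN_BAD = re.compile(
    r"<\?php\s*/\*\s*INJECTED-PLACEHOLDER-START\s*\*/.*?"
    r"/\*\s*INJECTED-PLACEHOLDER-END\s*\*/\s*\?>\r?\n?",
    re.DOTALL,
)

# Assumed heuristics for "looks fishy": reported to a human, never auto-edited.
SUSPICIOUS = [
    re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
]


@dataclass
class Finding:
    path: str        # path relative to the scanned root, POSIX separators
    kind: str        # "known" (auto-fixable) or "suspicious" (manual review)
    fixed: bool = False


def classify(text: str):
    """Return 'known', 'suspicious' or None for the contents of one file."""
    if KNOWN_BAD.search(text):
        return "known"
    if any(p.search(text) for p in SUSPICIOUS):
        return "suspicious"
    return None


def remove_known(text: str) -> str:
    """Strip every copy of the known injected block, leaving the rest intact."""
    return KNOWN_BAD.sub("", text)


def scan_tree(root, fix=False, quarantine_dir=None):
    """Inspect every index.php under `root`; repair known infections if `fix`."""
    root = Path(root)
    findings = []
    # Materialise the file list first so quarantine copies written during the
    # walk are never picked up by the same run.
    for path in list(root.rglob("index.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        kind = classify(text)
        if kind is None:
            continue
        rel = path.relative_to(root).as_posix()
        finding = Finding(rel, kind)
        if kind == "known" and fix:
            if quarantine_dir is not None:
                # Keep the infected original for forensics before touching it.
                q = Path(quarantine_dir) / rel.replace("/", "__")
                q.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, q)
            path.write_text(remove_known(text), encoding="utf-8")
            finding.fixed = True
        findings.append(finding)
    return findings


def report(findings) -> str:
    """Build the text an operator would be emailed; empty string when clean."""
    if not findings:
        return ""
    lines = []
    for f in sorted(findings, key=lambda f: f.path):
        status = "auto-fixed" if f.fixed else "NEEDS MANUAL REVIEW"
        lines.append(f"[{f.kind}] {f.path}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    body = report(scan_tree(target, fix="--fix" in sys.argv))
    if body:
        print(body)  # a cron wrapper would mail this instead of printing it
```

Run it from cron as `python scan.py /var/www/site --fix` and pipe any output to mail; an empty report means nothing was found. Quarantining before editing matters because the repaired file no longer shows what was injected, and the copy is what an investigation will want.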
We believe these measures will permanently fix this particular attack, and will assist us in proactively discovering and fixing similar types of attacks in the future.
Thank you, and please contact us if you have further questions or concerns.