• Hi,
    I have the following problem:
    All the .php pages on my website have been hacked. Suspicious code has been inserted on the first line of my WordPress website. I have changed all the user access passwords and database passwords and users and installed a new version (the last version, 3.9.1)… It is very strange. The php files from my installation have 0644 rights access on Linux. The hosting is offered by hostmonster.com… I think it is something with their security access. Did somebody have the same issue?

    The inserted code is:
    [removed]

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter bogdanUlea

    (@bogdanulea)

    Sorry, I didn’t read the line: Put code in between backticks. 🙂 I will put it again [removed]

    Karan

    (@karankhanna)

    You got hacked mate! This happened to me once. Really hard to get the code out of them but apparently they were sending out spam emails. It has a $_POST somewhere in there and mail. So whatever content, emails etc they post and it will send the emails from your server.

    If you are on a VPN, be sure to check for these spam emails otherwise your IP will be blacklisted.
    This generally happens due to a badly coded plugin.
    The only solution is to restore a backup of the files or clean each of these files manually. But be sure to check all the plugins for unsafe or non-standard code.
    Good luck!

    Just had the same thing happen to me! Not resolved yet and not sure how it happened!

    I could be wrong but it looks like this infection to me:

    http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

    http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html

    The infector code is very buggy and breaks almost every single file that it infects, and it’s a big pain because the code is designed to infect every PHP file that it can get its grubby hands on.

    If you do not have a recent/clean backup of the site I find that the most efficient way to clear this infection is to manually replace all files with fresh copies. This is much faster than manually removing the code from every single file.

    Consider it a nice opportunity to update all your software 🙂

    Basically, you’ll just need to replace your WordPress core files, plugin files and theme files, after that it should be good to go, but don’t forget to change all your passwords!!!

    Also, with this infection it seems to create an admin user with the value of 100101 or something like that. Make sure that you purge this user from your WordPress users list.

    Just happened again – I had Wordfence activated and malicious scripts and all plugins were up to date!!

    It’s pretty annoying

    (I don’t think it’s a good idea to post malware php code. Can a moderator remove these lines?)

    arghh, so do with my site. http://pastebin.com/QKyQrg37
    @_@ now I’m subscribing to this post, maybe it will solve my problem too

    but I don’t use that MailPoet –a and these plugins that used http://prntscr.com/4l1ilv, any thought maybe that related with exploit?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    This infection used to regain access just through a single added wp-admin user, however newer variants tend to be coupled with a backdoor. Every PHP file has both the malicious script and backdoor injected together. If you miss a single file then your site will get reinfected 🙁

    @montaingoat are you using shared hosting? Your site might just be getting infected by any other sites with write access or sharing the same directory.

  • The topic ‘Hacked code inserted in all the php files from my website’ is closed to new replies.
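
Added example, not part of the thread and not code from any poster: since the replies stress that one missed file leads to reinfection, this Python sketch compares every `.php` file in a site tree against a freshly unpacked clean copy of the same versions and lists files that differ or have no clean counterpart. The names `audit_php` and `demo`, the directory layout, and the injected-line placeholder are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_php(site_dir, clean_dir):
    """Compare each .php file under site_dir with the same relative path
    under clean_dir (fresh copies of core, plugins and themes)."""
    site, clean = Path(site_dir), Path(clean_dir)
    report = {"modified": [], "unknown": [], "first_line_len": {}}
    for path in sorted(site.rglob("*.php")):
        rel = path.relative_to(site).as_posix()
        ref = clean / rel
        if not ref.is_file():
            report["unknown"].append(rel)      # no clean counterpart
        elif sha256(path) != sha256(ref):
            report["modified"].append(rel)     # content differs from clean copy
        else:
            continue                           # byte-identical, nothing to report
        # The thread describes code inserted on the first line, so record
        # its length as a hint for manual review of flagged files.
        first = path.read_bytes().split(b"\n", 1)[0]
        report["first_line_len"][rel] = len(first)
    return report

def demo():
    """Build two small constructed trees (not real WordPress files) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        original = "<?php\nrequire 'wp-blog-header.php';\n"
        for root in (site, clean):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text(original)
            (root / "wp-includes" / "version.php").write_text("<?php\n$v = 'x';\n")
        # Constructed stand-in for an injected first line (a harmless comment)
        (site / "index.php").write_text("<?php /* INJECTED-PLACEHOLDER */ ?>" + original)
        (site / "wp-includes" / "extra.php").write_text("<?php /* not in clean copy */\n")
        return audit_php(site, clean)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Files that legitimately exist only on the live site, such as `wp-config.php`, also appear under `unknown` and need a manual look rather than automatic deletion.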