Fix Mailpoet / WYSIJA break in

A WordPress instance that I maintain was affected by a security vulnerability recently discovered in Mailpoet. As so often, Mailpoet was not even being used on that page, but was installed and active anyways.

Through the vulnerability attackers managed to store about 10 new files all containing similar code on the server and in addition, manipulated all php files that they had write access to (good thing the server isn’t running as root or anything – that would have been a real problem).

I discovered that all files were manipulated in a similar way, some obfuscated code was injected into the first line, always containing the keyword “yhvobwawyd”. This might be specific to our instance, or apply globally.

Since the attackers managed to manipulate several thousand files, I quickly wrote a script that would remove these “infected” first lines:

$ grep -l yhvobwawyd * -R | xargs -i sh -c "echo {} && sed -i '1 s/^.*$/<?php/' \"{}\";"

The script searches for the keyword and replaces the first line of all matching files with a standard <?php opening tag. Please add your comments here or on the gist on github.

Thought, someone might find this useful.