I have 5 instances on Google Cloud, all running WordPress by Bitnami. At 11am today, all websites became inaccessible. That's weird because I didn't alter anything, and suddenly not one website but all of them went down at the same time. I tried to stop and start the instances again; nothing worked. SSH and FTP are still accessible. I created a new instance with a fresh WordPress, and it is working. Any idea what happened?
**Case resolved. Malware found in the plugin directory. Please read my answer below for more info.**
I found that the issue is not due to the Google Cloud server. After hours of investigation, I found a malware plugin file sitting inside my WordPress plugin folder. After renaming it, all my websites are up and running. I don't know how this plugin got into my WordPress directory. The malware details are as follows:

Plugin Name: Custom Code
Description: show cusom ad codes with many options .
Author: Alberto Uozumi
Version: 1.0

It hides from the plugin menu, so you can't deactivate or delete it in WordPress. It is not a folder-type plugin; it appears as a single file, "ccode.php", in the plugin directory.
I think this malware had been in my WordPress directory for a long time. After checking the code, I noted that it secretly serves ads to the website's new visitors. This function is hidden if you are logged in or are an admin. I had customers complain to me earlier, but I didn't see any pop-ups from my end, so I just ignored them. I didn't expect this to happen.
This malware also has an auto-update feature. I think it updated itself at 11 am today but ran into a coding mistake or compatibility issue, so all my websites went down at the same time. It also has a line of code to hide the error message caused by the plugin, which is why I didn't receive any error message.
I hope my finding is helpful to the community.
This is likely due to using a nulled template or plugin. I have seen exactly the same thing on a few sites I maintain with nulled plugins. Always check the error.log first, as this will point to the error immediately. If you can't locate the compromised plugin, you can have a cron job delete the wp-content/plugins/ccode.php file every hour, or clear the contents of the file and make it read-only.
Edit: it also created a file in the same folder called admin_ips.txt that it uses.
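Both answers above point at the same symptom: a plugin that is a single loose file in wp-content/plugins rather than a directory, plus a companion admin_ips.txt, and code that suppresses PHP error output so the fatal error never reached the screen. The script below is an added example, not code from either poster: it lists loose files in a plugins directory, flags the two file names named in the thread and (as a heuristic that is an assumption, since the thread does not show the plugin's code) any file that turns off error reporting, and quarantines by renaming plus chmod 000 instead of deleting, so the file survives for review and WordPress can no longer include it. The sample directory and file contents it builds are constructed for illustration only.

```shell
#!/bin/sh
# Added example: audit a WordPress plugins directory for loose single-file
# plugins like the ccode.php described in the thread. Not the posters' code.
# All paths and sample contents below are constructed for this illustration.

# Print every regular file sitting directly in the plugins directory.
# Real plugins are almost always directories; WordPress ships only hello.php
# as a single-file plugin and index.php as a placeholder, so anything else at
# this level deserves a look. Already-quarantined files are skipped.
list_loose_plugin_files() {
    find "$1" -maxdepth 1 -type f ! -name 'index.php' ! -name 'hello.php' \
        ! -name '*.quarantined' | sort
}

# Known indicators named in the thread.
is_known_indicator() {
    case "$(basename "$1")" in
        ccode.php|admin_ips.txt) return 0 ;;
        *) return 1 ;;
    esac
}

# Heuristic (assumption, the thread does not show the code): a plugin that
# silences PHP error output is how a fatal error stays invisible to the admin.
suppresses_errors() {
    grep -Eq 'error_reporting\( *0 *\)|display_errors' "$1" 2>/dev/null
}

# One line per loose file: reason(s), a tab, then the file name.
scan_plugins_dir() {
    list_loose_plugin_files "$1" | while IFS= read -r f; do
        reasons=""
        is_known_indicator "$f" && reasons="known-indicator"
        suppresses_errors "$f" && reasons="${reasons:+$reasons,}suppresses-errors"
        [ -z "$reasons" ] && reasons="loose-file"
        printf '%s\t%s\n' "$reasons" "$(basename "$f")"
    done
}

# Quarantine rather than delete: the new name no longer ends in .php, so
# WordPress never includes it, and mode 000 keeps other code from reading it.
quarantine_file() {
    mv "$1" "$1.quarantined" && chmod 000 "$1.quarantined"
}

# Build a constructed sample plugins directory (not a real site) for the demo.
make_sample_plugins_dir() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/akismet"
    printf '<?php // legitimate plugin lives in its own directory\n' > "$dir/akismet/akismet.php"
    printf '<?php // Silence is golden.\n' > "$dir/index.php"
    # Constructed stand-in for the rogue single-file plugin from the thread.
    printf '<?php\n/* Plugin Name: Custom Code */\n@ini_set("display_errors", 0);\nerror_reporting(0);\n' > "$dir/ccode.php"
    printf '203.0.113.5\n' > "$dir/admin_ips.txt"   # constructed companion file
    echo "$dir"
}

# Demo: scan the sample directory, quarantine everything flagged for a reason
# stronger than merely being a loose file, then show the result and clean up.
sample="$(make_sample_plugins_dir)"
echo "Scan of $sample:"
scan_plugins_dir "$sample"
scan_plugins_dir "$sample" | awk -F'\t' '$1 != "loose-file" {print $2}' |
while IFS= read -r name; do
    quarantine_file "$sample/$name"
done
echo "After quarantine:"
ls -l "$sample"
rm -rf "$sample"
```

On a real Bitnami install the plugins directory is the site's wp-content/plugins; run the scan first, review what it lists, and only then quarantine, because a legitimate single-file plugin would also show up as `loose-file`. Pair this with the error.log check from the answer above: the quarantined file is what you read to understand what the plugin was doing.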