@andersevenrud
Created March 5, 2016 19:37
wordpress-hack.md

WordPress is a very popular target for hackers. They normally get in through holes in plugins, themes or WordPress core.

Prevention methods

An up-to-date installation (including plugins and themes) is crucial!

Hardening WordPress is sadly not a part of the standard installation documentation, but there is a guide available in the "codex": http://codex.wordpress.org/Hardening_WordPress

Removing unused plugins and users, and setting htpasswd and/or IP whitelisting on wp-admin, should also be considered.

Detecting and removing Malicious files

The files are usually pretty easy to find because their code style and file naming do not follow the conventions of the rest of the installation. The code also usually contains compressed and/or encoded data, which makes it stand out.

Some hacks actually inject code into files that are a part of the installation. Do not remove these. Modify them or replace them with the originals.

These commands might come in handy:


# If the hack was recent, check files modified within the last day
$ find . -mtime 0

# Some hacks are nice enough to include a comment marking where a block starts/ends (ex: //istart)
# (-print0 / -0 keep file names containing spaces intact)
$ find . -type f -name "*.php" -print0 | xargs -0 grep -H "istart"

# Normally files with hacks use base64 encoded data in an attempt to hide code
$ find . -type f -name "*.php" -print0 | xargs -0 grep -H "base64_decode"

# Eval-ing of code is usually a sign of something naughty (although lots of plugins etc. use this)
$ find . -type f -name "*.php" -print0 | xargs -0 grep -H "eval("

# Sometimes PHP files are "hidden" inside the JavaScript assets folder
$ find wp-includes/js -type f -name "*.php"
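
The checks above folded into one pass, as an added example that is not part of the original gist. The reason labels, the `*.php*` glob (widened to catch names such as `.php5`) and the inclusion of `wp-content/uploads` are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original gist): one-pass triage of a WordPress
# tree. Prints "REASON<TAB>path" per finding. Findings are leads to review by
# hand: legitimate plugins also use eval() and base64_decode(), and any PHP
# file found under an asset directory should be compared with a pristine copy.

TAB=$(printf '\t')

# flag_content ROOT REASON STRING: PHP-like files containing a fixed string.
flag_content() {
    find "$1" -type f -name '*.php*' -exec grep -lF -e "$3" {} + |
        sed "s/^/$2$TAB/"
}

# scan_wp ROOT [DAYS]: DAYS is the "recently modified" window
# (default 1, which matches `find -mtime 0`).
scan_wp() {
    root=${1:-.}
    days=${2:-1}

    # PHP is out of place in script assets and in the uploads directory.
    for dir in wp-includes/js wp-content/uploads; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type f -name '*.php*' |
            sed "s/^/PHP_IN_ASSET_DIR$TAB/"
    done

    flag_content "$root" INJECT_MARKER '//istart'
    flag_content "$root" BASE64_DECODE 'base64_decode'
    flag_content "$root" EVAL 'eval('

    # Recently changed PHP files, to correlate with the hits above.
    find "$root" -type f -name '*.php*' -mtime "-$days" |
        sed "s/^/RECENTLY_MODIFIED$TAB/"
}

# Run against a docroot when called with an argument: sh scan.sh ~/www
if [ "$#" -gt 0 ]; then
    scan_wp "$@" | sort
fi
```

A file that appears under several reasons (for example both `EVAL` and `RECENTLY_MODIFIED`) is the one to open first.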

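Another method would be to use git to compare the installation against a pristine copy of WordPress. The downloaded release has to match the installed version, otherwise every core file that changed between releases shows up as modified: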


$ cd ~
$ mkdir wordpress-tmp
$ cd wordpress-tmp
$ wget https://wordpress.org/latest.tar.gz
$ tar zxvf latest.tar.gz
$ cd wordpress
$ git init && git add . && git commit -a -m "Initial commit"
$ cd ~/www
$ mv ~/wordpress-tmp/wordpress/.git .

# List all modifications and additions/deletions
$ git status

# Check if there are any suspicious things in there
$ git diff name/of/file

# Revert to original
$ git checkout -- name/of/file

# When you are done, remove .git
$ rm -rf .git

Here are some files commonly used by these hacks:


# Hijacked files:

wp-content/themes/genesis/footer.php
wp-content/themes/twentytwelve/footer.php
wp-content/themes/enfold/footer.php
wp-content/themes/twentyfourteen/footer.php
wp-content/themes/twentythirteen/footer.php
wp-includes/nav-menu.php

# Uploads:

wp-content/themes/bco/phpini.php 
wp-content/plugins/press.php 
wp-includes/SimplePie/Decode/blog.php 
wp-includes/js/tinymce/themes/ajax85.php 
wp-content/plugins/types/marketing/general31.php
wp-admin/css/colors/ectoplasm/help.php 
wp-content/uploads/03.php.
wp-content/OrIvVFnnhLA.php 
wp-content/xhl8dNm.php 
wp-content/s2.php 
wp-content/s.txt 
wp-content/plugins/simple-history/inc/object.php 
wp-includes/SimplePie/config.php 
wp-includes/js/tinymce/cache.php 
wp-includes/js/tinymce/leftpanelsin.php 
wp-includes/js/tinymce/themes/modern/menu.php 
wp-includes/js/tinymce/langs/footer.php 
wp-includes/pomo.php 
wp-includes/cache_checkexpress.php 

# Common filename patterns:
sed254w5A
_input_1_wp_user.php5
