@sandys
Created July 14, 2015 22:54
cleaning malware from wordpress

Look for any outbound port 80 connections with:

lsof -i :80

You will see your own apache server in that list too, but keep an eye for other stuff.

Usually, attacks like this are very obvious in the output of:

ps faux

If you see suspiciously named user processes, use:

lsof -p $PID

To list files whose status (content or metadata) changed within the last 10 days:

find ./ -ctime -10

To find *.php files that have been modified between two periods in time:

find . -name '*.php' -newermt 2014-08-27 ! -newermt 2014-08-30

Find and remove *.php files (for example in a folder they do not belong in, like your uploads folder). Warning! Dangerous! Make sure you are in the wp-content/uploads folder first!

find . -name '*.php' -exec rm -rf {} \;

Or if you want to run this in the root of several sites (NUL-separated so file names containing spaces survive the pipeline):

find . -name '*.php' -print0 | grep -z "wp-content/uploads" | xargs -0 rm

One of the hacks I've found ran '/usr/bin/host' preloading a hacked library. Nasty (but creative) stuff. I used this command to find all PHP files that contained the '/usr/bin/host' string:

grep -ri --include=*.php "/usr/bin/host" ./
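As an added example (not from the original gist), the "strip PHP from uploads" and "grep for a marker string" steps above wrapped into a POSIX sh script that is dry-run by default and never pipes file names through a line-oriented tool. The find -path/-exec ... + and grep -r/--include options are assumptions about a GNU or BSD userland, and the sample tree it builds is constructed data, not a real site.

```shell
#!/bin/sh
# Added example, not part of the original gist. It wraps the "strip PHP from
# uploads" and "grep for a marker string" steps in a dry-run-first script.
# Assumptions (not from the gist): find supports -path and '-exec ... +',
# grep supports -r and --include; both hold for GNU and BSD userlands.

# Print every PHP file below $1 that sits under a wp-content/uploads directory.
# One path per line, for a human to read; removal uses find -exec directly so
# odd file names (spaces, newlines) cannot break it.
list_upload_php() {
    find "$1" -path '*/wp-content/uploads/*' -name '*.php' -type f
}

# Count those files robustly: one '.' per hit, independent of file-name quirks.
count_upload_php() {
    find "$1" -path '*/wp-content/uploads/*' -name '*.php' -type f \
        -exec printf . \; | wc -c | tr -d ' '
}

# Count PHP files below $1 that contain the fixed string $2: the gist's
# '/usr/bin/host' check generalised to any marker string.
count_marker_php() {
    grep -rlF --include='*.php' -- "$2" "$1" | wc -l | tr -d ' '
}

# Remove the uploads PHP files. Refuses unless $2 is literally "delete", so a
# mistyped invocation only lists the candidates instead of destroying them.
purge_upload_php() {
    if [ "$2" != "delete" ]; then
        echo "dry run; would remove:" >&2
        list_upload_php "$1" >&2
        return 1
    fi
    find "$1" -path '*/wp-content/uploads/*' -name '*.php' -type f \
        -exec rm -f -- {} +
}

# Build a constructed sample tree (sample data, not a real site) in a temp
# directory and print its path.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2015/07" "$site/wp-content/plugins/demo"
    : > "$site/wp-content/uploads/2015/07/photo.jpg"          # fine
    : > "$site/wp-content/uploads/2015/07/dropped file.php"   # suspect
    : > "$site/wp-content/uploads/avatar.php"                 # suspect
    : > "$site/wp-content/plugins/demo/demo.php"              # legitimate
    : > "$site/wp-config.php"                                 # legitimate
    # a plugin file carrying the marker string, in a comment only
    printf '<?php // constructed marker: /usr/bin/host\n' \
        > "$site/wp-content/plugins/demo/inc.php"
    printf '%s\n' "$site"
}

# Stand-alone usage: report on the sample tree, then purge only when asked.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_site)
    echo "uploads PHP files: $(count_upload_php "$root")"
    echo "files with marker: $(count_marker_php "$root" '/usr/bin/host')"
    purge_upload_php "$root" || true          # dry run, refuses
    purge_upload_php "$root" delete           # explicit opt-in
    echo "after purge:       $(count_upload_php "$root")"
    rm -rf "$root"
fi
```

Run it with `sh script.sh --demo` against the built-in sample tree, or source it and call `purge_upload_php /var/www/site` to get the dry-run listing for a real site root before adding the `delete` argument. Against a site that follows WordPress conventions a PHP file under wp-content/uploads is always worth a look, but the script deliberately leaves the decision (and the `delete` word) to the operator.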

Sometimes you need to find out what a certain process (one that is taking too much CPU, for example) is doing:

strace -p PID

This filters it down to open and close system calls, raises the maximum printed string length to 80 chars and dumps the output to a file:

strace -e open,close -s 80 -o log.txt -p PID
