Two techniques to scan your WordPress installation and check if you’re hacked.

News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I just helped another target of the timthumb.php vulnerability to clean their machine. The method the hacker used to hide their tracks was a little different from what I’ve seen in the past, so I wanted to mention it here and let you know how to scan for it.

As I previously mentioned, the method I’ve seen hackers use to hide their source code is to base64-encode it and then use base64_decode and eval() in PHP to execute the code at runtime.

You can scan for base64 decoding by getting a shell on your WordPress server and running the following in the root of the WordPress installation directory:

grep -r base64_decode *

Keep in mind that some files that are not hacked will show up, like the newest version of timthumb.php which includes a base64 encoded image. But this is a good starting point to get a list of files that warrant further inspection.

The hack I saw today was different. The hacker used hexadecimal escaping to hide their tracks. They didn’t just encode hostnames and other things that a security analyst would obviously search for. They also encoded individual JavaScript commands and strings containing HTML element names.

You can use this Perl-compatible regular expression to search for hex-encoded data in your JavaScript. Again, run this in a shell in the WordPress root installation directory:

grep -rP "(?:\\\\x[A-F0-9]{2}){5}" *

This will search for runs of at least 5 consecutive hex escapes of the form \xHH, i.e. 5 hex-encoded bytes in a row. You may get some false positives like class-simplepie.php. But again, this will give you a list of files that require closer inspection.

The file that was infected today was wp-includes/js/l10n.js. The attacker had appended hex-encoded JavaScript to it. You can see what a normal file looks like here.
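The two greps above, combined into one small scanner as an added example that is not code from the original post. It lists file names only, filters out the two files the post names as expected benign matches (verify those separately against a known-good copy rather than trusting the filter), and writes the hex pattern as POSIX ERE for grep -E, so it also works on systems whose grep lacks the -P option; it also accepts lowercase hex digits, which the post's pattern does not. The make_sample_tree fixture is constructed data for trying it offline, not a real infection.

```shell
#!/bin/sh
# Added example, not code from the original post: run both checks from the
# post over a WordPress tree in one pass, print file names only, and use
# POSIX ERE (grep -E) instead of PCRE (-P) so it works on greps without -P.
# Usage: sh scan_wp.sh /path/to/wordpress

# Indicator 1: runtime decoding of base64 blobs (the post's first grep).
BASE64_PATTERN='base64_decode'
# Indicator 2: five or more consecutive \xHH escapes (the post's PCRE written
# as ERE: a literal backslash, an x, two hex digits; lowercase allowed too).
HEX_PATTERN='(\\x[A-Fa-f0-9]{2}){5}'
# Files the post names as expected benign matches. They are dropped from the
# first pass so what is left warrants hand inspection; compare the dropped
# files against a clean copy of the same version separately.
KNOWN_BENIGN='timthumb\.php|class-simplepie\.php'

# Print the unique paths under $1 that match either indicator.
scan_wp_dir() {
    {
        # -r recurse, -l file names only, -I skip binary files, -E use ERE
        grep -rlIE "$BASE64_PATTERN" "$1" 2>/dev/null
        grep -rlIE "$HEX_PATTERN" "$1" 2>/dev/null
    } | sort -u | grep -Ev "/($KNOWN_BENIGN)$"
}

# Build a small constructed tree (sample data, not a real infection) so the
# scanner can be exercised offline: two files that should be reported, two
# known-benign matches that should be filtered out, one clean file.
make_sample_tree() {
    mkdir -p "$1/wp-includes/js" "$1/wp-content/plugins/demo" "$1/wp-content/themes/demo"
    # five hex escapes spelling "hello": the pattern the post's second grep finds
    printf 'var s = "\\x68\\x65\\x6c\\x6c\\x6f";\n' > "$1/wp-includes/js/l10n.js"
    printf '<?php $d = base64_decode($blob);\n' > "$1/wp-content/plugins/demo/helper.php"
    # benign use named in the post: an embedded base64 image
    printf '<?php $img = base64_decode("iVBORw0KGgo=");\n' > "$1/wp-content/themes/demo/timthumb.php"
    printf 'return "\\x3c\\x62\\x72\\x3e\\x3c";\n' > "$1/wp-includes/class-simplepie.php"
    printf '<?php require "wp-blog-header.php";\n' > "$1/index.php"
}

if [ $# -gt 0 ]; then
    scan_wp_dir "$1"
fi
```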

If you’ve been hacked, or suspect you’ve been hacked, drop me an email at mmaunder at gmail. I charge a very reasonable consulting rate and it usually takes 1 to 3 hours to fix the system and harden up permissions to prevent future attacks.

83 thoughts on “Two techniques to scan your WordPress installation and check if you’re hacked.”

  32. Awesome! WordPress trouble shooting is difficult enough as it is. Using grep sure made this process easy for me. Thanks for the help!

  36. hi, i have the vbs trojan malware, and this is my second clean install of wordpress, redoing all my passwords, ftp passwords. how much do you charge for removal?

  37. How much to clean this website and strengthen security (http://www.psestainless.com.au/)? Can you give me a maximum cost for a worst case scenario.

    Had the timthumb script on an elegant themes theme. Have tried to fix it but since I have made a lot of small changes to the pages and styles over months I don’t want to have to figure that out again.

    Cheers
    Peter

  38. Hi there, I have a question. my site http://www.la-juice.com (a word press blog on thesis theme) was hacked today. I contacted my web host, they told me to change all my passwords (I did) and they said they’d run a scan of my site files ( do not know the results). So in the meantime I began to back up everything that I know to back up: WP export, copy of FTP folders, SQL databases ( I also have other back ups of my sql databases and my WP export, which I performed last week). I am pretty sure this was a hack derived from breach of my WP password, and from what I have read, reinstalling wordpress from scratch seems to be the smartest option for people like me. The main things I am worried about are (1) whether I have done all the right/possible back ups, and (2) how to avoid restoring a backed up WP export file that that has a modified or hacked file or installing a virus. Am I worried about nothing? Any advice?

    • Sure, if you want to exclude something from the output of any unix command, simply add this at the end:

      | grep -v exclude-this

      that pipes the output to another grep command and the -v tells grep to exclude the string “exclude-this”.

  39. I tried using the second one

    “grep -rP "(?:\\\\x[A-F0-9]{2}){5}" *”

    But I get an error message saying the -P option is not supported.

    Is there another way to search for the hex code?

  40. I found similar code in the same file (wp-includes/js/l10n.js) and removed it; either I just got “lucky” that I was infected in the same way as your client, or else the attacker(s) aren’t particularly innovative or original.

    Either way, thanks for pointing out that file in particular; it proved to be an issue, and I have corrected it on my site. Hopefully, this means the issues I’ve been having are now gone…though I’m still running the grep searches anyway.

    • Sigh, sorry. Anyway, my site actually got hacked. People were seeing warning notes from certain browsers, and sometimes I’d get redirected when I tried to log into my dashboard. I updated my timthumb.php to the newest version, and my site is now showing up malware-free at sucuri.net. However, I ran the base64 grep on my wordpress installation and there’s still code everywhere. It’s definitely the malware code…dozens of lines of gibberish. So, am I still vulnerable? What should I do about all the code that’s already been injected? Thanks!

      • That’s a tough one. I cleaned several sites that have been hacked like this but I charge for the service. I would contact your web dev and either clean each file by hand or the safest is to do a full reinstall of WordPress. Best of luck!

        • Thanks Mark! I actually emailed you about rates, but…I think I might be ok. I dug into the grep results, and it injected code into the footer of a bunch of themes I had, that I wasn’t using. I deleted all those themes, and reran the grep, and don’t find anything suspicious. LOTS of timthumb.php files that I’ll need to manually replace though. I will ping you back if I get stumped and decide to hire an expert. BTW…I didn’t read your site before, but you’ve got a new reader now!
