Two techniques to scan your WordPress installation and check if you’re hacked.

News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues.

I just helped another target of the timthumb.php vulnerability to clean their machine. The method the hacker used to hide their tracks was a little different to what I’ve seen in the past. So I wanted to mention it here and let you know how to scan for it.

As I previously mentioned, the method I’ve seen hackers use to hide their source code is to encode it using base64 encoding and then use base64_decode and eval() in PHP to execute the code at runtime.

You can scan for base64 decoding by getting a shell on your WordPress server and running the following in the root of the WordPress installation directory:

grep -r base64_decode *

Keep in mind that some files that are not hacked will show up, like the newest version of timthumb.php, which includes a base64 encoded image. But this is a good starting point for a list of files that warrant further inspection.

The hack I saw today was different. The hacker used hexadecimal escaping to hide their tracks. They didn’t just encode hostnames and other things a security analyst would obviously search for; they also encoded individual JavaScript commands and strings containing HTML element names.

You can use this Perl-compatible regular expression to search for hex encoded data in your JavaScript. Again, run this in a shell in the WordPress root installation directory:

grep -rP "(?:\\\\x[A-Fa-f0-9]{2}){5}" *

This will search for runs of at least five consecutive hex-escaped bytes (\xNN sequences). You may get some false positives like class-simplepie.php, but again, this will give you a list of files that require closer inspection.

The file that was infected today was wp-includes/js/l10n.js. The attacker had appended hex encoded JavaScript to it. You can see what a normal copy of that file looks like by comparing it against a fresh download of the same WordPress version.
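The following POSIX shell script is an added example, not code from the original post: it combines the two greps above into one scan, searches from a directory path rather than "*" so dotfiles such as .htaccess are covered, accepts lower-case as well as upper-case hex escapes, and uses grep -E instead of -P for systems where -P is unsupported. The sample tree it builds (file names, the "hello" payloads) is constructed and inert so the scan can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a WordPress tree for
# the two indicators described above using only POSIX grep -E (no -P).

# Indicator 1: a base64 blob decoded at runtime (typically fed to eval()).
BASE64_PATTERN='base64_decode'
# Indicator 2: five or more consecutive \xNN escapes, upper- or lower-case.
# In an ERE "\\" is one literal backslash, so this matches "\x" plus two hex
# digits; a class of only [A-F0-9] would miss lower-case escapes.
HEX_PATTERN='(\\x[A-Fa-f0-9]{2}){5}'

# report LABEL PATTERN DIR: print "LABEL path:count" for every file that
# contains PATTERN (grep -c counts matching lines; files with 0 are dropped).
report() {
  grep -rcE -- "$2" "$3" | grep -v ':0$' | sed "s/^/$1 /"
}

# wp_scan DIR [EXCLUDE_ERE]: scan DIR recursively. Passing a directory rather
# than "*" means dotfiles such as .htaccess are searched too. EXCLUDE_ERE
# optionally drops known false positives, e.g. 'timthumb\.php|class-simplepie\.php'.
# Returns 0 when nothing was found, 1 when at least one file needs a look.
wp_scan() {
  dir="${1:-.}"
  hits=$(report base64_decode "$BASE64_PATTERN" "$dir"
         report hex-escape "$HEX_PATTERN" "$dir")
  if [ -n "$2" ] && [ -n "$hits" ]; then
    hits=$(printf '%s\n' "$hits" | grep -vE -- "$2" || true)
  fi
  [ -n "$hits" ] && printf '%s\n' "$hits"
  [ -z "$hits" ]
}

# make_sample_tree DIR: constructed, inert fixtures for trying the scan offline.
make_sample_tree() {
  mkdir -p "$1/wp-includes/js"
  printf '<?php echo "clean"; ?>\n' > "$1/clean.php"
  # "aGVsbG8=" is base64 for the word "hello"; eval() of it does nothing useful.
  printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$1/hacked.php"
  # The same indicator in a dotfile, which a "*" glob never reaches.
  printf '<?php base64_decode("aGVsbG8=");\n' > "$1/.cache.php"
  # The word "hello" as lower-case hex escapes, the style seen in l10n.js.
  printf 'var s="\\x68\\x65\\x6c\\x6c\\x6f";\n' > "$1/wp-includes/js/l10n.js"
}

# Usage: make_sample_tree /tmp/wp-sample && wp_scan /tmp/wp-sample
```

Each output line is "indicator path:count", so it can be fed straight into the "| grep -v" filtering described in the comments below.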

If you’ve been hacked, or suspect you’ve been hacked, drop me an email at mmaunder at gmail. I charge a very reasonable consulting rate and it usually takes 1 to 3 hours to fix the system and harden up permissions to prevent future attacks.

54 thoughts on “Two techniques to scan your WordPress installation and check if you’re hacked.”

  1. Today, I went to the beach with my children. I found a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She placed the shell to her ear
    and screamed. There was a hermit crab inside and it pinched her ear.
    She never wants to go back! LoL I know this is totally
    off topic but I had to tell someone!

  2. “Burning fluid” or camphene, the most popular lamp fuel of the 1850s, consisted of turpentine distilled from wood, alcohol distilled from grains,
    and camphor oil, and sold for 50 cents a gallon.
    The best part about this is that you get to grow food
    yourself, thus are assured of its quality as well as its being chemical-free.
    If you want to grow delicate plants, make sure you give them a natural environment which may die
    if you put them outside the greenhouse due to extreme weather.

  3. Hey there, I think your website might be having browser compatibility issues.
    When I look at your blog site in IE, it looks fine but when opening in Internet Explorer,
    it has some overlapping. I just wanted to give you a quick heads up!
    Other than that, superb blog!

  4. s a bit of truth to the mostly fiction tales we were told as kids.
    “Methylcobalamin is required for the function of the folate-dependent enzyme, methionine synthase. Not much research has been done to prove that this is the case though.

  5. We are a gaggle of volunteers and starting a brand new
    scheme in our community. Your website offered us with valuable information to work on.

    You’ve performed a formidable process and our entire community
    shall be thankful to you.

  6. Unquestionably consider that which you stated.
    Your favorite reason seemed to be at the net the simplest factor to be aware of.
    I say to you, I certainly get annoyed even as other folks consider concerns
    that they plainly do not understand about. You controlled to hit the nail upon the highest and defined out the whole thing with no need side effect ,
    other folks can take a signal. Will likely
    be back to get more. Thanks

  7. Is it any wonder that the Iraqi Parliament may be
    unable to perform or be unwilling to perform its duties and obligations?

    That almost always is an excellent choice for anybody as long as you learn the right things
    that will make a difference. The concept of American Manifest Destiny is biblically-rooted, but also bitterly betrayed by those blessed and honored with the duty of
    fulfilling it, as a virtuously magnanimous example and inspiration to the world.

  8. I know this is off topic but I’m looking into starting my own blog and was curious what all is needed to get set
    up? I’m assuming having a blog like yours would cost a pretty penny?
    I’m not very web smart so I’m not 100% sure. Any suggestions or advice would be greatly
    appreciated. Cheers

  9. Usually I do not read posts on blogs, however I would like to say that this write-up very much forced me to do so!
    Your writing style has surprised me. Thank you, quite a great post.

  10. Oh my goodness! Amazing article dude! Many thanks,
    However I am having difficulties with your RSS.

    I don’t know the reason why I can’t join it. Is there anyone else getting identical RSS issues?
    Anyone that knows the solution will you kindly respond?

    Thanks!!

  11. Antarctica is attractive and dangerous because of the freezing and snowfall in Antarctica.
    Movies of your liking are barely a click away- literally
    and figuratively. The Xbox 360 game console lets members
    immediately discover movies & TV episodes streamed from Netflix for the Television.

  12. That is, every speck, every cobweb, every bit cleaning services bloomington in of
    dust off of a shelf. Earlier, these services were availed
    by only rich people, the home owner might ask friends who are currently cleaning
    services bloomington in enjoying similar situations or compare prices by actually calling cleaning services are heaven sent.
    Satisfying their customers is their first priority.
    In recent times, the agencies are also offering their service for the major portion of the
    dirt accumulates.

  13. I drove both the clutch-less “semi-automatic” and the manual
    version of this line. The Ferrari F40 possesses splendid style, shows excellent performance and handling and is one of the finest products of Ferrari.
    All of the standard safety and power systems are
    there across the line but the Spyder ST gets a fairing and riding
    position more like the RT (the touring model) as well as the option to add audio, cruise control, floor
    boards and factory panniers.

  14. The application, verification, along with the loan processing itself can make such a headache that it causes the applicant to shun
    the process entirely. Xavier Alexander is often a well known Financial Consultant.
    The denominator represents the amount of days in a year, which data is
    based mostly on what accrual basis the lender is using for the loan.

  15. This must not be too difficult, considering it’s the action’s second level-also it’s very easy.
    Check out my other Webkinz articles to get more
    codes. Escaping to a hidden place to chat to
    strangers such as car, garage, and basement is only suspicious.

  16. Awesome! WordPress trouble shooting is difficult enough as it is. Using grep sure made this process easy for me. Thanks for the help!

  17. I have been using it for approximately a week and a half, but it is nothing short of amazing! I still have my meals but a smaller portion. I have regular eating habits and I also do exercise, and I dropped 12lbs per month. Losing bodyweight isn’t so hard.

  18. I blog frequently and I seriously thank you for your content.
    This great article has really piqued my interest. I am going to take
    a note of your blog and keep checking for new information about once
    a week. I opted in for your RSS feed too.

  19. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I
    get four emails with the same comment. Is there any way you
    can remove people from that service? Appreciate it!

  20. Hi, I have the vbs trojan malware, and this is my second clean install of WordPress, redoing all my passwords, FTP passwords. How much do you charge for removal?

  21. How much to clean this website and strengthen security (http://www.psestainless.com.au/)? Can you give me a maximum cost for a worst case scenario?

    Had the timthumb script on an elegant themes theme. Have tried to fix it but since I have made a lot of small changes to the pages and styles over months I don’t want to have to figure that out again.

    Cheers
    Peter

  22. Hi there, I have a question. My site http://www.la-juice.com (a WordPress blog on the Thesis theme) was hacked today. I contacted my web host, they told me to change all my passwords (I did) and they said they’d run a scan of my site files (I do not know the results). So in the meantime I began to back up everything that I know to back up: WP export, copy of FTP folders, SQL databases (I also have other backups of my SQL databases and my WP export, which I performed last week). I am pretty sure this was a hack derived from a breach of my WP password, and from what I have read, reinstalling WordPress from scratch seems to be the smartest option for people like me. The main things I am worried about are (1) whether I have done all the right/possible backups, and (2) how to avoid restoring a backed up WP export file that has a modified or hacked file or installing a virus. Am I worried about nothing? Any advice?

    • Sure, if you want to exclude something from the output of any unix command, simply add this at the end:

      | grep -v exclude-this

      that pipes the output to another grep command and the -v tells grep to exclude the string “exclude-this”.

  23. I tried using the second one

    “grep -rP "(?:\\\\x[A-F0-9]{2}){5}" *”

    But I get an error message saying the -P option is not supported.

    Is there another way to search for the hex code?

  24. I found similar code in the same file (wp-includes/js/l10n.js) and removed it; either I just got “lucky” that I was infected in the same way as your client, or else the attacker(s) aren’t particularly innovative or original.

    Either way, thanks for pointing out that file in particular; it proved to be an issue, and I have corrected it on my site. Hopefully, this means the issues I’ve been having are now gone…though I’m still running the grep searches anyway.

    • Sigh, sorry. Anyway, my site actually got hacked. People were seeing warning notes from certain browsers, and sometimes I’d get redirected when I tried to log into my dashboard. I updated my timthumb.php to the newest version, and my site is now showing up malware-free at sucuri.net. However, I ran the base64 grep on my WordPress installation and there’s still code everywhere. It’s definitely the malware code…dozens of lines of gibberish. So, am I still vulnerable? What should I do about all the code that’s already been injected? Thanks!

      • That’s a tough one. I cleaned several sites that have been hacked like this but I charge for the service. I would contact your web dev and either clean each file by hand or the safest is to do a full reinstall of WordPress. Best of luck!

        • Thanks Mark! I actually emailed you about rates, but…I think I might be ok. I dug into the grep results, and it injected code into the footer of a bunch of themes I had, that I wasn’t using. I deleted all those themes, and reran the grep, and don’t find anything suspicious. LOTS of timthumb.php files that I’ll need to manually replace though. I will ping you back if I get stumped and decide to hire an expert. BTW…I didn’t read your site before, but you’ve got a new reader now!
