Two techniques to scan your WordPress installation and check if you’re hacked.

News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I just helped another victim of the timthumb.php vulnerability clean up their server. The method the attacker used to hide the injected code was a little different from what I've seen in the past, so I want to describe it here and show you how to scan for it.

As I mentioned previously, the method I've seen attackers use to hide their code is to base64-encode it and then call base64_decode() and eval() in PHP, so the encoded blob is turned back into code and executed at runtime. The infected file shows nothing recognisable, just a long run of base64 characters, which is exactly why it's more productive to search for the decode call than for the payload itself.

You can scan for calls to base64_decode by getting a shell on your WordPress server and running the following from the root of the WordPress installation:

grep -rn base64_decode .

Use `.` rather than `*` as the target: the shell glob `*` skips dot-files such as .htaccess, which is a favourite place for attackers to put redirects, and `-n` prints the line number so you can jump straight to each hit. Keep in mind that some legitimate files will show up, such as the newest version of timthumb.php, which contains a base64-encoded image. A line where eval( and base64_decode( appear together is far more suspicious than base64_decode on its own. Either way, this is a good starting point for a list of files that warrant closer inspection.

The hack I saw today was different. The attacker used JavaScript hexadecimal escapes (\x3c for <, \x69 for i, and so on) to hide their code. They didn't just encode hostnames and the other things a security analyst would obviously search for; they also encoded individual JavaScript statements and the strings holding HTML element names, so a search for something like "iframe" or "script" turns up nothing.

You can use the following Perl-compatible regular expression to search for runs of hex-escaped characters in your JavaScript (and PHP) files. Again, run this from a shell in the WordPress root directory:

grep -rnP '(?:\\x[0-9A-Fa-f]{2}){5}' .

This prints every line containing five consecutive \xHH escapes, i.e. five hex-encoded characters in a row. Normal code rarely contains that many; obfuscated code contains hundreds. The pattern is single-quoted so the shell passes the backslashes to grep untouched, the doubled backslash matches the literal backslash in the file, and the character class accepts lowercase hex because that is what most obfuscators emit. If your grep does not support -P (BSD and macOS grep, for example), switch to -E and drop the `?:` so the group reads `(\\x[0-9A-Fa-f]{2}){5}`; extended regular expressions handle the rest. You will get some false positives, class-simplepie.php among them, but again this gives you a list of files that need a closer look.

The file infected in today's case was wp-includes/js/l10n.js. The attacker had appended hex-escaped JavaScript to the end of it. Because this file is part of WordPress core, the quickest way to confirm tampering is to compare it against the copy in a fresh download of the same WordPress version: any difference is suspect, and the same comparison works for every other core file the scans flag.
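The two scans above combined into one script, as an added example that is not the original post's code: it walks the install the way `grep -r` does, flags files containing base64_decode (and the far more suspicious eval(base64_decode(...)) form) or runs of \xHH escapes, and then decodes each hit so you can see what the hidden string actually says before deciding whether it is malicious. The scanned file extensions, the sample files it builds in a temporary directory (a clean file, a benign timthumb.php, an infected theme footer and an infected l10n.js) and their payload strings are all constructed for the demonstration; only the two known-false-positive file names come from the post.

```python
"""Scan a WordPress tree for the two hiding techniques described above.

Added example, not the original post's code. It walks the install like
`grep -r`, flags files containing base64_decode (and the far more
suspicious eval(base64_decode(...)) form) or runs of \\xHH escapes, and
decodes each hit so the analyst sees what the obfuscated text says.
"""
import base64
import os
import re
import tempfile

# Five or more consecutive \xHH escapes. Lowercase hex is accepted because
# JavaScript obfuscators usually emit it; the post's pattern was uppercase only.
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){5,}')
# eval(base64_decode('...')) with optional whitespace and either quote style.
B64_EVAL = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]""")
B64_ANY = re.compile(r'base64_decode')

KNOWN_BENIGN = {'timthumb.php', 'class-simplepie.php'}  # noise the post mentions
SCAN_EXT = {'.php', '.js', '.html', '.htm', '.inc'}      # assumption: where code hides


def decode_hex_run(run):
    """Turn a run of \\xHH escapes back into the text the attacker hid."""
    hex_pairs = re.findall(r'\\x([0-9A-Fa-f]{2})', run)
    return bytes(int(h, 16) for h in hex_pairs).decode('latin-1')


def scan_text(text):
    """Return [(indicator, decoded preview), ...] for one file's contents."""
    findings = []
    m = B64_EVAL.search(text)
    if m:
        try:
            preview = base64.b64decode(m.group(1), validate=True).decode('latin-1')
        except ValueError:
            preview = '<undecodable>'
        findings.append(('eval(base64_decode)', preview[:80]))
    elif B64_ANY.search(text):
        findings.append(('base64_decode', ''))
    for m in HEX_RUN.finditer(text):
        findings.append(('hex-escape run', decode_hex_run(m.group(0))[:80]))
    return findings


def scan_tree(root):
    """Walk root and return {relative path: (tag, findings)} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='latin-1') as fh:  # latin-1 never fails on raw bytes
                findings = scan_text(fh.read())
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, '/')
                tag = 'known-benign?' if name in KNOWN_BENIGN else 'INSPECT'
                results[rel] = (tag, findings)
    return results


def hex_escape(text):
    """Encode text the way the attacker did; used to build the sample below."""
    return ''.join('\\x%02x' % b for b in text.encode('latin-1'))


def build_sample_tree(root):
    """Constructed sample files (not real malware): one clean file, one benign
    false positive, and two infected in the two ways the post describes."""
    php_payload = "echo 'pwned';"
    samples = {
        'wp-includes/js/jquery.js': "function f(){return 1;}\n",
        'timthumb.php': "<?php $img = base64_decode('R0lGODlh'); // embedded image\n",
        'wp-content/themes/old/footer.php': "<?php eval(base64_decode('%s')); ?>\n"
            % base64.b64encode(php_payload.encode()).decode(),
        'wp-includes/js/l10n.js': "var l10n = {};\neval('%s');\n"
            % hex_escape("document.write('<iframe')"),
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='latin-1') as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temporary directory, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == '__main__':
    for path, (tag, findings) in sorted(demo().items()):
        for indicator, preview in findings:
            print('%-13s %-36s %-20s %r' % (tag, path, indicator, preview))
```

To run it against a real install, call scan_tree('/path/to/wordpress') instead of demo(). The known-benign tag is a hint, not a verdict: an attacker can just as easily append a payload to timthumb.php, so those files still deserve the diff-against-a-clean-copy check, and the decoded preview is what tells you whether a hit is an embedded image or a document.write of an iframe.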

If you've been hacked, or suspect you have been, drop me an email at mmaunder at gmail. I charge a very reasonable consulting rate, and it usually takes 1 to 3 hours to clean the system and harden file permissions to prevent future attacks.

133 thoughts on “Two techniques to scan your WordPress installation and check if you’re hacked.”

  58. Awesome! WordPress trouble shooting is difficult enough as it is. Using grep sure made this process easy for me. Thanks for the help!

  62. Hi, I have the VBS trojan malware, and this is my second clean install of WordPress, redoing all my passwords, FTP passwords. How much do you charge for removal?

  63. How much to clean this website and strengthen security (http://www.psestainless.com.au/)? Can you give me a maximum cost for a worst-case scenario?

    Had the timthumb script on an Elegant Themes theme. I have tried to fix it, but since I have made a lot of small changes to the pages and styles over the months I don’t want to have to figure that out again.

    Cheers
    Peter

  64. Hi there, I have a question. My site http://www.la-juice.com (a WordPress blog on the Thesis theme) was hacked today. I contacted my web host; they told me to change all my passwords (I did) and they said they’d run a scan of my site files (I do not know the results). So in the meantime I began to back up everything that I know to back up: WP export, copy of FTP folders, SQL databases (I also have other backups of my SQL databases and my WP export, which I performed last week). I am pretty sure this was a hack derived from a breach of my WP password, and from what I have read, reinstalling WordPress from scratch seems to be the smartest option for people like me. The main things I am worried about are (1) whether I have done all the right/possible backups, and (2) how to avoid restoring a backed-up WP export file that has a modified or hacked file or installing a virus. Am I worried about nothing? Any advice?

    • Sure, if you want to exclude something from the output of any unix command, simply add this at the end:

      | grep -v exclude-this

      that pipes the output to another grep command and the -v tells grep to exclude the string “exclude-this”.

  65. I tried using the second one

    “grep -rP “(?:\\\\x[A-F0-9]{2}){5}” *”

    But I get an error message saying the -P option is not supported.

    Is there another way to search for the hex code?

  66. I found similar code in the same file (wp-includes/js/l10n.js) and removed it; either I just got “lucky” that I was infected in the same way as your client, or else the attacker(s) aren’t particularly innovative or original.

    Either way, thanks for pointing out that file in particular; it proved to be an issue, and I have corrected it on my site. Hopefully, this means the issues I’ve been having are now gone…though I’m still running the grep searches anyway.

    • Sigh, sorry. Anyway, my site actually got hacked. People were seeing warning notes from certain browsers, and sometimes I’d get redirected when I tried to log into my dashboard. I updated my timthumb.php to the newest version, and my site is now showing up malware-free at sucuri.net. However, I ran the base64 grep on my WordPress installation and there’s still code everywhere. It’s definitely the malware code…dozens of lines of gibberish. So, am I still vulnerable? What should I do about all the code that’s already been injected? Thanks!

      • That’s a tough one. I cleaned several sites that have been hacked like this but I charge for the service. I would contact your web dev and either clean each file by hand or the safest is to do a full reinstall of WordPress. Best of luck!

        • Thanks Mark! I actually emailed you about rates, but…I think I might be ok. I dug into the grep results, and it injected code into the footer of a bunch of themes I had, that I wasn’t using. I deleted all those themes, and reran the grep, and don’t find anything suspicious. LOTS of timthumb.php files that I’ll need to manually replace though. I will ping you back if I get stumped and decide to hire an expert. BTW…I didn’t read your site before, but you’ve got a new reader now!
