I just helped another target of the timthumb.php vulnerability to clean their machine. The method the hacker used to hide their tracks was a little different to what I’ve seen in the past. So I wanted to mention it here and let you know how to scan for it.
As I previously mentioned, the method I’ve seen hackers use to hide their source code is to encode it using base64 encoding and then use base64_decode and eval() in PHP to execute the code at runtime.
You can scan for base64 decoding by getting a shell on your WordPress server and running the following in the root of the WordPress installation directory:
grep -r base64_decode *
Keep in mind that some files that are not hacked will show up, like the newest version of timthumb.php which includes a base64 encoded image. But this is a good starting point to get a list of files that warrant further inspection.
The hack I saw today was different. The hacker used hexadecimal escaping to hide their tracks. They didn’t just encode hostnames and things that a security analyst would obviously search for. They also encoded individual javascript commands and strings containing HTML element names.
You can use this Perl-compatible regular expression (PCRE) to search for hex-encoded data in your JavaScript. Again, run this in a shell in the WordPress root installation directory:
grep -rP "(?:\\\\x[0-9a-fA-F]{2}){5}" *
This searches for runs of at least 5 consecutive hex-escaped bytes (each written as \xNN, in either upper or lower case). You may get some false positives, like class-simplepie.php, but again this gives you a list of files that require closer inspection.
The file that was infected today was wp-includes/js/l10n.js. The attacker had appended hex encoded javascript to it. You can see what a normal file looks like here.
If you’ve been hacked, or suspect you’ve been hacked, drop me an email at mmaunder at gmail. I charge a very reasonable consulting rate and it usually takes 1 to 3 hours to fix the system and harden up permissions to prevent future attacks.
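As an added example that is not the post's own code, the following Python combines the two grep checks above into one scanner: it flags base64_decode() (worse when wrapped in eval()), matches runs of five or more hex-escaped bytes regardless of case, and decodes each run so you can see what it hides. The list of known-noisy file names and the sample l10n.js line are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Mirrors the two grep searches in the post: PHP base64_decode() (worst when
# wrapped in eval()) and runs of five or more hex-escaped bytes such as
# \x3c\x73\x63 in JavaScript. Hex digits are matched case-insensitively.
BASE64_EVAL_RE = re.compile(r"\beval\s*\(\s*base64_decode\s*\(")
BASE64_RE = re.compile(r"base64_decode\s*\(")
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){5,}")

# Files the post names as expected false positives (assumed list). Hits in
# them are downgraded to "review" rather than dropped, so an injection
# appended to one of them is still reported.
KNOWN_NOISY = {"timthumb.php", "class-simplepie.php"}

def decode_hex_run(run):
    """Turn '\\x64\\x6f\\x63' into 'doc' so the analyst sees what was hidden."""
    return bytes.fromhex(run.replace("\\x", "")).decode("latin-1")

def scan_text(filename, text):
    """Return [(severity, reason, line_no, decoded_preview)] for one file."""
    noisy = Path(filename).name in KNOWN_NOISY
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if BASE64_EVAL_RE.search(line):
            findings.append(("high", "eval(base64_decode())", line_no, ""))
        elif BASE64_RE.search(line):
            findings.append(("review" if noisy else "medium",
                             "base64_decode()", line_no, ""))
        for m in HEX_RUN_RE.finditer(line):
            nbytes = len(m.group(0)) // 4          # each byte is 4 chars: \xNN
            findings.append(("review" if noisy else "high",
                             f"{nbytes} hex-escaped bytes", line_no,
                             decode_hex_run(m.group(0))[:40]))
    return findings

def scan_tree(root):
    """Walk a WordPress tree the way `grep -r` would; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".php", ".js"}:
            found = scan_text(path.name, path.read_text("utf-8", errors="replace"))
            if found:
                results[str(path)] = found
    return results

# Constructed sample (not from a real infection): a clean l10n.js line followed
# by an appended hex-escaped eval() whose string decodes to "document".
SAMPLE_L10N = ("function convertEntities(o){var c,v;}\n"
               "eval(\"\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\");\n")
```

Run scan_tree() from the WordPress root to get the same candidate list as the grep commands, with the decoded preview telling you at a glance whether a hex run spells out JavaScript or HTML element names.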
My WordPress site has been hacked 2 times in 2 days. I must try this, because I don't know what to do anymore.
How can I hire you to unhack my site. I keep removing all instances of base64 but it keeps coming back.
When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I
get four emails with the same comment. Is there any way you
can remove people from that service? Appreciate it!
Hi, I have the VBS trojan malware, and this is my second clean install of WordPress, redoing all my passwords, FTP passwords. How much do you charge for removal?
Can you please contact me at id.jprice@gmail.com. I would like to know what you charge to repair a hacked WordPress site. Thanks!
Jonathan
How much to clean this website and strengthen security (http://www.psestainless.com.au/)? Can you give me a maximum cost for a worst case scenario?
Had the timthumb script on an elegant themes theme. Have tried to fix it but since I have made a lot of small changes to the pages and styles over months I don’t want to have to figure that out again.
Cheers
Peter
I have a kosher recipe site. I am not technical at all. Can you help me? My links are being re-routed by Google. Thanks so much.
My site keeps getting rerouted and I have no idea how to fix it. Help! Please!
Hi there, I have a question. My site http://www.la-juice.com (a WordPress blog on the Thesis theme) was hacked today. I contacted my web host, they told me to change all my passwords (I did) and they said they'd run a scan of my site files (I do not know the results). So in the meantime I began to back up everything that I know to back up: WP export, copy of FTP folders, SQL databases (I also have other backups of my SQL databases and my WP export, which I performed last week). I am pretty sure this was a hack derived from a breach of my WP password, and from what I have read, reinstalling WordPress from scratch seems to be the smartest option for people like me. The main things I am worried about are (1) whether I have done all the right/possible backups, and (2) how to avoid restoring a backed up WP export file that has a modified or hacked file or installing a virus. Am I worried about nothing? Any advice?
Is there a way to take class-simplepie.php out of the scan results? It’s generating a ton of false positives for your grep command.
Thanks!
Sure, if you want to exclude something from the output of any unix command, simply add this at the end:
| grep -v exclude-this
That pipes the output to another grep command, and the -v tells grep to exclude the string "exclude-this".
I tried using the second one
grep -rP "(?:\\\\x[A-F0-9]{2}){5}" *
But I get an error message saying the -P option is not supported.
Is there another way to search for the hex code?
Doug, after posting that I realized that some folks don't have Perl-compatible regular expressions compiled into their version of grep. That's why you're getting that error. My fault.
So this should work for you:
grep -r "\(\\\\x[0-9a-fA-F]\{2\}\)\{5\}" *
Let me know because I don't have a non-PCRE grep to test this on.
Yes, that worked for me. Got all the SimplePie hits, so nothing strange.
Thanks Doug.
I found similar code in the same file (wp-includes/js/l10n.js) and removed it; either I just got "lucky" that I was infected in the same way as your client, or else the attacker(s) aren't particularly innovative or original.
Either way, thanks for pointing out that file in particular; it proved to be an issue, and I have corrected it on my site. Hopefully, this means the issues I’ve been having are now gone…though I’m still running the grep searches anyway.
It’s probably a worm, which explains the similarity.
Mark, thanks for the information you've posted so far. I have a question though.
Sigh, sorry. Anyway, my site actually got hacked. People were seeing warning notes from certain browsers, and sometimes I'd get redirected when I tried to log into my dashboard. I updated my timthumb.php to the newest version, and my site is now showing up malware-free at sucuri.net. However, I ran the base64 grep on my WordPress installation and there's still code everywhere. It's definitely the malware code…dozens of lines of gibberish. So, am I still vulnerable? What should I do about all the code that's already been injected? Thanks!
That's a tough one. I've cleaned several sites that have been hacked like this, but I charge for the service. I would contact your web dev and either clean each file by hand or, the safest option, do a full reinstall of WordPress. Best of luck!
Thanks Mark! I actually emailed you about rates, but…I think I might be ok. I dug into the grep results, and it injected code into the footer of a bunch of themes I had, that I wasn’t using. I deleted all those themes, and reran the grep, and don’t find anything suspicious. LOTS of timthumb.php files that I’ll need to manually replace though. I will ping you back if I get stumped and decide to hire an expert. BTW…I didn’t read your site before, but you’ve got a new reader now!
Welcome, welcome!
Sorry about not replying.