Canton Becker


How to search for ‘backdoors’ in a hacked WordPress site

If your WordPress site has been hacked, then you’ve probably already been advised to:

  1. Backup your WordPress database and wp-content directory
  2. Reinstall WordPress from scratch (the latest version, of course)
  3. Restore your database and wp-content directory

Next, you need to make sure there are no ‘backdoors’ installed in your wp-content directory. Here are a few tips. They all require that you have shell (SSH) access to your server, and at least a little familiarity with the command line.

If a backdoor has been installed on your site, it is almost certainly located in your wp-content directory. The reasoning behind this is that once you discover that your site has been hacked, you will most likely wipe out every single file on your server except for your wp-content directory, where your uploads, plugins, and themes are installed.

Begin your investigation by logging into your website via SSH and changing to your wp-content directory:

cd ~/public_html/wp-content

Here’s what to do next:

1. Search wp-content for every instance of an ‘eval’ command

grep -R eval * | more

A number of plugins have legitimate uses of the eval command, but if you see anything like this (especially at the very top of a .php file), or if you see an eval anywhere in your uploads or themes directories, then you should be suspicious. And if the argument to the eval is hidden inside a base64_decode and/or gzinflate call, as in the example below, then you’re definitely looking at a backdoor.

Actual example of backdoor hack inserted into the PodPress plugin


Really, the best thing to do regarding plugins is to delete your plugins directory, and reinstall your plugins from scratch.

2. Search the uploads directory for any .php files

find uploads -name "*.php" -print

There is absolutely no reason for a .php file to be living in your uploads directory. Delete any you find.

.php files should not be in your uploads directory


3. Delete any inactive themes

Backdoors may have been installed in your unused themes, so delete those, including the WordPress ‘default’ and ‘classic’ themes.

If you have a local copy of your theme, delete your themes directory altogether and re-upload your theme anew.

4. Investigate all recently modified files

While it’s possible to fake the modification time of files, many hackers won’t bother. What this means is that many backdoor exploits will have a timestamp that sets them apart from your regular files. In most cases, I advise running the following command from your html root directory (usually “public_html” or “www”):

find . -mtime -10 -print

Replace 10 with however many days you want to look back. I advise going back at least 14 days beyond when you are certain your site was hacked, since a vulnerable site may be compromised multiple times in the same time period.

What you are looking for is any files that you don’t remember uploading or updating (e.g. the footer.php file in your theme) or anything like what is described above (e.g. a PHP file living in your wp-content/uploads directory, or your wp-config.php file, where exploits are often inserted).
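The searches from steps 1, 2 and 4 combined into one script, as an added example that is not code from the original post; it also includes the preg_replace “/e” check that a commenter raises further down. The wp-content tree it audits is constructed on the fly for the demo (a throwaway temp directory with placeholder strings in the “backdoor” files), so it runs offline; point the functions at a real wp-content path instead.

```shell
#!/bin/sh
# Added example, not code from the original post: one script that runs the
# post's searches (steps 1, 2 and 4, plus the preg_replace "/e" check from the
# comments) over a wp-content directory. The sample tree below is constructed
# for the demo and the "backdoor" files only contain placeholder strings.

make_sample_wp_content() {          # constructed fixture, not a real site
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/podpress" "$dir/uploads/2011/03" "$dir/themes/default"
    printf '<?php\n// ordinary plugin code\necho "hello";\n' > "$dir/plugins/podpress/podpress.php"
    printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER"))); ?>\n' \
        > "$dir/plugins/podpress/podpress_class.php"
    printf '<?php preg_replace("/x/e", "PLACEHOLDER", "x"); ?>\n' \
        > "$dir/themes/default/footer.php"
    printf '<?php echo 1; ?>\n' > "$dir/uploads/2011/03/image.php"
    printf 'GIF89a\n' > "$dir/uploads/2011/03/photo.gif"
    echo "$dir"
}

# Step 1: an eval whose argument is wrapped in base64_decode/gzinflate is the
# "definitely a backdoor" signature; print only the names of matching files.
find_obfuscated_eval() {
    grep -rlE 'eval *\( *(gzinflate|base64_decode)' "$1" 2>/dev/null
}

# From the comments: preg_replace with the /e modifier runs its replacement as
# PHP. This is a coarse line-level match, so review each hit by hand.
find_preg_replace_e() {
    grep -rlE "preg_replace.*/e['\"]" "$1" 2>/dev/null
}

# Step 2: no .php file belongs under uploads.
find_php_in_uploads() {
    find "$1/uploads" -type f -name '*.php' -print
}

# Step 4: files modified in the last $2 days (the post suggests 10, then 14+).
find_recent() {
    find "$1" -type f -mtime "-$2" -print
}

# Stand-alone demo: audit the constructed tree and list each finding by check.
wp=$(make_sample_wp_content)
for check in find_obfuscated_eval find_preg_replace_e find_php_in_uploads; do
    echo "== $check"; "$check" "$wp"
done
echo "== modified in the last 1 day"; find_recent "$wp" 1
rm -rf "$wp"
```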

5. Scan your WordPress database for exploits and spam

Exploits such as rogue PHP functions and new administrative accounts may live in your database, as well as spam (e.g. hidden ads for pharmaceuticals). If you’re not experienced with digging through your SQL tables with a tool like phpMyAdmin, then you will have to rely on plugins like this one.

6. Erase and re-create your .htaccess file!

In 2011, for the first time I found a WordPress hack that was completely outside of the WordPress install. This meant that even a completely clean WP install (with no themes, no content, etc.) would still contain the hack. The magic was in a couple of nefarious ‘RewriteRules’ added to the main .htaccess file that routed all traffic to the site through an innocuously named “images.php” file.

The safest route is to delete your .htaccess file (after taking note of any additions you’ve put in there like 301 redirects) and then go to WordPress Settings:Permalinks to recreate your .htaccess file anew.

7. Visit your site using a ‘google’ user agent

The .htaccess hack described above was rewriting the HTML of every page on the fly to insert spam links, but only if the visitor was the ‘bot’ responsible for populating Google’s search results. This meant you could only see the spam links in Google search results. If you looked at the same page using Firefox, your page and source code looked fine. To make sure that Google is seeing the same thing that you are, figure out how to change the user agent in your browser and look at your pages as Google’s bot would; otherwise your site may still be hacked without your noticing.


8 comments

  1. Serene Falcon » The Most Important Truth You Will Ever Know posted on April 2, 2010:

    [...] any of those was compromised… Should one find evidence in WordPress, there are the options of looking for backdoors and eliminating them or cleaning the [...]

  2. Jason Fonceca posted on August 21, 2011:

    This.
    Is.
    The.
    Greatest.

    OMG. WordPress is widespread, and many of its users have minimal knowledge of web security (like me!) – the tips here and SSH commands provided are so helpful, and so relevant. Thank you. Thank you a thousand times. I don’t know if it solved my problem yet (I have many sites on one SSH user account), but I’m eager to try these out.

    For anyone who is having WordPress malware or trojan problems, get an SSH client like PuTTY and try this guy’s tips.

    I’d love to see more replies, I’ll check out the rest of your blog.

    I’m leaving my website in the URL, but don’t visit it yet, ’cause I’m still cleaning the backdoor lol!

  3. Removing viruses (malware) from WordPress and protecting your blog | Ronaldo Richieri posted on September 2, 2011:

    [...] the tips from this post and found the backdoor in the wp-config.php file. After the end of the standard WordPress code [...]

  4. Jason Fonceca posted on September 9, 2011:

    Love that you added tips 6 + 7, I did both of those things recently, and they definitely helped. Some might consider them straightforward, but it’s nice to have them outlined :)

  5. Oliver posted on October 25, 2011:

    Free hint, coming from a person infected by a pro backdoor, you must also search for hidden (“obfuscated”) calls to the eval function.

    Cf. this:
    stackoverflow.com/questions/3328235/how-does-this-giant-regex-work

    Basically, you can download your blog’s file to your disk, open notepad++ (highly recommended), use the Search menu, tab “search in folders”, and start searching for strings of text in all files.

    Search for preg_replace and note all the results not sounding legit (it’s rather easy to spot, the /e trigger, guys, the /e trigger!)
    Search for the hex version of the eval code (cf. the link I gave). For hex versions of the end of code too.
    Search for base64_ calls, this is SO rarely found in a legit way you will easily make sure.

    Protip, I’ve also had a false .jpg file, actually containing code to load. Simple as that, after you have downloaded all the blog’s files, search for all image files, copy them to a new folder, and run a batch conversion with a tool like IrfanView or XnView: non-real pictures won’t be convertible, open them in a text editor and check.

  6. Meriblog: Meri Williams' Weblog » Lessons from Being Hacked posted on November 20, 2011:

    [...] for searching for backdoors in a hacked WordPress install Posted by Meri @ 5:15 PM on October 31, 2011 Comments (0) [...]


  8. WordPress Security: Tackling Backdoors, Pharma Hacks and Redirects posted on April 7, 2013:

    [...] — if such commands are hidden within a “base64_decode”, it’s a backdoor. Canton Becker has an example of code that is affected by a backdoor [...]
