After waking up one morning, I went through my usual routine of getting coffee and checking on websites I manage. I clicked a bookmark and one of the websites loaded in my browser. My jaw dropped. The website was certainly not meant to sell Viagra — or any other drugs for that matter! I felt my heart sink and panic started to set in. Google quickly blacklisted the domain. What do I do now? How do I clean it up? Once I clean it up, how do I prevent it from happening again?
Many people who run WordPress have experienced the same thing. WordPress is a frequent target for attacks, so anyone running it needs to stay vigilant about preventing and identifying holes in the security of the website. This post explores five tips for finding backdoor files planted in your WordPress installation. Once you get rid of those, the unwanted behavior usually goes away. Prevention, however, can be much more work. (See my article on Securing WordPress for more information.)
These tips assume that the WordPress installation is running on Linux and you have access to a shell. If you do not have access to a shell or are uncomfortable with the Linux command line, try some of the scanning tools available or sign up for a service such as SiteLock, Sucuri, or WP White Security. You may want or need to get some help if the attack is complicated or any user information has been compromised.
PLEASE NOTE – you must understand and be comfortable running these commands. Only number 4 will modify files on your server, but do not hold me responsible for any issues that might occur. For example, a typo could be made and another command could be called.
1. Look at your logs
Web logs can be found in a variety of places on a Linux system; common defaults are /var/log/apache2/ (Debian and Ubuntu), /var/log/httpd/ (Red Hat and CentOS) and /var/log/nginx/, but check your hosting provider or web server configuration to be sure. They will usually be in the standard combined format: client IP, timestamp, request line, status code, referrer and user agent. We don't want to spend hours reading through millions of lines, so use text search tools to filter the interesting items down to reasonably sized chunks. The Linux grep command is easy to use. Navigate to the log directory and use the following command to browse requests for PHP files that are not part of normal browsing:
grep -r -Ev "wp-login\.php|xmlrpc\.php|wp-cron\.php" * | grep "\.php" | less
The -r switch tells grep to descend into every directory under the path (the * passes all the log files in the current directory, rotated ones included); -E enables extended regular expressions, so the pipe-delimited list is read as a set of alternatives, and -v inverts the match so that lines containing any of those names are dropped. The dots are escaped so each one matches a literal dot rather than any character. The remaining lines are passed to a second grep that keeps only requests for .php files, and lastly to less to page through the result. Add more exclusions to the pipe-delimited string as you confirm that endpoints are legitimate. Look for strange filenames like wad.php or images.php, for any PHP file under wp-content/uploads (nothing should be executing there), and examine the paths and query strings of the requests. Rotated logs that have been gzipped can be searched the same way with zgrep.
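Here is an added, runnable version of the log filtering above, written for this article rather than taken from it. It constructs a few combined-format access log lines (the IPs, paths and timestamps are made up for the example), applies the same exclude-known-endpoints-then-keep-php approach, and adds a second helper that counts how many distinct clients hit a suspicious path, which helps tell a passing scanner from a backdoor in active use:

```shell
#!/bin/sh
# Added example: the log triage from tip 1 on a few constructed
# combined-format access log lines (IPs, paths and times are made up).
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
203.0.113.5 - - [31/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2015:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2015:10:00:03 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.1"
198.51.100.9 - - [31/Jan/2015:10:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
198.51.100.9 - - [31/Jan/2015:10:05:12 +0000] "POST /wp-content/uploads/2015/01/images.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.9 - - [31/Jan/2015:10:05:13 +0000] "GET /wp-includes/wad.php?cmd=id HTTP/1.1" 200 84 "-" "Mozilla/4.0"
203.0.113.5 - - [31/Jan/2015:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"
EOF

# Endpoints that WordPress itself hits all day; extend as you rule things out.
# Dots are escaped so "." matches a literal dot, not any character.
KNOWN='wp-login\.php|xmlrpc\.php|wp-cron\.php|admin-ajax\.php'

# Request path (query string included) of every .php request not in KNOWN.
# $1: access log. Field 7 of a combined-format line is the request path.
suspicious_php_requests() {
    grep -E '"(GET|POST|HEAD) [^ ]*\.php' "$1" \
      | grep -Ev "$KNOWN" \
      | awk '{print $7}'
}

# Number of distinct client IPs that requested a path ($2) in the log ($1):
# one hit may be a scanner probing; repeat visits to a file you never
# created point at a backdoor that is being used.
clients_for_path() {
    grep -F "$2" "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

suspicious_php_requests "$LOG"
for p in $(suspicious_php_requests "$LOG"); do
    echo "$p requested by $(clients_for_path "$LOG" "$p") client(s)"
done
```

On a real server, point LOG at the access log (or feed several rotated logs through zcat) and grow KNOWN as you confirm each endpoint is legitimate; the two survivors in the constructed log, a PHP file under uploads and an unknown file in wp-includes taking a cmd parameter, are exactly the shapes worth investigating first.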
2. Look at the difference between a fresh install and yours
Downloading a fresh copy of WordPress (or restoring one from a backup) and comparing it to the live files can help identify where suspect files are hiding. It is a great idea to keep a snapshot of your files after each upgrade. If you don't have one, create a new directory and download the same versions of WordPress, your themes and your plugins that the live site is running; comparing different versions produces noise that buries the real findings. Then run this command to find the file differences:
diff -qr wordpress_directory/ fresh_install/
The -q switch reports only which files differ rather than the line-by-line changes; -r makes diff descend into all the directories. Expect some legitimate differences: wp-config.php and .htaccess exist only on the live site, and the uploads directory where dynamic content is stored (usually wp-content/uploads) will always contain files that are not part of a fresh installation. Either exclude that directory with diff's -x option (for example -x uploads) or keep it in the comparison if you have a snapshot of what it should contain. Any PHP file in uploads, or any "Only in wordpress_directory" entry for a core or plugin file you did not add, deserves a close look.
3. Use grep to find php tags in files where they shouldn’t be
This is one of my favorites. It is interesting what shows up, especially if you allow users to upload files. Sometimes hackers hide code in a file without the .php extension (an image or a .txt file, for instance) and then include it from a small PHP dropper, or rely on a web server misconfiguration that executes it anyway. I have found a couple of files used by hackers this way.
grep -rlw --exclude='*.php' -e "php" wordpress_directory
The -l switch tells grep to output only the filename, -w tells grep to match php as a whole word, and -r to search all directories. The --exclude option, with its glob quoted so the shell does not expand it, skips the .php files themselves. Keep in mind that there may be legitimate reasons the text "php" occurs, such as a variable name or a mention in a README; searching for the opening tag <?php instead of the bare word gives far fewer false positives. This command can be tweaked and offers a good start for an investigation.
4. Use the find command to remove any injected code
USE CAUTION HERE. Test this thoroughly before executing it, and make a backup of everything before doing anything. This command can be tweaked to remove code that was injected by a script. For example, I have seen every single file containing the tag </head> on a server get infected. The actual address was changed to XX.XX.XX.XX here to prevent real calls being made; if you find something like this, replace XX.XX.XX.XX with the domain or IP address the hacker used. The command as written replaces <script type="text/javascript" src="http://XX.XX.XX.XX/ads/inpage/pub/collect.js"></script></head> with </head>. Run the find together with a grep -l for the injected tag first, without sed, so you know exactly which files will be rewritten. Note that sed -i edits files in place with no undo (on BSD and macOS it is spelled sed -i ''), and that the pattern must match the injected markup byte for byte, whitespace and quote style included, or nothing will change.
find wordpress_directory -type f -print0 | xargs -0 sed -i 's#<script type="text/javascript" src="http://XX.XX.XX.XX/ads/inpage/pub/collect.js"></script></head>#</head>#g'
5. Look for modification dates and bad file permissions
Lastly, check for modification dates that don't make sense. If you updated last week, why would a WordPress core file have a modification date from yesterday? The find command is great at listing files modified after a certain date. Linux filesystems generally do not record a creation time, so the modification time is what you have, and an attacker can reset it with touch, so treat an old timestamp as weak evidence and a recent one on a core file as a strong lead. Use the following approach:
#set the reference timestamp on a scratch file (GNU touch; BSD touch takes -t 201501310000 instead)
touch --date "2015-01-31" /tmp/start_date
find wordpress_directory -type f -newer /tmp/start_date
Use this command to see files modified in the last 60 days:
find wordpress_directory -type f -mtime -60
You can use the standard ls -l command to see file permissions and ownership. Look for anything world-writable: core files and directories should normally be 644 and 755, and a 777 directory under wp-content is exactly where an attacker will drop new files. Also check the owner; files owned by the web server user rather than your account were written through the web application, which is worth explaining.
Once you have removed the infestation and secured WordPress, you can use Google Webmaster Tools (now Search Console) to request that Google recheck your website and remove the blacklisting.
Happy hunting!