WordPress Exploit Scanner 0.1

My previous post about hacked WordPress sites prompted Donnacha to ask:

After your last post on this subject, I was thinking that it would be a good idea for Automattic to create a plugin that carries out all the checks you suggested people do to find out if they’ve been hacked…

At the time I wasn't too optimistic about it, but after thinking about the idea for a few days I came up with the WordPress Exploit Scanner, which does most of what Donnacha wanted.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.
It also lets the blog owner search for any string they like, which comes in handy when new exploit code turns up in a hack.
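As an added illustration of the file-scanning half described above (this is example code, not the plugin's own PHP), the script below walks a site tree, looks for each known string, and reports the file, line number and a code fragment around the match. The signature table is copied from the plugin output quoted in the comments on this post; the scanner around it, the sample site it builds in a temporary directory, and the `skip_dirs` and `extensions` parameters are assumptions for the example. Two details a practitioner wants: an unreadable file is reported and skipped rather than aborting the whole scan, and the scanner's own directory is excluded by default, because its signature table contains every string it searches for and would otherwise match itself.

```python
import os
import tempfile

# Signature table copied from the plugin output quoted in the comments on this
# post (the descriptions are the plugin's). The scanner around it is an added
# example, not the plugin's own code.
SIGNATURES = {
    'style="visibility:hidden': "CSS styling to hide parts of a web page",
    "ShellBOT": "This may be a script used by hackers to get control of your server.",
    "uname -a": "Tells a hacker what operating system your server is running",
    "shell_exec": "Executes a server command like ls, cd, wget, etc. This may be a script used by hackers.",
    "YW55cmVzdWx0cy5uZXQ=": "Base64 encoded text found in PHP code that redirects visitors from Google.",
    "eval(unescape": "Could be Javascript code used to hide code inserted by a hacker.",
    "String.fromCharCode": "Javascript code used to hide suspicious code, but can also be legitimate code.",
    '$_COOKIE["yahg"]': "YAHG Googlerank.info exploit code.",
}


def scan_file(path, signatures, context=40):
    """Return one (signature, description, line_no, fragment) per hit in a file.

    The fragment is the matched string with up to `context` characters on
    either side, so the blog owner can judge the hit without opening the file.
    """
    hits = []
    with open(path, "rb") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.decode("utf-8", "replace")
            for sig, desc in signatures.items():
                idx = line.find(sig)
                if idx != -1:
                    start = max(0, idx - context)
                    fragment = line[start:idx + len(sig) + context].strip()
                    hits.append((sig, desc, line_no, fragment))
    return hits


def scan_tree(root, signatures, skip_dirs=("exploit-scanner",),
              extensions=(".php", ".js", ".html", ".htm")):
    """Walk `root` and return (findings, unreadable).

    findings:   (relative path, signature, description, line_no, fragment)
    unreadable: (relative path, error) for files the web user cannot open,
                so a single "Permission denied" does not abort the whole scan.
    The scanner's own directory is skipped by default: its signature table
    contains every string it looks for and would otherwise report itself.
    """
    findings, unreadable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                for hit in scan_file(path, signatures):
                    findings.append((rel,) + hit)
            except OSError as err:
                unreadable.append((rel, str(err)))
    return findings, unreadable


def build_sample_site():
    """Constructed sample tree (not a real site) for running the scanner offline."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-includes/l10n.php": "<?php\nfunction __($text) { return $text; }\n",
        # Injected footer: a hidden link block plus a referrer-based redirect.
        "wp-content/themes/default/footer.php":
            '<?php /* footer */ ?>\n'
            '<div style="visibility:hidden"><a href="http://example.invalid/">cheap</a></div>\n'
            '<?php if (isset($_SERVER["HTTP_REFERER"]) && strpos($_SERVER["HTTP_REFERER"], "google") !== false) '
            '{ header("Location: http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=")); } ?>\n',
        # The scanner's own file, which naturally contains its signature table.
        "wp-content/plugins/exploit-scanner/exploit-scanner.php":
            '<?php\n$signatures = array("ShellBOT" => "control of your server", "uname -a" => "operating system");\n',
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    found, failed = scan_tree(site, SIGNATURES)
    for rel, sig, desc, line_no, fragment in found:
        print(f"{rel}:{line_no}: {sig!r}: {desc}\n    ...{fragment}...")
    for rel, err in failed:
        print(f"could not read {rel}: {err}")
```

Passing a one-entry dictionary such as `{"some-url.example": "custom search"}` to `scan_tree` gives the "search for whatever string you like" behaviour; the hit list is what you would hand to `grep` on a server where you can log in.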

You must be running WordPress 2.5.1 or higher to use this plugin. There’s not much point in finding exploited files if you’re running an old version of the software that can be broken into again.

Download the plugin from here: WordPress Exploit Scanner

Thanks to those who tested the plugin, especially Cathal Garvey who provided some great feedback!

Comments

79 Replies to “WordPress Exploit Scanner 0.1”

  1. I think what is needed is a standalone php script to check your current WordPress core against the official released version (same version).

    All code differences should be highlighted.

  2. Donncha: I’ve been thinking about it, and I see some problems with the MD5 concept. The problem is the CR/LF conversion is going to mess things up for you, with different hosts and such. Also, keeping big lists is a losing proposition. Why not use the MD5 idea to check if any files changed?

    Here’s some sample code I threw together. It basically recursively hashes a directory of files, encrypts all the hashes with a password, and then stores them into a file. It can also read the file, repeat the process, and list any changes made. The reason for the password encryption is that if somebody has access to the file, they can just rehash unless there is something else not on the system itself to protect against that.

        $hashvalue) {
            if ($filehashes[$hashkey] != $hashvalue) {
                echo "$hashkey has changed!\n";
            }
        }
    }

    store_hashes('hashes.txt', '/path/to/wordpress-2.5.1/', 'password');

    check_hashes('hashes.txt', '/path/to/wordpress-2.5.1/', 'password');
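The baseline-and-compare idea in the comment above, written out as an added example (not the commenter's code, and in Python rather than PHP): hash every file under the site, store the table with a keyed MAC, and on each check refuse a baseline whose MAC does not verify before diffing it against a fresh hash of the tree. Where the comment says the hashes are "encrypted with a password", this example uses an HMAC with a secret instead; the point the comment makes still holds, because an intruder who can rewrite the hash file cannot produce a valid MAC without the secret. SHA-256 in place of MD5, the JSON file layout, and the sample tree built in a temporary directory are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile


def tree_hashes(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return hashes


def _mac(hashes, secret):
    """Keyed MAC over the canonical JSON form of the hash table."""
    payload = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


def store_baseline(baseline_path, root, secret):
    """Record the tree's hashes plus a MAC that only the secret holder can produce."""
    hashes = tree_hashes(root)
    with open(baseline_path, "w") as fh:
        json.dump({"hashes": hashes, "mac": _mac(hashes, secret)}, fh)


def verify_baseline(baseline_path, secret):
    """Return the stored hash table, or None if its MAC does not verify."""
    with open(baseline_path) as fh:
        stored = json.load(fh)
    if not hmac.compare_digest(_mac(stored["hashes"], secret), stored["mac"]):
        return None
    return stored["hashes"]


def check_baseline(baseline_path, root, secret):
    """Diff the tree against the baseline; raise if the baseline itself is untrustworthy."""
    old = verify_baseline(baseline_path, secret)
    if old is None:
        raise ValueError("baseline MAC does not verify: wrong secret or tampered baseline")
    new = tree_hashes(root)
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def attacker_rehash(baseline_path, root):
    """What an intruder with file access but no secret can do: refresh the hashes, keep the old MAC."""
    with open(baseline_path) as fh:
        stored = json.load(fh)
    stored["hashes"] = tree_hashes(root)
    with open(baseline_path, "w") as fh:
        json.dump(stored, fh)


# Helpers for the constructed sample tree (not a real site).
def write_file(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def remove_file(root, rel):
    os.remove(os.path.join(root, *rel.split("/")))


def build_sample_tree():
    """Return (site root, baseline path); the baseline lives outside the web root."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    write_file(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    write_file(root, "wp-config.php", "<?php define('DB_NAME', 'wordpress');\n")
    write_file(root, "wp-includes/l10n.php", "<?php function __($t) { return $t; }\n")
    baseline = os.path.join(tempfile.mkdtemp(prefix="wp-baseline-"), "hashes.json")
    return root, baseline


if __name__ == "__main__":
    site, baseline = build_sample_tree()
    store_baseline(baseline, site, "password")
    write_file(site, "wp-includes/l10n.php", "<?php /* modified */ ?>\n")
    print(check_baseline(baseline, site, "password"))
```

Because the baseline is hashed from the server's own files, the CR/LF conversion problem raised above does not arise: each check compares the files with themselves as they were, not with a list published elsewhere. Keep the secret off the server (type it in when running a check) or the protection reduces to that of the file itself.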

  3. Thanks for a great security tool. Having had my site and SQL database hacked, I appreciate this extra level of security. I was able to run the scanner all right the first time. But now I get the following message: Warning: file_get_contents(/home/xxx/public_html/xxxxxx/include/l110n.php) [function.file-get-contents]: failed to open stream: Permission denied in /home/xxx/public_html/xxx/wp-content/plugins/exploit-scanner/exploit-scanner.php on line 82

    Any views or suggestions appreciated.

    Thanx

  4. Hi all, I found this after the scan:

    "style=\"visibility:hidden" => "CSS styling to hide parts of a web page",
    "ShellBOT" => "This may be a script used by hackers to get control of your server.",
    "uname -a" => "Tells a hacker what operating system your server is running",
    "shell_exec" => "Executes a server command like ls, cd, wget, etc. This may be a script used by hackers.",
    "YW55cmVzdWx0cy5uZXQ=" => "Base64 encoded text found in PHP code that redirects visitors from Google.",
    "" => "HTML code used to hide spammy links, but is also legitimate code.",
    "eval(unescape" => "Could be Javascript code used to hide code inserted by a hacker.",
    "String.fromCharCode" => "Javascript code used to hide suspicious code, but can also be legitimate code.",
    '$_COOKIE["yahg"]' => "YAHG Googlerank.info exploit code. See here for further info."

    How can I fix these hacks??
    Thanks!!

  5. I'm using version 0.3 and when I'm scanning with "search files only" or "files and database" it redirects me to a Russian site "http://gpt0. ru/default .cgi".
    That site seems to be offline, but do I have a problem???

    "database only" gives a hooray 🙂

    Could you help me?

    THX!

    1. That’s weird, and yes, I’d say you have a problem! If you can login to your server, use “grep” to search through it for that site’s url.

      1. Thx for the tip, but it seems that I can't use grep on my server (non-Linux).

        The weird thing is, your scanner works in IE, no bad scripts found. Only in Firefox does the redirection occur??? Could FF be the problem?
        Searching for the Russian URL gave me a site which probably hosts "free virus scanner software". The one you don't want...

        THX for your time!

  6. I love this plugin. Since my hosting is on Linux, I am very stressed out, as I don't know of any antivirus solution for this, at least not one that can work with a shared hosting plan. The WordPress Exploit Scanner just made my life better, especially since most of my sites are WordPress powered.

    I want to suggest that future versions should have external definition files with malware code and maybe even auto-update features.