My previous post about hacked WordPress sites caused Donnacha to ask,
After your last post on this subject, I was thinking that it would be a good idea for Automattic to create a plugin that carries out all the checks you suggested people do to find out if they’ve been hacked…
At the time I wasn’t too optimistic about it but after thinking about the idea for a few days I came up with the WordPress Exploit Scanner which does most of what Donnacha wanted.
This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.
It also allows the blog owner to search for whatever string they like, which could come in handy when new exploit code is used in a hack.
You must be running WordPress 2.5.1 or higher to use this plugin. There’s not much point in finding exploited files if you’re running an old version of the software that can be broken into again.
Download the plugin from here: WordPress Exploit Scanner
Thanks to those who tested the plugin, especially Cathal Garvey who provided some great feedback!
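An added example, not the plugin's own code: a small Python scanner that does what the file check described above does. It walks a directory, searches each file for a table of suspicious strings (taken from the scanner output quoted in the comments) and reports every hit with a short code fragment; it reads files line by line so a large file cannot exhaust memory, and an unreadable file is reported rather than aborting the scan. The sample tree it scans is constructed.

```python
import os
import tempfile
# Strings listed as suspicious in the scanner output quoted in the comments
# (explanations paraphrased).  Any file containing this table, including
# this script, matches itself, which is the plugin's own "listing itself" note.
SUSPICIOUS = {
    "shell_exec": "runs a server command; common in attacker scripts",
    "uname -a": "reveals the server operating system",
    "eval(unescape": "JavaScript that hides injected code",
    "String.fromCharCode": "JavaScript used to hide suspicious code",
    "YW55cmVzdWx0cy5uZXQ=": "base64 text from a Google redirect hack",
    'style="visibility:hidden': "CSS used to hide parts of a page",
}
SCAN_EXTS = (".php", ".js", ".html", ".htm", ".txt", ".htaccess")

def scan_file(path, patterns=SUSPICIOUS, context=30):
    """[(pattern, line_no, fragment)] for one file, read line by line so a big
    file cannot exhaust memory; an unreadable file yields one "<unreadable>" hit."""
    hits = []
    try:
        with open(path, "rb") as fh:
            for line_no, raw in enumerate(fh, 1):
                line = raw.decode("utf-8", "replace")
                for pat in patterns:
                    i = line.find(pat)
                    if i >= 0:  # keep some context, like the plugin's report
                        frag = line[max(0, i - context): i + len(pat) + context]
                        hits.append((pat, line_no, frag.strip()))
    except OSError as exc:      # e.g. the "Permission denied" case in the thread
        hits.append(("<unreadable>", 0, str(exc)))
    return hits

def scan_tree(root, patterns=SUSPICIOUS, exts=SCAN_EXTS):
    """Walk root recursively; map relative path -> hits for files that have any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full, patterns)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

# Constructed sample tree (not real WordPress files) used by demo().
SAMPLE_FILES = {
    "wp-content/themes/clean/index.php": "<?php get_header(); ?>\n<p>Hello</p>\n",
    "wp-content/themes/odd/footer.php": (
        "<?php echo 'ok'; ?>\n"
        "<script>eval(unescape('%64%6f'));</script>\n"
        "<?php $u = base64_decode('YW55cmVzdWx0cy5uZXQ='); ?>\n"
    ),
    "wp-content/uploads/photo.png": "binary extension, never opened",
}

def demo():
    root = tempfile.mkdtemp()
    for rel, text in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return scan_tree(root)
```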

79 Comments
Fabian (1 comments.) on June 26, 2008 at 7:44 pm.
Thanks! It’s a great option to review our blogs.
Otto (15 comments.) on June 26, 2008 at 8:30 pm.
This generic principle could be taken a step further to scan for things like obfuscated code in themes and such. Might be worth considering.
Looking for base_64_decode would come up with most of the current malware themes out there, for example. I would not extend that to plugins, because many legit plugins use this methodology to store images in the PHP file (Google XML sitemap generator, to pick an example). But a theme generally doesn’t have the complexity level to contain that sort of thing legitimately.
Donncha (1707 comments.) on June 26, 2008 at 8:40 pm.
Otto – Among the strings included is the base64 string of (one of?) the url used in the recent Google redirect hack.
I hadn’t thought to search for base_64_decode but it’s an obvious one I’ll add for the next release!
Douglas Lampi (1 comments.) on June 26, 2008 at 9:27 pm.
I use wordpress blogs a lot – and I’ve had some of them hacked.
The greatest pain is having dozens of wp sites to upgrade – then next week have to upgrade all my sites again because of another and another security patch.
Thanks for the great plugin – we all need this.
Doug
BG (1 comments.) on June 26, 2008 at 9:30 pm.
Hi, Donncha
I keep getting the following error-message when doing the files only or files+database search:
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 8662604 bytes) in /home/***/public_html/wp-content/plugins/exploit-scanner/exploit-scanner.php on line 82
The database only search is fine.
Any ideas?
David Basulto (1 comments.) on June 26, 2008 at 10:19 pm.
Regarding the “no much point finding exploits on older versions”… I disagree. There are several people that have a working install with previous versions, that feature unsupported plugins making it hard to upgrade, or just don’t have the skills to migrate to a newer version (it’s not “that” easy, especially for 2.0.x) or can’t afford a specialist. IMHO, if a plugin for older versions is available, it could even encourage people to think about upgrading after seeing all the flaws on their install. But leaving 2.0.x, 2.1.x, 2.2.x and 2.3.x users all by themselves is kinda harsh
(especially if the 2.0.x branch is supposed to be supported for several years, as I read on a blog post when 2.1 came out)
Rick (1 comments.) on June 26, 2008 at 11:05 pm.
I know you say “Don’t worry if ‘/var/www/html/sandpit/wp-content/plugins/exploit-scanner/exploit-scanner.php’ is listed above. That’s a good sign because this script obviously has all the text to search for and it’s working properly!” at the end, but it is a bit weird (and frightening at first) to have it list itself!
Pingback: WordPress Exploit Scanner 0.1 en Agamum.net
Pingback: Gehackt!
BigDadGib (2 comments.) on June 27, 2008 at 1:31 am.
Downloaded, uploaded, plugged it in and it works great.
I am so glad this plug-in was put together. Thank you.
BigDadGib
BigDadGib (2 comments.) on June 27, 2008 at 1:34 am.
BTW…
I HAVE been hacked. It was worse than having my house robbed. I felt horrible, violated and angry. That’s why I am so happy for this plug-in.
Thanks again…
BigDadGib
Reveller (1 comments.) on June 27, 2008 at 2:01 am.
I’m impressed! This is a great little security utility, and will help me to check out some of the older blogs I’ve set up for people but haven’t had the time to keep under supervision as much as I’d like.
But as in all these things, the devil is in the detail. I’m running WP 2.6 B1 on my flagship blog, and of course (as warned) there are lots of hits that certainly aren’t malicious code. What would be really useful would be a list of possible false positives, and a compilation of known nasties so that those of us who aren’t techies can either try to fix things ourselves, or call in someone who can help.
Thanks for such a useful tool!
Pingback: Donncha’s WordPress Exploit Scanner :: WPLover
Donnacha (13 comments.) on June 27, 2008 at 3:10 am.
Donncha, thank you so much, it is great to see you respond with such alacrity. This plugin will be indispensable, especially for users unable to use AIDE.
Between this, and the upcoming security improvements in 2.6, we are getting closer to point at which hackers targeting WordPress will have nowhere left to hide.
Sunny (2 comments.) on June 27, 2008 at 4:05 am.
This plugin rocks, WP 2.3 version was a spammers delight and many of the residues from that version can be found in files despite upgrades. Especially if the old files/folders were overwritten and not completely removed prior to the upgrade. Thanks.
Marc Liron (1 comments.) on June 27, 2008 at 4:09 am.
This sounds like a great plugin!
…bit late for many WP 2.3 installs that got hit
Just seen that one of the most prominent Internet Marketers just got “hacked” as he was still using 2.3.3
http://www.marcliron.co.uk/sitebuilditreview/stu-mclarens-blog-gets-infected-by-hackers
-Marc
Pingback: WordPress Plugin: WordPress Exploit Scanner | WordPress Philippines
Pingback: Wordpress Blogs Hacked? | Slow Streamyx
Marek on June 27, 2008 at 10:44 am.
Maybe usage of OWASP http://www.owasp.org/index.php/Main_Page would help as the prevention for every developer.
Pingback: WordPress Exploit Scanner is a Life Saver » Headsetoptions.org
Kirby Witmer (1 comments.) on June 27, 2008 at 4:15 pm.
I keep getting this error message.
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 22700609 bytes)
Peter Löwenstein (1 comments.) on June 27, 2008 at 5:24 pm.
Same fatal error for me: “Allowed memory size ..” for the file check, db-check works fine.
Donncha (1707 comments.) on June 27, 2008 at 6:53 pm.
Kirby – the out of memory is caused by the recursive function that iterates over the filesystem. I’ll have to try and make that less memory intensive!
Sean (2 comments.) on June 27, 2008 at 7:13 pm.
Cool plugin, however your statement “You must be running WordPress 2.5.1 or higher to use this plugin. There’s not much point in finding exploited files if you’re running an old version of the software that can be broken into again” what about the people using the stable and still supported 2.0.11 branch? They shouldn’t be left out of this plugin.
Pingback: Wordpress Exploid Scanner 0.1, checkea la seguridad de tu blog | aNieto2K
Donncha (1707 comments.) on June 27, 2008 at 8:04 pm.
Sean – I had quite forgotten about the stable version distributed in Debian. As I said in an earlier comment, I have checksums for specific files in a specific version (2.5.1).
I couldn’t maintain multiple versions easily, but I’ll change the die() to a warning.
Sean (2 comments.) on June 27, 2008 at 8:08 pm.
@Donncha: Maybe someone would be willing to help you maintain a 2.0.x branch of your plugin since it will be supported until 2010?
Donncha (1707 comments.) on June 27, 2008 at 9:17 pm.
Sean – all things considered, I could probably do it. The 2.0 version barely changes these days so it wouldn’t be too hard to run an md5 check of the files in it and bundle it with the plugin myself.
Donncha (1707 comments.) on June 27, 2008 at 9:17 pm.
And also for the new 2.6 beta. This file of checksums could get quite large!
Donnacha (13 comments.) on June 27, 2008 at 11:14 pm.
Yes … but the headache of getting hacked would be considerably larger
Gamma (1 comments.) on June 28, 2008 at 3:08 am.
When I check just the database it seems to work fine. But if I check the files my Firefox 3 browser starts opening up what seems to be an endless parade of untitled tabs, requiring me to go to the task manager (Win XP) to shut it down. I’m using WP 2.5.1
shadow.super (1 comments.) on June 28, 2008 at 11:09 pm.
please vote yes in the new lisbon refernedum for your country in spring
this will allow the jedi peace to spread throughout europe
please listen to your minister gormley
he is a practising member of the church of jedi
please encourage your family to vote yes or else you will be the cubans of europe
may the force be with you
mocona on June 29, 2008 at 5:34 am.
Donnacha, Great plugin!! unfortunately I get a Fatal error: Allowed memory size of …….
Could you give us a quick fix or something? I can’t find anything on line 82
And may I suggest to add (NOT MALICIOUS CODE) button at your report? of course a (DELETE THIS MALICIOUS CODE) and (BACKUP AND DELETE THIS MALICIOUS CODE) is a very welcome update.
Thanks for the plugin… great job!
Pingback: Sicherheit geht vor: Wordpress Exploit Scanner
Pingback: Plugin: WordPress Exploit Scanner 0.1 | Ferramentas para blogs, Noticias, WordPress, Tutoriais e muito mais... - MUIOMUIO.NET
Donnacha (13 comments.) on June 29, 2008 at 1:55 pm.
BTW, just a small thing, but for the sake of clarity and because Mocona, above, got the names mixed up, and because there has been some confusion before, I’d better stress that there are two of us with similar names in this thread:
Donncha O Caoimh – well-known WordPress dude from Cork, owner of Holy Shmoly, begetter of MU, taker of photos, creator of plugins etc
Donnacha from Dublin, living in Edinburgh, WordPress neophyte and disciple
… because I definitely wouldn’t want Donncha to get the blame for my dumb-ass questions throughout the blogosphere
Chris on June 29, 2008 at 3:27 pm.
Hi,
I’ve just downloaded and installed this plugin, from the link on this page:
http://ocaoimh.ie/exploit-scanner/
…and when I look at the dashboard on my blog, it says the MD5 is:
d41d8cd98f00b204e9800998ecf8427e
…which doesn’t match the one in the readme or on the link above. I think it should be 6a88a18a37c4add7dabd72fc97be13b6.
Am I doing something or is something amiss?
(have tried re-downloading and re-installing)
Cheers,
Chris
Donncha (1707 comments.) on June 29, 2008 at 4:13 pm.
Chris – that’s weird. Did you edit the file with a Windows editor or some other editor that changes file endings? I just downloaded the plugin again to verify that the md5 is ok and it matches.
Chris on June 29, 2008 at 4:16 pm.
No, I’ve not edited it. Just unzipped it, ftp’d it in ASCII mode using a DOS window and that’s it.
Chris on June 29, 2008 at 4:22 pm.
I’ve just Googled the MD5 that I posted above and got a few more hits than I was expecting!
From what I can make out, that’s the MD5 of an empty file – so presumably the MD5 check just isn’t working on my server for whatever reason.
Jedmunds on June 29, 2008 at 7:15 pm.
I am getting the following in PSpellShell.php. Does this mean I’ve been hacked? I tried replacing it with the default WordPress one, and I still get this error :
/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
rror("PSpell support was not found.");
$data = shell_exec($cmd);
@unlink($this->_tmpfile);
$returnData = array();
$dataArr = preg_split("/[\r\n]/", $data, -1, PREG_SPLIT_NO_EMPTY);
foreach ($dataArr as $dstr) {
$matches = array();
// Skip this line.
if (strpos($dstr, "@") ===
--------------------------------------------------------------------------------
throwError("Error opening tmp file.");
$data = shell_exec($cmd);
@unlink($this->_tmpfile);
$returnData = array();
$dataArr = preg_split("/\n/", $data, -1, PREG_SPLIT_NO_EMPTY);
foreach($dataArr as $dstr) {
$matches = array();
// Skip this line.
if (strpos($dstr, "@") === 0)
Pingback: John Beales - Blog Archive » Wordpress Exploit Scanner should mean Fewer Hacked Blogs
Raph (1 comments.) on June 29, 2008 at 9:12 pm.
Very happy to see this! After my blog was hacked (see here: http://www.raphkoster.com/2008/04/15/more-on-the-blog-hacking/ for the gory details of all the attacks), I wrote a blog post asking for essentially this same plug-in. Here were the things I wished for:
http://www.raphkoster.com/2008/04/16/what-wordpress-needs/
* Greps every file in your public web directory, recursively, looking for “base64″ and tells you about them. The default WP install has none of these.
* Warns you on modification date of any file in the install, plus in any themes.
* Checks header and footer for unusual size changes.
* Warns you on any files added to install directories that are not something in the vanilla install — e.g., any new php files in wp-admin that aren’t part of the install.
* Warns you on any .htaccess redirects.
* Pulls out the list of administrators by querying in wp_usermeta for wp_metavalue containing %administrator% — not whatever the dashboard uses, which appears to correlate to other tables and therefore misses hacked accounts.
* Generates a table of everything in wp_options that is not a part of the vanilla WP install, so you can check it. Sure, a whole bunch of plugins will show up, but maybe you can check that manually.
Pingback: Raph's Website » WordPress Exploit Scanner plugin
Pingback: Wordpress mit dem Exploit Scanner schützen « AdClicks-Agent.de
Pingback: Mehr Erfolg im Internet » Blog Archive » Was tun, wenn Blog gehacked?
Pingback: BlogMaster - Sicurezza di WordPress ancora in primo piano
Otto (15 comments.) on June 30, 2008 at 8:02 pm.
Raph: Not true. wp-app.php as well as a lot of the wp-includes/class-*.php files make use of the base64 functions. You’d have to exclude those from your scans, or at least ignore them.
Otto (15 comments.) on June 30, 2008 at 9:27 pm.
Donncha: I know that SVN uses the MD5 values internally… If that information was exposed (say, through api.wordpress), then you could get the official MD5 sums from the tags repository and compare against those directly.
Donncha (1707 comments.) on June 30, 2008 at 9:54 pm.
Otto – I’ve been thinking about it a bit and it probably wouldn’t be too hard once I had a shell script that I could point at a directory and create a file of md5 checksums.
Shell script shouldn’t be too hard either I guess, so maybe for the next version I’ll grab the current releases – 2.0.x, 2.5.1, and whatever 2.6 beta is out and make an array of checksums..
Pingback: Another Useful WordPress Security Plugin at xentek
Pingback: Scopri se ti hanno bucato WordPress con questo semplicissimo plugin - WordPress Mania.Trucchi, notizie, plugin, temi
Richard Catto (4 comments.) on July 4, 2008 at 7:07 am.
I think what is needed is a standalone php script to check your current WordPress core against the official released version (same version).
All code differences should be highlighted.
Pingback: Best advice on Wordpress spam injection evarrr | Make$ Money$ Blog - Truth, no scam
Otto (15 comments.) on July 10, 2008 at 7:10 pm.
Donncha: I’ve been thinking about it, and I see some problems with the MD5 concept. The problem is the CR/LF conversion is going to mess things up for you, with different hosts and such. Also, keeping big lists is a losing proposition. Why not use the MD5 idea to check if any files changed?
Here’s some sample code I threw together. It basically recursively hashes a directory of files, encrypts all the hashes with a password, and then stores them into a file. It can also read the file, repeat the process, and list any changes made. The reason for the password encryption is that if somebody has access to the file, they can just rehash unless there is something else not on the system itself to protect against that.
$hashvalue) {
if ($filehashes[$hashkey] != $hashvalue) {
echo "$hashkey has changed!\n";
}
}
}
store_hashes('hashes.txt', '/path/to/wordpress-2.5.1/', 'password');
check_hashes('hashes.txt', '/path/to/wordpress-2.5.1/', 'password');
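An added example, not Otto's script: a Python version of the baseline-and-compare check his comment describes. It folds CRLF and lone CR to LF before hashing, so the host line-ending problem he raises does not show up as false changes; it keys each digest with a secret via HMAC (a swapped-in technique, instead of encrypting the hash file) so a baseline cannot be regenerated without that secret; and it reports added, removed and changed files. The directory tree and the secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
TEXT_EXTS = (".php", ".js", ".css", ".html", ".htm", ".txt")

def normalised_digest(path, secret):
    """HMAC-SHA256 of a file; for text files CRLF and lone CR are folded to LF
    so the same source hashes alike on every host.  None if unreadable."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    text = path.lower().endswith(TEXT_EXTS)
    try:
        with open(path, "rb") as fh:
            carry = b""
            while True:
                block = fh.read(65536)            # chunked: never slurp the file
                if not block:
                    break
                if text:
                    block, carry = carry + block, b""
                    if block.endswith(b"\r"):     # may be the first half of CRLF
                        block, carry = block[:-1], b"\r"
                    block = block.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
                mac.update(block)
            if carry:                             # file ended on a lone CR
                mac.update(b"\n")
    except OSError:
        return None
    return mac.hexdigest()

def baseline(root, secret):
    """Relative path -> digest for every file under root."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = normalised_digest(full, secret)
    return table

def compare(old, new):
    """(added, removed, changed); an unreadable file (None) counts as changed."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed sample tree (not real WordPress files) covering each case."""
    root, secret = tempfile.mkdtemp(), b"demo-secret"  # real secret: keep off the host
    files = {"wp-settings.php": "<?php\n$a = 1;\n",
             "wp-login.php": "<?php\nlogin();\n", "readme.txt": "Notes\n"}
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", newline="") as fh:
            fh.write(text)
    old = baseline(root, secret)                       # store this off the server
    with open(os.path.join(root, "wp-login.php"), "w", newline="") as fh:
        fh.write(files["wp-login.php"].replace("\n", "\r\n"))  # CRLF only: no change
    with open(os.path.join(root, "wp-settings.php"), "a") as fh:
        fh.write("injected();\n")                      # a real modification
    with open(os.path.join(root, "extra.php"), "w") as fh:
        fh.write("<?php\n")                            # a new file
    os.remove(os.path.join(root, "readme.txt"))        # a deleted file
    return compare(old, baseline(root, secret))
```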
Otto (15 comments.) on July 10, 2008 at 7:25 pm.
Ugh. Well, okay, it cut out my code. You can read it here instead:
http://ottodestruct.com/hashes.txt
Pingback: WordPress Exploit Scanner is a Life Saver | Web Templates, Flash Templates, Website Templates Design
Pingback: Taszara.com » Blog Archive » Taszara has been hacked? Wordpress Spam Injection. Please help!
Chris (1 comments.) on July 18, 2008 at 1:39 am.
Thanks for a great security tool. Having had my site and SQL database hacked I appreciate this extra level of security. I was able to run the scanner all right for the first time. But now I get the following message: Warning: file_get_contents(/home/xxx/public_html/xxxxxx/include/l110n.php) [function.file-get-contents]: failed to open stream: Permission denied in /home/xxx/public_html/xxx/wp-content/plugins/exploit-scanner/exploit-scanner.php on line 82
Any views/suggestions appreciated
Thanx
Pingback: Plugin wordpress che scopre se ti hanno bucato il tuo blog | MarcoSiviero.Com | Tutto Gratis
Pingback: Some annoying things about WordPress
Pingback: Was tun beim gehackten Wordpress? | Blog von Michael Karl, Webdeveloper
sapimoto (1 comments.) on August 22, 2008 at 3:45 am.
It’s a useful plugin for WordPress users, thanks for sharing…
Michael Web (1 comments.) on August 27, 2008 at 2:29 pm.
Hey, nice plugin. Some sites from my customers had been cracked; I hope this plugin will help.
Thanks a lot.
Kei on September 29, 2008 at 12:29 pm.
Where can I find the link on 2.6.1?
I’ve uploaded and activated it but can’t find the link..
Pingback: 30+ (More) Most Wanted Wordpress Tips, Tricks and Hacks | Wordpress
Pingback: 30+ (More) Most Wanted Wordpress Tips, Tricks and Hacks | Web Burning Blog
Pingback: 20+ plugin per Wordpress e non solo | Area3000
thanasis on February 4, 2009 at 11:23 pm.
Hi all, I found this after the scan:
"style=\"visibility:hidden" => "CSS styling to hide parts of a web page",
"ShellBOT" => "This may be a script used by hackers to get control of your server.",
"uname -a" => "Tells a hacker what operating system your server is running",
"shell_exec" => "Executes a server command like ls, cd, wget, etc. This may be a script used by hackers.",
"YW55cmVzdWx0cy5uZXQ=" => "Base64 encoded text found in PHP code that redirects visitors from Google.",
"" => "HTML code used to hide spammy links, but is also legitimate code.",
"eval(unescape" => "Could be Javascript code used to hide code inserted by a hacker.",
"String.fromCharCode" => "Javascript code used to hide suspicious code, but can also be legitimate code.",
'$_COOKIE["yahg"]' => "YAHG Googlerank.info exploit code. See here for further info."
How can I fix these hacks??
thanks!!
Pingback: Wordpress Autotest: effetti collaterali imprevisti — Il non-blog di Mario Pascucci
Pingback: Trojan on this website |
Pingback: Most Wanted Wordpress Tips, Tricks and Hacks « Online Free Applications Software Tips Tools Wallpapers
monn (2 comments.) on May 18, 2009 at 3:06 pm.
I’m using version 0.3 and when I’m scanning with “search files only” or “files and database” it redirects me to a Russian site “http://gpt0. ru/default .cgi”
That site seems to be offline, but do I have a problem???
“database only” gives a hooray
Could you help me?
THX!
Donncha (1707 comments.) on May 18, 2009 at 3:12 pm.
That’s weird, and yes, I’d say you have a problem! If you can login to your server, use “grep” to search through it for that site’s url.
monn (2 comments.) on May 20, 2009 at 12:53 pm.
Thx for the tip, but it seems that I can’t use grep on my server (non-Linux).
Weird thing is, your scanner works in IE, no bad scripts found; only in Firefox does the redirection occur??? Could FF be the problem?
Searching for the Russian URL gave me a site which probably hosts “free virus scanner software”. The one you don’t want…
THX for your time!
John on June 11, 2009 at 12:09 am.
I love this plugin. Since my hosting is on linux, I am very stressed out as I don’t know any antivirus solution for this, at least not one that can work with a shared hosting plan. The wordpress exploit scanner just made my life better especially since most of my sites are wordpress powered.
I want to suggest that future versions should have external definition files with malware code and maybe even auto-update features.
tiara (1 comments.) on February 12, 2010 at 8:25 pm.
thanks for this plugin! I used it for all my blogs and found a few suspicious files. tsk tsk.
Srikanth AD (1 comments.) on June 28, 2010 at 1:04 pm.
The AntiVirus plugin does a daily virus scan for wordpress, really helpful. Is there a way to manually scan wordpress for a malware?
Pingback: Hackers on smack | John M. Ryan