The truth of life is that a site can be hacked sooner or later. After successfully exploiting a vulnerability, the hacker tries to gain a foothold on the site by placing web shells and downloaders in system directories and introducing backdoors into the script code and the CMS database.

Scanners help detect uploaded web shells, backdoors, phishing pages, spam mailers and other types of malicious scripts: everything they know about and that has been added to the malicious-code signature database in advance. Some scanners, such as AI-BOLIT, have a set of heuristic rules that can detect files with suspicious code often used in malicious scripts, or files with suspicious attributes that hackers may have uploaded. But unfortunately, even when several scanners are used on the hosting, there can be situations where some hacker scripts remain undetected, which in effect means the attacker keeps a "back door" and can hack the site and gain full control over it at any moment.

Modern malware and hacker scripts are significantly different from those of 4-5 years ago. Currently, malicious code developers combine obfuscation, encryption, decomposition, external loading of malicious code, and other tricks to fool antivirus software. Therefore, the likelihood of missing new malware is much higher than before.

What can be done in this case to more effectively detect viruses on the site and hacker scripts on the hosting? It is necessary to use an integrated approach: initial automated scanning and further manual analysis. This article will discuss options for detecting malicious code without scanners.

First, let's look at what exactly you should look for during a hack.

  • Hacker scripts.
    Most often the files uploaded during a hack are web shells, backdoors, "uploaders", scripts for spam mailings, phishing pages with their form handlers, doorways and hack marker files (images with the hacker group's logo, text files with a "message" from the hackers, and so on).
  • Injections (code injections) into existing files.
    The second most popular type of malicious and hacker code on a hosting is injections. In existing site files, .htaccess can receive mobile and search redirects, php/perl scripts can receive backdoors, and .js and .html templates can receive viral JavaScript fragments or redirects to third-party resources. Injections are also possible in media files, for example .jpg. Often the malicious code consists of several components: the malicious code itself is stored in the EXIF header of a .jpg file, but it is executed by a small control script whose code does not look suspicious to a scanner.
  • Database injections.
    The database is the third target for a hacker. Static inserts are possible here which redirect visitors to third-party resources, "spy" on them, or infect the visitor's computer or mobile device by means of a drive-by attack.
    In addition, in many modern CMS (IPB, vBulletin, MODX, etc.) the template engine allows executing PHP code, and the templates themselves are stored in the database, so the PHP code of web shells and backdoors can be embedded directly in the database.
  • Injections in caching services.
    As a result of an incorrect or unsafe configuration of caching services, for example memcached, injections into cached data "on the fly" are possible. In some cases a hacker can inject malicious code into a site's pages without directly hacking the site.
  • Injections into, or infected, server system components.
    If a hacker has gained privileged (root) access to the server, he can replace elements of the web server or caching server with infected ones. Such a web server will, on the one hand, give control over the server through control commands and, on the other hand, from time to time insert dynamic redirects and malicious code into the site's pages. As with an injection into a caching service, the site administrator will most likely be unable to detect that the site has been hacked, since all the files and the database remain original. This variant is the most difficult to treat.

    So, let's assume that you have already checked the files on the hosting and the database dump with scanners, but they found nothing, and the virus is still on the page or the mobile redirect keeps working when pages are opened. How to search further?

    Manual search

    On unix it is hard to find a more valuable pair of commands for finding files and fragments than find and grep.

    find . -name '*.ph*' -mtime -7

    will find all files changed in the last week. Sometimes hackers "twist" the modification date of scripts so that new scripts are not detected. Then you can search for php/phtml files whose attributes (inode change time) have changed

    find . -name '*.ph*' -ctime -7

    If you need to find changes within a certain time interval, you can use the same find

    find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls

    For searching inside files, grep is indispensable. It can search recursively through files for a given fragment

    grep -ril 'stummann.net/steffen/google-analytics/jquery-1.6.5.min.js' *

    When a server has been hacked, it is useful to analyse files that have the suid/sgid bit set

    find / -perm -4000 -o -perm -2000

    To determine which scripts are running at the moment and loading the hosting CPU, you can call

    lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` | grep vhosts | grep php
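    The find checks above, as an added example (not code from the original article), run over a constructed sample site in a temporary directory; the file names, the 2014/2015 timestamps and the suid bit on one file are assumptions for the demo. The window check uses POSIX -newer with two reference files in place of GNU find's -newermt, so it also runs where -newermt is unavailable.

```shell
#!/bin/sh
# Added example, not code from the original article: runs the find checks
# described above over a constructed sample site in a temporary directory.
# Assumes GNU or BSD find (-mtime, -ctime, -newer, -perm) and POSIX touch -t.

# Construct a sample webroot: a legitimate script last edited in 2014, a
# script written just now, and a "backdated" script whose mtime was pushed
# back to January 2015 the way a hacker would fake it. touch -t rewrites
# mtime, but the kernel always stamps ctime (inode change time) with "now".
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/includes"
    printf '<?php echo "legit";\n'     > "$site/includes/old.php"
    printf '<?php echo "fresh";\n'     > "$site/includes/new.php"
    printf '<?php echo "backdated";\n' > "$site/includes/backdated.php"
    touch -t 201406010000 "$site/includes/old.php"
    touch -t 201501270000 "$site/includes/backdated.php"
    chmod 4755 "$site/includes/new.php"   # assumed suid bit for the -perm check
    printf '%s' "$site"
}

# find . -name '*.ph*' -mtime -7: scripts whose content changed in the last
# week. The backdated file slips through this check.
recent_mtime() {
    (cd "$1" && find . -name '*.ph*' -mtime -7 | LC_ALL=C sort)
}

# find . -name '*.ph*' -ctime -7: scripts whose inode changed in the last
# week. A faked modification date does not hide a file from this one.
recent_ctime() {
    (cd "$1" && find . -name '*.ph*' -ctime -7 | LC_ALL=C sort)
}

# Scripts modified inside a date window ($2..$3 as touch -t timestamps).
# The article uses GNU find's -newermt 2015-01-25 ! -newermt 2015-01-30;
# POSIX find has no -newermt, so two reference files carry the boundaries.
changed_between() {
    from=$(mktemp); to=$(mktemp)
    touch -t "$2" "$from"
    touch -t "$3" "$to"
    (cd "$1" && find . -name '*.ph*' -newer "$from" ! -newer "$to" | LC_ALL=C sort)
    rm -f "$from" "$to"
}

# find / -perm -4000 -o -perm -2000: files carrying the suid or sgid bit.
# The parentheses keep -type f applied to both alternatives.
setuid_files() {
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort)
}

# Stand-alone run: build the sample and print what each check reports
demo_site=$(make_sample_site)
echo "mtime -7:";  recent_mtime "$demo_site"
echo "ctime -7:";  recent_ctime "$demo_site"
echo "2015-01-25..30:"; changed_between "$demo_site" 201501250000 201501300000
echo "suid/sgid:"; setuid_files "$demo_site"
rm -rf "$demo_site"
```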

    Analysing files on the hosting by hand

  • Go into the upload, cache, tmp, backup, log and images directories, into which scripts write or users upload something, and check their contents for new files with suspicious extensions. For example, for Joomla you can check for .php files in the images directory: find ./images -name '*.ph*'. Most likely, anything found there will be malware.
    For WordPress, it makes sense to check the wp-content/uploads directory and the backup and cache directories of themes for scripts.
  • Look for files with strange names
    For example, fyi.php or n2fd2.php. Files can be searched for
    • by non-standard combinations of characters,
    • by the presence of the digits 3, 4, 5, 6, 7, 8, 9 in the file name.
  • Look for files with unusual extensions
    Let's say you have a WordPress site; for it, files with the extensions .py, .pl, .cgi, .so, .c, .phtml and .php3 are not quite ordinary. If scripts and files with these extensions are found, most likely they are hacker tools. Some false positives are possible, but their share is not high.
  • Look for files with non-standard attributes or creation dates
    Suspicion may be raised by files whose attributes differ from the rest of the files on the server. For example, all .php scripts were uploaded via ftp/sftp and belong to the user "user", while some were created by the user www-data. It makes sense to check the latter. The same goes for script files whose creation date is earlier than the site's creation date.
    To speed up the search for files with suspicious attributes, the unix find command is convenient.
  • Look for doorways by a large number of .html or .php files
    If there are several thousand .php or .html files in a directory, this is most likely a doorway.
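    The manual checks in the list above, as an added example (not code from the original article), written as find/grep functions and run over a constructed WordPress-like tree; the file names, the "unusual extension" list and the doorway threshold are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: the manual checks above
# expressed as find/grep functions and run over a constructed WordPress-like
# tree. The file names, the doorway threshold and the "unusual" extension
# list are assumptions made for this demo.

make_sample_wp() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2015/01" "$site/wp-content/themes/demo" \
             "$site/cache" "$site/promo"
    printf '<?php // legitimate theme file\n' > "$site/wp-content/themes/demo/functions.php"
    printf '<?php // digit in the name\n'     > "$site/wp-content/themes/demo/inc4.php"
    printf '<?php // script among uploads\n'  > "$site/wp-content/uploads/2015/01/n2fd2.php"
    printf '<?php // very short name\n'       > "$site/wp-content/uploads/fyi.php"
    : > "$site/wp-content/uploads/2015/01/photo.jpg"
    printf 'print("x")\n' > "$site/cache/sess.py"
    # a directory stuffed with generated pages, as a doorway leaves behind
    i=0
    while [ "$i" -lt 30 ]; do : > "$site/promo/page$i.html"; i=$((i + 1)); done
    printf '%s' "$site"
}

# 1. Scripts inside directories that should hold only data (uploads, cache, ...)
scripts_in_data_dirs() {
    (cd "$1" && find ./wp-content/uploads ./cache -type f -name '*.ph*' | LC_ALL=C sort)
}

# 2. Strange script names: a digit 3-9 anywhere in the name, a name made only
#    of consonants and digits, or a name of one to three characters.
#    Short legitimate names (db.php) will show up too; the text accepts a
#    low rate of false positives here.
odd_script_names() {
    (cd "$1" && find . -type f -name '*.php' |
        grep -E '/([^/]*[3-9][^/]*|[bcdfghjklmnpqrstvwxyz0-9]{3,}|[a-z0-9]{1,3})\.php$' |
        LC_ALL=C sort)
}

# 3. Extensions that are unusual on a WordPress host
unusual_extensions() {
    (cd "$1" && find . -type f \( -name '*.py' -o -name '*.pl' -o -name '*.cgi' \
        -o -name '*.so' -o -name '*.c' -o -name '*.phtml' -o -name '*.php3' \) | LC_ALL=C sort)
}

# 4. Directories holding more than $2 .html/.php files: doorway candidates.
#    The article's threshold is "several thousand"; the demo uses a small one.
doorway_dirs() {
    (cd "$1" && find . -type f \( -name '*.html' -o -name '*.php' \) |
        sed 's|/[^/]*$||' | LC_ALL=C sort | uniq -c |
        awk -v lim="$2" '$1 > lim { print $2 }')
}

# Stand-alone run over the constructed tree
demo_wp=$(make_sample_wp)
echo "scripts in data dirs:"; scripts_in_data_dirs "$demo_wp"
echo "odd names:";            odd_script_names "$demo_wp"
echo "unusual extensions:";   unusual_extensions "$demo_wp"
echo "doorway candidates:";   doorway_dirs "$demo_wp" 20
rm -rf "$demo_wp"
```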
  • Logs to the rescue

    Web server, mail service and FTP logs can be used to detect malicious and hacker scripts.

    • Correlating the date and time a message was sent (found in the mail server log or in the service headers of a spam message) with the requests in access_log helps identify the spam-sending method or find the spam sender's script.
    • Analysing the FTP transfer log xferlog shows which files were uploaded at the time of the hack, which were changed, and by whom.
    • In a correctly configured mail server log, or in the service headers of a spam message when PHP is configured correctly, there will be the name or full path of the sending script, which helps determine the source of the spam.
    • The logs of the proactive protection in modern CMS and plugins show which attacks were carried out against the site and whether the CMS was able to withstand them.
    • Using access_log and error_log you can analyse a hacker's actions if you know the names of the scripts he called, his IP address or User-Agent. As a last resort, you can look through the POST requests on the day the site was hacked and infected. Often such analysis reveals other hacker scripts that were uploaded or were already on the server at the time of the hack.
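    The access_log analysis described above, as an added example (not code from the original article): awk filters over constructed combined-format log lines that list the POST requests of a given day, the requests hitting scripts under the uploads directory, and everything one client IP did. All IPs, paths and dates are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: small awk filters over
# constructed access_log lines (combined log format) that do what the text
# describes: list the POST requests of the day of the hack, find requests
# hitting scripts in an uploads directory, and pull the rest of one client's
# session by IP. All IPs, paths and dates below are invented for the demo.

SAMPLE_LOG='203.0.113.5 - - [27/Jan/2015:10:14:02 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jan/2015:10:15:40 +0300] "POST /wp-content/uploads/2015/01/n2fd2.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jan/2015:11:02:11 +0300] "GET /wp-content/uploads/2015/01/n2fd2.php HTTP/1.1" 200 88 "-" "curl/7.38.0"
192.0.2.9 - - [28/Jan/2015:09:00:00 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jan/2015:09:05:13 +0300] "GET /wp-content/uploads/2015/01/photo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Field layout of the combined format: $1 ip, $4 "[day:time", $6 "\"METHOD",
# $7 path; the User-Agent is the last quoted string and may contain spaces.

# POST requests logged on a given day (dd/Mon/yyyy): "time path" per line
posts_on_day() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v day="$1" '
        index($4, "[" day ":") == 1 && $6 == "\"POST" { print substr($4, 2), $7 }'
}

# Requests for scripts under an uploads directory: "ip path user-agent".
# The IP and User-Agent are the pivots for reading the rest of the session.
script_hits_in_uploads() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $7 ~ /\/uploads\/.*\.ph/ {
            ua = $0
            sub(".*\" \"", "", ua)   # drop everything up to the last quote-space-quote
            sub("\"$", "", ua)       # and the closing quote
            print $1, $7, ua
        }'
}

# Every request from one client IP: "time method path"
requests_from() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v ip="$1" '
        $1 == ip { print substr($4, 2), substr($6, 2), $7 }'
}

# Stand-alone run: the day of the hack is assumed to be 27 Jan 2015
echo "POST requests on 27/Jan/2015:"; posts_on_day 27/Jan/2015
echo "script hits under uploads:";    script_hits_in_uploads
echo "session of 203.0.113.5:";       requests_from 203.0.113.5
```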

    Integrity control

    It is much easier to analyse a hack and look for malicious scripts on a website if you take care of its security in advance. An integrity check procedure helps to detect changes on the hosting in time and establish the fact of a hack. One of the simplest and most effective ways is to put the site under a version control system (git, svn, cvs). If .gitignore is configured correctly, checking for changes comes down to running git status, and searching for malicious scripts and changed files comes down to git diff.

    You will also always have a backup copy of your files, to which you can "roll back" the site in a matter of seconds. Server administrators and advanced webmasters can use inotify, tripwire, auditd and other mechanisms to track access to files and directories and monitor changes in the file system.

    Unfortunately, it is not always possible to set up a version control system or third-party services on the server. On shared hosting, installing a version control system and system services will not be possible. But that is no problem: there are plenty of ready-made solutions for CMS. You can install a plugin or a separate script on the site that tracks changes in files. Some CMS already implement effective change monitoring and an integrity check mechanism (for example, Bitrix, DLE). As a last resort, if the hosting provides ssh, you can create a reference snapshot of the file system with a shell command.
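    The reference snapshot mentioned above, as an added example (not code from the original article): a sha256sum baseline of the site tree and a comparison that reports added, changed and removed files. The site layout and the simulated tampering are constructed for the demo; sha256sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not code from the original article: a checksum-based reference
# snapshot of the site tree and a comparison against it, the "last resort"
# integrity check for hosts without git. Assumes sha256sum (coreutils), POSIX
# find and awk; the site layout and the simulated tampering are constructed.

# Write "digest  path" for every file under $1 into the baseline file $2.
# The baseline itself must live outside the tree, or it would list itself.
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Compare the tree $1 with baseline $2; prints "added|changed|removed <path>".
compare() {
    now=$(mktemp)
    snapshot "$1" "$now"
    awk 'NR == FNR { base[$2] = $1; next }          # first file: the baseline
         {
             if (!($2 in base))        print "added", $2
             else if (base[$2] != $1)  print "changed", $2
             seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "removed", p }' "$2" "$now" |
        LC_ALL=C sort
    rm -f "$now"
}

# Demo: take a baseline, then simulate what a hack typically leaves behind
demo() {
    site=$(mktemp -d); base=$(mktemp)
    mkdir -p "$site/wp-includes"
    printf '<?php // core\n'  > "$site/wp-includes/load.php"
    printf '<?php // front\n' > "$site/index.php"
    printf 'body {}\n'        > "$site/style.css"
    snapshot "$site" "$base"
    # after the baseline: one core file edited, one script dropped, one file gone
    printf '<?php // core + injected line\n' > "$site/wp-includes/load.php"
    printf '<?php // dropped in\n'           > "$site/wp-includes/cls.php"
    rm -f "$site/index.php"
    compare "$site" "$base"
    rm -rf "$site" "$base"
}

demo
```

    In real use, store the baseline off the host (or at least outside the webroot) so an attacker who has file access cannot refresh it.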


    1. Unpack it into the site folder.
    2. Open the link your_site/fscure/ in the browser.
    3. That's it.

    What can it do?

    1. Automatic search for viruses by signatures.
    2. Search for a string in files.
    3. Deleting files.
    4. Patching malicious code using regular expressions.

    The script will not do all the work for you and requires some minimal knowledge. It is recommended to back up the site before starting.

    How does it work?

    When first launched, it creates an index of files, stored as fscure.lst in the script's folder. It then displays a list of files containing potentially malicious signatures. "Potentially malicious" means that you will have to decide yourself whether it is a virus or not. The list of signatures is configured in the config.php file, in the SCAN_SIGN constant. With the default settings the script does not check .js files and contains no signatures for them.

    Most common problems

    1. The fscure.lst index is not created. This can happen if there are not enough permissions. Set 777 on the fscure folder.

    2. A 5xx error, most often "504 Gateway Time-out". The script does not finish in time and is killed by a timeout. In this case there are several ways to speed it up. Speed depends primarily on the size of the index, which is in the fscure.lst file. Typically a file of up to 5 MB can be processed in 90% of cases. If the script does not finish in time, you can reduce its "greed" by excluding *.jpg;*.png;*.css from scanning in the config.
    In the config.php file:

    // the delimiter is ;
    define("FILES_EXCLUDE", "*.js;*.jpg;*.png;*.css");

    3. The hosting issues a warning like
    (HEX)base64.inject.unclassed.6: u56565656: /var/www/u65656565/data/www/34535335353.ru/fscure/index.php

    There is no virus in the script and there never was. (HEX)base64.inject.unclassed.6 refers to a construction like "echo base64_decode(", which is encountered often and is harmless in itself. However, in the latest version I have replaced this code.

    What to do if you were unable to find the virus yourself?

    You can contact me for help. My rates are modest. I guarantee my work for 6 months. The cost of the work is 800 rubles for 1 site. If there are several sites on your account, the price is determined individually.

    If you managed to do everything yourself, I would be grateful for a financial reward or a link to my site.


    Removing the malicious scripts and eliminating the cause of the hack must be done together. If you eliminate the original cause of the hack (for example, a vulnerability in a CMS extension) but do not remove all the malicious files, the attacker will be able to regain access to the site through one of his scripts. If you remove all the uploaded malicious scripts but do not eliminate the cause of the hack, the attacker will be able to hack the site again and upload scripts to it once more.

    A specialist with the appropriate knowledge and experience should carry out work to remove malicious scripts and analyze the causes of hacking:

    • To remove malicious scripts you need to know the PHP programming language, as well as know popular CMS (Joomla, WordPress, etc.) and their extensions "from the inside". This knowledge is required to tell the scripts of the CMS and its extensions apart from foreign files, and also to determine unambiguously what a dubious script does when one is encountered.
    • To analyze the causes of hacking, server administration experience is required. This is necessary to analyze the state of the files on the account, the time they were changed, and also to compare this data with server logs to determine which actions of the attacker led to the hacking of sites.

    Therefore, if your site has been hacked, it is recommended, in order to avoid repeated hacks, not to do the work yourself, but to contact a specialist who will perform the necessary diagnostics and recommend or take the necessary actions to solve the problem, and who can guarantee the quality of the result obtained.

    However, there are a number of measures that in some cases help restore the safe operation of the site without special knowledge. The limitation of the method below is that resuming the site's operation requires a backup copy created before the hack. If the date of the breach is unknown, you can try this method with the oldest available backup. The second limitation, a consequence of the first, is that after the restoration the data added to the site after the backup was created (for example, new articles, images or documents) will be lost. If you need to restore the site while keeping the new data, you need to contact a specialist.

    These measures do not allow determining the cause of the hack, but each of them is aimed at eliminating one of the potential ways of penetration. Since the exact cause of the hack is unknown, all of them must be performed. The actions are arranged so as to first completely stop the attacker from continuing his activity on the site or hosting account right now, and then to prevent him from getting into the site in the future.

    The steps below assume that you only have one website on your hosting account. If there are several sites on the account, then they could also be hacked, and the site could be hacked through them. It is necessary to either transfer the site with which restoration work is being carried out to a separate account, or carry out restoration for all sites hosted on the account at the same time.

    The order of actions is important, so it is necessary to perform them in the exact order in which they are located below.

  • Immediately after discovering that the site has been hacked, completely block visitor access to it. This will, firstly, prevent the attacker from carrying out malicious activity on the site and, secondly, keep him from interfering with the restoration work. This step is very important, since removing malicious scripts and eliminating the cause of the hack is not instantaneous; as a rule it takes several hours. If the site remains accessible from outside, the attacker will be able to re-upload scripts to the part of the site that has already been cleaned. The attacker can use different IP addresses to connect, so denying access only to a list of IP addresses will not work. To be sure that the site is cleaned of the detected malicious scripts, the attacker's ability to access the site must be blocked completely, which can only be done by closing the site to all visitors. Contact the technical support of the hosting provider that hosts your site to have it blocked.
  • After blocking the site, you need to check the computers from which you were working with the site with a modern antivirus with updated virus databases. If the site was hacked by stealing account passwords using a virus, you must make sure that further work with the hacked site is carried out from a computer that does not have viruses, otherwise after changing the access passwords they may be stolen again.
  • After blocking the site and checking for viruses, you need to change all access passwords to your account: access via FTP, via SSH, as well as access to the hosting control panel. If an attacker accessed account files using one of these methods, once the passwords are changed, they will no longer be able to do so.
  • After changing the passwords, you must terminate all server processes running under the account on which the site is hosted. Background processes launched by the attacker, if not terminated, will be able to place malicious scripts on the site again after the restoration work. To prevent this, all processes that were running before the site was blocked must be terminated. The site should already be blocked at this point so that the attacker cannot launch new processes by calling one of his scripts on the site. To terminate the processes running under your account, contact the technical support of the hosting provider that hosts your site.
  • Now it is impossible to penetrate the site from the outside and you can begin to restore it.
  • Before further actions, delete all existing site files to ensure that there are no malicious scripts or CMS scripts in which the attacker has inserted malicious code. This step is also important because when restoring a site from a backup, files that existed before the restoration are not always deleted. If, after restoring from a backup, old malicious scripts remain on the site, the attacker will be able to re-enter the site. You can avoid this by deleting all site files before performing recovery.
  • After deleting all site files, restore the site from a backup created before it was hacked. Often it is enough to restore only the site files, but if, after restoring them, errors are observed in the site’s operation, it is necessary to restore the site completely: both the files and the database.
  • After restoring from the backup, update the content management system (CMS) and its extensions to the latest versions. This is necessary to rule out known vulnerabilities on the site through which it could be hacked. As a rule, the update can be done through the CMS administration section; for full update instructions, go to the website of the system's developer. It is important to update not only the CMS itself but also all its extensions, since hacks often happen through a vulnerability in one of the CMS extensions (plugins, themes, widgets, etc.). At this point the site still cannot be unblocked for visitors, as it may still be vulnerable. To get access to the site for the update, contact the technical support of the hosting provider that hosts your site and ask them to allow access to the site only from your computer's IP address. You can find out your IP address, for example, at inet.yandex.ru.
  • After updating the site management system and its extensions, go to the site administration section and change the administrator access password to it. Make sure that among the site users there are no other users with administrative privileges (they could have been added by an attacker), and if any are found, delete them.
  • Now that the site has been restored from a backup and contains no malicious scripts, the CMS and its extensions have been updated to the latest versions, which have no vulnerabilities, and the access passwords to the site and hosting account have been changed, you can reopen the site to visitors.
  • All the above actions must be performed in accordance with the specified order, without omissions or any changes. If the actions are performed inaccurately, malicious scripts or vulnerabilities may remain on the site, as a result of which it can be hacked again by an attacker after a short time. If for some reason it is not possible to perform the above steps in the form in which they are indicated, contact a specialist to carry out work to restore the site after a hack.

    To protect your site from repeated hacks in the future, you must adhere to the following recommendations:
  • Keep track of updates to the CMS and extensions for it on the developers' websites and promptly update them to the latest versions. If an update comment states that it fixes a vulnerability, install the update as soon as possible.
  • Work with the site and hosting account only from computers that are protected from viruses by modern antiviruses with constantly updated virus databases.
  • Use complex passwords, so that they cannot be selected by searching through the dictionary.
  • Do not save FTP and SSH passwords in programs for connecting to the site, and do not save the access password to the administrative area of ​​the site and the hosting control panel in your browser.
  • From time to time (for example, once every three months), change the passwords for accessing the site and hosting account.
  • If viruses were detected on the computer from which you were working with the site, change the passwords for accessing the site and hosting account as quickly as possible. You need to change all passwords: access passwords via FTP, SSH, the password from the site’s administrative panel, as well as the password from the hosting control panel.
  • Do not provide access to the site to third parties unless you are confident that they will also follow these guidelines.

    WordPress is one of the most popular content management systems, used for a variety of purposes, from blogging to e-commerce. There is a wide selection of WordPress plugins and themes. It happens that some of these extensions reach webmasters after an attacker has worked on them.

    For his own benefit, he could leave advertising links or code in them with which he will manage your site. Many WordPress users don't have much experience in web programming and don't know how to handle this situation.

    For them, I reviewed nine of the most effective tools for detecting malicious changes in the code of a running website or installed add-ons.

    1. Theme Authenticity Checker (TAC)

    Theme Authenticity Checker (TAC) is a WordPress plugin that scans every installed theme for suspicious elements such as invisible links or Base64-encoded code.

    Having detected such elements, TAC reports them to the WordPress administrator, allowing him to independently analyze and, if necessary, correct the source theme files:

    2. Exploit Scanner

    Exploit Scanner scans all of your site's source files and the contents of the WordPress database for dubious inclusions. Just like TAC, this plugin does not prevent attacks or deal with their consequences automatically.

    It only shows detected symptoms of infection to the site administrator. If you want to remove malicious code, you will have to do it manually:

    3. Sucuri Security

    Sucuri is a well-known WordPress security solution. The Sucuri Security plugin monitors files uploaded to a WordPress site, maintains its own list of known threats, and also lets you scan the site remotely with the free Sucuri SiteCheck scanner. For a subscription fee you can further strengthen your site's security by enabling the powerful Sucuri Website Firewall:

    4. Anti-Malware

    Anti-Malware is a plugin for WordPress that can find and remove Trojan scripts, backdoors and other malicious code.

    Scanning and deletion settings can be customized. This plugin can be used after free registration on gotmls.

    The plugin regularly accesses the manufacturer’s website, transmitting malware detection statistics and receiving updates. Therefore, if you do not want to install plugins on your site that monitor its operation, then you should avoid using Anti-Malware:

    5. WP Antivirus Site Protection

    WP Antivirus Site Protection is a plugin that scans all files uploaded to a site, including WordPress themes.

    The plugin has its own signature database, which is updated automatically via the Internet. It can remove threats automatically, notify the site administrator by e-mail, and much more.

    The plugin is installed and functions for free, but has several paid add-ons that are worth paying attention to:

    6. AntiVirus for WordPress

    AntiVirus for WordPress is an easy-to-use plugin that can scan your site regularly and notify you of security issues by e-mail. The plugin has a customizable "white list" and other functions:

    7. Quterra Web Malware Scanner

    Quterra's scanner checks a website for vulnerabilities, third-party code injections, viruses, backdoors, etc. The scanner has such interesting features as heuristic scanning and detection of external links.

    Basic scanner features are free, while some additional services will cost you $60 per year:

    8. Wordfence

    If you're looking for a comprehensive solution to your website's security problems, look no further than Wordfence.

    This plugin provides ongoing protection for WordPress against known types of attacks, two-factor authentication, support for a “black list” of IP addresses of computers and networks used by hackers and spammers, scanning the site for known backdoors.

    This plugin is free in its basic version, but also has premium functionality, for which the manufacturer requests a modest subscription fee:

    9. Wemahu

    Wemahu monitors changes to your site's code and searches for malicious code.

    The database on which malware is detected is replenished using the crowdsourcing method: users themselves replenish it by sending the results of scanning infected WordPress installations to the website of the plugin author. The plugin also supports sending reports by email and other useful features.

    Malicious code gets onto the site through negligence or malicious intent. The purposes of malicious code vary, but essentially it harms or interferes with the normal operation of a website. To remove malicious code on WordPress, you must first find it.

    What is malicious code on a WordPress site?

    By appearance, most often, malicious code is a set of letters and symbols of the Latin alphabet. In fact, this is an encrypted code by which this or that action is performed. The actions can be very different, for example, your new posts are immediately published on a third-party resource. This is essentially stealing your content. Codes also have other “tasks,” for example, placing outgoing links on site pages. The tasks can be the most sophisticated, but one thing is clear: malicious codes need to be hunted and removed.

    How do malicious codes get onto a website?

    There are many loopholes through which code can get onto a site.

  • Most often these are themes and plugins downloaded from "shady" resources. However, this kind of penetration is typical of so-called encrypted links; explicit code does not end up on the site this way.
  • The penetration of a virus when a site is hacked is the most dangerous. As a rule, hacking a site allows placing not only a "one-time" code but also installing code with malware elements. For example, you find a code fragment and delete it, but it is restored after some time. Again, there are many variants.

    Let me note right away that fighting such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem. The first is to use antivirus plugins, for example a plugin called BulletProof Security.

    This solution gives good results but takes some time. A more radical way to get rid of malicious code, including complex viruses, is to restore the site from a previously made backup copy.

    Since a good webmaster does this periodically, you can roll back to a non-infected version without problems. The third solution is for the rich and lazy: simply contact a specialised "office" or an individual specialist.

    How to Look for Malicious Code on WordPress

    It is important to understand that malicious code on WordPress can be in any file on the site, not necessarily in the active theme. It can arrive with a plugin, a theme, or "home-made" code taken from the Internet. There are several ways to try to find malicious code.

    Method 1: Manually. You scroll through all the site files and compare them with the files of an uninfected backup. If you find someone else's code, delete it.

    Method 2: Using WordPress security plugins. For example, . This plugin has a great feature: scanning site files for the presence of foreign code, and the plugin copes with this task perfectly.

    Method 3. If your hosting has reasonable support and it seems to you that there is someone else on the site, ask them to scan your site with their antivirus. Their report will list all the infected files. Then open these files in a text editor and remove the malicious code.

    Method 4. If you can work with the site directory over SSH, go ahead; that is a separate topic.

    Important! No matter how you search for malicious code, before searching for and then deleting it, close access to the site files (turn on maintenance mode). Remember that some code restores itself when deleted.

    Search for malicious codes using the eval function

    PHP has a function called eval. It executes whatever code is passed to it as a string. Moreover, the code can be encoded. It is because of the encoding that malicious code looks like a jumble of letters and symbols. Two popular encodings are:

    • Base64;
    • Rot13.

    Accordingly, in these encodings a call to eval looks like this:

    • eval(base64_decode(...))
    • eval(str_rot13(...)) // inside the inner quotes there are long, unclear strings of letters and symbols

    The algorithm for searching for malicious code via the eval function is as follows (working from the administrative panel):

    • go to the site editor (Appearance → Editor);
    • copy the functions.php file;
    • open it in a text editor (for example, Notepad++) and search for the word eval;
    • if you find it, don't rush to delete anything. You need to understand what this function is being "asked" to execute. To understand that, the code needs to be decoded. For decoding there are online tools called decoders.

    Decoders/Encoders

    Decoders work simply. You copy the code you want to decrypt, paste it into the decoder field and decode.
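    The eval search and the decoding step above, as an added example (not code from the original article): it finds eval(base64_decode(...)) and eval(str_rot13(...)) calls in PHP files and decodes their arguments locally for reading, without passing anything to PHP. GNU grep, base64 -d, tr and sed -E are assumed; the sample functions.php and its harmless "powered by" payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: locates
# eval(base64_decode(...)) and eval(str_rot13(...)) calls in PHP files and
# decodes their string arguments for reading, without ever executing them.
# Assumes GNU grep (-r, -o, --include), base64 -d, tr and sed -E; the sample
# functions.php, with a harmless "powered by" payload, is constructed here.

# eval( base64_decode( | str_rot13( with optional whitespace
EVAL_CALL_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|str_rot13)[[:space:]]*\('
# the same call followed by its quoted string argument
EVAL_ARG_RE="${EVAL_CALL_RE}[[:space:]]*['\"][^'\"]*['\"]"

# Constructed theme file: one ordinary function plus the two eval forms
make_sample_theme() {
    dir=$(mktemp -d)
    b64=$(printf '%s' 'echo "Powered by Example Theme";' | base64 | tr -d '\n')
    r13=$(printf '%s' 'example_footer_credit();' | tr 'A-Za-z' 'N-ZA-Mn-za-m')
    {
        printf '<?php\n'
        printf 'function demo_setup() { add_theme_support("title-tag"); }\n'
        printf "eval(base64_decode('%s'));\n" "$b64"
        printf 'eval( str_rot13("%s") );\n' "$r13"
    } > "$dir/functions.php"
    printf '%s' "$dir"
}

# "file:line:text" for every eval call wrapping base64_decode or str_rot13
find_eval_calls() {
    grep -rnE --include='*.php' "$EVAL_CALL_RE" "$1"
}

# Decode the argument of each such call; one decoded line per call.
# base64 -d and tr only transform text: nothing here is handed to PHP.
decode_eval_args() {
    grep -rhoE --include='*.php' "$EVAL_ARG_RE" "$1" |
    while IFS= read -r call; do
        # keep only what sits between the quotes
        arg=$(printf '%s' "$call" | sed -E "s/^.*['\"]([^'\"]*)['\"]\$/\\1/")
        case $call in
            *base64_decode*) printf '%s' "$arg" | base64 -d; printf '\n' ;;
            *str_rot13*)     printf '%s\n' "$arg" | tr 'A-Za-z' 'N-ZA-Mn-za-m' ;;
        esac
    done
}

# Stand-alone run over a freshly constructed sample theme
sample=$(make_sample_theme)
echo "eval calls found:"; find_eval_calls "$sample"
echo "decoded arguments:"; decode_eval_args "$sample"
rm -rf "$sample"
```

    Real malware usually nests several layers (gzinflate, str_rot13 inside base64_decode), so repeat the decoding on the output until readable PHP appears, always in a text tool, never in the site's own interpreter.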

    At the time of writing, I did not find a single encoded fragment in WordPress; the code shown is from a Joomla site. In principle there is no difference in understanding the decoding. Let's look at the screenshot.

    As you can see in the screenshot, after decoding, the eval function did not reveal terrible code threatening the security of the site, but an encoded copyright link from the template's author. It can also be removed, but it will come back after updating the template if you don't use .

    In conclusion, I would like to note, so as not to get a virus on the site:

    • Malicious code on WordPress often comes with themes and plugins. Therefore, do not install templates and plugins from "shady", unverified resources, and if you do install them, carefully check them for links and executable PHP functions. After installing plugins and themes from "unofficial" resources, check the site with antivirus software.
    • Be sure to make periodic backups and follow the other precautions.