
How to detect Malicious (Exploit) code on WordPress

July 20, 2011

Posted by Tournas Dimitrios in Wordpress - 3.

With over 30 million blogs running WordPress, it is a major target for spammers; a good example is the "Pharma hack" that surfaced a year ago. The concept is as follows: a bad hacker attacks your blog and embeds malicious (exploit) code into the core files and into the database of your site in order to work evil. Malicious code often looks like long strings of encoded gibberish that act as a backdoor into your website. There is a plugin, Exploit Scanner, that does an incredible job of actually finding this "stuff". It does not remove anything (that is left to the user to do); a good practice would be to make a fresh installation of the core files, drop the database and recover the content from a previous backup. You have a backup policy, do you???

Unfortunately it's impossible to catch every hack, and it's all too easy to catch false positives (showing a file as suspicious when in reality it is clean). If you have been hacked, this script may help you track down which files, comments or posts have been modified. On the other hand, if this script indicates your blog is clean, don't believe it. This is far from foolproof.

For the paranoid…

To prevent someone hiding malicious code inside this plugin itself, and to check that the signatures file hasn't been changed, access the control panel of the plugin (Dashboard -> Tools -> Exploit Scanner) and compare the MD5 hash with the original signature on the plugin's home site.

  • Install / enable the plugin
  • To run the scan go to Dashboard -> Tools -> Exploit Scanner
  • As the scan completes, the results are displayed. The 3 levels of results are:
    1) Level Severe: strong indication of a hack or exploit code.
    2) Warnings: not as bad as Severe, but treat with caution.
    3) Notes: lowest priority, results commonly used and probably safe.
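
A minimal sketch of the kind of pattern scan described above, sorting hits into the same three result levels. It is an added example, not Exploit Scanner's code: the rule patterns, the function names `scan_text` and `scan_tree`, and the sample input are assumptions made for illustration.

```python
import base64
import os
import re

# Assumed rules for illustration; these are NOT Exploit Scanner's signatures.
# Ordered from most to least severe.
RULES = [
    ("severe", "eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("warning", "long-encoded-string",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
    ("note", "base64_decode-call",
     re.compile(r"\bbase64_decode\s*\(", re.I)),
]

def scan_text(text):
    """Return (level, rule, line_number) for the most severe rule hit on each line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for level, name, pattern in RULES:
            if pattern.search(line):
                findings.append((level, name, number))
                break  # keep only the highest-severity hit per line
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                # errors="replace" keeps the scan going on files with odd encodings
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_text(handle.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: the encoded blob is harmless placeholder text, not malware.
BLOB = base64.b64encode(b"constructed sample data " * 12).decode()
SAMPLE = "\n".join([
    "<?php",
    "$title = get_the_title();",
    'eval(base64_decode("' + BLOB + '"));',
    '$x = "' + BLOB + '";',
    "$img = base64_decode($row['thumb']);",
])
```

The last sample line is a legitimate use of `base64_decode`, which is why it only rates a note: it shows how easily a pattern scan produces false positives that still need a human look.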

There is criticism of the effectiveness of scanning for malicious code, but my belief is that not all malicious code is cleverly written, and so some basic scanning is indeed somewhat effective. Of course, the most effective way to protect your website is by hardening the security roles on your configuration files. That's a subject for a future article 🙂.
