David Cumberland

(Photographer && Programmer)

My WordPress site has been compromised!

20 February 2020

Ahh, WordPress, powering 35% of all sites on the internet. Love it or hate it, it’s here to stay. While the WordPress core is regularly updated, the plugins and themes, not so much. This is how vulnerabilities are found and exploited.

In my time working in a digital agency on the Gold Coast, we found ourselves on spam blacklists quite frequently (IP Address of our servers), which got me digging into it a little. I found some compromised PHP files, but my regular editor couldn’t pick it up. It just showed the standard <?php tag at the start, but that file was definitely the culprit. So I opened it directly on the server using vi, and sure enough, hidden before the BOM (Byte Order Mark) was a chunk of eval() code blocks with obfuscated code being executed. This is how the attackers were able to send out mass emails that eventually got our server blocked.

In the end, it was a specific popular plugin that was causing this, so we disabled it until an update was available.

I’ve been sitting on these few lines for a few years now, I think it’s now time to share them with the world.

Check for specific code

List all files that have an eval() function in it, we’re only looking at PHP files. If you see something that doesn’t look right, have a look into it.

egrep -lir --include=*.{php,html} "(\{eval\()" .

Check for a common pattern, this should list any files that have been obfuscated – usually files that are using eval( gzinflate( base64_decode() ) ) once decoded.

egrep -lir --include=*.{php,html} "\x65\\\x76" .

If you get any results, review and update using vi or a hexidecimal editor to remove everything before the BOM.

Check File Permissions

This is a big one, if you outsource your development, sometimes the cheaper developers don’t worry/care about best practices and security. What we’re doing now is finding any files or directories that are able to be written to from the outside world (chmod 777 essentially).

find . -type f -perm -a=w -exec find {} -name "*.*" \; 2>&1
find . -type d -perm -a=w -exec find {} -name "*" \; 2>&1

This one searches your entire server, like a WHM server with multiple CPanel Accounts.

find /home -type d -perm -a=w -exec ls -d {} \; 2>&1 | grep "public_html"

If you get any results, review and update.


unsplash-logoTom Pumford