Unhacking a Hacked WordPress Site

A collection of commands to help you determine if you’ve been hacked, the same commands can be used to find obfuscated code and dangerous php in any other CMS system such as Joomla or Drupal.

Firstly we’ll check for long strings in various ways

Run the following command to get a list of all the files containing strings that are longer than 62 alphanumeric characters:

grep -r --include=*.php -e '[[:alnum:]]\{63,\}'

Now to find all the PHP files that contain alphanumeric characters including forward slashes and plus signs that are longer than 136 characters you just need to run the following command:

grep -r --include=*.php -e '[[:alnum:]\/\+]\{137,\}'

For core JavaScript files, the maximum size of an alphanumeric string is 150 characters, and that of an alphanumeric string with pluses and forward slashes is 480. Which means that we will need to run the below commands to get those potentially malicious JavaScript files:

grep -r --include=*.js -e '[[:alnum:]]\{150,\}'
grep -r --include=*.js -e '[[:alnum:]\/\+]\{481,\}'

Next step is to make sure that we don’t have any php files in upload dir

find wp-content/uploads/ -type f -not -name "*.jpg" -not -name "*.png" -not -name "*.gif" -not -name "*.jpeg"

Lets continue, next we will look for dangerous php commands

find . -type f -name '*.php' | xargs grep -l "eval *(" --color

find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color

find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color

find . -type f -name '*.php' | xargs egrep -i "(fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\(" --color

Published by Nimpen J. Nordström

System Developer and Network Security Enthusiast

Leave a comment

Your email address will not be published. Required fields are marked *