WordPress Exploit Scanner Is Here

By Gib@CBO • June 27th, 2008

Are you a WordPress.org user? Are all your files safe? Have they been hacked?

This plugin searches the files and database of your website for signs of suspicious activity. It will not stop someone hacking into your site, but it may help you find any uploaded or compromised files left by the hacker.

When a website is compromised, hackers leave behind scripts and modified content that can be found by manually searching through all the files on a site. Some of the methods used to hide their code or spam links are obvious, like using CSS to hide text, and we can search for those strings.

The database can also be used to hide content or be used to run code. Spam links are sometimes added to blog posts and comments. They’re hidden by CSS so visitors don’t see them, but search engines do. Recently, hackers took advantage of the WP plugin system to run their own malicious code. They uploaded files with the extensions of image files and added them to the list of active plugins. So, despite the fact that the file didn’t have a .php file extension, the code in them was still able to run!

This plugin searches through your site and attempts to find those changed files and db records.

[Screenshot: exploit-scanner admin page]

You can find the Scanner admin page linked off the Dashboard. This is the screen you’ll see. You can search in numerous ways:

  1. Files and database.
  2. Files only.
  3. Database only.
  4. Search files by custom keyword.

All fairly self-explanatory, I think. The custom keyword form allows you to search your files for whatever you like. Be careful with that one, because a search for a common keyword like “php” will take ages and generate an extremely long list of files.

Warning! Searching through the files on your site will take some time. Even a clean WordPress install with no plugins will probably take a noticeable length of time. It’s also heavy on your server. Only run the file check when your server is idling and not busy.

Download

Version 0.1: exploit-scanner.0.1.zip
Version 0.1 MD5: 6a88a18a37c4add7dabd72fc97be13b6

Install

  1. Download and unzip the plugin.
  2. Copy the exploit-scanner directory into your plugins folder.
  3. Visit your Plugins page and activate the plugin.
  4. A new menu item called “Exploit Scanner” will be made off the Dashboard.

Security

Security is an important issue, of course. If this plugin were somehow writable by the webserver, it could be modified. For that reason it displays an md5 checksum of itself. That checksum is listed above, and also in the README file in the plugin zip file. Compare the checksums if you’re paranoid. If you’re really paranoid, run the script through md5sum just in case!

It also uses file checksums to rule out some false positive results, which is one reason why a specific version of WordPress is needed. Newer versions of WordPress may create more false positive results.
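To make the checks described above concrete, here is a small added Python example (not the Exploit Scanner plugin's own code) that runs three of them over constructed sample data: active-plugin entries that are not .php files, file contents that hide links with CSS or carry obfuscated PHP, and md5 comparison against a known-good manifest, which also suppresses content findings for files that match. The file contents, the manifest and the `active_plugins` value are all constructed for the example.

```python
import hashlib
import re

# Constructed sample of a WordPress tree: relative path -> file contents.
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '2.5.1';\n",
    "wp-admin/index.php": "<?php\nrequire_once('admin.php');\ninclude('/tmp/.x');\n",
    "wp-content/uploads/logo.gif": "GIF89a<?php eval(base64_decode('QUJD')); ?>",
    "wp-content/themes/x/footer.php":
        '<div style="display:none"><a href="http://spam.example/">buy now</a></div>',
}

# Constructed "known good" manifest (path -> md5 of the pristine file), standing
# in for the per-version checksum list the plugin relies on.
PRISTINE = {
    "wp-includes/version.php": "<?php\n$wp_version = '2.5.1';\n",
    "wp-admin/index.php": "<?php\nrequire_once('admin.php');\n",
}
KNOWN_GOOD = {p: hashlib.md5(c.encode()).hexdigest() for p, c in PRISTINE.items()}

# Constructed, already-unserialized value of the `active_plugins` option.
ACTIVE_PLUGINS = ["hello.php", "../uploads/logo.gif"]

HIDDEN_CSS = re.compile(r'style\s*=\s*"[^"]*(display\s*:\s*none|visibility\s*:\s*hidden)', re.I)
OBFUSCATED = re.compile(r'\b(eval|base64_decode|gzinflate)\s*\(', re.I)

def non_php_active_plugins(active):
    """Active-plugin entries without a .php extension: the image-file trick described above."""
    return [p for p in active if not p.lower().endswith(".php")]

def checksum_mismatches(files, known_good):
    """Paths whose md5 differs from the known-good manifest (modified core files)."""
    return sorted(p for p, h in known_good.items()
                  if p in files and hashlib.md5(files[p].encode()).hexdigest() != h)

def scan_files(files, known_good):
    """Content checks; a file matching its known-good checksum is skipped to cut false positives."""
    findings = []
    for path, content in files.items():
        if known_good.get(path) == hashlib.md5(content.encode()).hexdigest():
            continue
        if "<?php" in content and not path.lower().endswith(".php"):
            findings.append((path, "php-in-non-php-file"))
        if OBFUSCATED.search(content):
            findings.append((path, "obfuscated-code"))
        if HIDDEN_CSS.search(content) and "<a " in content.lower():
            findings.append((path, "hidden-css-link"))
    return sorted(findings)
```

On a real install you would read the files from disk and the `active_plugins` row from `wp_options`, and build the manifest from a pristine copy of the same WordPress version.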

Thanks to Holy Shmoly!

  1. Rodney Olsen posted the following on June 28, 2008 at 5:39 am.

    I’ve just bestowed upon you the honour of the Arte y Pico Award. Check my blog for details.

  2. bigdadgib posted the following on June 28, 2008 at 8:30 am.

    Thanks Rodney… I think
    I’ll check it out.
    BigDadGib

  3. bigdadgib posted the following on June 29, 2008 at 11:26 pm.

    Nice Job
