
Wordpress Exploit Scanner Helps Administrators Scan Their Database For Malicious Files

By Karl L. Gechlik on Nov. 3rd, 2009

I wrote a while back about how my personal blog got hacked due to my negligence. Long story short, I had not upgraded my version of Wordpress to the latest and greatest iteration and I got slammed. Now that the problems have been fixed and the dust has settled, how do you know whether your installation or site is compromised? Well, you really won’t unless you go and check everything by hand, and with over 2000 posts that can be quite tedious. I have found a Wordpress Exploit Scanner that should do the heavy lifting for you. Let’s check it out.

Go ahead and download the plug-in files and either upload them via FTP or use the automatic plug-in uploader in your Wordpress wp-admin console. You can see my experience below. I logged in to WP-admin and hit the plug-ins menu option on the left hand side. Then I clicked Add. I chose the upload option and pushed the browse button. After navigating to the directory where I had downloaded the Wordpress exploit scanner plugin, I was able to hit the Install now button.


While it is installing you can see its progress on your screen like so.


Hit the ‘Activate plugin’ button and you are ready to go. You can verify that the plugin is actually active by scrolling through the active plugin list. It should look like this:


Once it is successfully active, you will have a new menu item listed directly under your Dashboard menu item. Click on it to get down to business.


Once you click on the link for the Wordpress exploit scanner, it will start querying your database for all of your files. What it checks is as follows:

  1. Modified Core Wordpress File – this is when a hacker modifies system files to have Wordpress do their bidding like injecting code into posts or even serving up malware. You need to be very cautious about this. Thankfully, this came up as Hooray! None of your core wordpress files have been modified! I am thankful for things like this as I will not have to reinstall Wordpress!
  2. Suspicious strings. It searches for iFrames – unfortunately I use iFrames on my site for various reasons so I had to scrutinize the entries below. Hackers use iFrames to inject content or ads into your site.


I read through the 1500 entries or so with iFrames and thankfully they were all pointing right back at my site. The attack that I corrected before had actually injected these iFrames into my site to show my users Viagra ads! Freaking hackers! It actually got me unlisted briefly from Google Searches. But after going over my results with a fine-tooth comb, I am at ease.
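As an added illustration (not the plugin's own code), the two checks described above can be reproduced in a small Python script: a hash comparison of core files against a baseline taken from a known-clean copy of the same release, and a pass over post HTML that flags only iframes pointing at a host other than your own, which is the scrutiny step I had to do by hand. The file names, hosts and sample post are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches <iframe ... src=...> in post HTML (double-, single- or unquoted src).
IFRAME_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Constructed post body: one iframe back to the site itself, one to a foreign host.
SAMPLE_POST = ('<p>Hi</p><iframe src="http://myblog.example/embed"></iframe>'
               "<IFRAME SRC='http://ads.example.net/x' width=1 height=1></IFRAME>")

def build_baseline(root: Path) -> dict:
    """Hash every file under a known-clean install; keys are relative POSIX paths."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def check_core_files(root: Path, baseline: dict) -> dict:
    """Compare a live install against the baseline; report 'modified' or 'missing'."""
    findings = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            findings[rel] = "missing"
        elif hashlib.sha256(p.read_bytes()).hexdigest() != expected:
            findings[rel] = "modified"
    return findings

def suspicious_iframes(post_html: str, own_host: str) -> list:
    """Return iframe src values that point at a host other than the site's own."""
    hits = []
    for src in IFRAME_RE.findall(post_html):
        host = urlparse(src).hostname
        # Relative URLs have no host and stay on the site; a foreign host is flagged.
        if host is not None and host.lower() != own_host.lower():
            hits.append(src)
    return hits

def demo_core_check() -> dict:
    """Constructed mini install: one file tampered with and one deleted after baselining."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-includes").mkdir()
        (root / "wp-login.php").write_text("<?php // clean login form\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'X.Y.Z';\n")
        baseline = build_baseline(root)
        (root / "wp-login.php").write_text("<?php // tampered after baseline\n")
        (root / "wp-includes" / "version.php").unlink()
        return check_core_files(root, baseline)
```

Build the baseline from a fresh download of the same Wordpress version, not from the live site, or a file modified before you started will be baked into the baseline as "clean".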

Did your search result in any unexpected modified files or some nasty code injected? We would love to hear about it and I would love to lend my expertise in helping out hacked Wordpress owners.

Hit us up in the comments, bloggers – We are here for ya! The plugin author’s website can be found here.

Wordpress Exploit Scanner


Karl Gechlik is a superhero of the IT industry. His days are spent monitoring and maintaining systems on Wall Street. He helps people with their technical issues for free over at AskTheAdmin.com. You can follow him on Twitter.


2 Comments

2009-11-03 08:40:02
operat0r

I would bet you get owned; Wordpress is always having issues. If you have r00t, I would look into IDS and mod_security. With one mod_security file you can block all the bots:
http://www.binrev.com/forums/index.php/topic/34774-apache-limit-max-connections-per-ip-and-friends/

2009-11-03 13:12:23
Hacked

We make it our job to fight this sort of thing. http://www.hackersmart.com. Keep on educating folks!

