
Going through a WordPress site that hasn't been updated in over a year. It's so severely infected that even the Wordfence and Security plugins say it's fine. So I'm going through the file structure manually.

File by file, folder by folder manually searching for infected files. This is the most tedious thing I've had to do. But I'm learning some really interesting tips. One file looked empty and I almost missed it because the code had been tabbed over a few hundred times, clearing it way off to the right of the screen.

Comments
  • 1
    I had to do the same thing with a Joomla site. Found a dozen FilesMan Trojans in different directories.
  • 1
    Run some greps for sketchy code you find, most have commonalities
  • 0
    @nerd that's exactly what I did.
  • 0
    What I then did was save the theme and manually went through those, and reinstalled the whole CMS as I didn't trust that there weren't more types that I couldn't find.
  • 1
    Get a clean version of your plugins and core from the repo, manually clean your db, uploads and theme.
  • 2
    One tip would be to grep looking for all files with base64 or 46esab
  • 2
    This is the first time I've had to manually do a server so I am running some grep commands now that I have some commonalities. I used to do this with viruses on desktops all the time so I have some idea what I'm looking for.

    Definitely learning a lot right now though too.
  • 0
    @sylar182 good luck. It's a pain in the ass.
  • 2
    3 hours in, discover the guy before me built the site in two separate locations on the server and the one being used is not the one in the root/the one I was working on.
  • 1
    Ouch, that's a painful thing to discover after 3 hours. Something you may want to investigate for preventing future breaches is suhosin - at work I set it up to scan files posted via PHP, and drop them if they contain PHP opening tags or various commands (I can't think of any legit reason for allowing PHP code to be in a post file upload).
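The grep sweep suggested in the comments above (base64 / 46esab, FilesMan) combined with the whitespace-padding trick from the original post, as an added example; this is not code from any commenter. It assumes GNU grep (for `--include` and `-I`), takes the web root as its argument, and the indicator list (including `gzinflate`, which the thread does not mention but commonly accompanies the others) is my own choice.

```shell
#!/bin/sh
# Added example: indicator sweep over a PHP web root using only grep and sed.
# Assumptions (not from the thread): GNU grep, web root passed as $1, and the
# indicator list below is the editor's selection.

# Print one line per suspicious file, prefixed with the reason:
#   indicator: <path>  -> contains base64_decode, its reversed form "46esab",
#                         the FilesMan webshell marker, gzinflate, or eval(
#   padded:    <path>  -> contains a run of 100+ whitespace characters followed
#                         by code (the "tabbed off the screen" trick)
scan_webroot() {
    root="$1"

    # 1. String indicators that webshells and injected droppers commonly use.
    #    -r recurse, -I skip binaries, -l list each file once, -E extended regex.
    grep -rIlE --include='*.php' \
        'base64_decode|46esab|FilesMan|gzinflate|eval[[:space:]]*\(' \
        "$root" 2>/dev/null | sed 's/^/indicator: /'

    # 2. Code hidden behind hundreds of tabs or spaces so the line looks empty
    #    in an editor. A run of 100+ whitespace characters followed by a
    #    non-whitespace character almost never occurs in legitimate PHP.
    grep -rIlE --include='*.php' \
        '[[:space:]]{100,}[^[:space:]]' \
        "$root" 2>/dev/null | sed 's/^/padded: /'
}

# Usage: scan_webroot /var/www/html | sort
# Review every hit by hand; plugins that legitimately call base64_decode
# (e.g. for image data) will show up, so the list is a starting point for
# the manual pass described in the post, not a verdict.
```

Compare hits against a fresh copy of WordPress core and the plugins from the repository, as another commenter suggests: any file that differs from the pristine copy, or that exists only on the server, deserves a look regardless of whether grep flagged it.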