A collection of useful Linux commands for cleaning malware from WordPress sites


I recently sat down to clean a server hosting a bunch of old WordPress sites. You can imagine what that looked like - about a third of them were hacked in every way imaginable. I encountered bitcoin miners, post injections and mass emailers.

I realized that one type of malware produced files named lndex.php (with an l, not an i), master.php, security.php and cache.php.

This command will search for the specific file name:

find . -name 'lndex.php'

Here is how to check for all of these in one command:

find . \( -name 'lndex.php' -o -name 'master.php' -o -name 'security.php' -o -name 'cache.php' \)

Bear in mind that some of these may be legitimate files from your plugins, so you need to inspect them for suspicious code (base64 blobs, binary content, etc.) before removing anything.

Another way of finding suspicious files is to list which files have changed in, say, the last 10 days (-ctime matches the inode change time, which, unlike the modification time that touch can alter, cannot be backdated by an intruder):

find ./ -ctime -10

To find *.php files that were modified between two points in time:

find . -name '*.php' -newermt 2014-08-27 ! -newermt 2014-08-30

Find and remove *.php files (for example in a folder where they do not belong, such as your uploads folder). Warning! Dangerous! Make sure you are in the wp-content/uploads folder first!

find . -name '*.php' -exec rm -rf {} \;

Or, if you want to run this from a directory holding the roots of several sites, restrict the match to each site's uploads folder (the names are passed null-separated so that file names containing spaces are handled safely):

find . -path '*/wp-content/uploads/*' -name '*.php' -type f -print0 | xargs -0 rm -f

One of the hacks I've found ran '/usr/bin/host', preloading a hacked library. Nasty (but creative) stuff. I used this command to find all PHP files containing the string '/usr/bin/host':

grep -ri --include=*.php "/usr/bin/host" ./

In most cases I decided to delete the infected folders/plugins and re-install them where needed.
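As an added example (not code from the original post), here is a shell script that folds the find and grep checks above into a single read-only audit over one or more site roots, printing a tagged report instead of deleting anything; the wp_audit function name and the report format are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit that runs the
# post's find/grep checks over a directory tree and prints a tagged report
# instead of deleting anything. Usage: wp_audit /var/www [DAYS]; exit 0 = clean.

# Print one tagged line per suspicious file under $1. $2 = ctime window in days.
wp_audit_report() {
    root=$1; days=${2:-10}

    # Known lookalike names from the post (lndex.php with an l, master.php, ...).
    # Legitimate plugins can ship files with these names, so treat hits as leads.
    find "$root" -type f \( -name 'lndex.php' -o -name 'master.php' \
        -o -name 'security.php' -o -name 'cache.php' \) \
        -exec printf 'NAME   %s\n' {} +

    # wp-content/uploads should hold media only; any PHP there is out of place.
    find "$root" -type f -path '*/wp-content/uploads/*' -name '*.php' \
        -exec printf 'UPLOAD %s\n' {} +

    # PHP files whose inode changed recently. ctime, unlike mtime, cannot be
    # reset with touch, so a backdated mtime does not hide a dropped file here.
    find "$root" -type f -name '*.php' -ctime "-$days" \
        -exec printf 'RECENT %s\n' {} +

    # PHP files containing the string the post's intruder used to load a
    # hijacked library through /usr/bin/host. -F keeps the pattern literal.
    find "$root" -type f -name '*.php' -exec grep -lF '/usr/bin/host' {} + \
        | sed 's/^/STRING /'
}

# Wrapper: print the report and return 1 if anything was flagged, 0 if clean.
wp_audit() {
    report=$(wp_audit_report "$@")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Every flagged file is still only a lead: open it and check for base64 blobs or other injected code before deciding to remove it.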

Sometimes you need to find out what a certain process (one that is eating too much CPU, for example) is doing:

strace -p PID

This filters the trace to the open and close system calls, raises the string length printed per argument to 80 characters and writes the output to a file:

strace -e open,close -s 80 -o log.txt -p PID

I remember having a particularly strong negative sentiment towards hackers as I was going through all this (to put it mildly). As a result of the entire experience I told myself that the next big feature we integrate into ManageWP would be a suite of carefully executed security tools that will help automate this process, in the same way we automated updates or backups. People should really not have to go through all this.


Posted in: WordPress

5 Comments

  1. Sep 14th, 2014 9:08 AM

    It's a very fascinating and very interesting post, thanks for sharing such an informative post.

  2. Sep 10th, 2014 9:35 PM

    Some interesting file names, and the "l"ndex is a good pointer; however, that will fleetingly change as often as it gets detected. I get a file change warning from my security plugin each time that happens (to my chagrin, using a caching plugin at the same time means 99% of changes are actually harmless, frequent and intentional, yet at least I get notified). I noticed another interesting thing: I get a lot (a lot!) of site lockout notifications during the first months of setting up a new WP site, then suddenly it drops to near zero. This to me seems to indicate there is a finite number of hackers that eventually all get locked out, not, as I used to think, an infinite number ...

    • Sep 11th, 2014 9:38 AM

      I am aware that file names are not fixed in nature, and the purpose of this post is to demonstrate the use of Linux commands, not to provide step-by-step malware removal instructions. Interesting info on what happens on your new sites though.

  3. Sep 8th, 2014 9:15 PM

    Great technical tips for cleaning up malware on WordPress sites. I run a few of these and will definitely keep these commands in mind if I ever get hacked.

    • Sep 11th, 2014 9:38 AM

      Thanks, glad it was of help for you.