How to search for malicious code in WordPress without antivirus and scanners

The truth of life is that the site sooner or later can crack. After successful exploitation of the vulnerability, the hacker tries to gain a foothold on the site, placing hacker web shells, loaders in the system directories and introducing backdoors into the script code and the CMS database.

To detect malicious code in files and the database, there are specialized solutions – antiviruses and scanners for hosting. They are not so many, of the popular ones are AI-BOLIT, MalDet (Linux Malware Detector) and ClamAv.

Scanners help detect downloaded web shells, backdoors, phishing pages, spam mailers and other types of malicious scripts – all that they know and pre-added to the signature database of malicious code. Some scanners, for example AI-BOLIT, have a set of heuristic rules that allow you to detect files with suspicious code, which is often used in malicious scripts, or files with suspicious attributes that can be downloaded by hackers.

But, unfortunately, even if several scanners are used on hosting, there may be situations when some hacker scripts remain unidentified, which in fact means that the attacker has a “backdoor” and he can hack the site and get full control over him in any moment.

Modern malicious and hacking scripts are significantly different from those that were 4-5 years ago. Now, malware developers combine obfuscation, encryption, decomposition, external loading of malicious code and using other tricks to deceive antivirus software. Therefore, the probability of missing new “malware” is much higher than before.

What can be done in this case for more effective detection of viruses on the site and hacker scripts on the hosting? It is necessary to use an integrated approach: initial automated scanning and further manual analysis. In this article, we’ll talk about options for detecting malicious code without scanners.

First, let’s look at what to look for when hacking.

Hacking scripts.
Most often, when hacking, files that are web shells, backdoors, uploaders, spam mailing scripts, phishing pages + form handlers, doorway files and hacking files (images from the hacker group logo, text files with “Message” from hackers, etc.)

Injection (code injection) in existing files.
The second most popular type of hosting malware and hacker code is injections. Existing site files.htaccess can implement mobile and search redirects, in php / perl scripts they can inject backdoors, into .js and .html templates, to insert virus javascript fragments or redirects to third-party resources. There are also possible injections in media files, for example .jpg or.

Often the malicious code consists of several components: the malicious code itself is stored in the exif-header of the jpg file, but is executed using a small control script, the code of which does not look suspicious for the scanner.

Injection in the database.
The database is the third target for the hacker. There are static <script>, <iframe>, <embed>, <object> static insertions that redirect visitors to third-party resources, spy on them, or infect a visitor’s computer / mobile device as a result of a drive-by attack.

In addition, in many modern CMS (IPB, vBulletin, modx, etc.), templateers allow executing php code, and templates themselves are stored in the database, so php code of web shells and backdoors can be built directly into the database.

Injection in caching services.
As a result of incorrect or unsafe configuration of caching services, for example, memcached, injections into cached data “on the fly” are possible. In some cases, a hacker can inject malicious code into the pages of a site without directly hacking the latter.

Injects / incursions in system components of the server.
If the hacker has been privileged (root) access to the server, he can replace the elements of the web server or caching server with infected ones. Such a web server will, on the one hand, provide control over the server with the help of control commands, on the other – from time to time introduce dynamic redirects and malicious code on the pages of the site.

As with the injection into the caching service, the site administrator will most likely not be able to detect the fact of hacking the site, since all files and the database will be original. This option is the most difficult to treat.

So, suppose that you have already scanned the files on the hosting and the database dump, but they did not find anything, and the virus <script …> is still on the page or the mobile redirect continues to work when you open the pages. How to search further?

Manual Search

In unix, it’s hard to find a more valuable pair of commands for finding files and fragments than find / grep.

find. -name ‘* .ph *’ -mtime -7

will find all the files that have been changed in the last week. Sometimes hackers “twist” the date of change in scripts, so that they do not discover new scripts. Then you can search for php / phtml files that have changed attributes

find. -name ‘* .ph *’ -time -7

If you want to find changes in some time interval, you can use the same find

find. -name ‘* .ph *’ -newermt 2015-01-25! -newermt 2015-01-30 -ls

For searching in files, grep is irreplaceable. It can search for files in a recursive way on the specified fragment

grep -ril ‘’ *

When hacking a server, it’s useful to analyze files that have a guid / suid flag installed

find / -perm -4000 -o -perm -2000

To determine which scripts are running at the moment and load the hosting CPU, you can call

lsof + r 1 -p `ps axww | grep httpd | grep -v grep | awk ‘{if (! str) {str =} else {str = str »,}}} END {print str}’` | grep vhosts | grep php

Use the brain and hands to analyze files on the hosting

We go to the directory upload, cache, tmp, backup, log, images, into which something is written by scripts or loaded by users, and we scan the contents for the presence of new files with suspicious extensions. For example, for joomla, you can check .php files in the images directory: find ./images -name ‘* .ph *’ Most likely, if something is found, it will be harmful.

For WordPress, it makes sense to check the wp-content / uploads, backup and cache directories for scripts.
Looking for files with strange names
For example, php, fyi.php, n2fd2.php. Files can be searched
– by non-standard combinations of symbols,
– the presence of digits 3,4,5,6,7,8,9 in the file name

Looking for files with uncharacteristic extensions
Let’s say you have a site on WordPress or For them files with the extensions .py, .pl, .cgi, .so, .c, .phtml, .php3 will not be quite ordinary. If some scripts and files with these extensions are detected, most likely these will be hacking tools. A percentage of false detections is possible, but it is not large.

Looking for files with non-standard attributes or creation date
Suspicions can cause files with attributes that are different from those existing on the server. For example, all .php scripts were downloaded via ftp / sftp and have a user user, and some are created by www-data. It makes sense to check the latest. Or if the date of the script file creation is earlier than the date of the site creation.

To speed up the search for files with suspicious attributes, it is convenient to use the unix command find.
We are looking for doorways for a large number of .html or .php files
If there are several thousand .php or .html files in the directory, this is likely a doorway.

Logs will help

Logs of the web server, mail service and FTP can be used to detect malicious and hacker scripts.

Correlation of the date and time of sending the letter (which can be found from the log of the mail server or the service header of the spam mail) with requests from access_log helps to identify the way spam is sent or to find the spam mailer script.

Analysis of FTP transfer log xferlog allows you to understand what files were downloaded at the time of hacking, which ones are changed and by whom.
In a properly configured e-mail server log or in the spam mail service header, if the PHP is configured correctly, there will be a name or full path to the sender script, which helps determine the source of spam.

According to the proactive protection logs of modern CMS and plug-ins, you can determine what attacks were performed on the site and whether the CMS managed to resist them.

By access_log and error_log, you can analyze the actions of the hacker if you know the names of the scripts that it called, IP address or User Agent. In extreme cases, you can view POST requests on the day of hacking and infection of the site. Often, the analysis allows you to find other hacker scripts that were downloaded or were already on the server at the time of hacking.

Integrity control

It is much easier to analyze the hacking and look for malicious scripts on the site if you take care of its security in advance. The integrity check procedure helps to detect changes in the hosting on a timely basis and determine the fact of breaking. One of the simplest and most effective ways is to put the site under the version control system (git, svn, cvs). If you correctly configure .gitignore, then the process of monitoring changes looks like calling the git status command, and searching for malicious scripts and modified files is git diff.

Also you will always have a backup of the files to which you can “roll back” the site in a matter of seconds. Server administrators and advanced webmasters can use inotify, tripwire, auditd, and other mechanisms to track access to files and directories, and monitor changes in the file system.

Unfortunately, it’s not always possible to configure the version control system or third-party services on the server. In the case of shared hosting, you will not be able to install a version control system or system services. But it does not matter, there are quite a few ready-made solutions for CMS.

On the site you can install a plug-in or a separate script that will track changes in files. In some CMS, effective monitoring of changes and the mechanism of integrity check have already been implemented (for example, in, DLE). In an extreme case, if there is an ssh on the hosting, you can create a master snapshot of the file system with the command

ls -lahR> original_file.txt

and in case of problems, create a new cast in another file, and then compare them in the programs WinDiff, AraxisMerge Tool or BeyondCompare.


In most cases, anti-virus software developers and scanners do not keep up with the developers of malicious code, so when diagnosing and treating sites, you can not rely solely on automated software solutions and scripts. Using a heuristic approach, rich operating system tools and CMS capabilities, you can find malicious code that could not be detected by antiviruses and scanners. Using manual analysis makes the process of treating sites more efficient and effective.


By | 2017-09-19T20:14:51+00:00 September 19th, 2017|Categories: WordPress|