Finding Hacked Code in Wordpress

30th May

When your Wordpress or other commonly used CMS is hacked it can be very frustrating.   What we can count on is the hackers use certain techniques to try hide their code. These techniques create a pattern, and patterns can be searched for.

What this small tip will do is show you a few linux commands to search through all your site files for possible hacked code. Its up to you to then investigate and repair this files. Remember these commands are only a suggestion to find possible hacked files. Restoring your sites from backup is still the best solution to hacked sites. 

First command:

grep -r --include=*.php -PHn "(eval\(.*\);)" .

This command will search through all the php files in the current directory for any 'eval(' command . NOTE: Many plugins and even wordpress has legit files containing this command.  What you are looking for is files that contain base64 decoding as well as files containing eligible code. Here is an example screenshot.

THIS IS A LEGIT EXAMPLE

THIS IS HACKED CODE 

After you get a list, go into each file and remove the hack code. Sometimes the entire file has been placed in directories to be run later, to say infect other parts of the site or server, or send out spam email. These files can just be deleted.

We've noticed that on some occasions the hacker coder, tries to avoid this type of search by placing a small commented out random string after the function name 'eval' and just before the function opening brackets like this..

eval/*dfsdf*/($enccosd)

Here is the search command to find these files..

grep -r --include=*.php -PHn "eval\/\*" .

Once run, again just repair or delete the files in question. 

After doing so, remember to reset all your user passwords, and run the correct file and folder permissions with these 2 commands.

find ./ -type d -exec chmod 777 {} +
find ./ -type f -exec chmod 644 {} +

 For more Wordpress specific tips you can have a look at this article, or even better, dont use a CMS and let us build a fast secure site for you. Take a look here to get more information.

Have a great day.


Posted date: 30th May 2018
General Help and Tips - Business Websites
By Richard Brandon

Share this post


0 Comments

Leave a comment