DevOpsSauce

Reputation: 1387

How to locate corrupt php or WP files in Wordpress website

Alright, this is a bit of an issue:

I recently got a job with an IT company (small business level), and they do a little bit of web development. Originally, the boss had a 3rd party freelance developer build a site for a major client. He was unhappy with his service, so he handed it down to me (managing the website, changing things, etc). I discovered that the website is blacklisted for spam, and that it's possibly what's called the "StealRat Botnet". I've done some reading, and found that it's usually found in the wp-content/plugins folder and/or in php files that shouldn't be there.

At home, I am on a Linux machine, so I am able to sftp into the server (also using Filezilla for GUI). Does anyone have any tips on how I can trace these corrupt files and get rid of this? I've tried sifting through files, but I don't know what I'm looking for. Any help is appreciated because this is a major issue.

Upvotes: 2

Views: 1725

Answers (2)

BeetleJuice

Reputation: 40936

First, make a backup and test that the restore from backup operation works!!

  1. If this is well-known malware, you may want to look into a malware scanner. One free, open-source option is Maldet from rfxn. I have no links to that project, and I don't know how well it works, but it can be set to scan daily (cron job) and send reports by email, and it updates its signatures daily as well I think.

  2. Harden your PHP installation by disabling functions that regular code isn't expected to use. Use this cheat sheet to get you started.

  3. Sorting files by created date can be helpful. If the website hasn't been changed in a while, the recent files should be scrutinized. If you know when the infection occurred, then definitely use this information to hone in on files.

  4. To be safe, you could deny execution of all PHP files by default, and only allow those on an approved list. See my answer here for inspiration. To build up a whitelist of "good" files, I would enable auto_append_file setting in php.ini. This file gets run at the end of every script session (docs). Within the file, you can use the get_included_files function to get a list of all the files that were executed. If you write this list to a log, then browse through every non-infected page of the website, you will get a list of all the legitimate PHP files. That's your whitelist!! Once you have it, use the auto_prepend_file (also set in php.ini) to block any PHP that doesn't belong on that list. The next time the attackers try to run a PHP script, the auto_prepend_file which always runs first will block it.

  5. Every piece of software increases your attack surface, so uninstall all unused plugins. Update everything that's in use. If possible, enable auto-update (I'm not familiar with Wordpress, but that's a generally sound security tip).

Upvotes: 4
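A worked version of step 4 above, added here as an example and not code from the answer's author: one guard script that is used first as auto_append_file (learning phase, records every file get_included_files() reports for each request) and later as auto_prepend_file (enforcement phase, refuses to run an entry script that is not on the recorded whitelist). The file paths, the constant names and the GUARD_MODE switch are assumptions for the example; adjust them for the server. Note the documented caveat that auto_append_file is skipped when a script ends with exit(), so pages that do so will not be logged and must be added to the whitelist by hand.

```php
<?php
// wp-guard.php (example, not the answer author's code).
// php.ini, learning phase:     auto_append_file  = /etc/php/wp-guard.php
// php.ini, enforcement phase:  auto_prepend_file = /etc/php/wp-guard.php
// All paths below are assumed values for the example.
const GUARD_LOG       = '/var/log/php-guard/included.log';  // assumed: writable by the PHP user
const GUARD_WHITELIST = '/etc/php/wp-whitelist.txt';         // assumed: one absolute path per line
const GUARD_MODE      = 'learn';                             // 'learn' (append) or 'enforce' (prepend)

// Learning phase: runs at the end of the request (auto_append_file), when
// get_included_files() holds the complete list, entry script first.
function guard_record_included_files(string $logPath): void
{
    $files = get_included_files();
    $line  = date('c') . "\t" . ($_SERVER['REQUEST_URI'] ?? '-') . "\t"
           . implode("\t", $files) . "\n";
    file_put_contents($logPath, $line, FILE_APPEND | LOCK_EX);
}

// Turns the log into a de-duplicated, sorted whitelist; returns the number of paths.
// Run once from the CLI after browsing every legitimate page of the site.
function guard_build_whitelist(string $logPath, string $outPath): int
{
    $seen = [];
    foreach (file($logPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $cols = explode("\t", $line);
        foreach (array_slice($cols, 2) as $f) {   // columns 0 and 1 are timestamp and URI
            $seen[$f] = true;
        }
    }
    ksort($seen);
    file_put_contents($outPath, implode("\n", array_keys($seen)) . "\n", LOCK_EX);
    return count($seen);
}

function guard_load_whitelist(string $path): array
{
    if (!is_readable($path)) {
        return [];
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_flip(array_map('trim', $lines));   // path => index, for a cheap isset() lookup
}

// Enforcement phase: only the requested entry script is known when the prepend file runs,
// so that is what gets checked. Paths are normalised with realpath() to defeat ../ tricks.
function guard_is_allowed(string $script, array $whitelist): bool
{
    $real = realpath($script);
    return $real !== false && isset($whitelist[$real]);
}

// Web requests only; CLI runs (e.g. building the whitelist) must not be logged or blocked.
if (PHP_SAPI !== 'cli') {
    if (GUARD_MODE === 'learn') {
        guard_record_included_files(GUARD_LOG);
    } else {
        $entry = $_SERVER['SCRIPT_FILENAME'] ?? '';
        if (!guard_is_allowed($entry, guard_load_whitelist(GUARD_WHITELIST))) {
            error_log("php-guard: blocked execution of unlisted script: $entry");
            http_response_code(403);
            exit('Forbidden');
        }
    }
}
```

Usage: with GUARD_MODE set to 'learn' and the file registered as auto_append_file, browse every known-good page, then build the list from the CLI with php -r 'require "/etc/php/wp-guard.php"; echo guard_build_whitelist("/var/log/php-guard/included.log", "/etc/php/wp-whitelist.txt");'. Switch GUARD_MODE to 'enforce', move the setting to auto_prepend_file, and review the error log for blocked paths: a legitimate page that was missed during learning shows up there and can be appended to the whitelist, while a request for a file nobody added on purpose is the signal to investigate.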

roberto06

Reputation: 3864

Most of the corrupted WordPress websites are due to malicious themes and/or plugins.

Try searching for each occurrence of exec(base64_decode( and eval( (as those are the most common snippets hidden in malicious files) in your php files in both your wp-content/themes and wp-content/plugins directories; that should be a good start.

If you know when the website has been infected, you could also try to look for files edited or added around that time (easy to do in SSH if you have access to the server)

Good luck to you, I recently had to clean several WordPress sites, this wasn't a cake walk.

Upvotes: 4
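The two searches this answer describes (the eval( / base64_decode( string search over wp-content/themes and wp-content/plugins, and the "files changed around the time of infection" check from this answer and from step 3 of the answer above), combined into one command-line scanner. This is an added example, not code from either answer's author; the script name, the SUSPICIOUS list and the argument layout are assumptions. It goes slightly beyond the text in one way: it reads every regular file under those directories rather than only *.php, so a PHP payload stored under another extension is still reported. Hits are leads, not verdicts: base64_decode( has legitimate uses in plugins, so every reported file still needs a look.

```php
<?php
// scan-wp.php (example, not the answer author's code).
// Usage: php scan-wp.php /var/www/html/wp-content "2016-01-15"
//   argv[1]: wp-content directory (assumed default: ./wp-content)
//   argv[2]: optional cut-off date; files modified on/after it are flagged RECENT
const SUSPICIOUS = ['eval(', 'base64_decode('];   // snippets named in the answer

// Returns the list of suspicious snippets found in one file (case-insensitive).
function scan_file(string $path, array $patterns): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return [];
    }
    $hits = [];
    foreach ($patterns as $p) {
        if (stripos($src, $p) !== false) {
            $hits[] = $p;
        }
    }
    return $hits;
}

// Walks $root recursively; returns every file that either contains a suspicious
// snippet or was modified at/after $since (0 disables the date check), newest first.
function scan_tree(string $root, array $patterns, int $since = 0): array
{
    $results = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $mtime  = $file->getMTime();
        $recent = $since > 0 && $mtime >= $since;
        $hits   = scan_file($file->getPathname(), $patterns);
        if ($hits || $recent) {
            $results[] = [
                'path'   => $file->getPathname(),
                'mtime'  => $mtime,
                'hits'   => $hits,
                'recent' => $recent,
            ];
        }
    }
    usort($results, function ($a, $b) {
        return $b['mtime'] <=> $a['mtime'];   // sort by modification time, newest first
    });
    return $results;
}

if (PHP_SAPI === 'cli') {
    $root  = $argv[1] ?? 'wp-content';
    $since = isset($argv[2]) ? (int) strtotime($argv[2]) : 0;
    foreach (['themes', 'plugins'] as $sub) {
        $dir = rtrim($root, '/') . '/' . $sub;
        if (!is_dir($dir)) {
            fwrite(STDERR, "skipping missing directory: $dir\n");
            continue;
        }
        foreach (scan_tree($dir, SUSPICIOUS, $since) as $r) {
            printf("%s  %-6s  %-24s  %s\n",
                date('Y-m-d H:i', $r['mtime']),
                $r['recent'] ? 'RECENT' : '',
                $r['hits'] ? implode(',', $r['hits']) : '-',
                $r['path']);
        }
    }
}
```

Run it over a copy of the site pulled down with sftp if shell access to the server is not available; the modification times survive the transfer only if the client preserves them, so for the date check it is better to run on the server itself. A file that is both RECENT and carries a hit in a theme or plugin that was not updated at that time is the first thing to compare against a clean copy of that plugin from its official source.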
