A collection of useful Linux commands for cleaning malware from WordPress sites


I recently sat down to clean a server hosting a bunch of old WordPress sites. You can imagine what that looked like: about a third of them were hacked in every way imaginable. I encountered bitcoin miners, post injections and mass emailers.

I realized that one type of malware produced files named lndex.php (with an l not an i), master.php, security.php, cache.php.

This command will search for the specific file name:

find . -name 'lndex.php'

Here is how to check for all of these in one command:

find . \( -name 'lndex.php' -o -name 'master.php' -o -name 'security.php' -o -name 'cache.php' \)

Bear in mind that some of these may be valid files belonging to your plugins, so you need to inspect each hit for suspicious code (base64 blobs, binary content, eval, etc.) before removing anything.

Another way of finding suspicious files is to list the files that have changed in the last, say, 10 days (-ctime looks at the inode change time; use -mtime instead if you only care about content modification time):

find ./ -ctime -10

To find *.php files that have been modified between two periods in time:

find . -name '*.php' -newermt 2014-08-27 ! -newermt 2014-08-30

Find and remove *.php files (for example in a folder they do not belong in like your uploads folder). Warning! Dangerous! Make sure you are in wp-content/uploads folder first!

find . -name '*.php' -exec rm -rf {} \;

Or if you want to run this in the root of several sites:

find . -name '*.php' | grep "wp-content/uploads" | xargs rm

One of the hacks I found ran '/usr/bin/host' while preloading a hacked library. Nasty (but creative) stuff. I used this command to find all PHP files containing the '/usr/bin/host' string:

grep -ri --include='*.php' "/usr/bin/host" ./

In most cases I decided to delete the infected folders/plugins and re-install them where needed.
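As an added example (not from the original post), here is a small POSIX shell script that combines the file-hunting checks above into a single read-only triage pass over a site tree. It reports hits instead of deleting them; the sample site it builds under mktemp and the tag names it prints are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: report-only triage that
# combines the known-bad-name, PHP-in-uploads and /usr/bin/host checks.
set -u

# Known-bad file names from the post (lndex.php with an "l", not an "i").
BAD_NAMES='lndex.php master.php security.php cache.php'

# Print suspicious paths under $1, one per line, prefixed with the reason.
scan_wp_tree() {
    root="$1"
    # 1. Files carrying one of the known-bad names anywhere in the tree.
    for n in $BAD_NAMES; do
        find "$root" -type f -name "$n" -print | sed 's/^/badname:/'
    done
    # 2. PHP files inside wp-content/uploads, where PHP does not belong.
    find "$root" -type f -path '*/wp-content/uploads/*' -name '*.php' -print |
        sed 's/^/php_in_uploads:/'
    # 3. PHP files that reference /usr/bin/host (the preloading hack).
    grep -rl --include='*.php' '/usr/bin/host' "$root" | sed 's/^/host_string:/'
}

# Build a constructed sample site in a temp dir so the script runs offline.
# File contents are harmless placeholders; only names and paths matter here.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2014/08" "$d/wp-content/plugins/demo"
    echo '<?php echo "legit"; ?>' > "$d/index.php"
    echo '<?php /* constructed: php in uploads */ ?>' > "$d/wp-content/uploads/2014/08/shell.php"
    echo '<?php /* constructed: bad name */ ?>' > "$d/wp-content/plugins/demo/lndex.php"
    echo '<?php $h = "/usr/bin/host"; ?>' > "$d/wp-content/plugins/demo/loader.php"
    echo "$d"
}

# Number of findings scan_wp_tree reports for a tree.
count_findings() {
    scan_wp_tree "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    scan_wp_tree "$site"
    rm -rf "$site"
fi
```

Run it with --demo to see the three constructed hits; point scan_wp_tree at a real docroot and review every line before deleting anything.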

Sometimes you need to find out what a certain process (one that is eating too much CPU, for example) is actually doing:

strace -p PID

This will restrict the trace to open and close system calls, raise the printed string length to 80 characters and write the output to a file:

strace -e open,close -s 80 -o log.txt -p PID

I remember having a particularly strong negative sentiment towards hackers as I was going through all this (to put it mildly). As a result of the entire experience I told myself that the next big feature we integrate into ManageWP will be a suite of carefully executed security tools that help automate this process, in the same way we automated updates and backups. People should really not have to go through all this.
