Check malicious codes in WP site or server automatically

Video Link: https://www.youtube.com/watch?v=2VeH8ksi6Yw
Duration: 2:17


Here's how to check for malicious code in a WP site or server automatically.

Here is the batch script mentioned in the video:

```bat
@echo off
rem Run from the WordPress document root. Every hit is a lead to review by hand,
rem not proof of compromise: several of these functions also appear in legitimate plugins.

rem Check for files that should not exist where they are found
dir /s /b wp-includes\*.php | findstr /i /l /c:"\timthumb.php"
dir /s /b wp-admin\*.php | findstr /i /l /c:"\wp-config.php"
rem Any PHP under uploads is suspicious; the filter narrows the list to a known dropper name
dir /s /b wp-content\uploads\*.php | findstr /i /l /c:"\evalcode"

rem Check for known backdoor markers
findstr /s /i /c:"wp_cd_bd" *.php
findstr /s /i /c:"eval(base64_decode(" *.php
findstr /s /i /r /c:"base64_decode$" *.php

rem Check for functions commonly abused by web shells
findstr /s /i /c:"curl_exec" *.php
findstr /s /i /c:"shell_exec" *.php
findstr /s /i /c:"eval(" *.php
findstr /s /i /c:"system(" *.php
findstr /s /i /c:"popen(" *.php
findstr /s /i /c:"exec(" *.php
findstr /s /i /c:"passthru(" *.php
findstr /s /i /c:"base64_decode" *.php
findstr /s /i /c:"gzinflate" *.php
findstr /s /i /c:"gzuncompress" *.php
findstr /s /i /c:"gzdecode" *.php

rem List every file outside wp-content\plugins (noisy; diff it against a known-good listing)
dir /a-d /b /s | findstr /i /l /v /c:"\wp-content\plugins"

rem Look for requests touching wp-config in the web server logs
findstr /i /c:"wp-config" *access*
findstr /i /c:"wp-config" *error*
```

i. Here are a few methods to run the script automatically on a WordPress server:

1. Add a cron job (for Linux servers):

- Edit the crontab with `crontab -e`
- Add a line like:

`*/5 * * * * /path/to/script.bat`

This will run the script every 5 minutes. Adjust timing as needed. Note that cron cannot execute a Windows batch file directly; on Linux the checks have to be ported to a shell script (using `find` and `grep`) and that script's path goes in the crontab entry instead.

2. Use Windows Task Scheduler:

- Open Task Scheduler and create a new task
- Set the trigger for when you want the script to run
- Add an action to "Start a program" and select your batch file

3. Use a startup script:

- Save your batch file to `/etc/init.d`
- Make executable: `chmod +x script.bat`
- Add to startup: `update-rc.d script.bat defaults`

This runs the script once at boot rather than on a schedule, and the same Linux caveat as for cron applies.

4. Use wp-cron by adding to functions.php:

```php
// Schedule the event once; wp_next_scheduled() prevents duplicate registrations
if ( ! wp_next_scheduled( 'my_bat_event' ) ) {
    wp_schedule_event( time(), 'hourly', 'my_bat_event' );
}

add_action( 'my_bat_event', 'run_my_bat' );

function run_my_bat() {
    // Requires shell_exec to be enabled for the PHP user and a path readable by the web server
    shell_exec( 'path/to/script.bat' );
}
```

This will run it hourly using WordPress cron. Adjust the schedule as needed. Keep in mind that WP-Cron only fires when the site receives requests unless it is triggered externally, and that `shell_exec` is disabled on many shared hosts.

The cron job or Task Scheduler methods keep it independent of WordPress. Wp-cron ties it directly into WordPress scheduling.

ii. Here is an example batch script to help detect malicious code or malware in WordPress themes:

```bat
@echo off
rem Run from the WordPress document root; review every hit by hand.

rem Check theme files for functions commonly used by injected code
findstr /s /i /c:"<?php eval(" wp-content\themes\*.php
findstr /s /i /c:"base64_decode(" wp-content\themes\*.php
findstr /s /i /c:"gzinflate" wp-content\themes\*.php
findstr /s /i /c:"shell_exec" wp-content\themes\*.php
findstr /s /i /c:"curl_exec" wp-content\themes\*.php
findstr /s /i /c:"assert(" wp-content\themes\*.php
findstr /s /i /c:"system(" wp-content\themes\*.php

rem Check for obfuscated code: hex-escaped strings, chr() concatenation, rot13
findstr /s /i /r /c:"\\x[0-9a-f][0-9a-f]\\x[0-9a-f][0-9a-f]" wp-content\themes\*.php
findstr /s /i /c:"chr(" wp-content\themes\*.php
findstr /s /i /c:"str_rot13(" wp-content\themes\*.php

rem Look for file types worth a second look (.txt and .js are normal in themes; .exe is not)
dir /b /s wp-content\themes\*.txt
dir /b /s wp-content\themes\*.exe
dir /b /s wp-content\themes\*.js

rem List directories outside wp-content\themes (noisy; compare against a known-good listing)
dir /ad /b /s | findstr /i /l /v /c:"\wp-content\themes"

rem Look for eval in any theme file
findstr /s /i /c:"eval(" wp-content\themes\*.php

rem Look for fopen, readfile, file_get_contents
findstr /s /i /c:"fopen(" wp-content\themes\*.php
findstr /s /i /c:"readfile(" wp-content\themes\*.php
findstr /s /i /c:"file_get_contents(" wp-content\themes\*.php

rem Look for curl requests
findstr /s /i /c:"curl_" wp-content\themes\*.php
```

Customize patterns further for your specific theme.
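As an added example (not from the video or its scripts), here is a cross-platform Python version of the checks in both batch scripts above: it walks a WordPress tree, flags any PHP file under wp-content/uploads, and reports suspicious calls, long base64 blobs and hex-escaped strings with line numbers. The site it scans is constructed in a temporary directory and all names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Calls the batch scripts above grep for; the first one found on a line flags it.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|"
    r"shell_exec|system|passthru|popen|exec|curl_exec)\s*\(", re.IGNORECASE)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")   # packed payload rather than content
HEX_ESCAPES = re.compile(r"(\\x[0-9a-fA-F]{2}){6,}")  # "\x65\x76\x61\x6c" hides names from greps

def scan_file(path):
    """Return (line_number, reason) hits for one PHP file."""
    hits = []
    for lineno, line in enumerate(Path(path).read_text(errors="replace").splitlines(), 1):
        call = SUSPICIOUS_CALLS.search(line)
        if call:
            hits.append((lineno, "suspicious call " + call.group(1).lower()))
        if LONG_B64.search(line):
            hits.append((lineno, "long base64-like blob"))
        if HEX_ESCAPES.search(line):
            hits.append((lineno, "hex-escaped string"))
    return hits

def scan_wordpress(root):
    """Walk a WordPress install; map relative path -> hits for every flagged PHP file."""
    root, findings = Path(root), {}
    uploads = root / "wp-content" / "uploads"
    for path in root.rglob("*.php"):
        # PHP under uploads is a finding on its own, whatever it contains
        hits = [(0, "PHP file inside wp-content/uploads")] if uploads in path.parents else []
        hits += scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_site(base):
    """Write a constructed, minimal WordPress-like tree (sample data, not a real site)."""
    files = {
        "wp-content/themes/demo/functions.php": "<?php\nadd_action('init', 'demo_init');\n",
        "wp-content/uploads/2021/09/cache.php": "<?php eval(base64_decode($_POST['c']));\n",
        "wp-content/plugins/demo/helper.php": '<?php $f="\\x73\\x79\\x73\\x74\\x65\\x6d"; $f("id");\n',
        "wp-content/plugins/demo/packed.php": '<?php $p="' + "QUFB" * 40 + '";\n',
    }
    for rel, body in files.items():
        (Path(base) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(base) / rel).write_text(body)
    return Path(base)

def demo():  # scan the sample tree in a temporary directory; returns the findings dict
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress(build_sample_site(tmp))
```

Point `scan_wordpress()` at a real document root to get the same dictionary for a live site; the clean theme file in the sample produces no entry, which is the expected result for untouched WordPress code.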

iii. Below are some of the most recently reported WP backdoors, with results that might interest you:

- A backdoor that was planted in dozens of WordPress plugins and themes hosted on a developer's website in September 2021. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company. The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites. The same extensions were fine if downloaded or installed directly from the WordPress [.]org directory.
- A backdoor that exploits unpatched vulnerabilities in 30 different WordPress plugins and has infected hundreds if not thousands of sites. The backdoor causes infected sites to redirect visitors to malicious sites. It also disables event logging, goes into standby mode, and shuts itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality to WordPress. The plugins include WP Live Chat Support, WordPress Email Template Designer, WordPress Ultimate FAQ, and more.
- A backdoor that is part of a massive ongoing WordPress malware campaign called Balada Injector. The backdoor is used to plant PHP, JavaScript, and HTML injections into WordPress files. The injections are used to redirect visitors to spam or malicious sites, or to display ads or pop-ups. The backdoor is installed by exploiting vulnerabilities in WordPress core or plugins, or by brute-forcing login credentials.

Learn more: https://www.youtube.com/c/ITGuides/search?query=WP.