Cleaning A Hacked WordPress Site

Created for Geek Girl Tech Con - San Diego 2015

https://slides.halfelf.org/ggsd2015

Have You Been Hacked?

Is your site really slow?

Do you get errors all over the place?

Are you using a lot of resources?

Do you have strange users?

Is your site defaced?

Hacks are Serious Business

Cleaning WordPress Is Easy

WordPress Is Just Files (and a DB)

What You'll Need

A File Transfer App (SFTP ONLY!)
Access to your server
Access to your database
Access to all your plugins and theme's source

Step One

Backup Your Files

$ cp -r public_html public_html_backup

Step Two

Backup Your Database

$ mysqldump -u DB_USER -p[DB_PASSWORD] [DB_NAME] > filename.sql

$ wp db export

Step Three

Make an Inventory

What plugins?
What theme(s)?
What else?
Are they all updated?
Are they safe?

Get a list of everything you have installed. Anything NOT WordPress that you have on the domain is going to need to be MANUALLY reviewed. Sorry. For WordPress, make a list of ALL the plugins you have on the site as well as all themes. You're going to need to download clean copies. If the plugin or theme is from WordPress.org, great, it's PROBABLY fine and it's certainly easy to get. If it's not, you will need to go to where ever you got it in the first place. As for the 'else,' all those things you were clever about and uploaded outside of WordPress? Make a note of them too. And here's the hard part. Check ALL of those things for hacks. I know you may not know how, so google 'plugin name vulnerability.' You may be surprised. Google "WordPress SEO Vulnerability" and you'll see there was a blind SQL injection issue in April. But you'll ALSO see that the latest version was patched. So as long as you upgrade, you will be okay.

Step Four

Delete (Almost) Everything

DO NOT DELETE THESE!

wp-config.php
.htaccess
wp-content/uploads/
wp-content/blogs.dir/

Step Five

Check What's Left

$a51a0e6bb0e53a=str_rot13('tmhapbzcerff')
$a51a0e6bb0e5e4=str_rot13(strrev('rqbprq_46rfno'));
eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/')));
eval(gzinflate(base64_decode('dVRtb6NGE.....')));

Step Five (B)

Command Line Is Our Friend

$ find ./wp-content/uploads/ -name "*.php"
$ find . -name ".htaccess"

$ grep -R --include=*.php "[0-9A-Za-z]\{30,\}" * |
  grep "[a-zA-Z][0-9]" | grep "[0-9][a-zA-Z]"

Step Six

Reinstall It Clean

https://wordpress.org/latest.zip
wp core download --force
wp plugin install [slug, url, zip]

Step Six (B)

Clean The Theme

wp theme install [slug, url, zip]

Step Seven

What About The Database?

wp-options -> class_generic_support
wp-options -> widget_generic_support
wp-options -> wp_check_hash
wp-options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
wp-options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
wp-options -> rss_552afe0001e673901a9f2caebdd3141d

Generally speaking, the Database is RARELY infected by these hacks. Rarely. There is a fairly famous hack called the PHARMA hack which left weird entries in your database like the ones listed here on the slide. And yes, they're incredibly hard to find and remove. How hard? Well one of the better ways to find it was to look for the words "Levitra/Cialis/Viagra" spelled BACKWARDS in the database. Ouch. Why doesn't this kind of hack happen all the time? A couple reasons. DB injection attacks are harder to pull off, since not all themes will work the same way. They're reliant on specific themes to get to the level of phrama. Also after that hack, we all got WAY better about sanitizing our SQL input. AND your webhosts are working hard to prevent the injection from working at all, using firewalls and tools like fail2ban and mod_security. I worry about this less than I do file hacks.

Step Eight

So What Happened?

$ grep -R --exclude=*.{png,jpg,gif,jpeg,sql,ttf}
  "[0-9A-Za-z]\{30,\}" * | grep "[a-zA-Z][0-9]"
  | grep "[0-9][a-zA-Z]"

Technically that's outside the goal of this class, which is cleaning up a hacked site, but since you have that backup, you can start going through the files. That grep command I used before is AWESOME to help find the evil. I generally only bother running it on plugins and themes, since while my WP core files MIGHT have been hacked, the odds are they're not the source of it all. No, the odds are the hack was in a plugin or a theme, so really that's all I want to check. That command looks the same as the one I ran before, except I removed the check for PHP only and changed it to EXCLUDE images and .sql files. I also tossed in ttf files for fonts. So when I said you should do that inventory and make SURE all that code was safe? You've taken care of this. If the world doesn't know about a hack or vulnerability in there, you may not be able to find it either, so you have to trust. And upgrade. And since you have your handy backup, check what versions of the plugins you were using and see if they had a KNOWN hack. If they did, that's what happened most likely.

Step Nine

An Ounce of Prevention

No software is bug free. It's how you respond to these bugs that makes you good. Trust the people who update quickly & explain what's wrong.

Resources - Software

Cyberduck - https://cyberduck.io/
Transmit - https://panic.com/transmit/
iTerm2 - http://iterm2.com/
PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/
DeltaWalker - http://www.deltawalker.com/