I have recently found a nasty hack inside one of my clients’ sites, based on WordPress. Turned out that the site got hacked, and WSO Web Shell was injected in several files, one in the theme, and one in Akismet plugin.
Here’s the code, if you’re curious:
Pastebin Update: This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on January 19, 2021, 6:51 pm CST.
How to clean the WSO Web Shell hack
So, I have used this PHP file to find all occurrences of wso inside my server. Simply add the file in your website’s root and run it.
<?php
/**
* POSSIBLE PATTERNS = "passthru|shell_exec|system|phpinfo|base64_decode|popen|exec|proc_open|pcntl_exec|python_eval|fopen|fclose|readfile"
*/
ini_set('max_execution_time', '0');
ini_set('set_time_limit', '0');
find_files('.');
function find_files($seed) {
if (!is_dir($seed)) {
return false;
}
$files = [];
$dirs = [$seed];
while (NULL !== ($dir = array_pop($dirs))) {
if ($dh = opendir($dir)) {
while(false !== ($file = readdir($dh))) {
if ($file == '.' || $file == '..') {
continue;
}
$path = $dir . '/' . $file;
if (is_dir($path)) {
$dirs[] = $path;
} else {
if (preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) {
check_files($path);
}
}
}
closedir($dh);
}
}
}
function check_files($this_file) {
$str_to_find = 'wso'; // the string(code/text) to search for
if (!($content = file_get_contents($this_file))) {
echo "<p>Could not check $this_file</p>\n";
} else {
if (stristr($content, $str_to_find)) {
echo "<p>$this_file -> contains $str_to_find</p>\n";
}
}
unset($content);
}
Bonus Tip
Replace wso with base64_decode to look for encoded strings, a definite sign of malware or injected code. There will be false positives, but if you know what to look for, you’ll find it.
Previous article
Keep your sites flying with SpeedFactor performance insights
Next article
