WordPress WSO Web Shell Hack

I have recently found a nasty hack inside one of my clients’ sites, based on WordPress. Turned out that the site got hacked, and WSO Web Shell was injected in several files, one in the theme, and one in Akismet plugin.

Here’s the code, if you’re curious:

So, I have used this PHP file to find all occurrences of wso inside my server:

<?php
/**
 * POSSIBLE PATTERNS = "passthru|shell_exec|system|phpinfo|base64_decode|popen|exec|proc_open|pcntl_exec|python_eval|fopen|fclose|readfile"
 */
ini_set('max_execution_time', '0');
ini_set('set_time_limit', '0');

find_files('.');

function find_files($seed) {
    if (!is_dir($seed)) {
        return false;
    }

    $files = [];
    $dirs = [$seed];

    while (NULL !== ($dir = array_pop($dirs))) {
        if ($dh = opendir($dir)) {
            while(false !== ($file = readdir($dh))) {
                if ($file == '.' || $file == '..') {
                    continue;
                }
                $path = $dir . '/' . $file;
                if (is_dir($path)) {
                    $dirs[] = $path;
                } else {
                    if (preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) {
                        check_files($path);
                    }
                }
            }
            closedir($dh);
        }
    }
}

function check_files($this_file) {
    $str_to_find = 'wso'; // the string(code/text) to search for

    if (!($content = file_get_contents($this_file))) {
        echo "<p>Could not check $this_file</p>\n";
    } else {
        if (stristr($content, $str_to_find)) {
            echo "<p>$this_file -> contains $str_to_find</p>\n";
        }
    }
    unset($content);
}

Bonus Tip

Replace wso with base64_decode to look for encoded strings, a definite sign of malware or injected code. There will be false positives, but if you know what to look for, you’ll find it.

Added by Ciprian on Friday, August 28, 2020 in Blog

Unlimited Automated Page Speed Monitoring & Tracking.
Use SpeedFactor to track your website. It’s simple and reliable.
See how real people experience the speed of your website. Then find (and fix) your web performance problems.
Get Started

Related Articles

Privacy Policy