WordPress WSO Web Shell Hack

👋 Ciprian on Friday, August 28, 2020 in Blog
Last modified on Friday, November 12, 2021

Learn JavaScript by example. Code snippets, how-to's and tutorials. Try now!

I have recently found a nasty hack inside one of my clients’ sites, based on WordPress. Turned out that the site got hacked, and WSO Web Shell was injected in several files, one in the theme, and one in Akismet plugin.

Here’s the code, if you’re curious:

Pastebin Update: This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on January 19, 2021, 6:51 pm CST.

So, I have used this PHP file to find all occurrences of wso inside my server:

<?php
/**
 * POSSIBLE PATTERNS = "passthru|shell_exec|system|phpinfo|base64_decode|popen|exec|proc_open|pcntl_exec|python_eval|fopen|fclose|readfile"
 */
ini_set('max_execution_time', '0');
ini_set('set_time_limit', '0');

find_files('.');

function find_files($seed) {
    if (!is_dir($seed)) {
        return false;
    }

    $files = [];
    $dirs = [$seed];

    while (NULL !== ($dir = array_pop($dirs))) {
        if ($dh = opendir($dir)) {
            while(false !== ($file = readdir($dh))) {
                if ($file == '.' || $file == '..') {
                    continue;
                }
                $path = $dir . '/' . $file;
                if (is_dir($path)) {
                    $dirs[] = $path;
                } else {
                    if (preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) {
                        check_files($path);
                    }
                }
            }
            closedir($dh);
        }
    }
}

function check_files($this_file) {
    $str_to_find = 'wso'; // the string(code/text) to search for

    if (!($content = file_get_contents($this_file))) {
        echo "<p>Could not check $this_file</p>\n";
    } else {
        if (stristr($content, $str_to_find)) {
            echo "<p>$this_file -> contains $str_to_find</p>\n";
        }
    }
    unset($content);
}

Bonus Tip

Replace wso with base64_decode to look for encoded strings, a definite sign of malware or injected code. There will be false positives, but if you know what to look for, you’ll find it.

Buy me a coffee to support my work!

👋 Added by Ciprian on Friday, August 28, 2020 in Blog. Last modified on Friday, November 12, 2021.

2 comments on “WordPress WSO Web Shell Hack

    1. You don’t install the hack. It’s not available anymore, anyway, Pastebin took it down and I don’t have the original source code. You can search for it, though, using my cleanup script, by putting it into a PHP file and dropping it into the root of your WordPress website. Run it from there, then remove it.

Leave a Reply

You have to agree to the comment policy.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Privacy Policy