Comments on: How to find a backdoor in a hacked WordPress

By: JoeyD714

JoeyD714 — Thu, 11 Mar 2010 06:10:23 +0000

We believe the site has a backdoor installed by the company we hired to create it.

any ideas on how to find a backdoor created by the site builders?

By: Otto on WordPress » Blog Archive » How to find a backdoor in a hacked WordPress

Thu, 04 Mar 2010 22:28:29 +0000

[...] How to find a backdoor in a hacked WordPress March 4, 2010, 4:27 pm Originally posted here: http://ottodestruct.com/blog/2.....backdoors/ [...]

By: Spring Cleaning – Of Hacked Files : Money News

Spring Cleaning – Of Hacked Files : Money News — Wed, 03 Mar 2010 10:44:25 +0000

[...] How to find a backdoor in a hacked WordPress [...]

By: Obnoxious Clients - CLEARLY I'M NOT A PEOPLE PERSON

Obnoxious Clients - CLEARLY I'M NOT A PEOPLE PERSON — Sun, 07 Feb 2010 08:09:05 +0000

[...] How to find a backdoor in a hacked WordPress [...]

By: Sanaa

Sanaa — Tue, 26 Jan 2010 22:43:38 +0000

one of my sites got hacked, I had it restored to a Jan 6th version…(I am adding the lost info and will do a backup). I did have the latest version of wordpress but like you said, the hack could have already been installed.

I had it restored to a previous date but…

HOW do I prevent this from happening again on this site, as well as, on my other sites which haven’t been hacked –in other words, how do I find the backdoor and close it?

By: Jillian

Jillian — Fri, 11 Dec 2009 09:56:35 +0000

Does anyone know if people who installed WP into a randomly named sub-directory under the DocumentRoot were less likely to get hacked? It probably doesn’t matter too much, but if any of the backdoors assumed where files were located with respect to the docroot — then installing WP in a subdirectory would be another security measure. Not that injected code couldn’t smarten up and add logic to compensate. I’m just curious. Also, did it affect WPMU installations the same way?

Just curious.

By: Averill

Averill — Tue, 24 Nov 2009 15:04:30 +0000

Thanks, Otto. I’m kinda compulsive, so I had to comb through the site to find whatever I could. There were, as you say, more backdoors, and I don’t trust that I caught all of them. I also deleted multiple users from the database, and did lose the extra (hidden) admin person. I can see that they easily could have gained access through our plugin folder. I’m learning a lot more about this than I ever planned to learn. I guess it’s good. I appreciate your sharing this information.

By: Otto

Otto — Mon, 23 Nov 2009 23:04:33 +0000

I don’t think there is a wp-manager.php file, that whole thing is probably added by the hacker.

There’s almost certain to be more than one backdoor in the system, I’d go through and replace all the WP files with fresh ones, just to be sure. Anything else should be examined carefully.

By: Averill

Averill — Mon, 23 Nov 2009 14:47:26 +0000

P.S. I’ve found several other files that have been altered, including wp-manager.php, wp-blog-header.php… I can’t even begin to figure out what to do with the wp-manager file, since I don’t have the original. On to re-doing the site. Quite insidious, this invasion!

By: Averill

Averill — Mon, 23 Nov 2009 14:21:12 +0000

We’ve been hacked. I found a file hidden in an upload folder, called 257409.php. No reason for a php file to be buried in one of those folders. It contained 203KB of random characters. It took me a bit to find the hidden eval and base64_decode within (it being on the first line helped, though).


We are going to go to a brand new theme (ours is very old) and upgrading to the latest version of WordPress – and will follow the instructions in the article How To Completely Clean Your Hacked WordPress Installation. Should we be looking for more backdoors or other malicious code if we do this?



By: Gumblar blocheaza blogurile WordPress si alte websiteuri complexe in PHP | WorldIT
Sat, 07 Nov 2009 10:24:58 +0000
[...] de el:  Botnet authors crash wordpress sites Revenge of gumblar zombies Wordpress exploit scanner How to find backdoor scripts Unmask [...]



By: Las penas del Agente Smith » Cómo arreglé el blog sin morir en el intento
Las penas del Agente Smith » Cómo arreglé el blog sin morir en el intento — Thu, 05 Nov 2009 06:02:43 +0000
[...] Tras encontrar algunos trozos de código sospechoso en lugares donde nunca deberían estar, me pongo a rebuscar por Internet, a ver si alguien tiene experiencia solucionando algo parecido. Encuentro una entrada algo antigua pero con cerros de información valiosa: Wordpress exploit: we been hit by hidden spam link injection. Desde ahí también llego a How to find a backdoor in a hacked WordPress. [...]



By: Patrick Gibson
Patrick Gibson — Tue, 03 Nov 2009 21:53:09 +0000
It's still early days, but I've written a script to help seek out old versions of WordPress and even help with some of the clean-up. Introducing WordPress Butler!. It will be most useful for web hosting companies or individuals who manage multiple WordPress blogs on the same server.


By: Password protected wordpress hack
Password protected wordpress hack — Thu, 15 Oct 2009 09:03:19 +0000
[...] and messed up to a point that it is time to reinstall? This post by Otto makes for good reading, removing wordpress hacks , and is very informative , and give the main reasons why the upgrade does not necessarily get rid [...]



By: p
Fri, 02 Oct 2009 01:54:31 +0000
great post, let me wonder about potential ways to avoid – at least – some hack attemps. first one: deny via htaccess any GET querystring with, let’s say, base64 or 46esab (actually, who need them?). second one: a little plugin that looks around for the same things in POST queries. 
Just thougths, of course. But cleaning is so boring…



By: Lon
Lon — Wed, 30 Sep 2009 03:02:46 +0000
Before switching to 2.8.4, our site was compromised.  The @*%$! spammers deployed two files to our system /wp-admin/fotter.php and /wp-admin/inclode.php (note the purposeful misspellings).  These were encrypted files that were web-based backdoors.  These were causing our theme footer to be overwritten nightly.



By: Webdesigner from Berlin
Webdesigner from Berlin — Fri, 25 Sep 2009 06:35:50 +0000
Hey, thanks for sharing. That’s probably less work than clearing that stuff of an successful attack…  



By: Follow-Up To The Wordpress Exploit and Tips to Protect Your Blog | CenterNetworks
Tue, 22 Sep 2009 00:24:24 +0000
[...] How to check if you have any backdoors that the exploiters can use to get into your blog – Otto [...]



By: Allen
Allen — Mon, 21 Sep 2009 21:52:10 +0000
great post otto – i will link it up when/if i make an update post.