Find exploit scripts in WordPress through terminal

While searching on the internet, I found a site which provides premium plugins and themes for free. In the excitement, I just downloaded a WooCommerce premium plugin and uploaded it directly to our live server through Git. Unfortunately, it was a big mistake. That plugin contains some exploit script.

Nature of the Exploit Script:

I am using  on a DigitalOcean server, hosting more than 12+ domains. In every website's root folder, some random files and folders were created, and some script was included in some JS files. Initially, I couldn't find the files which contain this type of script.


Commands I tried in order to find exploit code in WordPress files:

grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|GLOBALS.*exit|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include='*.php*'

grep -Rn "shell_exec *(" /var/www

grep -Rn "base64_decode *(" /var/www

grep -Rn "phpinfo *(" /var/www

grep -Rn "system *(" /var/www

grep -Rn "php_uname *(" /var/www

grep -Rn "chmod *(" /var/www

grep -Rn "fopen *(" /var/www

grep -Rn "fclose *(" /var/www

grep -Rn "readfile *(" /var/www

# base64_decode spelled backwards
grep -Rn "edoced_46esab *(" /var/www

grep -Rn "eval *(" /var/www

grep -Rn "passthru *(" /var/www

Check File Permissions:

The 777 permission is one of the most dangerous permissions. You need to change it on any such files and folders. To check permissions, use the following command:

find / -type f -perm 0777

The right permission for WordPress files is 644 and for folders is 755. Check the detailed post regarding file permissions here.

Check Upload Directory:

In some cases the malicious code will be in the WordPress uploads directory, so check whether any PHP files are present in this folder. Go to your WordPress root directory and run:

 find . -path "*wp-content/uploads*" -name "*.php"

and delete any that are found:

 find . -path "*wp-content/uploads*" -name "*.php" -delete
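
The three checks on this page (suspect function calls, 777 permissions, PHP files under uploads) can be run as a single read-only pass whose output is reviewed before anything is deleted. This is an added example, not code from the original post: `scan_wp`, `tag` and `make_sample` are names made up here, the sample files are constructed, and it goes slightly beyond the page's patterns by requiring a non-identifier character before each function name, so that `doubleval(` is not reported as `eval(`.

```shell
#!/bin/sh
# Added example: read-only triage pass over a WordPress tree.
# scan_wp, tag and make_sample are names made up for this example.

# Function names taken from the grep commands on this page.
SUSPECT_FUNCS='shell_exec base64_decode edoced_46esab eval passthru system php_uname'

# Prefix every path read from stdin with "<check><TAB>".
tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# Print "<check><TAB><path>" for each finding under ROOT; changes nothing on disk.
scan_wp() {
    root=$1
    # 1. PHP files that call a suspect function. The leading group requires a
    #    non-identifier character, so doubleval( is not reported as eval(.
    for fn in $SUSPECT_FUNCS; do
        find "$root" -type f -name '*.php*' \
            -exec grep -lE "(^|[^A-Za-z0-9_])${fn} *\\(" {} + 2>/dev/null | tag "$fn"
    done
    # 2. Files and folders whose mode is exactly 777.
    find "$root" \( -type f -o -type d \) -perm 0777 2>/dev/null | tag perm777
    # 3. PHP files inside the uploads directory.
    find "$root" -path '*wp-content/uploads*' -name '*.php' 2>/dev/null | tag upload-php
}

# Build a small constructed tree (sample content invented for this demo).
make_sample() {
    mkdir -p "$1/wp-content/uploads/2020" "$1/wp-content/plugins/demo"
    printf '%s\n' '<?php $n = doubleval("1.5");' > "$1/wp-content/plugins/demo/ok.php"
    printf '%s\n' '<?php eval (base64_decode("Y29uc3RydWN0ZWQ="));' \
        > "$1/wp-content/uploads/2020/img.php"
    chmod 777 "$1/wp-content/uploads/2020"
}

demo=$(mktemp -d)
make_sample "$demo"
scan_wp "$demo"
rm -rf "$demo"
```

A file that appears under several checks at once, such as `eval`, `base64_decode` and `upload-php` together, is the one to inspect first.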
