Plugin: Exploit Scan
Local malware and exploit scan
I need a plugin that scans files for suspicious patterns (base64_decode, eval, uudecode, etc.) and the database for posts and comments with suspicious text (iframe, noscript, etc.).
I am testing these plugins on a real infected site where a WSO Web Shell exploit script had been seeded inside the file cache.php.
Warning: it needs the WordPress core hashes. Without them, when I tested, it found 550 matches and in that way effectively hid the real threat: simply too much information and too many false positives flagging a lot of regular WP files.
How to obtain core hashes if they are nonexistent:
- must enable allow_url_fopen, or it won't be possible to generate WordPress core hashes if they are missing
- use /wp-content/plugins/exploit-scanner/hashes-generator.php to generate hashes for the latest WordPress, and manually upload the resulting file to the plugin dir.
- You will usually find those hashes already created in the philipjohn/exploit-scanner-hashes repository, but don't forget to look in pull requests that are not merged yet.
Even with valid hashes, it had too many warnings to be useful. It found my malware, along with a dozen others.
Wemahu is a beautiful idea, but they decided to discontinue it. It didn't find my malware.
AntiVirus checks only the themes directory. No feedback and therefore not very usable.
WP Doctor seems a little amateurish, and it didn't detect my exploit.
Monitor File Changes
WordPress: Vulnerability Scanners
WordPress vulnerability scanners / Malware Scanner
WPScan and WPScan database
Tool to use as a WordPress vulnerability scanner: wpscanteam/wpscan. Tutorial: How To Use WPScan to Test for Vulnerable Plugins and Themes in Wordpress | DigitalOcean
The GPL fork is delvelabs/vane.
Vulnerability database for WPScan: WordPress Plugin Vulnerabilities
Or use preinstalled environment: wpscanteam/docker-wpscan
Test in docker:
sudo docker run -t -i --name wpscan wpscanteam/wpscan bash
sudo docker start wpscan
sudo docker exec -it wpscan bash
ruby wpscan.rb --update
Also, great tutorials: Online Vulnerability Scanners and Port Scans