A few weeks ago I upgraded to the latest 3.2.1 release of WordPress. Of course, like everyone, I've a few of what I'll call core plugins that I require.
The most recent addition to that list is Donncha O'Caoimh's Exploit Scanner: http://ocaoimh.ie/exploit-scanner/
Of course, because I installed it at the same time as the 3.2.1 release of WordPress, the hash files for 3.2.1 weren't available yet. That led to lots of false positives. So yesterday, when I scanned again, I for some reason assumed I was seeing the same thing. I mean, upd.php and config.php seem like two perfectly normal files, don't they? Well, hell no. After asking a rather silly question over on Google Plus I realised the error of my ways and went about fixing things.
Exploit Scanner works on the basis that every core file on your site should have the same hash as the clean copy of that file. (A hash is a short fingerprint computed from a file's contents; in practice two different files won't produce the same hash, so a changed hash means the contents changed.)
The MD5 hashes for the two plugin files are as follows:
- exploit-scanner.php (1.0.5): ac8d7f3574a7470a245a2067e9c79072
- hashes-3.2.1.php: a660a35382f648c8735414a7d3531970
So if your website's copies of these files don't produce the same hashes, it's fair to assume someone has edited the files on your site. You can always find the current values on the Exploit Scanner plugin page. It's well worth installing.
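The check described above, done from the command line instead of by eye, as an added example that is not part of the original post and not code from the Exploit Scanner plugin. The two hashes are the ones listed above; the web root (`WP_ROOT`) and the `wp-content/plugins/exploit-scanner/` path are assumptions about a standard WordPress layout.

```shell
#!/bin/sh
# Added example: compare the MD5 of installed plugin files against published hashes.
# WP_ROOT is an assumed web root; override it via the environment.
WP_ROOT="${WP_ROOT:-/var/www/html}"

# Print the MD5 of a file, with either md5sum (GNU) or md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_hash FILE EXPECTED_MD5
# exit status: 0 = hash matches, 1 = file differs (investigate), 2 = file missing
check_hash() {
    file="$1"; expected="$2"
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 2
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MODIFIED $file (expected $expected, got $actual)"
    return 1
}

# Known-good hashes from the post, one "relative-path md5" pair per line.
# The plugin directory path is the conventional WordPress layout (assumption).
KNOWN_HASHES="
wp-content/plugins/exploit-scanner/exploit-scanner.php ac8d7f3574a7470a245a2067e9c79072
wp-content/plugins/exploit-scanner/hashes-3.2.1.php a660a35382f648c8735414a7d3531970
"

# check_all -> exit status is the number of files that were missing or modified.
# A here-document keeps the loop in the current shell so the counter survives.
check_all() {
    failures=0
    while read -r path md5; do
        [ -z "$path" ] && continue
        check_hash "$WP_ROOT/$path" "$md5" || failures=$((failures + 1))
    done <<EOF
$KNOWN_HASHES
EOF
    return "$failures"
}

check_all || echo "$? file(s) missing or modified; check them before trusting this install"
```

Run it as `WP_ROOT=/path/to/wordpress sh check-hashes.sh`. Extending `KNOWN_HASHES` with more `path md5` pairs (taken from the plugin page, not computed from your own possibly-tampered copies) turns it into a quick integrity check for any files you care about.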
Exploit Scanner immediately told me about the bad files. Unfortunately it's still a fairly manual process, as you need to look at what it flags and confirm for yourself whether each file is legitimate, so backing up first is a good idea. I also ended up removing a few unused plugins and all the old themes I had on the site. The plugin doesn't ship hash values for the plugins or themes you're using, so you may need to check those manually and see whether they've been altered. One way I did this was to look at the creation / modification dates of the files in my FTP client.
Anyway, Exploit Scanner is about to become the first plugin installed on all my new WordPress installs (and even a few older ones), and I'm debating writing a rather simple script to show the last edited / created time for files, as I'd find that handy as well. The rogue files were uploaded to my site on the 6th of August, for example. I know I wasn't doing much there at the time, so apart from an image or two and my cache, things shouldn't have changed recently.
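The "simple script" idea from the paragraph above, as an added example that is not the author's own script: it lists regular files under the web root modified within the last N days, skipping the cache and uploads directories whose churn is expected. The web root and the excluded directory names (`wp-content/cache`, `wp-content/uploads`) are assumptions about a standard WordPress layout; adjust them to match your site.

```shell
#!/bin/sh
# Added example: find recently modified files under a WordPress install.
# Files that changed while you weren't editing the site deserve a look.

# recently_modified ROOT DAYS
# Print paths of regular files under ROOT modified less than DAYS days ago,
# excluding the cache and uploads trees (assumed locations of expected churn).
recently_modified() {
    root="$1"; days="$2"
    find "$root" -type f -mtime "-$days" \
        ! -path "$root/wp-content/cache/*" \
        ! -path "$root/wp-content/uploads/*"
}

# count_recent ROOT DAYS -> number of files recently_modified would list
count_recent() {
    recently_modified "$1" "$2" | wc -l | tr -d ' '
}

# report_recent ROOT DAYS
# Same set of files, shown with owner, size and modification time, newest first.
report_recent() {
    recently_modified "$1" "$2" | xargs -r ls -lt 2>/dev/null
}

# Usage: sh recent-files.sh /path/to/wordpress 14
if [ "$#" -eq 2 ]; then
    echo "Files under $1 modified in the last $2 days: $(count_recent "$1" "$2")"
    report_recent "$1" "$2"
fi
```

Run it right after you know a change was made (an upgrade, a plugin install) to learn what "normal" looks like on your site; anything that appears outside those windows, such as a stray PHP file in a directory you never touch, is what you then compare against the published hashes.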