Diagnosing a WordPress site hack

Cyber AttackSadly, my WordPress site was hacked. The first post in this series shared the discovery of the hack.  This post is all about diagnosing how the site was hacked with an eye towards cleaning it up. In the last post I suggested brushing up on your Unix and now it’s time to break out your command line skills!  This gets pretty techie.  If you’d like the benefit of my experience you can reach me at john[at]refford[dot]com. I’m not a WordPress guru, but I’ll help if I can.

A note before you begin.  Keep records of what you find while diagnosing the hack, you’ll want to refer to the results while cleaning up the hack later. You can save the results by appending “> filename.txt” the commands below.

Diagnosing the hack

Dreamhost advised me that there are three main ways a WordPress site is hacked: account hack, an “open” directory or a vulnerable piece of code. On WordPress the code is likely out of date WordPress software, a plugin or some other software connected to your site.

1. Check to see if your account has been hacked

It’s easy to see the last time you logged into your site. If you see recent logins and they aren’t you (or your designated administrator), then you’ve likely discovered how the hacker got into your site.

After logging into your site via ssh, type the following to see your logins for the current month. If you don’t know how to use ssh, search your host providers help section.

last -i | grep  (replace  with the account you used for ssh)

Use this command to see your logins for the previous month

last -if /var/log/wtmp.1 | grep username

If the logins look okay, then you can rule out an account hack.

The logins should all be you (I greyed out some info for security concerns)

The logins should all be you (I greyed out some info for security concerns)

2. Check for “open” directories

Next, check for world writeable directories permissions on your server. If your site has an open directory, hackers can put their code on your site. Check for open directories with this command:

find . -type d -perm -o=w

If you have open directories, secure them with this command:

find . -type d -perm -o=w -print -exec chmod 770 {} \; 
Zero open directories, that's what you'd like to see

Zero open directories, that’s what you’d like to see

3. Look for a CGI attack

After checking for unauthorized account access and open directories, it’s time to look for a CGI attack. We’re going to use a two step process: figure out the time of the attack and search the log for activity at about that time.

Two step process:

  1. Identify the time of the attack
  2. Search the logs for activity during the attack

Identify the time of the attack

You need to start looking for files that have been changed recently. You can use the command below to get a list of files modified in the last three days. To search for different time periods, change the “3” as needed.

find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/“

Notice the files towards the end are most recent, that’s the hack date.

It appears my site was hacked on the 6th at 02:59 and again on the 20th at 07:13.

Search logs for suspicious activity

With the date of the hack in hand, review your site logs looking for suspicious activity during that time. Depending on your hosting provider you may or may not be able to view the log from this time (your logs are in /logs//http). If you have the access logs, you can view them using with the more command (” more filename”).

This didn’t work for me since I did not have the access logs during the hack.  Lacking that, you can see which webpages your site has been serving and look for clues or or odd files.

gunzip -c ~/logs/DOMAIN.COM/http/access.log.* | gawk '{a[$7]++}END{for (i in a) {print a[i]"\t"i}}' | sort -n | more
accessed files

My accessed files.

In my case this didn’t provide much info.  There were hundreds of entries and nothing stood out.  Reviewing my wife’s hacked files was a different story. On her site I could see many calls to bogus webpages promoting drugs. I found hundreds of pages like this one.  Once I finish fixing socialmktgtech.com, I’m going to start fixing thefairlyoddmother.com.

thefairlyoddmother.com, now dealing in drugs?

thefairlyoddmother.com, now dealing in drugs?

This is part two in the WordPress security series. In the next post I’ll share how to clear out malicious files.

[important]I’m not a WordPress security expert; have some advice? Put it in the comments.[/important]

Want to hear the rest of the story? Subscribe via email!


Credit Dreamhost for their wiki on this topic.
Photo credit: Flickr