Exploit Scanner - Version 0.1


Release Info

Developer donncha
Version 0.1

Version 0.1

Files changed (2)
  1. exploit-scanner.php +229 -0
  2. readme.txt +29 -0
exploit-scanner.php ADDED
@@ -0,0 +1,229 @@
1
+ <?php
2
+ /*
3
+ Plugin Name: WordPress Exploit Scanner
4
+ Plugin URI: http://ocaoimh.ie/exploit-scanner/
5
+ Description: Scans your WordPress site for possible exploits
6
+ Version: 0.1
7
+ Author: Donncha O Caoimh
8
+ Author URI: http://ocaoimh.ie/
9
+ */
10
+
11
+ function exploit_init() {
12
+ add_action('admin_menu', 'exploit_config_page');
13
+ }
14
+ add_action('init', 'exploit_init');
15
+
16
+ function exploit_config_page() {
17
+ if ( function_exists('add_submenu_page') )
18
+ add_submenu_page('index.php', __('Exploit Scanner'), __('Exploit Scanner'), 'manage_options', 'exploit-admin-page', 'exploit_admin_page');
19
+
20
+ }
21
+
22
+ function exploit_admin_page() {
23
+ global $suspicious_files, $md5_list, $wpdb, $wp_db_version;
24
+ if( !current_user_can( 'manage_options' ) )
25
+ wp_die( 'Not allowed here!' );
26
+ ?><div class="wrap">
27
+ <h2>Exploit Scanner</h2>
28
+ <p>This script searches through your WordPress install for text that is commonly used by spammers and hackers when a website is compromised.</p>
29
+ <span style='margin-left: 20%; float: left; padding: 5px;'><a href="?page=exploit-admin-page&search=all">Search Files and Database</a></span>
30
+ <span style='float: left; padding: 5px;'><a href="?page=exploit-admin-page&search=files">Search Files Only</a></span>
31
+ <span style='float: left; padding: 5px;'><a href="?page=exploit-admin-page&search=db">Search Database Only</a></span><br clear='all' />
32
+ <div style='margin-top: 10px; text-align:center'>Or search the files on your site for your own words: <form method='GET'><input type='hidden' name='page' value='exploit-admin-page' /><input type='hidden' name='search' value='files' /><input type='text' name='search_strings' /><input type='Submit' value='Search Files' /></form></div>
33
+ <?php
34
+ switch( $_GET[ 'search' ] ) {
35
+ case 'doall':
36
+ $search_strings = '';
37
+ if( $_GET[ 'search_strings' ] )
38
+ $search_strings = array_flip( explode( ',', $_GET[ 'search_strings' ] ) );
39
+ file_search( $search_strings );
40
+ db_search();
41
+ break;
42
+ case 'dofiles':
43
+ file_search();
44
+ break;
45
+ case 'all':
46
+ case 'files':
47
+ $search_strings = '';
48
+ if( isset( $_GET[ 'search_strings' ] ) )
49
+ $search_strings = $_GET[ 'search_strings' ];
50
+ loading_search( $_GET[ 'search' ], $search_strings );
51
+ break;
52
+ case 'db':
53
+ db_search();
54
+ break;
55
+ default:
56
+ ?>
57
+ <p><strong>DISCLAIMER</strong> Unfortunately it's impossible to catch every hack, and it's also too easy to catch "false positives" or things that aren't hacks. If you have been hacked, this script may help you track down what files, comments or posts have been modified. On the other hand, if this script indicates your blog is clean, don't believe it. This is far from foolproof. </p>
58
+ <p>If you're paranoid, to prevent someone hiding malicious code inside this plugin, here's the md5 hash of this file. Compare that with the one on the plugin homepage. If they match, this file is ok. You'll get extra points if you check this file has the actual md5() call.<p>
59
+ <?php
60
+ echo "<p>Version 0.1 md5: <code>" . md5( file_get_contents( ABSPATH . PLUGINDIR . "/exploit-scanner/exploit-scanner.php" ) ) . "</code></p>";
61
+ break;
62
+ }
63
+
64
+ if( $wp_db_version < "7796" ) {
65
+ die( "<p><strong>Warning!</strong> You <em>must</em> be running WordPress 2.5.1 for this plugin to work. Please upgrade. If there is a newer version of WordPress, please check the plugin homepage for an update.</p>" );
66
+ } elseif( $wp_db_version > "7796" ) {
67
+ echo "<p><strong>Warning!</strong> This version of the plugin was designed for WordPress 2.5.1. It uses checksums to verify that files have not been modified. You are using a newer version of WordPress and may see more false positive file results.</p>";
68
+ }
69
+ ?></div><?php
70
+ }
71
+
72
+ function search_install( $directory, $text ) {
73
+ global $suspicious_files, $md5_list;
74
+ set_time_limit( 60 );
75
+
76
+ if(is_dir($directory)) {
77
+ $directory = trailingslashit( $directory );
78
+ $entries = glob($directory. '*');
79
+ if( is_array( $entries ) && !empty( $entries ) ) foreach ($entries as $entry) {
80
+ if ($entry != '.' && $entry != '..') {
81
+ if( !is_dir( $entry ) ) {
82
+ $contents = file_get_contents( $entry );
83
+ reset( $text );
84
+ foreach( $text as $exploit ) {
85
+ if( $exploit == '' )
86
+ continue;
87
+ if( strpos( $contents, $exploit ) !== false ) {
88
+ if( !isset( $md5_list[ $entry ] ) || ( isset( $md5_list[ $entry ] ) && md5( $contents ) == $md5_list[ $entry ] ) ) {
89
+ $suspicious_files[ $exploit ][] = $entry;
90
+ }
91
+ }
92
+ }
93
+ } else {
94
+ search_install($entry, $text);
95
+ }
96
+ }
97
+ }
98
+ }
99
+ }
100
+
101
+ function hilight_text( $contents, $text ) {
102
+ while( $contents ) {
103
+ $contents = substr( $contents, abs( strpos( $contents, $text ) - 50 ) );
104
+ echo "<p>" . nl2br( str_replace( wp_specialchars( $text ), "<span style='background: #ff0'>" . wp_specialchars( $text ) . "</span>", wp_specialchars( substr( $contents, 0, 300 ) ) ) ) . "</p>";
105
+ $contents = substr( $contents, strpos( $contents, $text ) + strlen( $text ) );
106
+ if( strpos( $contents, $text ) === false ) {
107
+ $contents = false;
108
+ } else {
109
+ echo "<hr>";
110
+ }
111
+ }
112
+ }
113
+
114
+ function file_search( $suspect_text = '' ) {
115
+ global $suspicious_files, $md5_list, $wpdb, $wp_db_version;
116
+ $suspicious_files = array();
117
+ if( $suspect_text == '' )
118
+ $suspect_text = array( "iframe src" => "iframes can sometimes be used by hackers to load their own adverts and code on your site.", "style=\"visibility:hidden" => "CSS styling to hide parts of a web page", "ShellBOT" => "This may be a script used by hackers to get control of your server.", "uname -a" => "Tells a hacker what operating system your server is running", "shell_exec" => "Executes a server command like ls, cd, wget, etc. This may be a script used by hackers.", "YW55cmVzdWx0cy5uZXQ=" => "Base64 encoded text found in PHP code that redirects visitors from Google.", "<u style='display:none'>" => "HTML code used to hide spammy links, but is also legitimate code.", "eval(unescape" => "Could be Javascript code used to hide code inserted by a hacker." );
119
+ $md5_list = array( ABSPATH . "wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php" => "85beaff6e84030e0d427482e514fa541",
120
+ ABSPATH . "wp-includes/js/tinymce/plugins/spellchecker/classes/TinyPspellShell.class.php" => "e37ab32ba86f80f9579d21d35c218203",
121
+ ABSPATH . "wp-admin/import/blogger.php" => "431480c421b56dc81c9c2d4c18bb57fa",
122
+ ABSPATH . "wp-admin/page.php" => "98c8be4fd819f852406af00e89258cc0",
123
+ ABSPATH . "wp-admin/post.php" => "ff46012ffe98ee40c0b7b8bb5e10eb70" );
124
+ search_install( ABSPATH, array_keys( $suspect_text ) );
125
+ if( !empty( $suspicious_files ) ) {
126
+ echo '<h3>Suspicious files:</h3><ol>';
127
+ foreach( $suspicious_files as $exploit => $files ) {
128
+ echo "<li><strong>\"" . wp_specialchars( $exploit ) . "\"</strong> <em>{$suspect_text[$exploit]}</em> <ol>";
129
+ foreach( $files as $file ) {
130
+ $contents = file_get_contents( $file );
131
+ echo "<li>" . wp_specialchars( $file ) . " <blockquote style='border: 1px solid #333; background: #eee;'><code>";
132
+ hilight_text( $contents, $exploit );
133
+ echo "</code></blockquote></li>";
134
+ }
135
+ ?></ol></li><?php
136
+ }
137
+ ?></ol><?php
138
+
139
+ echo "<p>Don't worry if <code>'" . ABSPATH . PLUGINDIR . "/exploit-scanner/exploit-scanner.php'</code> is listed above. That's a good sign because this script obviously has all the text to search for and it's working properly!</p>";
140
+ } else {
141
+ ?><h3>No suspicious files found</h3>
142
+ <p>That's unusual because you should at least see this plugin, <code>'<?php echo ABSPATH . PLUGINDIR ?>/exploit-scanner.php'</code>, in the list. Check your PHP error_log to make sure everything worked ok.</p><?php
143
+ }
144
+ }
145
+
146
+ function db_search() {
147
+ global $wpdb;
148
+ $active_plugins = get_option( 'active_plugins' );
149
+ if( is_array( $active_plugins ) && !empty( $active_plugins ) ) {
150
+ $suspect_plugins = array();
151
+ foreach( $active_plugins as $plugin ) {
152
+ if( strpos( $plugin, '..' ) !== false || substr( $plugin, -4 ) != '.php' ) {
153
+ $suspect_plugins[] = $plugin;
154
+ }
155
+ }
156
+ if( !empty( $suspect_plugins ) ) {
157
+ ?><h3>Suspect Plugins</h3>
158
+ <p>These plugin files look suspect. Please verify they are files you uploaded.</p><?php
159
+ reset( $suspect_plugins );
160
+ echo "<ol>";
161
+ foreach( $suspect_plugins as $plugin ) {
162
+ if( $plugin == '' )
163
+ $plugin = "Blank entry found. Should be removed. It will look like 'i:0;s:0:\"\";' in the active_records field.";
164
+ echo "<li>$plugin</li>";
165
+ }
166
+ echo "</ol>";
167
+ } else {
168
+ ?><h3>No suspicious plugins found</h3>
169
+ <p>Hooray! No suspicious plugins found in the <code>active_plugins</code> database record.</p><?php
170
+ }
171
+ }
172
+ $comments = $wpdb->get_results( "SELECT * FROM {$wpdb->comments} WHERE comment_content LIKE '%ekibastos%' LIMIT 0,10" );
173
+ if( $comments ) {
174
+ echo "<h4>Ekibastos comments found</h4>";
175
+ echo "<p>Hackers have left a comment or trackback with the string \"Ekibastos\" on your blog. This may be a sign that they attacked your site in the past. Files or posts may be modified!</p>";
176
+ echo "<pre>" . print_r( $comments, 1 ) . "</pre>";
177
+ }
178
+ $suspect_posts = array();
179
+ $suspect_post_text = array( "ekibastos", "visibility:hidden", "<iframe ", "display:none" );
180
+ foreach( $suspect_post_text as $exploit_text ) {
181
+ $posts = $wpdb->get_results( "SELECT * FROM {$wpdb->posts} WHERE post_content LIKE '%{$exploit_text}%'" );
182
+ if( $posts )
183
+ $suspect_posts[ $exploit_text ] = $posts;
184
+ $comments = $wpdb->get_results( "SELECT * FROM {$wpdb->comments} WHERE comment_content LIKE '%{$exploit_text}%'" );
185
+ if( $comments )
186
+ $suspect_posts[ $exploit_text ] = $comments;
187
+ }
188
+ if( !empty( $suspect_posts ) ) {
189
+ echo "<h3>Suspect posts and comments found</h3>";
190
+ echo "<p>Some posts and comments on your blog have text that may have been placed by hackers.</p><p><ul>";
191
+ foreach( $suspect_posts as $exploit => $posts ) {
192
+ foreach( $posts as $post )
193
+ if( $post->post_content ) {
194
+ $edit_url = "Post: <a href='post.php?action=edit&post={$post->ID}'>{$post->post_title}</a>";
195
+ $contents = $post->post_content;
196
+ } else {
197
+ $edit_url = "Comment: <a href='comment.php?action=editcomment&c={$post->comment_ID}'>{$post->comment_author}</a>";
198
+ $contents = $post->comment_content;
199
+ }
200
+ echo "<li>{$edit_url}<br /><blockquote style='border: 1px solid #333; background: #eee;'><code>";
201
+ hilight_text( $contents, $exploit );
202
+ echo "</code></blockquote></li>";
203
+ }
204
+ echo "</ul>";
205
+ } else {
206
+ ?><h3>No suspicious posts or comments found</h3>
207
+ <p>Hooray! No suspicious text found in your posts or comments tables!</p><?php
208
+ }
209
+ }
210
+
211
+ function loading_search( $search, $search_strings = '' ) {
212
+ if( $search = 'all' ) {
213
+ $msg = "<strong>Searching your filesystem and database for spammy links, malicious Javascript and exploit code</strong><br /><br />Please wait while loading ...";
214
+ } else {
215
+ $msg = "<strong>Searching your filesystem for malicious Javascript and exploit code</strong><br /><br />Please wait while loading ...";
216
+ }
217
+ ?><div style='margin: 10px; padding: 10px; border: 1px solid #333; margin-top: 30px; text-align: center'><?php echo $msg; ?><br /><br />If your browser doesn't start loading, please <a href='?page=exploit-admin-page&search=do<?php echo $search; if( $search_strings != '' ) { echo '&search_strings=' . urlencode( $search_strings ); } ?>'>click here</a> to start the search.</div><?php
218
+ ?>
219
+ <script type='text/javascript'>
220
+ <!--
221
+ function nextpage() {
222
+ location.href = "?page=exploit-admin-page&search=do<?php echo $search; if( $search_strings != '' ) { echo '&search_strings=' . urlencode( $search_strings ); } ?>";
223
+ }
224
+ setTimeout( "nextpage()", 25 );
225
+ //-->
226
+ </script>
227
+ <?php
228
+ }
229
+ ?>
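Review bot: the checksum test in `search_install` is inverted: `if( !isset( $md5_list[ $entry ] ) || ( isset( $md5_list[ $entry ] ) && md5( $contents ) == $md5_list[ $entry ] ) )` reports a listed file when its hash still matches the known-good 2.5.1 value and stays silent when the hash differs, so the five whitelisted files (for example `wp-admin/post.php`) are flagged while unmodified and skipped once they have been changed. The comparison should be `md5( $contents ) != $md5_list[ $entry ]` (the second `isset` is then redundant). Three smaller points in the same file: `loading_search` tests `if( $search = 'all' )`, an assignment that is always true, so the files-only message never shows (use `==`); `db_search` assigns `$suspect_posts[ $exploit_text ] = $comments;` under the same key it just used for the posts result, so a matching comment discards any matching posts for that string (use separate keys or merge the two arrays); and `hilight_text` computes `abs( strpos( $contents, $text ) - 50 )`, which for a match inside the first 50 bytes jumps forward past the match instead of clamping to the start (use `max( 0, strpos( $contents, $text ) - 50 )`). Worth documenting as a known limitation: `glob( $directory . '*' )` does not return dot-prefixed entries, so files such as `.htaccess` are never scanned, and the `'.'`/`'..'` comparison against the full paths glob returns is dead code.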
readme.txt ADDED
@@ -0,0 +1,29 @@
1
+ === WordPress Exploit Scanner ===
2
+ Contributors: donncha
3
+ Tags: hacking, spam, hack, crack, exploit, vulnerability
4
+ Tested up to: 2.5.1
5
+ Stable tag: 0.1
6
+ Requires at least: 2.5.1
7
+
8
+ Search the files and database of your WordPress install for malicious code or spammy links left by a hacker.
9
+
10
+ == Description ==
11
+ This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
12
+
13
+ It does not remove anything. That is left to the user to do.
14
+
15
+ MD5 for version 0.1: 6a88a18a37c4add7dabd72fc97be13b6
16
+
17
+ See the [WordPress Exploit Scanner homepage](http://ocaoimh.ie/exploit-scanner/) for further information.
18
+
19
+ == Installation ==
20
+ 1. Download and unzip the plugin.
21
+ 2. Copy the exploit-scanner directory into your plugins folder.
22
+ 3. Visit your Plugins page and activate the plugin.
23
+ 4. A new menu item called "Exploit Scanner" will be made off the Dashboard.
24
+
25
+ == Frequently Asked Questions ==
26
+ None yet.
27
+
28
+ == Updates ==
29
+ Updates to the plugin will be posted here, to [Holy Shmoly!](http://ocaoimh.ie/) and the [WordPress Exploit Scanner](http://ocaoimh.ie/exploit-scanner/) will always link to the newest version.
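Review bot: the hard-coded `MD5 for version 0.1: 6a88a18a37c4add7dabd72fc97be13b6` in readme.txt ships inside the same package as the file it is meant to verify, so anyone able to alter exploit-scanner.php can update this line as well; the admin page already tells users to compare the runtime hash with the value on the plugin homepage, and the readme should send them there rather than embed a value that cannot be checked independently. The `== Frequently Asked Questions ==` section reads `None yet.`; the plugin's own disclaimer about false positives, the expectation that exploit-scanner.php itself appears in the results, and the 2.5.1 checksum dependency (newer WordPress versions produce more file warnings) are the questions users will hit first and belong here.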