Missed additional file in core integrity check

  • Resolved davewardlerules

    (@davewardlerules)


    8 years, 6 months ago

    Hello,

    Over the weekend, a client’s website was attacked. After cleaning it up, the injected code re-appeared. I eventually noticed a backdoor had been left behind but this file was not appearing in the list of added core files (so I didn’t notice it immediately). The file was named wp-rss.php. I suspect that since this was a file in older versions of WordPress, the scanner accepted it as legitimate?

    Thanks

    Dave

Viewing 5 replies - 1 through 5 (of 5 total)

  • Same problem here, but with another file indekz.php

    Might be. Do you mind pasting the content of that file so we can see what is going on?

    thanks,

    Thread Starter davewardlerules

    (@davewardlerules)

    Hi Daniel,

    Sure, you can see the source code of the file here:
    https://gist.github.com/anonymous/6b29c99d44e4f7e702d4ef9c302a173e

    Thanks

    Dave

    The code that you found in your website is in fact malicious [1] and as you guessed in your original comment our plugin ignores the existence of the “wp-rss.php” file as well as other files that we consider irrelevant; you can see the complete list here [2].

    Please do not rely entirely in our plugin for the security of your website. The plugin is a security suite meant to complement your existing security posture. It is expected that you have a system besides or above (like a firewall) to prevent the wide range of attacks that your website might suffer.

    Also notice, even if we remove the exception of the “wp-rss.php” file, the plugin will not read its content, so it will never know if the file is infected or not. You will notice in the code that I linked below that a malicious user can also hide from the WordPress Integrity Checks by writing malware into a “503.php” file, or “404.php”, or “500.php” or even “wp-config.php” because the plugin ignores them all.

    A solution to this problem is to pay close attention to the “Audit Logs”. If a malicious user is able to create/write/update a “wp-rss.php” or any of the files ignored by the core integrity tool, the modifications will still appear in the audit logs. Be sure to check that section if you suspect of a new attack.

    [1] https://gist.github.com/anonymous/6b29c99d44e4f7e702d4ef9c302a173e
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/0d4189c/src/corefiles.php#L423-L447

    I have modified the code that ignores these files during the execution of the core integrity checks. From now on the plugin will ignore just a handful of files that we consider to be really irrelevant, the rest of the files that are in the list will be added (on startup) to a cache file, the website owner can delete one or more of these files from the cache and force the plugin to monitor them. There will be a panel in the scanner section of the settings page called “Core Integrity Checks – Marked As Fixed”.

    For this specific ticket, you can go to this section and delete the “wp-rss.php” file from the cache. The next time the core integrity checks are executed the plugin will not ignore the changes in this file.

    This was implemented with commit #9da5253 [1].

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/29/commits/9da5253

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Missed additional file in core integrity check’ is closed to new replies.