WordPress Exploit Scanner plugin

Posted Jun 29, 2008 in Misc

For those who recall the whole “blog gets hacked” odyssey, and my subsequent request for a plugin that would do security scans, check this out:

WordPress Exploit Scanner 0.1

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

What WordPress needs

Posted Apr 16, 2008 in Misc

A plugin that

  • Greps every file in your public web directory, recursively, looking for “base64” and tells you about them. The default WP install has none of these.
  • Warns you on modification date of any file in the install, plus in any themes.
  • Checks header and footer for unusual size changes.
  • Warns you on any files added to install directories that are not something in the vanilla install — e.g., any new php files in wp-admin that aren’t part of the install.
  • Warns you on any .htaccess redirects.
  • Pulls out the list of administrators by querying in wp_usermeta for wp_metavalue containing %administrator% — not whatever the dashboard uses, which appears to correlate to other tables and therefore misses hacked accounts.
  • Generates a table of everything in wp_options that is not a part of the vanilla WP install, so you can check it. Sure, a whole bunch of plugins will show up, but maybe you can check that manually.

Doing all this by hand is getting old. 🙂 The saga continues at the other post, which continues to get updates.
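The file-system checks from the list above (base64 grep, modification dates, files not in the vanilla install, .htaccess redirects) can be sketched as follows. This is an added example, not code from this post or from the Exploit Scanner plugin; the function name `scan_install`, the `known_files` manifest and the match patterns are assumptions made for illustration.

```python
import os
import re
import time

# Patterns are assumptions for this example, not the plugin's own list.
SUSPICIOUS = re.compile(rb"base64", re.I)
REDIRECT = re.compile(rb"\s*(Redirect(Match|Permanent|Temp)?|RewriteRule)\b", re.I)


def scan_install(root, known_files, baseline_mtime):
    """Walk a WordPress tree and return findings as (kind, relpath, detail).

    known_files: set of relative paths from a clean copy of the same release
                 (hypothetical manifest built by the caller).
    baseline_mtime: epoch seconds of the last known-good state.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
                mtime = os.path.getmtime(path)
            except OSError as exc:
                findings.append(("unreadable", rel, str(exc)))
                continue
            if name == ".htaccess":
                # Permalink rules are normal here; every hit is listed for review.
                for line in lines:
                    if REDIRECT.match(line):
                        findings.append(("htaccess-redirect", rel,
                                         line.decode("latin-1").strip()))
                continue
            if rel not in known_files:
                findings.append(("not-in-vanilla", rel, ""))
            if mtime > baseline_mtime:
                findings.append(("modified", rel, time.ctime(mtime)))
            for lineno, line in enumerate(lines, 1):
                if SUSPICIOUS.search(line):
                    snippet = line[:80].decode("latin-1").strip()
                    findings.append(("base64", rel, f"line {lineno}: {snippet}"))
    return findings
```

Plugins and themes will show up as "not-in-vanilla" until they are added to the manifest, so the first run is for building the baseline rather than for alerting.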

More on the blog hacking

Posted Apr 15, 2008 in Game talk

I keep updating this post as I learn more. So if you’re affected, there’s new material at the bottom. I am currently running this full sweep every day, because each day I find something different. But three days ago there were twenty things, yesterday five, and today only one, so maybe I am getting closer.

Latest news 4/25/08: blog seems secure again. But be sure to do the “secret key” thing newly listed at the bottom as well!

So, I mentioned before that I was a victim of a hack. It was a spam injection attack — the one known as the Goro injection attack. But my symptoms were slightly different from some of the ones I have seen on the net, so here are some war stories even though I suspect the blog is STILL not clean.

First, read these two posts:

Also read the advice from Jeff Freeman in the last post on this.

OK, in addition to that advice, I also had the following problems:
