Follow for free plugins, new theme releases and theme news
Plugin Description
To un-obfuscate and run malicious code, a list of PHP functions are commonly used, such as: base64_decode(), str_rot13(), gzinflate(), fwrite(), and eval(). This plugin runs a command-line search through the entire WordPress file system to find each instance of these functions so that you can analyze them as genuine or problematic. Once verified, you can choose to ignore a harmless script so that it is no longer presented for your review.
What the FileChecker plugin does:
This plugin performs a search of all scripts in your WordPress installation directory, and presents the script, line number, and a small piece of the code, for your analysis. Currently, these functions include:
- base64_decode: can used to un-obfuscate malicious code from what appears to be a benign string of letters and numbers.
- str_rot13: can be used to un-obfuscate malicious code from what appears to be a benign string of letters and numbers.
- gzinflate: can be used to un-obfuscate malicious code (deflate data format) from what appears to be a benign hash of characters and symbols.
- gzuncompress: can be used to un-obfuscate malicious code (g-zip compression) from what appears to be a benign hash of characters and symbols.
- fwrite: can be used in conjunction with the above obfuscation functions to write to the file system a new (or temporary) script that contains malicious code.
- eval: can be used in conjunction with the above obfuscation functions to execute decoded or re-assembled code.
Some basic examples of these functions in use.
What the FileChecker plugin does not do:
The plugin does not repair or clean your scripts, but merely checks the file system for instances of these functions for your own individual analysis. It is our hope that it will provide insight and help identify attacks quickly, and before any permanent damage is done. Furthermore, it is recommended that you ask your host to maintain nightly backups of your site and database so that they may be restored in the event an attack occurs.
The Direction this Plugin is Heading:
It’s the collaborative nature of WordPress that has not only accelerated its growth, but also introduced some of the exploits that this plugin is designed to identify. In the future, the plugin will embrace this collective powerhouse, by giving users the ability to have their own site files checked against the code evaluations submitted by others. Advanced WordPress users who identify code as harmless can publish these results publicly so that others can probe the community to determine the integrity of their own site’s scripts.
Screenshots
After performing a search of your scripts, FileChecker shows the results arranged by function.
Click the function to see the individual scripts, line numbers, and a brief excerpt of the code.
The magnifying glass opens a modal showing the lines of code surrounding the function, so that you can analyze how it’s used, and determine if it’s harmless. Clicking “OK to Ignore This” will suppress the code from being included among the search results in the future.
