WordPress.org

nemonn - how to find malicious files (6 posts)

  1. bennyk
    Member
    Posted 1 year ago #

    Hi, I'm trying to fix a nemonn hack.
    I've removed the extra code from header.php, but I have no idea how I would look for the backdoor files, reported to usually exist in wp-admin.

    Can I just totally replace the wp-admin folder with a clean version of it from a fresh WordPress download?

    If not, please advise how I can find these files.

    Thanks

  2. bcworkz
    Member
    Posted 1 year ago #

    As long as you have followed recommended practice and not altered any core files, it is safe to completely replace all files contained in a fresh download.

    I'm unfamiliar with this particular hack, but I know many hacks place backdoors somewhere in wp-content precisely because it is not overwritten with a fresh download. Replacing just the WP files may or may not plug all the holes.

  3. bennyk
    Member
    Posted 1 year ago #

    Thanks for your reply. I did in fact just replace the entire wp-admin folder and it seems to be working fine.
    Other posts on this particular hack said backdoors were most likely in wp-admin, though someone had found one in the plugins folder of wp-content.
    I did delete all inactive themes also.
    For now, I'll wait and see if the problems stay fixed.
    Thanks again.

  4. bennyk
    Member
    Posted 1 year ago #

    Just one more thing.... If I wanted to find the potential backdoor files in question... would I need to search every file for base64_decode and decide if the file was malicious? Not sure how I would otherwise have done this.
    Thanks

  5. bcworkz
    Member
    Posted 1 year ago #

    That's a good start and may do the job... or not. Take a look at this article to get an idea of what you could be up against:
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    And that is a dated example. Many various obfuscation examples can exist by now. You'll need to decide how much effort you want to put into this, or just wait and see. Of course the best response is restore from a known clean backup, but it sounds like that is not an option.

  6. bennyk
    Member
    Posted 1 year ago #

    Thanks for the link, that's a really informative article.
    For now I'll wait and see, and if further problems arise, I'll definitely be using that information.
    Thanks again
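
Added example, not part of the original thread and not WordPress code: one way to combine the two approaches discussed above, comparing wp-admin and wp-includes against a fresh download and searching wp-content for base64_decode and similar calls. The function names, the pattern list and the sample files are constructed for illustration, and the clean copy is assumed to be the same WordPress version as the site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed starter list of PHP calls common in obfuscated backdoors; not exhaustive.
SUSPICIOUS = re.compile(rb"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
CORE_DIRS = ("wp-admin", "wp-includes")  # fully covered by a fresh download

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site, clean):
    """Diff core dirs against a clean download, then pattern-scan wp-content."""
    site, clean = Path(site), Path(clean)
    report = {"unexpected": [], "modified": [], "suspicious": []}
    for core in CORE_DIRS:
        for f in sorted((site / core).rglob("*")):
            if not f.is_file():
                continue
            rel = f.relative_to(site)
            if not (clean / rel).is_file():
                report["unexpected"].append(rel.as_posix())  # never shipped
            elif digest(f) != digest(clean / rel):
                report["modified"].append(rel.as_posix())    # altered core file
    # wp-content has no clean reference copy, so fall back to pattern matching.
    for f in sorted((site / "wp-content").rglob("*")):
        if f.is_file() and SUSPICIOUS.search(f.read_bytes()):
            report["suspicious"].append(f.relative_to(site).as_posix())
    return report

def build_sample(root):
    """Constructed sample trees: a clean download and a tampered site."""
    files = {
        "clean/wp-admin/index.php": "<?php // core\n",
        "clean/wp-includes/load.php": "<?php // core\n",
        "site/wp-admin/index.php": "<?php // core\n",
        "site/wp-includes/load.php": "<?php // core\n@include 'x';\n",
        "site/wp-admin/wp-cache.php": "<?php echo 1;\n",
        "site/wp-content/plugins/a/a.php": "<?php $x = base64_decode ('aGk=');\n",
        "site/wp-content/themes/t/index.php": "<?php get_header();\n",
    }
    for name, body in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(root) / "site", Path(root) / "clean"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in audit(*build_sample(tmp)).items():
            print(kind, paths)
```

A pattern hit in wp-content is only a candidate for manual review, since legitimate plugins also call these functions, and a file with no hit is not proven clean.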

Topic Closed

This topic has been closed to new replies.