FileChecker

Description

To un-obfuscate and run malicious code, a small set of PHP functions is commonly used, such as base64_decode(), str_rot13(), gzinflate(), fwrite(), and eval(). This plugin runs a command-line search through the entire WordPress file system to find each instance of these functions so that you can judge whether each use is genuine or problematic. Once you have verified a script as harmless, you can choose to ignore it so that it is no longer presented for your review.

What the FileChecker plugin does:

This plugin performs a search of all scripts in your WordPress installation directory, and presents the script, line number, and a small piece of the code, for your analysis. Currently, these functions include:

  • base64_decode: can be used to un-obfuscate malicious code from what appears to be a benign string of letters and numbers.
  • str_rot13: can be used to un-obfuscate malicious code from what appears to be a benign string of letters and numbers.
  • gzinflate: can be used to un-obfuscate malicious code (g-zip compression) from what appears to be a benign hash of characters and symbols.
  • gzuncompress: can be used to un-obfuscate malicious code (g-zip compression) from what appears to be a benign hash of characters and symbols.
  • fwrite: can be used in conjunction with the above obfuscation functions to write to the file system a new (or temporary) script that contains malicious code.
  • eval: can be used in conjunction with the above obfuscation functions to execute decoded or re-assembled code.

What the FileChecker plugin does not do:

The plugin does not repair or clean your scripts, but merely checks the file system for instances of these functions for your own individual analysis. It is our hope that it will provide insight and help identify attacks quickly, and before any permanent damage is done. Furthermore, it is recommended that you ask your host to maintain nightly backups of your site and database so that they may be restored in the event an attack occurs.

Compare plugin scripts:

This feature iterates through all plugin scripts where these functions were found, and compares the line of code against the same script in the WordPress plugins repository, to verify the integrity of the code. If a mismatch is discovered, you’re given a side-by-side comparison of the two lines of code to further analyze for potential issues.
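
The search described under "What the FileChecker plugin does" and the line-by-line check described under "Compare plugin scripts", sketched in Python as an added example (this is not the plugin's own code). The ignore key, the local "pristine" directory standing in for the WordPress plugins repository, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The six functions the page lists. (?<!\w) keeps "medieval(" from matching eval(.
FUNCS = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress", "fwrite", "eval")
CALL = re.compile(r"(?<!\w)(" + "|".join(FUNCS) + r")\s*\(")

def fingerprint(rel_path, line):
    # Assumed ignore key: path + exact line, so an edited line is reported again.
    return hashlib.sha256(f"{rel_path}\0{line.strip()}".encode()).hexdigest()

def scan(root, ignored=frozenset()):
    """Return (function, relative path, line number, line) for every call found."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if fingerprint(rel, line) in ignored:
                continue
            hits += [(m.group(1), rel, no, line.strip()) for m in CALL.finditer(line)]
    return hits

def compare(local_root, reference_root):
    """Return (path, line number, local line, reference line) where flagged lines differ."""
    out = []
    for rel, no, local in sorted({(r, n, l) for _, r, n, l in scan(local_root)}):
        ref = Path(reference_root) / rel
        ref_lines = ref.read_text(encoding="utf-8", errors="replace").splitlines() if ref.is_file() else []
        ref_line = ref_lines[no - 1].strip() if no <= len(ref_lines) else None
        if ref_line != local:
            out.append((rel, no, local, ref_line))
    return out

def demo():
    """Build a constructed local tree and pristine copy, then scan and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        local, pristine = Path(tmp, "local"), Path(tmp, "pristine")
        clean = "<?php\n$data = base64_decode($_POST['img']); // upload handler\n"
        tampered = "<?php\n$data = eval(base64_decode($blob)); // constructed sample\n"
        for root, body in ((local, tampered), (pristine, clean)):
            (root / "gallery").mkdir(parents=True)
            (root / "gallery" / "upload.php").write_text(body)
            (root / "gallery" / "notes.php").write_text("<?php\n// medieval(theme)\n")
        hits = scan(local)
        ignored = {fingerprint(h[1], h[3]) for h in hits}
        return hits, scan(local, ignored), compare(local, pristine)
```

Because the ignore key covers the line's content as well as its path, a line that was marked harmless and later modified shows up in the results again.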

The Direction this Plugin is Heading:

It’s the collaborative nature of WordPress that has not only accelerated its growth, but also introduced some of the exploits that this plugin is designed to identify. In the future, the plugin will embrace this collective powerhouse, by giving users the ability to have their own site files checked against the code evaluations submitted by others. Advanced WordPress users who identify code as harmless can publish these results publicly so that others can probe the community to determine the integrity of their own site’s scripts.

NOTE: As of version 0.2.5, the Ask the Community feature has been introduced in Beta. Contribute your feedback to this new feature or visit the Community Site: www.filechecker.net

Screenshots

  • After performing a search of your scripts, FileChecker shows the results arranged by function.
  • Click the function to see the individual scripts, line numbers, and a brief excerpt of the code.
  • The magnifying glass opens a modal showing the lines of code surrounding the function, so that you can analyze how it's used, and determine if it's harmless. Clicking "OK to Ignore This" will suppress the code from being included among the search results in the future.
  • The "Compare" feature will indicate where your local plugin scripts match those in the WordPress plugin repository.

Installation

  1. Install FileChecker either via the WordPress.org plugin directory, or by uploading the files to your server (in the /wp-content/plugins/ directory).
  2. Activate the plugin.
  3. Access FileChecker in the Admin > Tools flyout.
  4. Expand each section to view search results by function, along with a brief excerpt of the function as it’s used.
  5. Click the magnifying glass to open the matching portion of the script in a modal for your analysis.
  6. Click “OK to Ignore This” from the modal, to suppress this script from being presented again.

FAQ

Are there any new features planned?

Future versions of this plugin may introduce community-based analysis of the matched results, to help you determine whether these lines of code are harmless and needed for the website’s core, theme or plugins to function, or whether they have been injected into your scripts with malicious intent.

Can I propose a feature?

If you wish. Sure.

Contributors & Developers

“FileChecker” is open source software.

Changelog

0.2.5

  • “Ask the Community” feature added to compare all instances of functions against community-sourced code evaluations.
  • Community Site Launched!: www.filechecker.net
  • To contribute your own evaluations, examine the code block and click the “Share your Evaluation” button to let other WordPress site owners know whether a function’s use is safe or malicious.

0.2.1

  • Updated the page layout to put all of the matching functions into tab panes.

0.2.0

  • “Compare” feature added to compare all instances of functions in local plugins against scripts in the WordPress repository.

0.1.0

  • Plugin released in Beta. Standby for official release.