Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » Missed additional file in core integrity check

  • Resolved davewardlerules

    (@davewardlerules)


    Hello,

    Over the weekend, a client’s website was attacked. After cleaning it up, the injected code re-appeared. I eventually noticed a backdoor had been left behind but this file was not appearing in the list of added core files (so I didn’t notice it immediately). The file was named wp-rss.php. I suspect that since this was a file in older versions of WordPress, the scanner accepted it as legitimate?

    Thanks

    Dave

Viewing 5 replies - 1 through 5 (of 5 total)
  • Jonas Lundman

    (@jonas-lundman)

    Same problem here, but with another file indekz.php

    Plugin Contributor Daniel Cid

    (@ddsucurinet)

    Might be. Do you mind pasting the content of that file so we can see what is going on?

    thanks,

    Thread Starter davewardlerules

    (@davewardlerules)

    Hi Daniel,

    Sure, you can see the source code of the file here:
    https://gist.github.com/anonymous/6b29c99d44e4f7e702d4ef9c302a173e

    Thanks

    Dave

    The code that you found in your website is in fact malicious [1] and as you guessed in your original comment our plugin ignores the existence of the “wp-rss.php” file as well as other files that we consider irrelevant; you can see the complete list here [2].

    Please do not rely entirely on our plugin for the security of your website. The plugin is a security suite meant to complement your existing security posture. It is expected that you have a system besides or above (like a firewall) to prevent the wide range of attacks that your website might suffer.

    Also notice, even if we remove the exception of the “wp-rss.php” file, the plugin will not read its content, so it will never know if the file is infected or not. You will notice in the code that I linked below that a malicious user can also hide from the WordPress Integrity Checks by writing malware into a “503.php” file, or “404.php”, or “500.php” or even “wp-config.php” because the plugin ignores them all.

    A solution to this problem is to pay close attention to the “Audit Logs”. If a malicious user is able to create/write/update a “wp-rss.php” or any of the files ignored by the core integrity tool, the modifications will still appear in the audit logs. Be sure to check that section if you suspect a new attack.

    [1] https://gist.github.com/anonymous/6b29c99d44e4f7e702d4ef9c302a173e
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/0d4189c/src/corefiles.php#L423-L447

    I have modified the code that ignores these files during the execution of the core integrity checks. From now on the plugin will ignore just a handful of files that we consider to be really irrelevant; the rest of the files that are in the list will be added (on startup) to a cache file, and the website owner can delete one or more of these files from the cache and force the plugin to monitor them. There will be a panel in the scanner section of the settings page called “Core Integrity Checks – Marked As Fixed”.

    For this specific ticket, you can go to this section and delete the “wp-rss.php” file from the cache. The next time the core integrity checks are executed the plugin will not ignore the changes in this file.

    This was implemented with commit #9da5253 [1].

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/29/commits/9da5253
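
The two mechanisms discussed in this thread, a hash-based core integrity check that skips an ignore list and an audit log that still records writes to the skipped files, are illustrated below in a small Python model. This is an added example, not code from the Sucuri plugin; the baseline hashes, disk snapshot, audit-log lines and the `unignore()` helper (standing in for deleting an entry from the “Marked As Fixed” panel) are all constructed for the example. The ignored file names are the ones named in the replies above.

```python
import hashlib
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the known-good manifest of core files. A real
# checker fetches per-version checksums; the bodies here are made up.
KNOWN_GOOD_CONTENT: Dict[str, bytes] = {
    "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-cron.php": b"<?php\n// constructed placeholder for the real file\n",
}
BASELINE: Dict[str, str] = {n: sha256_hex(b) for n, b in KNOWN_GOOD_CONTENT.items()}

# File names the thread says the old integrity check skipped entirely.
DEFAULT_IGNORED: Set[str] = {"wp-rss.php", "404.php", "500.php", "503.php", "wp-config.php"}

# Constructed snapshot of the web root after the incident: the core files are
# intact, but a file that is not part of this WordPress version has appeared.
DISK_AFTER_INCIDENT: Dict[str, bytes] = dict(KNOWN_GOOD_CONTENT)
DISK_AFTER_INCIDENT["wp-rss.php"] = b"<?php\n/* constructed stand-in for an unexpected file */\n"


def core_integrity_check(disk: Dict[str, bytes], baseline: Dict[str, str],
                         ignored: Set[str]) -> Dict[str, List[str]]:
    """Compare files on disk against the baseline, skipping the ignore list.

    The check never inspects content for maliciousness: a file is only ever
    'added', 'modified' or 'removed' relative to the known-good manifest, and
    anything on the ignore list is invisible to it (the blind spot in the thread).
    """
    report: Dict[str, List[str]] = {"added": [], "modified": [], "removed": []}
    for name in sorted(set(disk) | set(baseline)):
        if name in ignored:
            continue
        if name not in baseline:
            report["added"].append(name)
        elif name not in disk:
            report["removed"].append(name)
        elif sha256_hex(disk[name]) != baseline[name]:
            report["modified"].append(name)
    return report


def unignore(cache: Set[str], name: str) -> Set[str]:
    """Model of deleting one entry from the 'Marked As Fixed' cache (hypothetical helper)."""
    return cache - {name}


# Constructed audit-log lines: "<timestamp> <action> <path>". Timestamps are made up.
AUDIT_LOG: List[str] = [
    "2000-01-01T00:00:01Z file_created wp-rss.php",
    "2000-01-01T00:00:02Z file_modified wp-content/themes/demo/footer.php",
    "2000-01-01T00:00:03Z login_success admin",
]


def writes_to_ignored_files(audit_lines: List[str], ignored: Set[str]) -> List[Tuple[str, str]]:
    """Surface writes the integrity check would never report because the target is ignored."""
    hits: List[Tuple[str, str]] = []
    for line in audit_lines:
        _ts, action, target = line.split(" ", 2)
        if action in {"file_created", "file_modified"} and target in ignored:
            hits.append((action, target))
    return hits


if __name__ == "__main__":
    print("old behaviour:", core_integrity_check(DISK_AFTER_INCIDENT, BASELINE, DEFAULT_IGNORED))
    monitored = unignore(DEFAULT_IGNORED, "wp-rss.php")
    print("after unignoring wp-rss.php:", core_integrity_check(DISK_AFTER_INCIDENT, BASELINE, monitored))
    print("audit log writes to ignored files:", writes_to_ignored_files(AUDIT_LOG, DEFAULT_IGNORED))
```

Run as-is, the first report lists nothing even though `wp-rss.php` is on disk; once the name is removed from the cache the same snapshot reports it as an added file. The audit-log pass is independent of the ignore list, which is why the reply above points to the audit logs as the place to look for writes to files the integrity check skips.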

  • The topic ‘Missed additional file in core integrity check’ is closed to new replies.