nemonn – how to find malicious files

  • Hi, I’m trying to fix a nemonn hack.
    I’ve removed the extra code from header.php, but I have no idea how I would look for the backdoor files, reported to usually exist in wp-admin.

    Can I just totally replace the wp-admin folder with a clean version of it from a fresh WordPress download?

    If not, please advise how I can find these files.


Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz


    As long as you have followed recommended practice and not altered any core files, it is safe to completely replace all files contained in a fresh download.

    I’m unfamiliar with this particular hack, but I know many hacks place backdoors somewhere in wp-content precisely because it is not overwritten with a fresh download. Replacing just the WP files may or may not plug all the holes.

    Thanks for your reply. I did in fact just replace the entire wp-admin folder and it seems to be working fine.
    Other posts on this particular hack said backdoors were most likely in wp-admin, though someone had found one in the plugins folder of wp-content.
    I did delete all inactive themes also.
    For now, I’ll wait and see if the problems stay fixed.
    Thanks again.

    Just one more thing… If I wanted to find the potential backdoor files in question… would I need to search every file for base64_decode and decide if the file was malicious? Not sure how I would otherwise have done this.

    Moderator bcworkz


    That’s a good start and may do the job… or not. Take a look at this article to get an idea of what you could be up against:

    And that is a dated example. Many various obfuscation examples can exist by now. You’ll need to decide how much effort you want to put into this, or just wait and see. Of course the best response is restore from a known clean backup, but it sounds like that is not an option.
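An added example, not part of the original thread: one way to combine the two checks discussed above. It compares an installed tree against a fresh download to list changed and unexpected files, and flags PHP files containing `base64_decode` and similar calls for manual review. The function names, the pattern list and the tiny sample tree are assumptions constructed for illustration; the comparison goes beyond the plain `base64_decode` search asked about, since obfuscated code can evade a string match.

```python
import re
import tempfile
from pathlib import Path

# Heuristics only: a hit means "read this file", not "this file is malicious".
CALLS = re.compile(rb"\b(base64_decode|eval|gzinflate|str_rot13|create_function)\s*\(")
BLOB = re.compile(rb"[A-Za-z0-9+/=]{200,}")  # long encoded string literal

def compare_to_clean(site, clean):
    """Return (modified, extra) files in `site` relative to a fresh download."""
    site, clean = Path(site), Path(clean)
    modified, extra = [], []
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site)
        ref = clean / rel
        if not ref.is_file():
            extra.append(rel.as_posix())       # not shipped in the download
        elif f.read_bytes() != ref.read_bytes():
            modified.append(rel.as_posix())    # shipped, but content differs
    return modified, extra

def scan_php(root):
    """Return {path: reasons} for PHP files that deserve a manual review."""
    root, hits = Path(root), {}
    for f in sorted(root.rglob("*.php")):
        data = f.read_bytes()
        reasons = sorted({m.group(1).decode() for m in CALLS.finditer(data)})
        if BLOB.search(data):
            reasons.append("long-encoded-string")
        if reasons:
            hits[f.relative_to(root).as_posix()] = reasons
    return hits

def demo():
    """Run both checks on a tiny constructed tree (not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"clean/wp-admin/index.php": "<?php // core\n",
                 "site/wp-admin/index.php": "<?php // core, edited\n",
                 "site/wp-admin/tmp.php": "<?php eval(base64_decode('ZWNobyAxOw=='));",
                 "site/wp-content/plugins/a/a.php": "<?php $s = '" + "QUJD" * 60 + "';"}
        for name, body in files.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        site = Path(tmp, "site")
        return compare_to_clean(site, Path(tmp, "clean")), scan_php(site)

if __name__ == "__main__":
    print(demo())
```

Everything under wp-content shows up as "extra" because a fresh download does not contain your plugins, themes or uploads, so that folder is where the pattern scan matters most.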

    Thanks for the link, that’s a really informative article.
    For now I’ll wait and see, and if further problems arise, I’ll definitely be using that information.
    Thanks again

  • The topic ‘nemonn – how to find malicious files’ is closed to new replies.