Last Revised: October 2, 2021
One of the biggest concerns of WordPress users is suffering an attack that goes unnoticed, usually through a theme or plugin that carries a vulnerability, or through downloads from untrustworthy sites.
Although there are plugins that do this, they are themselves one more attack surface and security problem, so we will use an external tool to help us check for unwanted files.
AMWScan (PHP Antimalware Scanner) is a tool written in PHP that analyzes PHP code, so it is a perfect fit for analyzing WordPress. In addition, when it detects a WordPress installation it performs some extra tasks, such as verifying the checksums of plugins and themes against the official repository.
This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.
Requirements
- WordPress
Installation and configuration
To make it easier to use, we will install and configure PHP Antimalware Scanner so that it can be used as a command from anywhere on the system.
First, we download the main file.
wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner --no-check-certificate -O /usr/bin/awscan.phar
We will create the system-wide executable wrapper
vim /usr/bin/awscan
and we will include the following content
#!/bin/bash
# Pass every argument through to the phar, quoted so paths with spaces survive
php /usr/bin/awscan.phar "$@"
Once we have both files, we will give them execute permissions and make sure the directory is on the PATH for future runs.
chmod u+x,g+x /usr/bin/awscan.phar
chmod u+x,g+x /usr/bin/awscan
export PATH=$PATH":/usr/bin"
Analysis
Right now, we can launch it to test that it works. We will do a complete analysis, although it allows some options:
- -e: only looks for exploits
- -l: reduced analysis
In any case, the recommendation is to first run an analysis without parameters, to review everything. We can either go to the folder where WordPress is installed or run it indicating where it is.
awscan /webs/example.com/
In the case of a WordPress installation, this will return something like this:
█████╗ ███╗ ███╗██╗ ██╗███████╗ ██████╗ █████╗ ███╗ ██╗
██╔══██╗████╗ ████║██║ ██║██╔════╝██╔════╝██╔══██╗████╗ ██║
███████║██╔████╔██║██║ █╗ ██║███████╗██║ ███████║██╔██╗ ██║
██╔══██║██║╚██╔╝██║██║███╗██║╚════██║██║ ██╔══██║██║╚██╗██║
██║ ██║██║ ╚═╝ ██║╚███╔███╔╝███████║╚██████╗██║ ██║██║ ╚████║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
Github: https://github.com/marcocesarato/PHP-Antimalware-Scanner
version 0.7.5.177
PHP Antimalware Scanner
Created by Marco Cesarato
Start scanning...
Scan date: 07-01-2021 09:22:35
Scanning /webs/example.com
Mapping and retrieving checksums, please wait...
Found WordPress 5.6 (en_US) at "/webs/example.com"
Found WordPress Plugin Akismet Anti-Spam 4.1.8
Found WordPress Plugin Gutenberg 9.7.0
Found WordPress Plugin Health Check & Troubleshooting 1.4.5
Found WordPress Plugin Jetpack by WordPress.com 9.2.1
Found WordPress Plugin Two Factor 0.7.0
Found WordPress Plugin Wordfence Security 7.4.14
Retrieving checksums of WordPress Plugin Health Check & Troubleshooting 1.4.5
Retrieving checksums of WordPress Plugin Jetpack by WordPress.com 9.2.1
Retrieving checksums of WordPress Plugin Two Factor 0.7.0
Retrieving checksums of WordPress Plugin Wordfence Security 7.4.14
Verifying files checksum...
[===============================] 100% 2385/2385 [10 sec/0 sec]
Found 51 files to check
Checking files...
[=============================> ] 98% 50/51 [11 sec/0 sec]]
Scan finished!
SUMMARY
Files scanned: 51
Files edited: 0
Files quarantined: 0
Files whitelisted: 0
Files ignored: 0
Malware detected: 0
Malware removed: 0
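The "Verifying files checksum..." step above compares each shipped file with the checksum list published by the official repository (WordPress publishes MD5 sums). As an added example, not part of AMWScan or the page's own commands, the following Python builds a constructed plugin tree, records its manifest, tampers with it, and reports modified, missing and unexpected files the way such a comparison would; all paths and contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks (the hash type the WordPress checksum lists use)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest):
    """Compare every file under root with manifest (relative path -> expected MD5).

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    Unexpected files matter most: a dropped file is never in the official list."""
    result = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                result["unexpected"].append(rel)
            elif md5_of(full) != manifest[rel]:
                result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    result["modified"].sort()
    result["unexpected"].sort()
    return result


def demo():
    """Constructed scenario: clean plugin, manifest taken, then three kinds of tampering."""
    root = tempfile.mkdtemp()
    clean = {"plugin.php": b"<?php\n// plugin bootstrap\n",
             "inc/helpers.php": b"<?php\nfunction helper() { return 1; }\n",
             "readme.txt": b"=== Example Plugin ===\n"}
    for rel, body in clean.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    manifest = {rel: md5_of(os.path.join(root, rel)) for rel in clean}
    with open(os.path.join(root, "inc/helpers.php"), "ab") as f:
        f.write(b"// injected line\n")                      # shipped file edited
    with open(os.path.join(root, "dropped.php"), "wb") as f:
        f.write(b"<?php // file not in manifest\n")         # file dropped in
    os.remove(os.path.join(root, "readme.txt"))             # shipped file removed
    result = verify_tree(root, manifest)
    shutil.rmtree(root)
    return result
```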
Finding malicious content
In the event that it finds malicious content, the analysis returns some extra data: first it indicates which file has the problem, then a preview of its content and which functions or lines could be the ones causing the problem.
Along with this, it offers a series of options for what we want to do:
[1] Delete file
[2] Move to quarantine
[3] Dry run evil code fixer
[4] Dry run evil line code fixer
[5] Open with vim
[6] Open with nano
[7] Add to whitelist
[8] Show source
[-] Ignore
The tool has some built-in options to correct the problem, although in this case it is best to analyze the file and understand what is wrong, and whether it is really a problem or not.
An example of the output that a possible backdoor would produce is this.
█████╗ ███╗ ███╗██╗ ██╗███████╗ ██████╗ █████╗ ███╗ ██╗
██╔══██╗████╗ ████║██║ ██║██╔════╝██╔════╝██╔══██╗████╗ ██║
███████║██╔████╔██║██║ █╗ ██║███████╗██║ ███████║██╔██╗ ██║
██╔══██║██║╚██╔╝██║██║███╗██║╚════██║██║ ██╔══██║██║╚██╗██║
██║ ██║██║ ╚═╝ ██║╚███╔███╔╝███████║╚██████╗██║ ██║██║ ╚████║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
Github: https://github.com/marcocesarato/PHP-Antimalware-Scanner
version 0.7.5.177
PHP Antimalware Scanner
Created by Marco Cesarato
Start scanning...
Scan date: 07-01-2021 09:27:57
Scanning /PHP-Malware-Collection/shell/php-backdoor.php
Mapping and retrieving checksums, please wait...
Found 1 files to check
Checking files...
[> ] 0% 0/1 [0 sec/0 sec]
PROBABLE MALWARE FOUND!
/PHP-Malware-Collection/shell/php-backdoor.php
=================================== PREVIEW ====================================
27 | if(isset($_REQUEST['c'])){
28 | echo "<pre>";
29 | system($_REQUEST['c']);
30 | die;
31 | }
================================================================================
Checksum: 2b5cb105c4ea9b5ebc64705b4bd86bf7
File path: /PHP-Malware-Collection/shell/php-backdoor.php
Evil code found:
[!] Exploit `execution` [line 29]
- RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP
=> system($_REQUEST['c'])
[!] Function `system` [line 28]
- Encoded Function `system`
=> ";
system($_REQUEST['c'])
[!] Sign `100` [line 29]
- Definition sign `100`
=> system($_REQUEST[
[!] Sign `110` [line 28]
- Definition sign `110`
=> echo "<pre>";
system($_REQUEST['c']);
die;
OPTIONS:
[1] Delete file
[2] Move to quarantine
[3] Dry run evil code fixer
[4] Dry run evil line code fixer
[5] Open with vim
[6] Open with nano
[7] Add to whitelist
[8] Show source
[-] Ignore
amwscan > What is your choice? -
File '/PHP-Malware-Collection/shell/php-backdoor.php' skipped!
Scan finished!
SUMMARY
Files scanned: 1
Files edited: 0
Files quarantined: 0
Files whitelisted: 0
Files ignored: 1
Malware detected: 1
Malware removed: 0
Files ignored:
/PHP-Malware-Collection/shell/php-backdoor.php
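The "Exploit `execution`" finding above fires because a command-execution function receives data straight from a request superglobal. As an added example (not AMWScan's own logic, which is more elaborate), this Python implements that one heuristic over a constructed PHP sample shaped like the preview above: a call to system(), exec() and friends is rated high when its argument contains $_REQUEST, $_GET, $_POST or $_COOKIE, and low when the argument is a literal; comment lines are skipped.

```python
import re

# Functions that hand their argument to a shell or to the PHP interpreter.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "eval", "popen", "proc_open")
# Superglobals that carry request data straight from the HTTP client.
REQUEST_VARS = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE")

# Matches `func(` followed by everything up to the end of the statement.
CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\((?P<args>[^;]*)",
                     re.IGNORECASE)


def scan_php(source):
    """Return findings as (line_no, function, severity, stripped_line).

    severity is "high" when request input flows into the call, "low" otherwise.
    Constructed heuristic: line based, so a call split over several lines is missed."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):
            continue  # comment line: do not raise noise on prose mentioning exec()
        for m in CALL_RE.finditer(line):
            func = m.group(1).lower()
            tainted = any(v in m.group("args") for v in REQUEST_VARS)
            findings.append((no, func, "high" if tainted else "low", stripped))
    return findings


# Constructed sample reproducing the shape shown in the scanner preview.
SAMPLE = """<?php
// constructed sample: the shape shown in the scanner preview above
if(isset($_REQUEST['c'])){
echo "<pre>";
system($_REQUEST['c']);
die;
}
// a literal argument: still worth a look, but not remote-controlled
$out = shell_exec('ls -la');
// comment mentioning exec() should not count
"""

if __name__ == "__main__":
    for no, func, severity, text in scan_php(SAMPLE):
        print(f"[{severity}] `{func}` line {no}: {text}")
```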
About this document
This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and put the material you create under the EUPL license.