[wp-hackers] A tool to check whether the core files were tampered?

Roger Chen developer at rogerhub.com
Sat Nov 16 04:22:17 UTC 2013 

If you're concerned that your core files are corrupted or have been
tampered with, you can always just do a find . -type f | xargs md5sum and
compare (diff) it to a fresh copy from wordpress.org. On the other hand,
the only parts of your installation that should differ from a clean install
are your wp-config and wp-content. You should be able to replace all of the
core files without an issue.

Roger


On Fri, Nov 15, 2013 at 10:10 AM, Mika A Epstein <ipstenu at ipstenu.org>wrote:

> Given the nature of most 'tampering' is to add in obfuscated code, I just
> search for that. Or if I even remotely suspect it, delete core and plugins,
> reinstall. it's not like it hurts my data.
>
> It'd be nice if someone made a wp-cli-esque sort of scanner for this,
> though, since in theory if that was baked in, they couldn't mess with the
> scanner unless they had access to edit wp-cli (i.e. SU or root)
>
>
> J.D. Grimes wrote:
>
>>
>> On Nov 15, 2013, at 11:42 AM, David Anderson<david at wordshell.net> wrote:
>>
>>
>>> Hi,
>>>
>>> Since I sell a solution in this area, I'm biased...
>>>
>>> ... but, as a long-time security pro, I'd say that a plugin which offers
>>> to check that your website hasn't been tampered with fails at the
>>> conceptual level. Useless. It's only good as long as you're sure that the
>>> plugin itself is intact. Altering the plugin is trivially easy (e.g. 1 line
>>> to short-circuit the tamper check, and 'return true;'). It's like asking
>>> your young son "you would tell me if you were lying, wouldn't you?". "Yeah
>>> dad, sure". "Thanks - I was almost worried for a moment there."
>>>
>>> Why would someone who tampers with your website *not* tamper with the
>>> security check? Basically, you're relying on the hacker being incompetent.
>>> Wordfence (for example), has had over 1 million downloads. Why would
>>> someone trying to break into WordPress sites have to be to not have
>>> "short-circuit WordFence's tamper checks" in his toolkit?
>>>
>>> Unless you're happy assuming that hackers will continue ignoring
>>> WordFence (etc.) so that their hacks can get cleaned up quicker, then the
>>> only way to verify your files is off-site, i.e. externally. Anything (not
>>> just a plugin) that you run within the same web-space could itself be
>>> tampered with. A service which has pristine versions of your plugins, and
>>> can compare them in a 'clean room' with what's installed.<Advert>I do this
>>> with my own tool (from the command line: "wordshell all --everything
>>> --checkmodifications"). It avoids this issue because it does not run any
>>> code on the webserver for that operation</Advert>. I'm sure there must be
>>> other functional solutions as well.
>>>
>>> Best wishes,
>>> David
>>>
>>
>>
>> Agreed that its usefulness in that regard is limited. But it is more
>> useful in this case, when checking if a site has been previously tampered
>> with before the plugin was installed.
>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

More information about the wp-hackers mailing list