WordPress Malware hack cleanup

Posted by & filed under Security, Web Development.

A few handy commands to cut to the chase and find the crap spammers/skiddies have added to a WP install:

Find files containing text recursively:

A good use of this is to search for the below. It canĀ return false positives, but finds a function commonly used to obsfucate code:

Diff two installations. If you have a clean copy of WP, you can compare it to a compromised version to find the differences. Here I am excluding the error_log file, and sending the output to diff.txt for review:

Find php files (and other filetypes that should not be present in the uploads directory. This is typically one if the first places things are placed:

Grep the DB. Sometimes things get hidden in the databaseĀ in an effort to hide malware. Considering that a WordPress database is tiny in the grand scheme of things, a simple way to quickly review what is in the database is to use mysqldump, phpmyadmin or whatever tool you would like to export the entire database to SQL. Then you can review the contents easily. Be on the lookout for base64 encoded strings, they are a good giveaway.

Find recently modified PHP files:



OpenSSL – Extracting a crt and key from a pkcs12 file

Posted by & filed under Linux, Server Admin.

Quick and dirty way to pull out the key and crt from a pkcs12 file:

If you are using this for Apache and need to strip the password out of the certificate so Apache does not ask for it each time it starts: