[wp-hackers] A tool to check whether the core files were tampered?

Gabriel Acosta gabo.acosta624 at gmail.com
Sat Nov 16 20:29:39 UTC 2013


Just make a git repository on your installation, then you run git status and
can see any changed files.


On Fri, Nov 15, 2013 at 9:22 PM, Roger Chen <developer at rogerhub.com> wrote:

> If you're concerned that your core files are corrupted or have been
> tampered with, you can always just do a find . -type f | xargs md5sum and
> compare (diff) it to a fresh copy from wordpress.org. On the other hand,
> the only parts of your installation that should differ from a clean install
> are your wp-config and wp-content. You should be able to replace all of the
> core files without an issue.
>
> Roger
>
>
> On Fri, Nov 15, 2013 at 10:10 AM, Mika A Epstein <ipstenu at ipstenu.org> wrote:
>
> > Given the nature of most 'tampering' is to add in obfuscated code, I just
> > search for that. Or if I even remotely suspect it, delete core and plugins,
> > reinstall. It's not like it hurts my data.
> >
> > It'd be nice if someone made a wp-cli-esque sort of scanner for this,
> > though, since in theory if that was baked in, they couldn't mess with the
> > scanner unless they had access to edit wp-cli (i.e. SU or root)
> >
> >
> > J.D. Grimes wrote:
> >
> >>
> >> On Nov 15, 2013, at 11:42 AM, David Anderson <david at wordshell.net> wrote:
> >>
> >>
> >>> Hi,
> >>>
> >>> Since I sell a solution in this area, I'm biased...
> >>>
> >>> ... but, as a long-time security pro, I'd say that a plugin which offers
> >>> to check that your website hasn't been tampered with fails at the
> >>> conceptual level. Useless. It's only good as long as you're sure that the
> >>> plugin itself is intact. Altering the plugin is trivially easy (e.g. 1 line
> >>> to short-circuit the tamper check, and 'return true;'). It's like asking
> >>> your young son "you would tell me if you were lying, wouldn't you?". "Yeah
> >>> dad, sure". "Thanks - I was almost worried for a moment there."
> >>>
> >>> Why would someone who tampers with your website *not* tamper with the
> >>> security check? Basically, you're relying on the hacker being incompetent.
> >>> Wordfence (for example), has had over 1 million downloads. Why would
> >>> someone trying to break into WordPress sites have to be to not have
> >>> "short-circuit WordFence's tamper checks" in his toolkit?
> >>>
> >>> Unless you're happy assuming that hackers will continue ignoring
> >>> WordFence (etc.) so that their hacks can get cleaned up quicker, then the
> >>> only way to verify your files is off-site, i.e. externally. Anything (not
> >>> just a plugin) that you run within the same web-space could itself be
> >>> tampered with. A service which has pristine versions of your plugins, and
> >>> can compare them in a 'clean room' with what's installed.<Advert>I do this
> >>> with my own tool (from the command line: "wordshell all --everything
> >>> --checkmodifications"). It avoids this issue because it does not run any
> >>> code on the webserver for that operation</Advert>. I'm sure there must be
> >>> other functional solutions as well.
> >>>
> >>> Best wishes,
> >>> David
> >>>
> >>
> >>
> >> Agreed that its usefulness in that regard is limited. But it is more
> >> useful in this case, when checking if a site has been previously tampered
> >> with before the plugin was installed.
> >>
> >>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
>
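
Added example, not part of the original message or any poster's code: the checksum comparison Roger describes, arranged so it can run against a copy of the site pulled to another machine, which is the off-site check David argues for. It assumes two local directories (a fresh download of the same version and the copied site) and uses sha256sum in place of md5sum; the function names manifest, check_core and demo are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: CLEAN is an unpacked fresh download of the same
# WordPress version, SITE is a copy of the live tree pulled to another machine.
# sha256sum stands in for the md5sum mentioned in the thread.

# manifest DIR: print "hash  ./path" for every core file, sorted by path.
# wp-config.php and wp-content/ are skipped because they are expected to differ.
# -exec ... + copes with spaces in file names, which a plain find | xargs does not.
manifest() {
    ( cd "$1" && find . -type f ! -path './wp-content/*' ! -path './wp-config.php' \
        -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# check_core CLEAN SITE: print MODIFIED / ADDED / MISSING core files.
# Returns 0 when the core files match, 1 otherwise.
check_core() {
    clean=$(mktemp); site=$(mktemp)
    manifest "$1" > "$clean"; manifest "$2" > "$site"
    awk '
        { h = $1; p = substr($0, index($0, "  ") + 2) }  # hash, then path
        FILENAME == ARGV[1] { want[p] = h; next }         # first file: clean tree
        { seen[p] = 1 }
        !(p in want)  { print "ADDED    " p; bad = 1; next }
        want[p] != h  { print "MODIFIED " p; bad = 1 }
        END {
            for (p in want) if (!(p in seen)) { print "MISSING  " p; bad = 1 }
            exit bad + 0
        }' "$clean" "$site" && rc=0 || rc=$?
    rm -f "$clean" "$site"
    return "$rc"
}

# demo: build two small constructed trees (not real WordPress files) and compare.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/wp-includes" "$d/site/wp-includes" "$d/site/wp-content"
    echo '<?php // loader'  | tee "$d/clean/index.php" > "$d/site/index.php"
    echo '<?php // version' > "$d/clean/wp-includes/version.php"
    echo '<?php // changed' > "$d/site/wp-includes/version.php"    # modified core file
    echo '<?php // extra'   > "$d/site/wp-includes/old cache.php"  # file not in core
    echo '<?php // theme'   > "$d/site/wp-content/theme.php"       # ignored
    echo 'secret'           > "$d/site/wp-config.php"              # ignored
    check_core "$d/clean" "$d/site" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_core "$1" "$2"; else demo || true; fi
```

Run with two directory arguments to compare real trees; with no arguments it runs the constructed demo. Files added under wp-content are outside the comparison by design, so they need a separate review.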

