[wp-hackers] A tool to check whether the core files were tampered?

Mika A Epstein ipstenu at ipstenu.org
Fri Nov 15 18:10:49 UTC 2013


Given the nature of most 'tampering' is to add in obfuscated code, I 
just search for that. Or if I even remotely suspect it, delete core and 
plugins, reinstall. It's not like it hurts my data.

It'd be nice if someone made a wp-cli-esque sort of scanner for this, 
though, since in theory if that was baked in, they couldn't mess with 
the scanner unless they had access to edit wp-cli (i.e. SU or root).

J.D. Grimes wrote:
>
> On Nov 15, 2013, at 11:42 AM, David Anderson <david at wordshell.net> wrote:
>
>>
>> Hi,
>>
>> Since I sell a solution in this area, I'm biased...
>>
>> ... but, as a long-time security pro, I'd say that a plugin which 
>> offers to check that your website hasn't been tampered with fails at 
>> the conceptual level. Useless. It's only good as long as you're sure 
>> that the plugin itself is intact. Altering the plugin is trivially 
>> easy (e.g. 1 line to short-circuit the tamper check, and 'return 
>> true;'). It's like asking your young son "you would tell me if you 
>> were lying, wouldn't you?". "Yeah dad, sure". "Thanks - I was almost 
>> worried for a moment there."
>>
>> Why would someone who tampers with your website *not* tamper with the 
>> security check? Basically, you're relying on the hacker being 
>> incompetent. Wordfence (for example), has had over 1 million 
>> downloads. Why would someone trying to break into WordPress sites 
>> have to be to not have "short-circuit WordFence's tamper checks" in 
>> his toolkit?
>>
>> Unless you're happy assuming that hackers will continue ignoring 
>> WordFence (etc.) so that their hacks can get cleaned up quicker, then 
>> the only way to verify your files is off-site, i.e. externally. 
>> Anything (not just a plugin) that you run within the same web-space 
>> could itself be tampered with. A service which has pristine versions 
>> of your plugins, and can compare them in a 'clean room' with what's 
>> installed. <Advert>I do this with my own tool (from the command line: 
>> "wordshell all --everything --checkmodifications"). It avoids this 
>> issue because it does not run any code on the webserver for that 
>> operation</Advert>. I'm sure there must be other functional solutions 
>> as well.
>>
>> Best wishes,
>> David
>
>
> Agreed that its usefulness in that regard is limited. But it is more 
> useful in this case, when checking if a site has been previously 
> tampered with before the plugin was installed.

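The off-site comparison discussed in this thread, as an added example that is not code from any poster or from the tools they mention: it hashes a copy of the installed files against a clean release unpacked on a separate machine, reading files only and running nothing from the site. The function names, the skip list and the sample trees are assumptions made for illustration, and it assumes the site's files were already copied to the checking machine.

```python
import hashlib
import os
import tempfile

SKIP_FILES = {"wp-config.php"}        # site-specific, no pristine counterpart (assumed default)
SKIP_DIRS = ("wp-content/uploads/",)  # user media, not part of any release (assumed default)

def tree_hashes(root):
    """Return {relative path: SHA-256} for files under root. Files are read, never executed."""
    hashes = {}
    for folder, _, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in SKIP_FILES or rel.startswith(SKIP_DIRS):
                continue
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare(pristine_root, installed_root):
    """Diff a fetched copy of the site against a clean release unpacked off-site."""
    clean, live = tree_hashes(pristine_root), tree_hashes(installed_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(p for p in clean if p not in live),
        "added": sorted(p for p in live if p not in clean),  # files the release never shipped
    }

def write_tree(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Constructed sample trees standing in for a clean release and a fetched site copy."""
    clean = {"index.php": "<?php // front", "wp-includes/version.php": "<?php // version", "wp-admin/admin.php": "<?php // admin"}
    live = dict(clean)
    live["wp-includes/version.php"] += "\n// CONSTRUCTED: altered line"
    live["wp-includes/extra.php"] = "<?php // CONSTRUCTED: file not in the release"
    live["wp-config.php"] = "<?php // site config, skipped by the check"
    del live["wp-admin/admin.php"]
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        return compare(a, b)
```

The "added" list matters as much as "modified": a check that only re-hashes known files never sees a file dropped in beside them.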
