Catch WordPress Hackers with the AIDE Viewer

Posted by abefroman on Aug 17, 2015 11:33 AM EDT
White Hat Linux; By Larry Shelby

WordPress is a popular favorite among web site owners, and it's also a favorite among hackers. We reached out to WordPress.org as well as Automattic for comment on why they think this is the case and on any future plans they have to make it more secure, particularly for themes and plugins created by third parties, which is where the majority of the exploits are. Automattic has not responded to our request. WordPress.org got in touch with us, stating that they do review any plugins hosted by WordPress but have no control over plugins not hosted by them. The representative also stated that he didn't have any information on whether anything would be done differently by WordPress in the future as far as how they handle non-hosted third-party themes and plugins.

This was not a very promising reply as far as WordPress sites becoming more secure in the future. A couple of ideas I have in mind are a scanner for insecure coding patterns when you're installing a theme or plugin, a warning or an option to disable an existing theme or plugin when an exploit is found and made public, or perhaps an XML file on the developer's site that WordPress can read to verify the version. Currently WordPress may report that everything is up to date even though you have a plugin installed that is out of date and has a known security exploit. This leads to a false sense of security and confusion among some WordPress users.

By default WordPress doesn't ship with all the tools needed to properly secure and monitor your site, which is why today we bring you the PHP AIDE Viewer, a GUI for the Advanced Intrusion Detection Environment (AIDE) file integrity scanner.

AIDE is a powerful scanner: it records every tracked file in a database and, on demand, compares the filesystem against that database to find new, deleted, or changed files. A file counts as changed when any attribute the configuration tells AIDE to record differs: size, permissions, owner, timestamps, inode, and one or more checksums, MD5 being the one most setups rely on. It is common to set up AIDE to run from a crontab, at least once per day and preferably more often, depending on your server's specs and how many files you have; on solid state drives (SSDs), for example, the scan will run much faster.

If you need to install the AIDE binary, you can either build it from source or use your distribution's package, since most ship one. On CentOS, for example, you can run: yum install aide
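As an added example (not from the article or the AIDE Viewer project), here is a minimal aide.conf for a WordPress document root. It uses the AIDE 0.15-era directive and rule syntax; the paths are assumptions you would adjust to your layout, and the cache exclusion is a guess at a directory that churns too often to be worth tracking.

```conf
# /etc/aide.conf for a WordPress docroot (added example; assumed paths, AIDE 0.15-style syntax)

# Baseline database read during --check, and the new database written by --init / --update
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
gzip_dbout=yes

# Where the check report goes; several report_url lines are allowed
report_url=file:/var/log/aide/aide.log
report_url=stdout

# Attributes to record for application code:
#   p=permissions  i=inode  n=link count  u=uid  g=gid  s=size
#   m=mtime  c=ctime  md5/sha256=checksums (two, so a weakness in one is covered by the other)
WPCODE = p+i+n+u+g+s+m+c+md5+sha256

# Track the whole docroot with that rule; a leading '!' excludes a subtree
/var/www/html WPCODE
!/var/www/html/wp-content/cache
```

Initialize the baseline with `aide --init`, which writes `database_out`; move that file to the `database` path, and then have cron run `aide --check` (hourly is a reasonable starting point for a busy site). Because the rule names the checksums alongside the timestamps, a file whose contents change but whose mtime has been put back is still reported. Keep the database, the config and the `aide` binary somewhere the web server's user cannot write, or better, keep a copy off the host: an intruder who can rewrite the database can also silence the report. After every legitimate core, theme or plugin update, re-run `aide --init` (or `--update`) so the next check does not bury the interesting changes among the expected ones.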

One problem with AIDE is that its reports can be difficult to manage and read. Currently you can save the reports as text files or have them emailed to you, but there is no good way to combine them or search through them, and to our knowledge no other GUI exists to process them.

Our AIDE Viewer has two parts. The first is a shell script that runs AIDE, parses the log, handles rotation of the logs, and supports email reporting when a change is detected. The second is a PHP script that reads the parsed data and displays it in a GUI for you, complete with robust instant search, including complex regular expressions.
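The parse-then-search step the viewer performs, as an added example in Python rather than the project's own shell and PHP code. It assumes the report layout of AIDE 0.15-era builds (an `added:`/`removed:`/`changed:` listing, then a detail section of `File:` blocks whose attribute lines read `Name : old , new` and list only the attributes that differ); the sample report, its paths and its hash values are constructed for illustration.

```python
"""Parse an AIDE check report into records and regex-search them.

Added example, not the PHP AIDE Viewer's code. Assumes the AIDE 0.15-era report
layout described in the lead-in; SAMPLE_REPORT is constructed, not a real run.
"""
import re
from dataclasses import dataclass, field

# Constructed sample report: invented paths and checksum values.
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Start timestamp: 2015-08-17 04:00:01

Summary:
  Added files:                  1
  Changed files:                2

---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/www/html/wp-content/uploads/2015/08/wp-cache.php

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /var/www/html/wp-config.php
changed: /var/www/html/wp-content/themes/twentyfifteen/functions.php

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /var/www/html/wp-config.php
 Size     : 3104                             , 3210
 Mtime    : 2015-07-01 12:00:00              , 2015-08-16 03:12:44
 MD5      : 1B2M2Y8AsgTpgAmY7PhCfg==         , XrY7u+Ae7tCTyyK7j1rNww==

File: /var/www/html/wp-content/themes/twentyfifteen/functions.php
 Size     : 12870                            , 13122
 MD5      : rL0Y20zC+Fzt72VPzMSk2A==         , Zm9vYmFyYmF6cXV4cXV1eA==
"""

TS_RE = re.compile(r"^Start timestamp: (.+)$")
ENTRY_RE = re.compile(r"^(added|removed|changed): (.+)$")
FILE_RE = re.compile(r"^File: (.+)$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*,\s*(.*?)\s*$")  # indented 'Name : old , new'
HASH_ATTRS = {"md5", "sha1", "sha256", "sha512", "rmd160", "tiger", "crc32"}


@dataclass
class Change:
    kind: str                                   # 'added', 'removed' or 'changed'
    path: str
    attrs: dict = field(default_factory=dict)   # attribute name -> (old value, new value)

    def hash_changed(self):
        """True if a checksum attribute is in the detail block; AIDE lists only attributes that differ."""
        return any(name.lower() in HASH_ATTRS for name in self.attrs)


def parse_report(text):
    """Return (start timestamp or None, [Change, ...]) in the order the report lists them."""
    timestamp, changes, order, current = None, {}, [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            timestamp = m.group(1).strip()
            continue
        m = ENTRY_RE.match(line)
        if m:                                   # summary listing: one line per file
            kind, path = m.groups()
            changes[path] = Change(kind, path)
            order.append(path)
            current = None
            continue
        m = FILE_RE.match(line)
        if m:                                   # start of a detail block
            path = m.group(1).strip()
            current = changes.setdefault(path, Change("changed", path))
            if path not in order:
                order.append(path)
            continue
        m = ATTR_RE.match(line) if current is not None else None
        if m:                                   # attribute line inside the current detail block
            name, old, new = m.groups()
            current.attrs[name] = (old, new)
    return timestamp, [changes[p] for p in order]


def search(changes, pattern, kinds=None):
    """Regex search over each record's path and attribute values, optionally limited to some kinds."""
    rx = re.compile(pattern)
    hits = []
    for c in changes:
        if kinds and c.kind not in kinds:
            continue
        haystack = [c.path] + [v for pair in c.attrs.values() for v in pair]
        if any(rx.search(s) for s in haystack):
            hits.append(c)
    return hits
```

Feeding several days of saved reports through `parse_report` and tagging each record with its timestamp gives the combined, searchable history the article says plain AIDE lacks; `search(changes, r"uploads/.*\.php$")` is the kind of query worth running first on a WordPress host, since PHP under wp-content/uploads is rarely legitimate.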

This is a must for any WordPress site, though it will work on, and is recommended for, any type of site. A WordPress site can typically contain thousands, if not tens of thousands, of files; trying to keep track of those without a file integrity scanner would be futile. If your WordPress site gets hacked, the intruders will usually change files and/or add files (we won't get into other types of attacks, such as SQLi, in this article). To see what files an intruder added, you could search by modification time, but that is easy to fake: a single touch or utime call puts the old timestamp back. You could also look in each directory, but there could be hundreds of directories, and intruders often use file names that look like legitimate files. So the best way is to keep track of, and look at changes in, the MD5 hash of each file.
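To make the mtime-versus-hash point concrete, here is an added example (not from the article) that builds a baseline manifest of a constructed miniature docroot, then simulates an intruder who appends to a theme file and resets its mtime, and who drops a new file with an innocuous name, backdated the same way. The mtime comparison sees nothing; the checksum comparison, which is what AIDE does with its hash attributes, sees both. The directory layout and file contents are invented.

```python
"""Hash comparison versus mtime comparison on a tampered docroot (added example, not from the article)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map docroot-relative path -> (sha256, size, mtime_ns) for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            manifest[rel] = (sha256_of(full), st.st_size, st.st_mtime_ns)
    return manifest


def compare_by_hash(baseline, current):
    """AIDE-style result: new, deleted and content-changed files, judged by checksum only."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p][0] != current[p][0]),
    }


def changed_by_mtime(baseline, current):
    """The 'search by modification time' approach: files whose mtime moved since the baseline."""
    common = set(baseline) & set(current)
    return sorted(p for p in common if baseline[p][2] != current[p][2])


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed miniature WordPress tree (invented contents)
        functions = os.path.join(root, "wp-content", "themes", "twentyfifteen", "functions.php")
        write(os.path.join(root, "index.php"), "<?php\nrequire 'wp-blog-header.php';\n")
        write(functions, "<?php\n// theme functions\n")
        baseline = build_manifest(root)

        # Simulated intruder, step 1: append to an existing theme file, then put the old mtime back
        before = os.stat(functions)
        with open(functions, "a") as f:
            f.write("/* injected backdoor stub (placeholder text, not code) */\n")
        os.utime(functions, ns=(before.st_atime_ns, before.st_mtime_ns))

        # Step 2: drop a new file with a legitimate-looking name, backdated the same way
        planted = os.path.join(root, "wp-content", "uploads", "2015", "08", "wp-cache.php")
        write(planted, "<?php /* planted file stub */\n")
        os.utime(planted, ns=(before.st_atime_ns, before.st_mtime_ns))

        current = build_manifest(root)
        result = compare_by_hash(baseline, current)
        result["by_mtime"] = changed_by_mtime(baseline, current)
        return result


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:9s} {paths}")
```

Note that the mtime check reports an empty list even though two files were tampered with, while the hash comparison returns exactly the modified theme file and the planted upload. The one timestamp an unprivileged intruder cannot put back with utime is ctime, which is why AIDE rules usually record it as well as the checksums; the checksums remain the authoritative signal.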

Let's take a look at the shell script first. You can download it as follows:
