FileChecker

Run a search of your WordPress scripts to find all instances of functions commonly used for malicious intent.

Author: era404 (profile at wordpress.org)
WordPress version required: 3.2.1
WordPress version tested: 5.2.6
Plugin version: 0.3.1
Added to WordPress repository: 05-07-2017
Last updated: 29-12-2019
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %: 0
Rated by: 0
Plugin URI: http://wordpress.org/plugins/filechecker/
Total downloads: 506

A handful of PHP functions are commonly used to un-obfuscate and run malicious code, such as: base64_decode(), str_rot13(), gzinflate(), fwrite(), and eval(). This plugin runs a command-line search through the entire WordPress file system to find each instance of these functions so that you can judge each one as genuine or problematic. Once you have verified a script as harmless, you can choose to ignore it so that it is no longer presented for your review.

What the FileChecker plugin does:

This plugin performs a search of all scripts in your WordPress installation directory, and presents the script, line number, and a small piece of the code, for your analysis. Currently, these functions include:

  • base64_decode: can be used to un-obfuscate malicious code from what appears to be a benign string of letters and numbers.
  • str_rot13: can be used to un-obfuscate malicious code from what appears to be a benign string of letters and numbers.
  • gzinflate: can be used to un-obfuscate malicious code (g-zip compression) from what appears to be a benign hash of characters and symbols.
  • gzuncompress: can be used to un-obfuscate malicious code (g-zip compression) from what appears to be a benign hash of characters and symbols.
  • fwrite: can be used in conjunction with the above obfuscation functions to write to the file system a new (or temporary) script that contains malicious code.
  • eval: can be used in conjunction with the above obfuscation functions to execute decoded or re-assembled code.
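A minimal sketch of the kind of search described above, written in Python as an added example (it is not the plugin's own code, which this page does not show): it reports the script, line number and a short snippet for each call to the listed functions, and skips scripts on an ignore list. The names `scan_text`, `scan_tree`, `demo` and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Function names listed in the plugin description.
FUNCTIONS = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress", "fwrite", "eval")
# A call is the name followed by "(", not preceded by an identifier character,
# "$" or "->". PHP function names are case-insensitive, so the match is too.
CALL_RE = re.compile(r"(?<![\w$>])(" + "|".join(FUNCTIONS) + r")\s*\(", re.IGNORECASE)

def scan_text(text):
    """Return (line_number, function, snippet) for every matching call in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            snippet = line[max(m.start() - 20, 0):m.end() + 40].strip()
            hits.append((lineno, m.group(1).lower(), snippet))
    return hits

def scan_tree(root, ignored=()):
    """Scan every .php file under root; skip relative paths listed in `ignored`."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if not name.lower().endswith(".php") or rel in ignored:
                continue
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[rel] = hits
    return report

# Constructed sample files (not taken from any real site or plugin).
SAMPLE = {
    "cache.php": "<?php\n$rows = json_decode(base64_decode($cached));\n",
    "theme.php": "<?php\n\n$x = medieval($y);\nEVAL(gzinflate(base64_decode($blob)));\n",
    "clean.php": "<?php\necho 'hello';\n",
}

def demo(ignored=()):
    """Write SAMPLE to a temporary directory and return the scan report."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, ignored)

if __name__ == "__main__":
    for path, hits in sorted(demo(ignored={"cache.php"}).items()):
        print(path, hits)
```

A hit only marks a line for review: the call in `cache.php` is ordinary decoding, which is why the ignore list exists.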

Some basic examples of these functions in use.

What the FileChecker plugin does not do:

The plugin does not repair or clean your scripts, but merely checks the file system for instances of these functions for your own individual analysis. It is our hope that it will provide insight and help identify attacks quickly, and before any permanent damage is done. Furthermore, it is recommended that you ask your host to maintain nightly backups of your site and database so that they may be restored in the event an attack occurs.

Compare plugin scripts:

This feature iterates through all plugin scripts where these functions were found, and compares the line of code against the same script in the WordPress plugins repository, to verify the integrity of the code. If a mismatch is discovered, you’re given a side-by-side comparison of the two lines of code to further analyze for potential issues.

The Direction this Plugin is Heading:

It’s the collaborative nature of WordPress that has not only accelerated its growth, but also introduced some of the exploits that this plugin is designed to identify. In the future, the plugin will embrace this collective powerhouse, by giving users the ability to have their own site files checked against the code evaluations submitted by others. Advanced WordPress users who identify code as harmless can publish these results publicly so that others can probe the community to determine the integrity of their own site’s scripts.

NOTE: As of version 0.2.5, the Ask the Community feature has been introduced in Beta. Contribute your feedback to this new feature or visit the Community Site: www.filechecker.net