- Malicious files are like mice. If you find one in your site, it’s not alone. This is especially true when dealing with phishing pages.
- When attempting to locate a malicious file, don’t assume any file is not the one you are looking for, even if you created it. In 2013, there was a massive outbreak of infections on WordPress sites where two very malicious files were named “wp-apps.php” and “wp-count.php”. For those of you who are not familiar with the WordPress naming schema, WordPress prepends it’s default configuration files with “wp-“. In fact, there is a file called “wp-app.php” that actually belongs there.
- Timestamps are your best friend. One of the simplest ways to locate files is by the timestamps. Most CMS software configuration files are created, edited once and then left alone for the rest of their existence. In the case of WordPress, the majority of “wp-includes/” should never change.
For many years, you have been running a standard CMS-based blog site where you discuss trends in animatronic ducks. You do not sell any products, take donations or do anything where storing potentially sensitive data is involved. All your content is purely about current events regarding robotic waterfowl. One day, you try to visit your site and notice a bunch of weird links in your page. Pretty soon, your anti-malware software pops up saying it has blocked malware from your website. You take look at the files on the site and discover several that were not there before, and several more that were modified. Upon further investigation it becomes apparent that the scripts are aimed to exploit well-known vulnerabilities in older versions of common web browsers.As you can see, the website is not the intended victim, it’s user base is. This is just one example of how attackers can use websites to facilitate more complicated attacks, which we will touch on with the next post! Regards, Zachary Wikholm Senior Security Engineer Security Incident Response Team (CARISIRT) CARI.net email@example.com