Using Access Logs to Find Rogue Files When WordPress is Hacked

I have received some requests from WP users (following up from this article) about how exactly to use access logs to track down rogue PHP files on their server, which can be used to reinfect their blogs after they thought they were nice and clean. This write-up is from my experience using GoDaddy as a host, but the process would be nearly identical on any host where you have access to your access logs.

I unfortunately did not save a copy of my access log from when I was hacked. However, I can try to describe a bit better what I did/found. I had never seen an access log before being hacked either, and so it was a bit daunting. But here is what I found.

First off, here is a sample line from an access log (this is a legitimate log entry, not from a hack; I'm just using it to explain what you are looking at a bit):

208.106.281.6 - - [01/Mar/2010:02:26:53 -0700] "POST www.rvoodoo.com/empire/wp-cron.php?doing_wp_cron HTTP/1.0" 200 0 "-" "WordPress/2.9.2; http://www.rvoodoo.com"

So that's a possible line from an access log. First in that line is an IP address (208.106.281.6); you can kind of ignore that for now, it's not important to this investigation.

Next up, we have the timestamp ([01/Mar/2010:02:26:53 -0700]). This is pretty important; it'll help you match things up, as I'll explain in a minute.

Next up, the method (POST). It'll be HEAD, POST, or GET; for a hack, you are frequently looking for the POST method.

Then we have the URL of the file being affected (www.rvoodoo.com/empire/wp-cron.php?doing_wp_cron). This is important, as it helps us find things, which I'll explain momentarily.

Then there is the stuff between the URLs (HTTP/1.0" 200 0), which isn't so important for us; it's user agents and whatnot.

And finally, the second URL (WordPress/2.9.2; http://www.rvoodoo.com). This tells us which file is doing the action, and it's also important; this could point to your rogue file if you have one.

So now you have a pretty basic understanding of what the lines in your access log look like and how to read them. How do you use this info to investigate for rogue files?

It's pretty simple really. When your files get hacked, some code is added to them, and when that happens the timestamp of the file changes in your GoDaddy file manager. So, find a file that has been hacked. Check the timestamp. Now, open your access log for that date. Cross-reference in your access log the time and date that your hacked file was changed. Especially look, at that date and time, for any requests using the POST method. Then, in the first URL, find the path to your file that was changed. When you find the URL to the file that had been changed, take a look at the second URL in that line of your log. The second URL will be the path to the file which was used to change the hacked file.

For instance, for me it was (http://www.rvoodoo.com/shop/includes/products/2008/06/images/settings.php). This file is totally outside of my WordPress install, but it was accessing my WP install for some reason. When I went to that folder and took a look at the code from that file from within GoDaddy's file editor, it was just a bunch of gibberish. So I deleted the file, and along with the other cleanup steps in the reading links I provided, that took care of my problem!
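As an added example of the cross-referencing just described (this is not the original post's code), here is a small Python script that parses Apache-style "combined" access-log lines and, given the path of a file whose timestamp changed and the time it changed, lists the POST requests to that path within a window around the change, together with their Referer and User-Agent fields (the post's "second URL"). In this log format the values between the two URLs are the protocol version, the HTTP status code and the response size in bytes, and the two trailing quoted strings are the Referer and the User-Agent, both of which are supplied by the client and so can be forged; treat them as leads to check in the file manager, not as proof. The log lines, the example.com host, the footer.php path and the settings.php referer are constructed sample data, and the ten-minute window and the log-format timestamp argument are my own choices.

```python
"""Cross-reference a changed file's timestamp against access-log lines.

Added example, not the original post's code. Finds the requests that could
have written a file: same path, POST method, close in time to the change.
"""
import re
from datetime import datetime, timedelta

# Apache/NCSA "combined" log format: client IP, identd, user, [timestamp],
# "METHOD path PROTOCOL", status, bytes, "Referer", "User-Agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 01/Mar/2010:02:26:53 -0700

# Constructed sample log (NOT real traffic). The third line follows the
# pattern the post describes: a POST to a blog file whose Referer points at
# a PHP file sitting outside the WordPress install.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2010:02:26:53 -0700] "POST /empire/wp-cron.php?doing_wp_cron HTTP/1.0" 200 0 "-" "WordPress/2.9.2; http://www.example.com"
198.51.100.7 - - [01/Mar/2010:03:14:02 -0700] "GET /empire/wp-content/themes/default/footer.php HTTP/1.1" 200 2141 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2010:03:14:09 -0700] "POST /empire/wp-content/themes/default/footer.php HTTP/1.1" 200 0 "http://www.example.com/shop/includes/images/settings.php" "Mozilla/5.0"
192.0.2.44 - - [02/Mar/2010:10:00:00 -0700] "POST /empire/wp-content/themes/default/footer.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if the
    line does not match (blank lines, truncated lines, other formats)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    return entry


def requests_near_change(log_text, changed_path, changed_at, window_minutes=10,
                         methods=("POST",)):
    """Entries whose request path ends with changed_path, whose method is in
    `methods`, and whose time is within +/- window_minutes of `changed_at`.
    `changed_at` uses the log's own timestamp format (copy the file manager's
    modification time into that form, with the log's timezone offset)."""
    target = datetime.strptime(changed_at, TIME_FMT)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        # Some hosts log "host/path" rather than "/path"; strip the query
        # string and compare the tail so both forms match.
        path_only = e["path"].split("?", 1)[0]
        if not path_only.endswith(changed_path):
            continue
        if e["method"] not in methods:
            continue
        if abs(e["time"] - target) > window:
            continue
        hits.append(e)
    return hits


def suspect_referers(hits):
    """The distinct non-empty Referer values among the hits: the files to go
    and inspect in the file manager (the post's 'second URL')."""
    seen = []
    for e in hits:
        if e["referer"] != "-" and e["referer"] not in seen:
            seen.append(e["referer"])
    return seen


if __name__ == "__main__":
    # Constructed modification time for the changed theme file.
    hits = requests_near_change(SAMPLE_LOG,
                                "wp-content/themes/default/footer.php",
                                "01/Mar/2010:03:14:00 -0700")
    for e in hits:
        print(e["time"], e["ip"], e["method"], e["path"], "<-", e["referer"])
    print("Files to inspect:", suspect_referers(hits))
```

Run it against your own log by reading the file into `log_text`; widen `window_minutes` if the file manager only shows the modification time to the minute, and pass `methods=("GET", "POST")` if the POST-only filter turns up nothing, since a rogue script can write files from a GET as well.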

Hopefully this can help you track down whether or not you have any rogue files sitting around, or at least give you a bit of a better understanding of how to use your access logs! Good luck!
