Analysis of Potentially Hacked WordPress Site

Looking for the most recently modified files:

find . -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head
2018-01-26 11:27:28.977527587 -0700 ./google1c870a472b1e6d13.html
2018-01-26 02:44:49.793751734 -0700 ./wp-content/plugins/error_log
2018-01-18 16:36:11.218282982 -0700 ./wp-includes/error_log
2018-01-16 16:48:03.515070150 -0700 ./wp-includes/version.php
2018-01-16 16:48:03.514070139 -0700 ./wp-admin/about.php
2018-01-16 16:48:02.635059740 -0700 ./wp-admin/includes/update-core.php
2018-01-10 13:28:07.283660340 -0700 ./wp-content/plugins/jetpack/modules/tiled-gallery/tiled-gallery/templates/partials/error_log
2018-01-10 13:28:04.195636695 -0700 ./wp-content/plugins/jetpack/modules/minileven/theme/pub/minileven/error_log
2018-01-10 13:27:59.609601585 -0700 ./wp-content/plugins/jetpack/modules/tiled-gallery/tiled-gallery/templates/error_log
2018-01-10 13:27:58.054589680 -0700 ./wp-content/plugins/jetpack/modules/theme-tools/site-logo/inc/error_log

Nothing obvious there.

Install the Sucuri plugin.

What OS is running here?

$ cat /etc/issue
CentOS release 6.9 (Final)
Kernel \r on an \m

Install and run the Linux Malware Detect (maldet) server-side scanner by Ryan MacDonald.

Install wp-cli as root, making it available to all users.

Become another user with sudo -i -u someuser, and $ wp --info works. Nice.

Okay, got a report back from maldet:

maldet --scan-all /home/userdirectory
Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <>
            (C) 2017, Ryan MacDonald <>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(10156): {scan} signatures loaded: 15218 (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)
maldet(10156): {scan} building file list for /home/inttennisacademy, this might take awhile...
maldet(10156): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(10156): {scan} file list completed in 0s, found 6488 files...
maldet(10156): {scan} scan of /home/inttennisacademy (6488 files) in progress...
maldet(10156): {scan} 6488/6488 files scanned: 6 hits 0 cleaned

maldet(10156): {scan} scan completed on /home/inttennisacademy: files 6488, malware hits 6, cleaned hits 0, time 819s
maldet(10156): {scan} scan report saved, to view run: maldet --report 180126-1240.10156
maldet(10156): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 180126-1240.10156
maldet(10156): {alert} sent scan report to config default
maldet(10156): {alert} send scan report to an alternate address with: maldet --report 180126-1240.10156

The following files had some ugly code in them, padded out with a bunch of Joomla documentation:

{HEX} : /home/useraccount/public_html/wp-xmlrpc.php
{HEX} : /home/useraccount/public_html/wp-content/plugins/revslider/temp/update_extract/temp.php
{HEX} : /home/useraccount/public_html/wp-content/plugins/revslider/release_log.php
{HEX}php.cmdshell.unclassed.368 : /home/useraccount/public_html/wp-includes/js/tinymce/themes/modern/locale.php
{HEX} : /home/useraccount/public_html/wp-includes/class-wp-smtp-bar.php
{HEX}php.cmdshell.Err0R.246 : /home/useraccount/public_html/wp-admin/css/colors/light/profile.php

So I either replaced or removed them. Will install Wordfence and BulletProof Security now with at least minimal configuration.
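A quick check that falls out of the maldet hits above, added here as an example and not part of the original post: core WordPress ships no PHP under wp-includes/js or wp-admin/css, which is exactly where locale.php and profile.php turned up, so any .php there (plus stray error_log files, which the mtime listing also surfaced) deserves a look. The sample tree the script builds is constructed for the demo; the document root path is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post). Lists files that should not
# exist in a clean WordPress tree: PHP under static-asset directories, and
# error_log files anywhere under the document root ($1, an assumed argument).

suspicious_files() {
    root="$1"
    {
        # Core ships only .js/.css/images under these paths, so a .php here
        # is either a dropped shell or something a plugin has no business doing.
        find "$root/wp-includes/js" "$root/wp-admin/css" "$root/wp-admin/js" \
            -type f -name '*.php' 2>/dev/null
        # error_log files scattered through plugin dirs usually mean PHP
        # errored out in places where nothing legitimate should be running.
        find "$root" -type f -name 'error_log' 2>/dev/null
    } | sort
}

# Builds a constructed sample tree mirroring the layout of the real hits
# (locale.php under tinymce, profile.php under a colour scheme) next to
# legitimate assets, and prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes/js/tinymce/themes/modern" \
             "$d/wp-admin/css/colors/light" \
             "$d/wp-content/plugins"
    : > "$d/wp-includes/js/tinymce/themes/modern/theme.min.js"   # legitimate
    : > "$d/wp-includes/js/tinymce/themes/modern/locale.php"     # constructed: PHP where only JS belongs
    : > "$d/wp-admin/css/colors/light/colors.css"                # legitimate
    : > "$d/wp-admin/css/colors/light/profile.php"               # constructed: PHP where only CSS belongs
    : > "$d/wp-content/plugins/error_log"                        # constructed: stray error log
    echo "$d"
}

# Stand-alone run: build the sample tree, report, clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    suspicious_files "$tree"
    rm -rf "$tree"
fi
```

Since wp-cli is already installed, `wp core verify-checksums` covers the complementary case of modified core files that sit in legitimate locations; this script only catches files that should not exist at all.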