Malicious WordPress Plugin Detection
Malicious plugins are one of the most common infection vectors for WordPress sites — either installed by an attacker who gained admin access, or distributed as nulled/pirated versions of legitimate plugins with added backdoors. They're detectable through log patterns, filesystem analysis, and WordPress plugin file integrity checks.
Log Signs of a Malicious Plugin
Direct Requests to Plugin PHP Files
```text
# Legitimate plugins don't usually receive direct PHP requests from external IPs
# These are backdoor endpoints installed by malicious plugins
185.220.101.45 - - [10/Apr/2025:02:00:00 +0000] "POST /wp-content/plugins/super-cache-pro/cache.php HTTP/1.1" 200 512
185.220.101.45 - - [10/Apr/2025:02:00:01 +0000] "GET /wp-content/plugins/akismet-plus/update.php?token=abc123 HTTP/1.1" 200 1024

# Attacker installing plugin via admin (after successful login)
91.108.4.77 - - [10/Apr/2025:03:22:50 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 12100
91.108.4.77 - - [10/Apr/2025:03:22:55 +0000] "POST /wp-admin/update.php HTTP/1.1" 200 5400
# update.php POST after plugin-install = uploading a plugin zip = likely backdoor
```
SEO Spam Redirect (common nulled plugin payload)
```text
# Legitimate user agents get the normal page; the search bot gets redirected to a spam site
# Googlebot gets 302 to spam — very common "cloaking" infection pattern
66.249.66.1 - - [10/Apr/2025:08:00:01 +0000] "GET / HTTP/1.1" 302 0 "-" "Googlebot/2.1"
66.249.66.1 - - [10/Apr/2025:08:00:02 +0000] "GET /blog/ HTTP/1.1" 302 0 "-" "Googlebot/2.1"
# Real users using Chrome get 200 (cloaking). Googlebot gets redirected to pharma spam.
# Google Search Console will show "Page not indexed" or manual actions for this.
```
Spam Link Injection (visible in outbound links on your pages)
```text
# Large response sizes for simple pages = injected content (spam links, iframes)
203.0.113.1 - - [10/Apr/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 185420
# Normal homepage = 15-30KB. 185KB homepage = injected spam links
```
Filesystem Checks for Malicious Plugins
```bash
# List all plugins with their file modification dates — recently modified = suspicious
find /var/www/html/wp-content/plugins -maxdepth 1 -type d \
  -exec sh -c 'echo "$(stat -c %y "$1" | cut -d. -f1) $1"' _ {} \; | sort

# Find PHP files in plugins modified in last 7 days (unexpected changes = red flag)
find /var/www/html/wp-content/plugins -name "*.php" -mtime -7 -ls

# Scan plugin files for obfuscation and backdoor functions
grep -rEl "(eval|base64_decode|str_rot13|gzinflate|gzuncompress|gzdecode)\s*\(" \
  /var/www/html/wp-content/plugins/ /var/www/html/wp-content/themes/

# Find plugins not in the official WordPress repo (compare slugs against wordpress.org)
ls /var/www/html/wp-content/plugins/

# Check for hidden/random-named PHP files mixed into plugin directories
# (heuristic: legitimate plugin files are normally lowercase letters, hyphens, underscores)
find /var/www/html/wp-content/plugins -name "*.php" | grep -v "/[a-z-]*/[a-z_-]*\.php"

# Look for recently added cron jobs (common malware persistence)
crontab -l -u www-data 2>/dev/null
cat /var/spool/cron/crontabs/www-data 2>/dev/null
cat /etc/cron.d/* 2>/dev/null | grep -i "www-data\|curl\|wget\|php"

# Check wp-config.php for injected code (should start with <?php and have no evals)
grep -E "eval|base64_decode|exec|system" /var/www/html/wp-config.php
```
Log Detection Commands
```bash
LOG=/var/log/nginx/access.log

# Direct PHP access to plugin files from external IPs
grep -E "/wp-content/plugins/[^/]+/[^/]+\.php" $LOG | grep -v "wp-cron\|load-styles\|load-scripts"

# Googlebot (or Bingbot) getting redirected — SEO cloaking detection ($9 = status in combined log format)
grep -iE "Googlebot|bingbot|yandexbot" $LOG | awk '$9=="302" {print $0}'

# Unusually large responses for simple pages (spam injection; $10 = response bytes)
awk '$7=="/" && $10+0 > 100000 {print $0}' $LOG

# Plugin install sequence: plugin-install.php + update.php POST
grep -E "plugin-install\.php|POST /wp-admin/update\.php" $LOG | awk '{print $1, $4, $6, $7}'
```
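The four log signs above (direct plugin PHP hits, crawler redirects, oversized homepages, and the plugin-install followed by an update.php POST from the same IP) combined into a single pass over an access log, as an added example that is not part of the original page. The log lines are constructed from the page's examples; the 100 KB homepage threshold and the per-IP correlation of the install sequence are assumptions.

```python
import re

LOG_RE = re.compile(  # combined log format; only the fields used below are captured
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/[^/]+/.*\.php$")
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot", re.I)
MAX_HOME_BYTES = 100_000  # assumed threshold: a normal homepage is 15-30KB

def parse(line):
    """Return the fields used below as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["status"] = int(r["status"])
    r["bytes"] = 0 if r["bytes"] == "-" else int(r["bytes"])
    r["path"] = r["path"].split("?", 1)[0]  # drop the query string for matching
    return r

def scan(lines):
    """Return (rule, ip, path) findings for the four log patterns described above."""
    findings = []
    opened_installer = set()  # IPs that loaded plugin-install.php earlier in the log
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip, path = r["ip"], r["path"]
        if PLUGIN_PHP.match(path) and r["status"] == 200:
            findings.append(("direct-plugin-php", ip, path))
        if r["ua"] and CRAWLER_UA.search(r["ua"]) and r["status"] in (301, 302):
            findings.append(("crawler-redirect", ip, path))
        if path == "/" and r["bytes"] > MAX_HOME_BYTES:
            findings.append(("oversized-homepage", ip, path))
        if path == "/wp-admin/plugin-install.php":
            opened_installer.add(ip)
        elif path == "/wp-admin/update.php" and r["method"] == "POST" and ip in opened_installer:
            findings.append(("plugin-upload-sequence", ip, path))
    return findings

SAMPLE_LOG = [  # constructed lines modelled on the page's examples (not real traffic)
    '185.220.101.45 - - [10/Apr/2025:02:00:00 +0000] "POST /wp-content/plugins/super-cache-pro/cache.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '66.249.66.1 - - [10/Apr/2025:08:00:01 +0000] "GET / HTTP/1.1" 302 0 "-" "Googlebot/2.1"',
    '198.51.100.7 - - [10/Apr/2025:08:00:03 +0000] "GET / HTTP/1.1" 200 24100 "-" "Mozilla/5.0 Chrome/124"',
    '203.0.113.1 - - [10/Apr/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 185420 "-" "Mozilla/5.0"',
    '91.108.4.77 - - [10/Apr/2025:03:22:50 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 12100 "-" "Mozilla/5.0"',
    '91.108.4.77 - - [10/Apr/2025:03:22:55 +0000] "POST /wp-admin/update.php HTTP/1.1" 200 5400 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` flags four of the six lines; the ordinary Chrome request to `/` with a 24 KB body is left alone, which is the contrast the cloaking and size heuristics rely on.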
💡 Use WPScan for Plugin Auditing
`wpscan --url https://yoursite.com --enumerate p --plugins-detection aggressive` scans for known vulnerable plugins and their versions. Run it from a trusted machine, not on the server itself.