Looking at Recently Modified Files Isn’t a Good Way To Find Files Added or Modified by Hacker

We often find that companies that claim to have expertise (and often unique expertise) in dealing with hacked websites either don’t know what they are doing or are intentionally doing things improperly. That makes it hard to recommend to people in general that they should hire someone to clean up their hacked website (despite us actually doing that very type of work). But at the same time we often have people contact us that have tried to clean up their own website who clearly don’t know what they are doing and have gotten poor results. Those are not always unconnected issues as there is lots of content put out by security companies on how to clean up websites that is either intentionally poor and really intended to entice people to hire them to clean up the website or is poor because the companies really don’t know what they are doing.

An example of that we happened to run across recently involves a blog post from a company named WPHackedHelp that is supposed to tell you how to fix a “Japanese Keywords Hack” on a WordPress website, https://secure.wphackedhelp.com/blog/fix-wordpress-japanese-keywords-hack/. Considering that what we assume they are referring to by that actually encompasses a wide variety of different issues, trying to write an all encompassing article would be difficult to impossible. Instead they write one that is really of little use and could equally have been written about trying to deal with many different issues. But we wanted to focus on one obviously problematic piece of advice.

The post in part states you can find malicious files by checking for recently modified files:

Check Recently Modified Files

To search for the most recently modified files, use SSH to login to your web server account and then execute the following command:

find/path-of-www -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r

Navigate through the files and see if you find any doubtful changes made to the code.  If so, replace the files with the clean backup version of it.

For anyone that has even dealt with a few hacked websites there should obvious problem with that advice and for any company that claims to have expertise dealing with hacked websites there should be another obvious issue. WPHackedHelp certainly claims to have that level of expertise:

With over 15 years of experience, our WordPress security experts specialize in website malware removal & cleanup WordPress websites.

It’s worth noting though that WordPress itself is barely 15 years old, so we would assume that is referring to combined experience, though they are not upfront about that, which seems like a red flag.

The glaring problem with relying on the last modified date of files is that hackers frequently change the last modified date of files they have added or modified to have the dates match other files in the same directory. In some instances that occurs with some of the files and not others, so someone might think they have gotten the malicious files and really they have missed a lot of them.

The other issue with this is that often times people only become aware that their website has been hacked well after it has occurred, in some extreme instances the hackers originally got in years ago. So even if the hacker hasn’t changed the last modified dates, looking at recently modified files wouldn’t identify them.

At the end of WPHackedHelp’s post you get to the seeming insincerity of the whole thing as they write:

Having listed an array of methods requiring technical expertise, let’s consider an approach that is way smarter, consumes less time and takes the burden off your shoulders. WP Hacked Help deploys a systematic plan to clean up your WordPress website. The site is thoroughly scanned and the detected flaws are dealt by an expert team to provide you with a website free of malicious codes. Within a short span of time, your website will be live up again, running efficiently like before.

Why not be upfront about that, considering that it is supposed to be “way smarter, consumes less time and takes the burden off your shoulders”?

What is missing in that post or anywhere else that we looked on this company websites for that matter was any mention of one of the three key components of a proper hack cleanup, trying to determine how the website was hacked. Not only is that important to make sure that the hacker can’t just get back in after things are cleaned, but we have found that the work involved with that is important to make sure the hack is fully cleaned up. In almost every instance when we are hired to re-clean up a hacked website there had been no attempt to do that, so avoiding companies that don’t do that is something we would recommend.

If the focus of security companies was on figuring out how websites were being hacked and working to make sure that the instances of those things are lessened, security could be in much better shape than it is. That of course would mean less business for a lot of those security companies, so instead you have an arms race type situation where hackers figure out new ways to avoid detection (like changing the last modified date), which makes it harder to clean up hacked website, leading to more business for security companies, but a worse situation for their customers since the root cause isn’t being dealt with properly.