mysql - Scanning Database for malicious Data
After a site of a friend has been hacked I told him he should just clean up the mess and restart from scratch so he knows that no file has been altered.
I could scan the site for him with tools like grep and so on (for a start: Grep and Friends), but what I wondered about is, how to scan the database? What if some hacker has placed payload inside the database? Can be something simple like XSS or even PHP code in case there is some eval'ing still going on in core (or was at the time of the hack).
Any suggestions? I thought about using SQL queries with the LIKE comparison function, or there is even some REGEX possible. But maybe someone has already done this or wants to do this and has some ideas to share.
asked Jan 3, 2011 at 14:04 by hakre
- I noticed, starting about 2 weeks ago, that the Google Analytics traffic for my WordPress site dropped dramatically. I finally realized that some hacker had gotten in and my blog was being forced to redirect to an assortment of spammy sites. Today I took a close look at the source code and found the page was calling up 2 javascripts that I didn't recognize. I went into my file manager and discovered that the dates on those 2 files had been changed about the day that my site was hacked. I ran my site thru the free site malware scan recommended above, Sucuri, and it also identified tho – user8936, Sep 25, 2011 at 15:14
- @Pamela please do not use answers for discussion. You will be able to leave comments when you gain some reputation on site. – Rarst, Sep 25, 2011 at 15:22
2 Answers
I've read that dumping the database as text and searching in it is a good way to go. You can search with phpMyAdmin, but it's limited. Depends on the size of the database and a good text editor, but you can delete post/page revisions before dumping the database to bring it down in size. Or dump a few tables at a time.
My sites on one account all got infected with a Decode_Base64 script that infected many php files, and despite cleaning up a site which took hours, it got re-infected just hours later.
I ended up downloading the wp-content/uploads folder and any other manually updated files using a secure ftp connection.
I also took notes/backups of the themes, plugins, and other customizations which I would need to re-apply.
Then I changed all the account/ftp passwords, manually changed the database/user passwords using phpMyAdmin, to deny access when the sites came back up.
Next I deleted ALL the WordPress code from ALL the sites and uploaded instead a simple index.html file that said the sites were under maintenance.
I checked the wp-content/uploads folders for anything that was not an image or my own content, especially looking for scripts (which should not be there).
Next, download the latest version of WP, configure it for the existing database with new password, and upload to the server.
Access the site, which will have only Akismet active at this time. Check for and delete anything that should not be there (pages, posts, links etc).
Install a backup plugin to make sure you have backups of the database/folders.
Install the Bulletproof-Security plugin (or similar) which creates locked down .htaccess files for you and tells you how to secure your files/folders. Comply with its recommendations.
Finally, gradually apply your customizations again.
If you have multiple domains, repeat as necessary.
In my situation, I was actually planning to move to a new host, so having done this, I then saved everything site by site and re-created them on the new host, once I was sure that the rebuilt old version was clean.
Good Luck and I hope this helps.
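The question asks how to search the database itself for injected payloads (LIKE or REGEXP queries), and the answer suggests dumping the database as text and searching that. The following is an added example, written for this page and not code from either poster: it scans a mysqldump-style text file for the kinds of strings the question mentions (script and iframe tags, javascript: URIs, inline event handlers, eval(), base64_decode(), PHP open tags), reports which table each hit came from, and also builds the equivalent MySQL REGEXP query for scanning a live table. The pattern list, the SAMPLE_DUMP rows and the table/column names are constructed for the example; the REGEXP alternation uses only POSIX-ERE syntax so it works on older MySQL versions whose REGEXP does not understand \b or \s.

```python
import re
from collections import Counter
from typing import NamedTuple

# Strings that commonly appear in injected content. Labels and patterns are
# constructed for this example; extend them to fit the site being checked.
SUSPICIOUS_PATTERNS = {
    "script tag": re.compile(r"<script\b", re.IGNORECASE),
    "iframe tag": re.compile(r"<iframe\b", re.IGNORECASE),
    "javascript uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "inline event handler": re.compile(r"\bon(load|error|click|mouseover)\s*=", re.IGNORECASE),
    "php eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "base64_decode call": re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    "php open tag": re.compile(r"<\?php", re.IGNORECASE),
}

# mysqldump writes one "INSERT INTO `table` VALUES (...)" statement per line
# (extended inserts put many rows on that one line); this captures the table.
INSERT_RE = re.compile(r"^INSERT INTO `?(?P<table>\w+)`?", re.IGNORECASE)

# Same idea expressed for MySQL REGEXP: plain POSIX ERE, no \b, no \s, and
# metacharacters in brackets so no backslashes are needed in the SQL literal.
MYSQL_REGEXP = r"<script|<iframe|javascript:|eval[(]|base64_decode|<[?]php"


class Finding(NamedTuple):
    line_no: int   # line in the dump file
    table: str     # table of the enclosing INSERT, or "?" outside any INSERT
    label: str     # which pattern matched
    excerpt: str   # a little context around the match


def scan_dump(dump_text: str, context: int = 40) -> list[Finding]:
    """Return every suspicious match in a SQL dump, tagged with its table."""
    findings: list[Finding] = []
    current_table = "?"
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.match(line)
        if m:
            current_table = m.group("table")
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            for hit in pattern.finditer(line):
                start = max(0, hit.start() - context)
                end = min(len(line), hit.end() + context)
                findings.append(Finding(line_no, current_table, label, line[start:end]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per table, which tells you where to look first."""
    return dict(Counter(f.table for f in findings))


def mysql_regexp_query(table: str, key_column: str, columns: list[str]) -> str:
    """Build the query that flags rows of a live table matching MYSQL_REGEXP.

    Example: mysql_regexp_query("wp_posts", "ID", ["post_content", "post_excerpt"])
    """
    conds = " OR ".join(f"`{c}` REGEXP '{MYSQL_REGEXP}'" for c in columns)
    return f"SELECT `{key_column}` FROM `{table}` WHERE {conds};"


# Constructed dump excerpt for this example; the hostnames and values are fake.
SAMPLE_DUMP = """-- constructed mysqldump excerpt (not real data)
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to the blog.</p>');
INSERT INTO `wp_posts` VALUES (2,'Pricing','<p>Plans</p><script src="//bad.example/x.js"></script>');
INSERT INTO `wp_options` VALUES (3,'theme_footer','<iframe src="http://bad.example/f"></iframe>');
INSERT INTO `wp_options` VALUES (4,'widget_text','eval(base64_decode("aGVsbG8="));');
"""


if __name__ == "__main__":
    results = scan_dump(SAMPLE_DUMP)
    for f in results:
        print(f"line {f.line_no} [{f.table}] {f.label}: ...{f.excerpt}...")
    print("hits per table:", summarize(results))
    print(mysql_regexp_query("wp_posts", "ID", ["post_content", "post_excerpt"]))
```

Treat the output as a triage list rather than a verdict: legitimate theme options and widgets do sometimes contain script or iframe tags, so each hit should be compared against what the site owner actually put there. The dump approach also covers serialized option values and post meta that a column-by-column REGEXP query is easy to miss.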