This is a theoretical question, at the moment (fortunately) no website of mine appears to be affected. However, as the saying goes, "know your enemy".
On http://blog.sucuri.net/2011/09/ask-sucuri-what-about-the-backdoors.html, while I was reading up on backdoor patterns, I found one mention in particular that puzzled me:
A WordPress-based backdoor. This time, the bad content is hidden inside the database (wp-options tables)
Simply put, I can't understand how this particular database-centered backdoor works?!?
Please, if you see the gist of it, could you enlighten me?
I only understand the basics: it's about executing "as is" a string of text stored under the name "blogopt1" in the database.
However, it would require something within the blog itself to query this option, wouldn't it?
- Can it be queried from a very old post edited to include appropriate code, possibly the return @eval(database option)? And would opening this post as a visitor then be enough to trigger the eval'd action?
- Or would it require something more to be executed, like a visible change not in the posts but in one of the template files? (An option I would very much prefer, since comparing backups against a fresh FTP mass-download is easy.)
- Or, on the contrary, could it simply be triggered through something in the URL after the blog's domain?
(For the last case, an "enriched" URL, I know it is technically feasible under certain circumstances; it has been done with timthumb attacks, and at one time I had a blog flooded with "/?pingnow=eval&file=URL" attack attempts.)
These may be newbie AND candid questions; however, since I have precisely no idea, I need to be able to understand it...
Thank you very much if you have the patience to clarify this case for me; I'll be very grateful :)
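As an added example (not part of the question or of the Sucuri post it quotes), here is a defender's check for the mechanism being asked about: scan wp_options rows for values that contain, or base64-decode to, PHP execution primitives, since that is where such a backdoor keeps its code. The sample rows are constructed; only the option name "blogopt1" comes from the quoted post.

```python
import base64
import binascii
import re

# PHP execution primitives that have no business inside a stored blog option.
# This is a heuristic: review hits by hand before deleting anything.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|str_rot13|"
    r"system|exec|shell_exec|passthru)\s*\(",
    re.IGNORECASE,
)
# An unbroken run of base64 characters (24 or more) with optional padding.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def decode_if_base64(value):
    """Return the decoded text if value is a single base64 blob, else None."""
    candidate = value.strip()
    if not BASE64_BLOB.match(candidate):
        return None
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_options(rows):
    """Return [(option_name, reason)] for each row whose value looks like stored code."""
    findings = []
    for name, value in rows:
        if SUSPICIOUS_CALLS.search(value):
            findings.append((name, "php execution primitive in option_value"))
            continue
        decoded = decode_if_base64(value)
        if decoded is not None and SUSPICIOUS_CALLS.search(decoded):
            findings.append((name, "base64 blob decodes to php execution primitive"))
    return findings


# Constructed sample rows (option_name, option_value), not taken from any real site.
# "blogopt1" holds an encoded blob; the widget text is the "post calls eval on a
# database option" scenario raised in the question.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("blogopt1", base64.b64encode(b"@system('constructed payload');").decode()),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:39:"<?php @eval(get_option(\'blogopt1\')); ?>";}}'),
]

if __name__ == "__main__":
    for option_name, reason in scan_options(SAMPLE_OPTIONS):
        print(f"{option_name}: {reason}")
```

Against a live site the same check can be run over the output of a wp_options export; the scan itself does not execute any option value.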