Support » Fixing WordPress » Malware in DB – how to identify

  • After cleaning my site entirely and changing db-user and its password to 50 random chars, as well as the ONLY account, admin, to another 50 random chars, deleting the entire old installation and all plugins and the theme as well, and of course new salt-code and then reinstalling everything fresh AND adding very, very strict .htaccess-files in ALL folders and root – the fu***ng malwarecode again appeared in my root htaccess and in the themes header code. This must mean that something must be stored somewhere in my DB, of course encoded, but how on earth am I supposed to find this shit and kill it once for all??
    I am willing to crawl into every single row in order to get rid of this pest, but I really do not kinow what I am looking after.
    Any ideas?

Viewing 15 replies - 1 through 15 (of 17 total)
  • The back door might not be in the database but hidden in your uploads folder. See

    Thanks for your reply. Sadly, my upload dir is clean as water. All years. Each month… I have checked everything. It has to be something in the database.

    Have you spoken to your hosts? This could be a server security issue – not a WP one – especially since the root .htaccess was targeted.

    Yes, I have spoken to them, but they are not willing to take any responsibility.
    By the way, the code inserted into my .htaccess and my themes header are easy to find, it always start with: #336988# with the code between and ends with a trailing slash.
    In htaccess this entry is cleared: RewriteRule ^(.*)$ [R=301,L]

    The malware code in the header template is a php ecoing a javascript which starts like this: dbshre=220;try{window.document.body*=2}catch(gdsgsdg){if(dbshre){zaq=0;try{v=document.createElement(\"div\");}catch(agdsg){zaq=1;}if(!zaq){e=eval;}ss=String;asgq=new Array(31,94,11 etc etc.

    I have spoken to them, but they are not willing to take any responsibility.

    Time to change hosts, perhaps? Have you changed all of your ftp and hosting account management passwords in case you had an ftp leak?

    From what you describe above, I can’t see how anything in the database could be responsible for this. It really does smack of a compromised server but just to be on the safe side, so you have any pre-hack database backups?

    Yes, I do have an old DB backup, but I miss of course some entries in it. And yes, I have changed all passwords – everything.

    After googling myself to death I have found somthing that might be a very, very odd row in my OPTIONS table:

    SELECT *
    FROM <code>my_damn_database</code>.<code>my_damn_database_options</code>
    WHERE (
    CONVERT( <code>option_id</code>
    USING utf8 ) LIKE 'ftp_credentials'
    OR CONVERT( <code>option_name</code>
    USING utf8 ) LIKE 'ftp_credentials'
    OR CONVERT( <code>option_value</code>
    USING utf8 ) LIKE 'ftp_credentials'
    OR CONVERT( <code>autoload</code>
    USING utf8 ) LIKE 'ftp_credentials'
    LIMIT 0 , 30

    Should I delete this row? Now?

    The information wordpress need in order to update plugins, themes and core are stored in the wp-config. The information I found in my DB (Options-table) (the row with ftp_credentials) is actually the complete information needed to get full ftp access to my server…! This cannot be a standard wordpress insert?

    Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    This cannot be a standard wordpress insert?

    I’ve never looked myself as FTP is a horrible protocol for me but if you can setup a second instance of WordPress with a separate table prefix (so you don’t use the old installation) you can easily check.

    Can I just clarify that this was an option called ftp_credentials in the wp_option table? Just checked a couple of my sites & there’s nothing like this in the databases.

    Yes, Esmi. In the OPTIONS table I have a row with option_name: ftp_credentials

    The value is (almost – but it is straight forward the real ftp address and the real ftp login name and yes, it is marked autoload YES):

    I wonder if this came from a plugin? It’s definitely not in any of the the databases that I’ve looked at.

    [EDIT: I’ve asked for some more eyes on this.]

    Yes…because, it might be easy just to query the db and get this very, very important information…

    Do you use filezilla client?

    That ftp client store without encriptiom all data so if you have a Trojan in you PC, someone can access all your username, password and website.

    No, José, I am using another FTP client, and yes, I have recently found a trojan on my PC and killed it. I have not checked if this client stores the login information un-encrypted as Filezilla does (as a very visible text file).
    But still: The table row I found in my options really do look suspicious.

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Malware in DB – how to identify’ is closed to new replies.