Here is how to check MySQL databases for malware:
- Open up phpMyAdmin
- Look for anything ‘weird’
It’s that simple.
What’s ‘weird’ you ask? Well, anything that’s ‘not supposed to be in the database’.
What to look for?
Here are some examples of items that are consistently malware-y: PHP function calls that have no business sitting in post content, options or other database fields, which almost always means somebody has stored executable PHP in the database (typically a backdoor or a payload that a small loader file on disk reads and runs).
- eval()
- base64_decode()
- gzinflate()
- error_reporting(0)
- shell_exec()
- str_rot13()
shell_exec() belongs in PHP's disable_functions setting unless the site genuinely needs to run shell commands. The others are a different story: eval is a language construct, not a function, so disable_functions cannot block it, and base64_decode(), gzinflate() and str_rot13() are used by plenty of legitimate code (WordPress core and plugins included), so disabling them breaks sites. What makes them suspicious is the combination and the location: error_reporting(0) to hide failures, then str_rot13/gzinflate/base64_decode feeding eval to run obfuscated code, none of which should ever appear inside a database row. The obfuscation is trivial to decode once you have spotted it.
Searching a database dump for malicious code
The easiest way is to grep a database dump. Create one with mysqldump (add --skip-extended-insert so every row lands on its own line; otherwise a whole table is dumped as one enormous INSERT line and a hit tells you nothing about which row it is in), then use grep to print the file name if any expression matches. -l prints only the name, -E enables extended regular expressions, and -i makes the match case-insensitive, which matters because PHP function names are case-insensitive and malware authors know it:
grep -l -Ei \
-e 'eval[ ]?\(' \
-e 'base64_decode[ ]?\(' \
-e 'gzinflate[ ]?\(' \
-e 'error_reporting[ ]?\((0|off)\)' \
-e 'shell_exec[ ]?\(' \
-e 'str_rot13[ ]?\(' \
$filename
and to loop through every dump file in a directory (in my case /root/db_dump). Use a glob rather than parsing the output of ls: the glob keeps the full path and copes with file names containing spaces, and always quote "$filename":
for filename in /root/db_dump/*; do
grep -l -Ei \
-e 'eval[ ]?\(' \
-e 'base64_decode[ ]?\(' \
-e 'gzinflate[ ]?\(' \
-e 'error_reporting[ ]?\((0|off)\)' \
-e 'shell_exec[ ]?\(' \
-e 'str_rot13[ ]?\(' \
"$filename"
done
Since grep accepts several files at once, the loop is equivalent to passing /root/db_dump/* in place of $filename in the single command above.
BONUS: the custom function names most commonly defined in malicious PHP files to modify files, download payloads, execute PHP and scan for other files. They are worth grepping for in the same way, in the dump and in the webroot:
restore(); file_man(); edit_file(); save_file(); save_norm(); delete_file(); delete_zpl(); exec_php(); suicide(); make_worker(); manage_file(); download000(); chmod_file(); renew_file(); manual_av(); manual_wp(); make_wp(); copy_zpl(); update_wordpress(); debug_wordpress(); delete_md5(); delete_name();