MySQL Database Vulnerability Scanning

Here is how to check MySQL databases for malware:

  • Open up phpMyAdmin
  • Look for anything ‘weird’

It’s that simple.

What’s ‘weird’ you ask? Well, anything that’s ‘not supposed to be in the database’.

What to look for?

Here are some examples of items that are consistently malware-y (PHP functions that don’t belong in a database); where they appear, it is usually because executable PHP has been stored in the database.

  • eval()
  • base64_decode()
  • gzinflate()
  • error_reporting(0)
  • shell_exec()
  • str_rot13()

Most of these functions should also be added to the PHP disable_functions setting for security, because they are generally unsafe (they run shell commands) or usually unnecessary (they only obfuscate code that is easily decoded).

Searching the database for malicious files

The easiest way is to grep a database dump. Create a dump of the database you want to search, then use grep -l to print the file’s name if any of the expressions match:

# -l: print only the file name, -E: extended regex, -i: case-insensitive
# "[ ]?" tolerates an optional space between the function name and "("
grep -l -Ei \
-e 'eval[ ]?\(' \
-e 'base64_decode[ ]?\(' \
-e 'gzinflate[ ]?\(' \
-e 'error_reporting[ ]?\((0|off)\)' \
-e 'shell_exec[ ]?\(' \
-e 'str_rot13[ ]?\(' \
"$filename"

and to loop through every dump file in a directory (in my case /root/db_dump):

# Glob the directory instead of parsing ls, so each $filename carries its full path
# and names with spaces survive the quoting
for filename in /root/db_dump/*; do
  grep -l -Ei \
  -e 'eval[ ]?\(' \
  -e 'base64_decode[ ]?\(' \
  -e 'gzinflate[ ]?\(' \
  -e 'error_reporting[ ]?\((0|off)\)' \
  -e 'shell_exec[ ]?\(' \
  -e 'str_rot13[ ]?\(' \
  "$filename"
done
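The grep above only tells you which dump file matched. For triage you usually also want the table and the line, and you want to avoid false positives such as the word “retrieval (” tripping the eval() pattern. The following is an added example (not from the original post) that scans a dump for the same six indicators, anchors each name on a word boundary, and reports the table from the INSERT on the matching line; the sample dump is constructed for the example.

```python
import re

# Same indicator functions as the post; \b stops "retrieval (" or "medieval (" matching eval(.
INDICATORS = {
    "eval": r"\beval\s?\(",
    "base64_decode": r"\bbase64_decode\s?\(",
    "gzinflate": r"\bgzinflate\s?\(",
    "error_reporting(0)": r"\berror_reporting\s?\(\s*(0|off)\s*\)",
    "shell_exec": r"\bshell_exec\s?\(",
    "str_rot13": r"\bstr_rot13\s?\(",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}

# mysqldump writes one INSERT per line, so the table name sits on the matching line.
TABLE_RX = re.compile(r"INSERT INTO [`\"]?(\w+)[`\"]?", re.IGNORECASE)


def scan_dump(lines):
    """Return (line_no, table, indicator) for every indicator found in the dump lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        found = [name for name, rx in PATTERNS.items() if rx.search(line)]
        if not found:
            continue
        m = TABLE_RX.search(line)
        table = m.group(1) if m else "?"
        for name in found:
            hits.append((line_no, table, name))
    return hits


# Constructed sample dump: a clean row, an injected widget in wp_options
# (the base64 is a placeholder string, not real code), and a benign sentence
# that the post's bare "eval[ ]?\(" pattern would have flagged.
SAMPLE_DUMP = """\
-- MySQL dump (constructed sample)
INSERT INTO `wp_posts` VALUES (1,'Hello world','Welcome to the site.');
INSERT INTO `wp_options` VALUES (99,'widget_text','<?php error_reporting(0); eval(base64_decode(\\'cGxhY2Vob2xkZXI=\\')); ?>');
INSERT INTO `wp_comments` VALUES (7,'Notes on data retrieval (see docs).');
"""

if __name__ == "__main__":
    for line_no, table, name in scan_dump(SAMPLE_DUMP.splitlines()):
        print(f"line {line_no}: table {table}: {name}")
```

Point it at a real dump with `scan_dump(open(path, errors="replace"))`; wp_options and similar “stored settings” tables are where injected PHP usually ends up, so hits there deserve the first look.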

BONUS: the most common custom function names defined in malicious PHP files, responsible for behaviour such as modifying files, downloading, executing PHP and scanning files:

restore(); file_man(); edit_file(); save_file(); save_norm(); delete_file(); delete_zpl(); exec_php(); suicide(); make_worker(); manage_file(); download000(); chmod_file(); renew_file(); manual_av(); manual_wp(); make_wp(); copy_zpl(); update_wordpress(); debug_wordpress(); delete_md5(); delete_name();

whoami
Stefan Pejcic