Hackers injecting backdoor shell into SQL
Posted by WeWatch, 04-09-2012, 02:18 PM
We've seen this for a while now, but recently it seems to be a growing trend.
Many of the websites we've been cleaning have the backdoor scripts injected into the SQL database so that when the webpage is accessed, the backdoor is available, but invisible to the visitor.
To a hacker who knows what page or which website is carrying their code, it's easy for them to send a string of code and on their screen the backdoor shell script appears.
When we have the access logs available to us, we have analyzed them and it does not appear to be a regular SQL injection (SQLi), but it does appear that the hackers find a point of entry to the website, then search for the file that contains the database information. They upload a shell that provides them with something like phpMyAdmin, then they add their infectious code to selective fields in the database.
We know that many people believe that moving their wp-config.php file outside of the public_html folder keeps their database login information safe. This is not true. When a hacker infects a website, they typically have full access to the hosting account. This includes the areas outside of public_html. We've seen this thousands of times.
At times the code has been an infectious iframe or other JavaScript string; however, finding full backdoor shells buried in the SQL database is even more alarming. The hackers have created various ways of hiding this so when a legitimate user visits the website they don't see any suspicious code. When a hacker sends their code to the specific webpage, it opens their backdoor shell. This will hide their code from many of the online scanners. We still feel these online scanners are helpful, but the hackers are finding various methods to hide their activities.
This makes repeat infections extremely easy for the hackers. As a website owner you could be searching all the code on your site and find nothing. To find this malicious code, you'll have to export your database and then scan it for any script tags and for any PHP tags. If you find any, you'll have to analyze the string to determine if it's malicious or not.
One key we've found is that their backdoor shells need a field in the database that's large enough to contain their lengthy code, at least for the backdoor shell scripts. Smaller JavaScript or iframe infections could be anywhere in the database. You'll have to be familiar enough with the database layout for your website to know where to look.
If you've been subjected to repeat infections, you might want to look in your database. Even if you haven't been subjected to repeat website infection, you might still want to look in your database to see what might be lurking.
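The post above recommends exporting the database and scanning the dump for script tags and PHP tags. The following is an added example of how a site owner could do that first pass; it is not code from the original post or from WeWatch. It assumes a mysqldump-style export (one `INSERT INTO ... VALUES (...),(...);` statement per line, backslash-escaped strings) and uses a constructed sample dump embedded inline; the table and column names in the sample are illustrative, and the `scan_dump` and `iter_rows` function names are this example's own.

```python
import re
import sys

# Constructed sample of a mysqldump-style export (not from the original post).
# Row 11 in wp_posts hides a script tag in a display:none container, and the
# widget_text option carries a PHP open tag: the two patterns the post says to
# look for. Both payloads are harmless placeholders.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.test','yes'),(2,'blogname','Demo','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello world','<p>Welcome to the site.</p>'),(11,'Promo','<div style=\"display:none\"><script src=\"http://attacker.invalid/x.js\"></script></div>');
INSERT INTO `wp_options` VALUES (3,'widget_text','<?php echo \"injected\"; ?>','yes');
"""

# Detection rules: a script tag or a PHP open tag inside a stored field value.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("php-tag", re.compile(r"<\?(php\b|=)", re.I)),
]

# Matches one whole INSERT statement and captures the table name and the VALUES clause.
INSERT_RE = re.compile(
    r"^\s*INSERT\s+INTO\s+`?(\w+)`?\s*(?:\([^)]*\))?\s*VALUES\s*(.*);\s*$", re.I
)


def iter_rows(values_text):
    """Split a VALUES (...),(...) clause into rows of raw field strings.

    Tracks quote state and backslash escapes so commas and parentheses inside
    string literals (which is exactly where injected code lives) do not split
    a field. Quoted fields are returned with their surrounding quotes.
    """
    rows, cur_row, cur_field = [], [], []
    depth, in_str, esc = 0, False, False
    for ch in values_text:
        if in_str:
            cur_field.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == "'":
                in_str = False
            continue
        if ch == "'":
            in_str = True
            cur_field.append(ch)
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            cur_row.append("".join(cur_field).strip())
            cur_field = []
            rows.append(cur_row)
            cur_row = []
        elif ch == "," and depth == 1:
            cur_row.append("".join(cur_field).strip())
            cur_field = []
        elif depth == 1:
            cur_field.append(ch)
    return rows


def scan_dump(dump_text):
    """Return a list of findings: table, row index, column index, rule and a snippet."""
    findings = []
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line)
        if not m:
            continue
        table, values = m.group(1), m.group(2)
        for row_idx, row in enumerate(iter_rows(values)):
            for col_idx, field in enumerate(row):
                for rule, pattern in SUSPICIOUS:
                    if pattern.search(field):
                        findings.append({
                            "table": table,
                            "row": row_idx,
                            "column": col_idx,
                            "rule": rule,
                            "snippet": field.strip("'")[:60],
                        })
    return findings


if __name__ == "__main__":
    # Usage: python scan_dump.py backup.sql   (no argument scans the built-in sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for f in scan_dump(text):
        print(f"{f['table']} row {f['row']} col {f['column']}: {f['rule']} -> {f['snippet']}")
```

A hit is a lead, not a verdict: as the post says, each flagged value still has to be read to decide whether it is legitimate content (a theme option that genuinely embeds a script) or injected code. Long fields such as post content, option values and template caches are where a full shell can fit, so those tables deserve the closest reading.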
Posted by hussein, 04-09-2012, 05:10 PM
Thanks for this information. Is there a plugin, theme, or WordPress version you have noticed this happening with?
Posted by WeWatch, 04-09-2012, 05:16 PM
No. There's no common factor other than the website has a database. We've seen custom written websites (I didn't know those still existed) that had a MySQL backend and they had backdoors in the tables.
It's like the latest way to present infectious code.
Posted by enigma-1, 04-11-2012, 04:22 PM
Actually the logs can provide useful info. Unfortunately they're not set up to log everything. So, for example, you have posted log entries that show the basics (URL accessed, UA, etc.) but not what was posted.
Of course, when you have that knowledge level to administer a site, you're not going to face this kind of hack. And many site owners will just install an application and leave it without security updates for ages.
Also, many may create plugins for a CMS and publish them, and later on they prove to have all kinds of security issues. Yes, it's easy to install with a couple of clicks, but you need to review the code before installing.
Another problem is "convenience": installing multiple packages in the same root folder. Just one script is hacked and then pretty much everything else (blog, ecommerce, forum, etc.) goes down, and it's much harder to track and rectify the code.