Searching for content within a database can be a little trickier than searching files, but the options are pretty similar. Below, we talk about how to look for malware in databases and what types of things you should be looking for.
Database Admin Tool
In most cases, a web host will offer a web-based database administration tool that makes it relatively easy to search through the contents of a database. Further, the most widespread offering in this arena is called phpMyAdmin. If your host offers a different tool, you may want to check their local knowledge base for further support.
Now that we know how to look for files and content related to a recent hack, let’s take a closer look at what exactly we’re looking for. The following is a short list of common syntax used by hackers when they inject malware in a site. While it is not comprehensive, and may very well turn up a number of false positives, it is a great start when trying to perform a manual search.
This is a PHP function that attempts to process any string as valid PHP itself. It becomes dangerous when user-defined variables are included within it. It’s also dangerous as most fail-safes included within the code of an application are disregarded within an “eval” statement. For these reasons, they are not only a prime target for hackers, but also a common destination of their injected code.
This PHP function is used to decode base64-encoded text for further processing within the PHP engine. Open source applications do not typically have encoded text within their source code as that then makes them not open source. More importantly, it’s an easy way for hackers to disguise their nefarious code. If this function is found and shouldn’t be there, you may have found your culprit.
Very similar to “base64_decode”, the “gzinflate” function is used to inflate (decode) a deflated (encoded) string of text. Again, if this function is being used to disguise code and isn’t a typical part of your site’s code, chances are it’s a problem.
This function can be particularly dangerous if a server is not properly locked down. In short, it allows PHP to run commands at the server level and then feed their output into the PHP code of the site. Hackers are more interested in taking over a server than just one site, so this is a prime vector for them to leverage.
Disabled by default in versions of PHP since 2002 (v. 4.2.0), “GLOBALS” can pose a security risk when not implemented thoughtfully and carefully. If used in conjunction with user input, there is a much higher risk of unintended variable manipulation, which can lead to a compromised site. As a result, most applications and sites these days do not use global variables.
When set to “0”, the “error_reporting” directive in PHP will effectively disable any code errors from being displayed in the browser or log. It is very unlikely that a stable release of an application or site would require such a directive. Instead, this exact directive might be used by a hacker who is testing out different bits of code within your site to see what might work.
Please note that this is by no means a comprehensive or complete list, but it does briefly outline some of the most common bits of PHP code that can be found in web site hacks today.
SiteLock offers a couple of different daily scanning options designed to find malware and vulnerabilities in sites. The first is a Daily Malware Scan that essentially browses all of a site’s pages similar to an automated web browser, but with the sole intent of finding any known malware through various identification methods. If a problem is found, the site’s owner is notified to advise further action be taken.
While that daily option is fantastic for being notified about problems, it’s important to ensure you have a clear path to getting those problems cleared up as quickly as possible. This is where the Secure Malware Alert & Removal Tool (SMART) comes into play. SMART will actually download a copy of your live site to the SiteLock servers, scan every line of code for any problems and fix them right there on the spot. And of course, SiteLock will also notify you of any events that fall into this category. This is one of the quickest and easiest ways to ensure your site stays clean of malware.
Want to learn more about malware? Check out these additional resources from SiteLock: