scan very large database for malware - mysql

I have a very large database with over 20 years of customer data in it. We had some malicious form responses over the weekend that had integrated malware that infected the two people who just viewed the data's browsers. One of those people deleted all of the suspicious responses they could find and now they are both cleaning up their computers/browsers/etc.
I checked the htaccess file and all 1200+ rewriterule's seem to be accurate, but hard to tell. Now I'd like to do some general searching of the database, but don't know a relatively easy way. We have 110 tables. Any suggestions or recommendations? Also, what are things I should check for besides iframe?

dump the database and check text file with the dump.
check all writable files with extention php. we had similar situation where we used html extention and only affected files were some test php files.
if is php, check all files for base64_decode, gzdecode, exec and similar functions...
check google webmaster tools for exact snipped. however do not forget that almost always snippet shown in webmastertools is 'altered' e.g. you have mallitious snipped that sends redirect, that sends redirect and final snipped is shown in google.
chech image directory for uploaded php files with strange names, such something.jpg..spaces...php

If you have phpMyAdmin, open it up and use the search feature to look for the following terms:
eval
base64_decode
gzinflate
shell_exec
GLOBALS
error_reporting(0)
Their presence could indicate a malware infection.
See these for more info: 1, 2
Also you can use a Wordpress plugin to scan for malware. My favourite is Wordfence but there are others.

Related

MySql Workbench and Html Sublimetext 3

I have been writing SQL queries for a while now, but brand new to HTML.
I have been using Sublime text to code HTML and using Mysql - Workbench to code databases etc on local server.
I'm wondering..
How do I code HTML to return SQL queries onto a console (Google Chrome)? and connect the two together
I have searched all over google and You Tube, only thing I can find is something to do with PHP.. not sure what how it works, but don't think that is something I need.
All I want to do is create a text box inside HTML and input id value as an example 10 and return the id number along with the whole row from the database.
Using this query: select * from tableName where id = 10;
HTML is a document formatting language. While it supports JavaScript, said JavaScript is sandboxed in the browser: It cannot easily access files and the like even when that other stuff is running on the same computer as the browser. The main reason here is security. Imagine every web page on the Internet could look at every file on your disk, copy them or save new files on your disk or modify them.
So what you need is a "server software" of some kind. This software talks to the browser. It sends it all the HTML that the browser requests. The HTML can then ask for more (for example using JavaScript and AJAX). These requests go to the server which parses the parameters, collects the data (only the server talks to the database) and sends results back.
This is a pretty complicated and involved process. For this reason, everyone uses a framework to do it. The framework handles all the ugly stuff like converting query results from the database into the types and objects of the programming language and then again to HTML code which looks good.
Since you don't know any programming languages, yet, I suggest you start with Python. A good web framework for Python is called "Django". Django also contains modules to talk to databases. It also has many "widgets" like tables that display query results.
Google for "python django mysql" which should give you plenty of examples.

Search and Replace in PHPMyAdmin database for Wordpress (absolute beginner)

I apologise in advance for I know that this question has been asked several times already, but being a complete beginner at wordpress coding and database handling, I am still not sure about what those answers really meant.
So having just coded a website and converted it into WordPress, I now find myself having to change all of the localhost strings to the accurate ones, but with hundreds to go through, I just wanted to know if any of you were able to recommend a program or technique within PHPMyAdmin (that I may not be aware of) to avoid having to change them one at a time.
Thank you all in advance for your time and attention.
First, let me start by saying this is very dangerous, especially for an absolute beginner such as yourself. Please use this with extreme caution as you can potentially bring the entire site down by replacing values in your database with the wrong data.
With that said, there is a script specifically designed for doing search and replace on the WordPress MySQL database. http://interconnectit.com/products/search-and-replace-for-wordpress-databases/
Here's the direct download link: https://github.com/interconnectit/Search-Replace-DB/archive/master.zip
You will extract the folder from the donwloaded zip, then upload the folder to the root of your WordPress install. Once its uploaded just reference the folder in the browser. I always rename the folder to sr (shorthand for search and replace) so its easier to write out the full URL. So as an example, once its in the root of the WordPress install you'd access it like www.example.com/sr/.
After you access the script in the browser, you'll have a GUI with two boxes at the top. The first you'll enter the string you're searching for, and the replace string goes in the second box. Your MySQL details/login should already be populated. After entering your S&R terms scroll down and click "Update Details", then do the "Dry Run" option first. It'll run through the database and show you the values that will be changed. If you are satisfied with the changes, click "Live Run".
Depending on the database size it'll take just a short time to complete. This is the easiest way to S&R the WordPress database.
Important: for security reasons you'll want to delete this folder from your server after you have finished using it. You don't want a database S&R utility just lingering around for no reason.
Another possible option if you're familiar with WP-CLI is to use the wp search-replace command: https://developer.wordpress.org/cli/commands/search-replace/ This would be done through Terminal or another command line utility.
In phpMyAdmin open your table, choose Search > Find and replace. Then specify in which column you want to find and replace, and the original and replacement texts.
Without any doubt I would use http://interconnectit.com/products/search-and-replace-for-wordpress-databases/
This tool is especially designed for the situation you describe.
You upload the code to your server and then enter the "find" and "replace"
You can then do a dry run and the system will show you all the replaces that will be made across every single table in your Wordpress database.
Once you're happy then you can do a live run and the changes are made.
I have used this on probably one hundred Wordpress sites and it works a charm.

Joomla Website was hacked, the hacked URLs are in the database

A client's Joomla 3.6.5 website was hacked. After running a virus scan and malware scan on the entire directory, nothing came up. When I searched for the malicious URLs, they appear in the database, but nowhere in the code of the website files. I'm not sure how to find the hack, or how to clean out the malicious URLs.
(11216,'http://xxxx.com/cache/j.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11217,'http://xxxx.com/cache/jq.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11218,'http://xxxx.com/cache/layout.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:50:57','0000-00-00 00:00:00',301),
(11219,'http://xxxx.com/cache/ssc.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301),
(11220,'http://xxxx.com/cache/jq.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301)
Since the malicious URLs are in the database, was the database hacked? How do I remove the malicious URLs and how do I fix the hack? I know I have to change the passwords, but I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips? Thanks!
Q: Since the malicious URLs are in the database, was the database hacked?
A: Not possible to tell with the information provided.
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
The term "hacked" is very broad. Have credentials been fraudulently obtained? Was the website defaced? Was valid data stolen from the database? Has valid data has been removed or changed? Has new fraudulent data been added?
There are several ways any of those could have happened. One possibility is that database modifications were made through normal operation of the website, by a malicious actor who obtained credentials (login and password) to perform those operations.
Or, a malicious actor could have exploited a vulnerability in the website code. Given the predominance of XSS and SQL Injection vulnerabilities, and the relative ease of exploiting those, this is the most likely scenario. (A lot of website "plugins" are known to be vulnerable.)
Or, some other program connected to the database and performed database operations.
Q: How do I remove the malicious URLs?
A first step would be to restore a copy of the database from a known good backup.
And with a saved copy of the suspect database, we could do a comparison, to help identify data that has been removed, changed or added. (What makes a URL "malicious"? How are you defining that? All we see in the question is what appears to be some rows from a database table. How are these rows more "malicious" than other rows?)
Q: How do I fix the hack? I know I have to change the passwords ...
If an unauthorized actor has obtained login credentials, then yes, you need to change the passwords. And figure out how they obtained the credentials, and take steps to prevent that from happening again.
And close up the vulnerabilities, to prevent that from happening again.
Q: I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips?
Restore the database from a known good backup.
And again, mitigate the vulnerabilities to prevent (or make it less likely) that this will happen again. Cross site scripting (XSS) and SQL Injection are always in the OWASP Top 10.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
https://www.owasp.org/index.php/SQL_Injection
What you are experiencing is a database hack, which is the worst kind of Joomla hacks.
Reverting to a backup may be a good solution if you are running a semi-static website, however, if your website has new content every day (or had new content since the hack), then you can't revert to a backup without losing data. In this case, you will need to use MySQL's REPLACE function to replace the hacked strings with an empty value.
Once you fix the database hack, you will need to run an internal scan on your website to ensure to find if there are hacked/backdoor files anywhere. Once that is done, you will need to uninstall all the unused extensions, and you will need to uninstall all the extensions that are on Joomla's VEL list. Any extension that you have must be updated to the latest version.
Once you are done with the above, then you will need to do the following:
Change all the passwords of the website: including Joomla passwords, FTP/sFTP, database passwords (avoid using FTP if you can), cPanel passwords, etc...
Restrict Apache's access of PHP files to the 'index.php' file (that can be done in the htaccess file).
Move the website to a VPS or a dedicated server if you are on a share hosting.
This seems to be a pretty bad one! A few tips:
Be sure to check Google blacklisting status & also do a 'fetch as google' to check if there's malware showing up in search results.
It is recommended to find all the external calls from the website to other domains (usually hackers point credit card details to their own domains or emails).
A diff command would go a long way:
$ mkdir joomla-3.6.4
$ cd joomla-3.6.4
$wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
$ diff -r joomla-3.6.4 ./public_html
There are more steps which can be checked from this URL: https://www.getastra.com/blog/cms/joomla-security/joomla-admin-security/

Unwanted code being inserted into pages

Some of our ColdFusion sites are having the words "coupon" inserted into their footer with a link to another site. Is there anything I can do to prevent this? Is there any software I can run to help detect any vulnerabilities? It doesn't seem to be SQL injection as the databases seem fine and nothing unusual is showing up in the logs.
There are several variations of attacks that produce this sort of result (appending a link to some malicious or nefarious site). For example, this one (Script Injection) uses the latency between a file upload and checking to insert executable code on your server.
Other attack vectors include FTP (which is why you should not use it), or other file transfer protocols. In your case the infected machine may not be the server. It could be a client machine with access to the server - a developer who has set up FTP to the server for example.
Let me know if you need formal help - we have a good track record fixing this sort of thing. If you get more clues post them and I'll try to help. I will warn you that if this is a server infectionit is at the root level and is so pervasive your only option is to start with a pristine install and reinstall your code. Bad news I know - sorry :(
We had something similar happen when one of our servers was hit by the hack Charlie Arehart describes here:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
Have you had these patches?
Another option that I would recommend is searching your site(s) for any use of the <cffile> tag that isn't expected. I had a customer that somehow got a single file that was a backdoor to their site. It was particularly dangerous because it could upload files to any location on the server as well as execute any SQL command against any datasource on the server. In other words, this single file opened the door to all of the sites and databases that were running on that server.
This backdoor file (which was named vision.cfm) was often used to update footers with links to coupon and spam sites. vision.cfm was only 210 lines of code.
The entire server had to be sanitized after this was discovered.

Uploading a Website

This is my first time building a website and using CodeIgniter for a school project. I was wondering whether you have any tips on uploading CI to a free web host , my database, free webhosting and basic security tips.
Can I just upload the entire CI folder? Or do I have to upload individual files (God no!)? What are my options?
What about my MySQL database - do I just upload my mysqldump to the webhost?
Also, can you recommend a good free webhost. I was thinking about 000webhost.
Any basic tips on security would also be appreciated (I've implemented many of the form_validation rules like xss_clean for starters)
Any other suggestions will be more than welcome. Thanks!
I used 000webhost.com long time ago and remembered having minor inconvenient here and there (i.e.: slow connection, server unreachable sometime). I don't have any suggestion on a good free webhost because in most situation the words "good" and "free webhost" do not belong in the same sentence. You get what you paid for.
Now, onto the uploading itself.
You need to upload the entire CI folder and your app as well
You can either zip them all and extract the zip if you have shell access to the server
You can use FTP to upload all files at once
MySQL DB: if you have SQL scripts, you can execute them in phpMyAdmin interface if the web host provider gives you access to it. Please read phpMyAdmin documentation for ways to upload your MySQL data.
In terms of security:
http://codeigniter.com/user_guide/installation/index.html
http://codeigniter.com/user_guide/general/security.html
Sanitize user input if you're using SQL expression directly
If you are using CI ORM/database library, make sure you keep yourself up to date to any security issues by checking CI mailing-list, IRC, or whichever the preferred communication channel the CI people use.
For simplicity, avoid HTML tags (as a user) input, treat them as literal
Instead of uploading individual files make the entire directory into a zip folder (or any compressed folder) to save bandwidth and time.
Also most webhosts will have an uploader, but im not sure about free hosts supporting database services, you would have to look into that.