
Extract worm from MySQL db - MySQL


  1. #1

    Extract worm from MySQL db

    I have a worm on my web site, it displays on my site an iframe that
    opens a remote page with a virus. I searched recursively inside all
    files on the server, and I didn't find anything. Someone told me he
    had the same problem on a phpBB forum, and the malicious code was
    inside a table of the database.

    My database is 2.4GB big and I just can't search for it manually. I
    have no idea where in the database this malicious code can be. How can
    I search in all tables recursively to find out where it's located?

    Thanks.

    Charles Guest

  2. #2

    Re: Extract worm from MySQL db

    Charles A. Landemaine wrote:
     

    If you have a worm on your system, it is possible that there is already a
    rootkit installed, so you have no chance to find it (or it will be very,
    like booting a rescue system and checking all binaries and the kernel etc.)
    and you should install the system from scratch.

    Malicious code inside a table of a database sounds strange, but maybe some
    innocent looking data triggers a crash in the program which reads the data.
    To find such a bug will be very difficult, but a starting point would be to
    analyze which functions are called when the iframe is displayed, if it uses
    the database. If you install the system from scratch and the malicious code
    is still in the database, your system will be infected again.

    --
    Frank Buss, de
    http://www.frank-buss.de, http://www.it4-systems.de
    Frank Guest

  3. #3

    Re: Extract worm from MySQL db

    On Jul 14, 3:48 pm, Frank Buss <de> wrote: 


    Thanks Frank. I actually ran the rootkit hunter and clamavscan but
    found nothing. Isn't there a way to search for a string inside the
    whole database?

    Charles.

    Charles Guest

  4. #4

    Re: Extract worm from MySQL db

    Charles A. Landemaine wrote:
     

    Did you run it from a rescue system? Maybe I'm paranoid, but a rootkit can
    hide itself from rootkit scanners and the rootkit scanner has to know the
    rootkit or at least you need the MD5 hashes from a clean system to compare
    with your system.
     

    I just tried it with MySQL 5.0.32 and looks like at least varchars are just
    stored in the MYD tables. A "grep string *.MYD" in
    /var/lib/mysql/your-database should do it.

    But I don't understand why you want to search for text inside the whole
    database. If you know the text and the worm, which is used, you can search
    it from within mysql and repair it. If you don't know how the worm works,
    then a string search is useless.

    --
    Frank Buss, de
    http://www.frank-buss.de, http://www.it4-systems.de
    Frank Guest

  5. #5

    Re: Extract worm from MySQL db

    On Jul 15, 12:34 am, Frank Buss <de> wrote: 

    Thanks Frank, yes I know what to search, I need to search for
    msiesettings.com, this is the location the iframe the worm is
    pointing. I had the same problem on a Wordpress site, but there are
    far less tables on Wordpress and I searched manually. In this case
    there are a lot more tables and data :(


    Charles Guest
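
One way to run the search asked about in this thread from within MySQL, given as an added example that is not part of any poster's message: it reads `information_schema.COLUMNS` and builds one parameterized `COUNT(*) ... LIKE` query per text or blob column. The function names are hypothetical, and `find_hits` assumes a DB-API cursor that uses the `%s` parameter style (as PyMySQL and mysqlclient do) and returns rows as tuples.

```python
# Added example: find which table/column of one schema holds an indicator string.
SEARCHABLE = {"char", "varchar", "tinytext", "text", "mediumtext", "longtext",
              "tinyblob", "blob", "mediumblob", "longblob"}

COLUMNS_SQL = ("SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE "
               "FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = %s")


def quote_ident(name):
    """Backtick-quote a MySQL identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def like_pattern(needle):
    """Escape LIKE wildcards so the needle matches literally, then wrap it in %."""
    for ch in ("\\", "%", "_"):  # backslash first, so added escapes stay intact
        needle = needle.replace(ch, "\\" + ch)
    return "%" + needle + "%"


def build_queries(schema, columns, needle):
    """columns: rows of (table, column, data_type).
    Returns a list of (table, column, sql, params) for text/blob columns only."""
    queries = []
    for table, column, data_type in columns:
        if data_type.lower() not in SEARCHABLE:
            continue  # skip numeric, date and other non-string columns
        sql = "SELECT COUNT(*) FROM {}.{} WHERE {} LIKE %s".format(
            quote_ident(schema), quote_ident(table), quote_ident(column))
        # The indicator travels as a bound parameter, never inside the SQL text.
        queries.append((table, column, sql, (like_pattern(needle),)))
    return queries


def find_hits(cursor, schema, needle):
    """Run every generated query; return [(table, column, matching_rows)]."""
    cursor.execute(COLUMNS_SQL, (schema,))
    columns = cursor.fetchall()
    hits = []
    for table, column, sql, params in build_queries(schema, columns, needle):
        cursor.execute(sql, params)
        count = cursor.fetchone()[0]
        if count:
            hits.append((table, column, count))
    return hits
```

Each query is a full scan of one column, so on a database of the size mentioned in the thread it is best run against a restored copy rather than the live server.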
