SQL injections on websites carrying backdoor scripts

We’ve seen this for a while now, but recently it seems to be a growing trend.

Many of the websites we’ve been cleaning have the backdoor scripts injected into the SQL database so that when the webpage is accessed, the backdoor is available, but invisible to the visitor.

A hacker who knows which page or which website is carrying their code only has to send it a particular string, and the backdoor shell script appears on their screen.

When we have had the access logs available to us, we have analyzed them, and it does not appear to be a regular SQL injection (SQLi). Instead, the hackers appear to find a point of entry to the website, then search for the file that contains the database login information. They upload a shell that gives them something like phpMyAdmin, then add their infectious code to selected fields in the database.

We know that many people believe that moving their wp-config.php file outside of the public_html folder keeps their database login information safe. This is not true. When a hacker infects a website, they typically have full access to the hosting account. This includes the areas outside of public_html. We’ve seen this thousands of times.

At times the code has been an infectious iframe or other JavaScript string; finding full backdoor shells buried in the SQL database, however, is even more alarming. The hackers have created various ways of hiding this so that a legitimate visitor to the website sees no suspicious code, yet when the hacker sends their code to the specific webpage, it opens their backdoor shell. This also hides their code from many of the online scanners. We still feel these online scanners are helpful, but the hackers keep finding new methods to hide their activities.

This makes repeat infections extremely easy for the hackers. As a website owner you could search all the code on your site and find nothing. To find this malicious code, you’ll have to export your database and then scan it for any script tags and any PHP tags. If you find any, you’ll have to analyze the string to determine whether it’s malicious or not.

One key we’ve found is that the backdoor shells need a field in the database that’s large enough to contain their lengthy code, at least for the backdoor shell scripts. Smaller JavaScript or iframe infections could be anywhere in the database. You’ll have to be familiar enough with the database layout for your website to know where to look.

If you’ve been subjected to repeat infections, you might want to look in your database. Even if you haven’t been subjected to repeat website infection, you might still want to look in your database to see what might be lurking.

If you need help analyzing your database, please send an email to: traef@wewatchyourwebsite.com.

If you have any more insight to this infection, or have additional questions, please leave a comment.

Thank you.