• Resolved philrp

    (@philrp)


    Hi,

I recently encountered an issue whereby my shared hosting provider identified some form of malicious code in the SQL file in the wp-snapshots folder. (The code was data recorded by the Wordfence security plugin.)

Their response to identifying the malicious code was to disable my outbound ports 80, 443, 587 and 465 (Port 80 in cPanel), which prevented many plugins from functioning properly: Analytics, SEO, Wordfence, etc.

    Since this SQL file seems to be identical to the Database.sql file that is created within the ZIP archive, would it be possible to somehow prevent (or remove) the separate SQL file?

    Thank you for such a great tool.
    Phil

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @philrp,

    Can you provide more details as to why WordFence thought the code to be malicious? If you have sensitive info to share just submit a ticket and refer to this thread.

    Thanks

    Thread Starter philrp

    (@philrp)

    Hi,

    Thank you for your response.

    My hosting provider runs some form of malicious code scan on a regular basis.

    The code they identified as malicious is the following, taken from the UA column of the wfHits table of Wordfence.

}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:119:"eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).chr(41).chr(59));Factory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}????

    According to the Wordfence person in their forum, wfHits stores referrers, user-agents and other data that any site visitor or attacker can modify.

    My first thought was to tell Duplicator to exclude the wfHits table, but wouldn’t that break Wordfence on restore or clone?

    According to my hosting company, the SQL file within the ZIP file would not raise an issue, hence my question about possibly preventing (or removing) the separate SQL file?

    Thanks for such a great tool and support.

    Phil
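One way to find out which table a flagged string actually lives in, and whether that table is a log of visitor-supplied data (as wfHits is) rather than something the site executes, is to scan the dump yourself before handing it to a host. The script below is an added example written for this thread; it is not code from Duplicator, Wordfence or the hosting provider. It walks a mysqldump-style file line by line, splits each INSERT into columns, and reports any value that looks like a serialized PHP object carrying a dangerous callable name. The sample dump, the `LOG_TABLES` set and the shortened serialized value inside it are constructed for the example.

```python
import re

# Constructed mysqldump-style sample: one row in Wordfence's wfHits log table
# (the UA column holds whatever user-agent a visitor sent), one ordinary post,
# and one serialized array in wp_options that should not be flagged.
SAMPLE_DUMP = r'''
INSERT INTO `wp_wfHits` (`id`,`ctime`,`IP`,`UA`) VALUES (1,1500000000,0x7F000001,'}__test|O:21:"JDatabaseDriverMysqli":3:{s:8:"feed_url";s:23:"eval(chr(112).chr(104))";s:19:"cache_name_function";s:6:"assert";}');
INSERT INTO `wp_posts` (`ID`,`post_content`) VALUES (5,'Hello world, nothing to see here');
INSERT INTO `wp_options` (`option_id`,`option_name`,`option_value`) VALUES (9,'widget_text','a:1:{i:0;s:4:"text";}');
'''

# Tables that store raw request data from anonymous visitors (assumption for
# this example; extend with your own plugins' log tables).
LOG_TABLES = {"wp_wfHits"}

INSERT_RE = re.compile(
    r"INSERT INTO `(?P<table>\w+)` \((?P<cols>[^)]*)\) VALUES \((?P<vals>.*)\);$"
)
# A serialized PHP object header: O:<len>:"<Class>":<count>:{
PHP_OBJECT = re.compile(r'O:\d+:"[\w\\]+":\d+:\{')
# Callable names that give a serialized blob code-execution potential
DANGEROUS = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\b")


def split_values(values):
    """Split the inside of a VALUES (...) tuple into raw literals.

    Single-quoted strings may contain commas, backslash escapes and '' quotes;
    numbers and hex literals are passed through untouched.
    """
    out, buf, in_str, i = [], [], False, 0
    while i < len(values):
        c = values[i]
        if in_str:
            if c == "\\" and i + 1 < len(values):   # backslash escape
                buf.append(values[i + 1])
                i += 2
                continue
            if c == "'":
                if i + 1 < len(values) and values[i + 1] == "'":  # '' escape
                    buf.append("'")
                    i += 2
                    continue
                in_str = False
            else:
                buf.append(c)
        elif c == "'":
            in_str = True
        elif c == ",":
            out.append("".join(buf))
            buf = []
        elif c != " ":
            buf.append(c)
        i += 1
    out.append("".join(buf))
    return out


def scan_dump(text):
    """Return one finding per column value that is a serialized PHP object
    naming a dangerous callable, tagged with the table it came from."""
    findings = []
    for line in text.splitlines():
        m = INSERT_RE.match(line.strip())
        if not m:
            continue
        cols = [c.strip("` ") for c in m["cols"].split(",")]
        vals = split_values(m["vals"])
        for col, val in zip(cols, vals):
            if PHP_OBJECT.search(val) and DANGEROUS.search(val):
                findings.append({
                    "table": m["table"],
                    "column": col,
                    # Log tables hold attacker-writable strings that the site
                    # never unserializes; anything else deserves a closer look.
                    "context": "log data (visitor-controlled)"
                    if m["table"] in LOG_TABLES else "needs review",
                    "snippet": val[:60],
                })
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f['table']}.{f['column']} [{f['context']}]: {f['snippet']}")
```

Run against a real dump, a finding in a log table such as wfHits tells you the string was merely recorded from a request, which is the same conclusion Wordfence gives for that table; a finding in wp_options or wp_posts is the case worth investigating, since those values can be unserialized or rendered by the site.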

    Hey Phil,

    That section of code doesn’t look to be problematic to me in its current context. Sometimes scanners can have false flags. There is an overview of it in this FAQ.

    – A scanner says that a security issue/malware/threat was detected. Is this valid?
    – https://snapcreek.com/duplicator/docs/faqs-tech/#faq-trouble-070-q

    Hope this helps~

  • The topic ‘Malicious code in SQL file’ is closed to new replies.