Post-hack database inspection and cleanup

  • After cleaning up my core files from a base64 hack to recover from the white screen wp-admin page, I am now moving on to database inspection and cleanup. This is a mystery to me so far, since I did an automated original WP install in my ISP almost 3 years ago, and haven’t really been tracking the database side of things.

    Under the ISP’s MySQL control panel I find 3 databases, 2 of which look suspicious, the third of which is referenced/linked, password included, in my wp-config.php. Question 1: is that normal?

    The names of the last two databases seems a tad odd: they start with my username, followed by some gibberish, then ending in “.com” Question 2: Is that normal, or is this indicative that these are hacked versions? Question 3: Does the naming suggest the databases reside external to my ISP, making all my password changes pretty much irrelevant (i.e., known to the hacker)?

    Finally, I don’t see much that I can do through my ISP tools to really inspect the database and see whether it’s infected. I don’t even see a way to backup databases, or download them to my PC so that I can inspect and clean it offline. This link mentions that malicious code can reside in your database and re-infect your core files, but am at a loss as to how to implement its suggestions.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter eswrite-wp

    (@eswrite-wp)

    Here’s a related thread that seems to be dealing with something similar, but without the detail of how to examine/determine whether the database I’m looking at is hacked.

    EDIT: Here’s a more useful thread with some nice suggestions I will now follow…

    Thread Starter eswrite-wp

    (@eswrite-wp)

    More about the WP database than I ever wanted to know… but once I figure out how to examine the database, it should let me know what’s ‘odd’ and what isn’t.

    Thread Starter eswrite-wp

    (@eswrite-wp)

    I know, I’m boring you all, but for the 1 person who is following this exciting saga with bated breath…

    I think I’m in a lot better shape than I thought. Late night led to some faulty conclusions. It turns out the two funny looking databases I see are not suspicious in name at least. The first is from an aborted WP install back in 2009, and contains only default WP stuff. The second is in fact my current database. I’m in the process of using my ISPs web-based tools to snoop through it and see if I find anything suspicious. I did go through and through WordPress’ admin interface remove every user except me. Then I went back to the MySQL/phpMyAdmin interface and verified no rogue/hidden users in the actual database. That’s one less thing to worry about, but my blog users won’t be happy that they have to re-initiate their subscriptions. Oh, well. It was the only way I could think of id’ing a rogue user.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Post-hack database inspection and cleanup’ is closed to new replies.