You are reading this article because you are seeing odd behaviour on your website and want to scan the database for hidden malware.
An example of odd behaviour: when you visit your website, you are sometimes redirected to a different web page. It does not happen every time; it seems random. You have checked all your local files and found no suspicious code. You have even used a scanner such as Wordfence and it has not detected anything either.
If you have phpMyAdmin, some kind of MySQL GUI, or the ability to dump the database to a local file, search the database for the following terms:
- eval
- base64_decode
- gzinflate
- shell_exec
- GLOBALS
- error_reporting(0)
Their presence could indicate a malware infection.
Note: This is not an exhaustive list. You may research other PHP functions that hackers commonly use.
What the terms above mean:
- base64_decode: This function decodes data that was encoded with base64. Since WordPress is open source, it is very unlikely to contain encoded information, so this function in your DB usually indicates that a hacker is trying to hide or mask malicious code.
  - What you should search for: “base64_decode(” or “base64_decode (” (the second has a space before the opening bracket).
- gzinflate: This function decodes (inflates) data that was compressed (deflated). As above, an open source platform should not contain encoded sections, so the presence of this function points to a hacker trying to hide their activity.
  - What you should search for: “gzinflate(” or “gzinflate (”
- eval: This language construct executes any string as PHP code. Because it is very dangerous, php.net discourages its use and most programmers avoid it. If you find this construct in your DB, the site is very likely infected.
  - What you should search for: “eval(” or “eval (”
- error_reporting(0): With a zero parameter, this function suppresses both the display and the logging of code errors. This usage is very unlikely in any web application. If found, it may indicate a hacker testing various code while hiding the error reports so the site owner does not notice.
  - What you should search for: “error_reporting(0)” or “error_reporting (0)”
- shell_exec: The shell is the layer of a Unix operating system that processes commands. Using the shell_exec function, hackers can execute commands at the operating system (server) level. Because this can let them take over an entire server, it is a favourite of hackers.
  - What you should search for: “shell_exec(” or “shell_exec (”
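If you have dumped the database to a local SQL file, the search above can be automated. The following script is an added example (not part of this article) that scans a mysqldump-style text file for the listed terms, allowing for the optional space before the opening bracket, and reports the line and table of each hit; the sample dump rows are constructed for illustration.

```python
import re

# Indicator terms from the article. "\s*" before "(" matches both the
# "eval(" and the "eval (" spellings the article tells you to search for.
INDICATORS = {
    "eval": r"\beval\s*\(",
    "base64_decode": r"\bbase64_decode\s*\(",
    "gzinflate": r"\bgzinflate\s*\(",
    "shell_exec": r"\bshell_exec\s*\(",
    "GLOBALS": r"\bGLOBALS\b",
    "error_reporting(0)": r"\berror_reporting\s*\(\s*0\s*\)",
}
# PHP function names are case-insensitive; $GLOBALS is not.
PATTERNS = {name: re.compile(rx, 0 if name == "GLOBALS" else re.IGNORECASE)
            for name, rx in INDICATORS.items()}
TABLE_RX = re.compile(r"INSERT INTO\s+`?(\w+)`?", re.IGNORECASE)


def scan_dump(dump_text):
    """Return a list of (line_no, table, indicator, snippet) for every hit."""
    hits = []
    table = "?"  # last table seen in an INSERT statement
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        m = TABLE_RX.search(line)
        if m:
            table = m.group(1)
        for name, rx in PATTERNS.items():
            for hit in rx.finditer(line):
                start = max(0, hit.start() - 20)
                hits.append((line_no, table, name, line[start:hit.end() + 40]))
    return hits


# Constructed dump excerpt (hypothetical site): one clean option row, one row
# hiding an error_reporting(0)/eval/gzinflate/base64_decode chain, one clean post.
SAMPLE_DUMP = """\
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','<?php error_reporting (0); eval (gzinflate(base64_decode(\\'ZZZ\\'))); ?>','yes');
INSERT INTO `wp_posts` VALUES (7,'Hello world','Welcome to WordPress.');
"""

if __name__ == "__main__":
    for line_no, table, name, snippet in scan_dump(SAMPLE_DUMP):
        print(f"line {line_no} table {table}: {name} -> {snippet!r}")
```

Run it against a real dump with `scan_dump(open("dump.sql").read())` and review each hit by hand, since a legitimate plugin can occasionally store one of these names.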