• I was stupid enough to neglect the importance of removing searchreplacedb2.php immediately after usage, and so I forgot where I had placed it. As a result, it has recently been found and exploited.

    So far I could easily get rid of some code added in the posts table.

    <script src='https://xxxxxxxxxxxxxxxx' type='text/javascript'></script>

    That produced redirections.

    My knowledge about the other WP tables is limited for the moment, so I cannot yet tell for sure what else could have been done elsewhere in the database with a “search and replace”. I hope somebody will tell me that before I figure it out on my own, since it may possibly require a long time.

    Thanks in advance!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator cubecolour

    (@numeeja)

    The searchreplacedb2 tool exposes the database connection details.

    Although the screen that shows the db connection details only displays the value of the database password field as asterisks, the source of the page does list the password in plain text.

    If the attacker used the connection details to access the database remotely they could have changed anything in the database.

    Thread Starter appleaday

    (@appleaday)

    I do appreciate your remark, thanks. That was enough for me to change the database user and password anyway, though actually that user had no remote access, and the new user has no remote access, as well.

    That’s why, if I got your remark correctly, it’s worth asking only about possible “searching and replacing” via the searchreplacedb2.php script. I wouldn’t throw away an entire installation just because I suspect something evil might still hide in the database, would I?

    I assume such an attack is not an act of vandalism, i.e. with the aim of destroying or spoiling the contents – with evident, outstanding effects – but instead aims to achieve some profit – redirecting to some other page was what I saw – without being noticed for as long as possible.

    There’s no use specifying I’m not a security expert – if I were, I wouldn’t confess a mistake like the one I made – but I assumed a deeper knowledge of WP tables and their roles would help in “guessing” what kind of substitutions would be useful for an attacker in tables other than “posts”. That’s the real target of my request for help.

    It’s worth specifying that the website is now apparently in good order, though of course, to feel completely safe, I have to go further with investigations: how?

    Thanks in advance!
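One way to start the investigation the post above asks about: rather than reading every table by hand, export the free-text columns an edit through searchreplacedb2.php could have touched and scan them for the markers that injected redirect code tends to leave. The script below is an added example, not code from this thread, from WordPress or from the searchreplacedb2 tool. It assumes the default `wp_` table prefix, rows supplied as `(table, key, column, value)` tuples (for example from `SELECT ID, post_content FROM wp_posts` and similar queries, or parsed out of a SQL dump), an allowlist of the site's own hostnames, and the sample rows it contains are constructed for illustration.

```python
"""Scan exported WordPress rows for content a database search-and-replace
could have injected. Added example for this thread; the row layout,
sample rows and hostname allowlist are assumptions, not WordPress code."""
import re
from urllib.parse import urlparse

# Free-text columns of the core tables an attacker can edit with a
# search-and-replace (default wp_ prefix assumed).
TEXT_COLUMNS = {
    "wp_posts": ("post_content", "post_excerpt", "guid"),
    "wp_postmeta": ("meta_value",),
    "wp_options": ("option_value",),
    "wp_comments": ("comment_content", "comment_author_url"),
    "wp_users": ("user_url",),
    "wp_usermeta": ("meta_value",),
}

# Markers that rarely belong in ordinary post or option content.
SUSPICIOUS = [
    (re.compile(r"<script[^>]*src=", re.I), "remote <script> tag"),
    (re.compile(r"<iframe", re.I), "iframe"),
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"base64_decode|fromCharCode|unescape\s*\(", re.I), "obfuscation helper"),
    (re.compile(r"document\.location|window\.location", re.I), "JS redirect"),
    (re.compile(r"http-equiv=.refresh", re.I), "meta refresh"),
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

# Options whose value must be exactly the site's own address; a
# search-and-replace is precisely the tool used to rewrite them.
SITE_OPTIONS = {"siteurl", "home"}


def scan_value(table, key, column, value, allowed_hosts):
    """Return (table, key, column, reason) findings for one cell."""
    findings = []
    for pattern, label in SUSPICIOUS:
        if pattern.search(value):
            findings.append((table, key, column, label))
    for url in URL_RE.findall(value):
        host = urlparse(url).hostname or ""
        if host and host not in allowed_hosts:
            findings.append((table, key, column, f"link to foreign host {host}"))
            break  # one foreign-host finding per cell is enough to flag it
    return findings


def scan_rows(rows, allowed_hosts):
    """rows: iterable of (table, key, column, value); for wp_options the key
    is the option_name. Serialized option values are scanned as raw text,
    which is enough to catch tags and URLs hidden inside them."""
    findings = []
    for table, key, column, value in rows:
        if column not in TEXT_COLUMNS.get(table, ()):
            continue
        if table == "wp_options" and key in SITE_OPTIONS:
            host = urlparse(value).hostname or ""
            if host not in allowed_hosts:
                findings.append((table, key, column, f"site address points at {host}"))
            continue
        findings.extend(scan_value(table, key, column, value, allowed_hosts))
    return findings


# Constructed sample rows: one clean and one injected post, a rewritten
# home URL, an iframe inside a serialized widget, and eval() in post meta.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SAMPLE_ROWS = [
    ("wp_posts", 12, "post_content",
     "<p>Hello world</p><script src='https://cdn.example.net/x.js' type='text/javascript'></script>"),
    ("wp_posts", 13, "post_content",
     "<p>Plain article with <a href='https://example.com/about'>a link</a></p>"),
    ("wp_options", "siteurl", "option_value", "https://example.com"),
    ("wp_options", "home", "option_value", "https://cdn.example.net"),
    ("wp_options", "widget_text", "option_value",
     'a:1:{i:2;a:1:{s:4:"text";s:24:"<iframe src=x></iframe>";}}'),
    ("wp_postmeta", 77, "meta_value", "eval(atob('...'))"),
    ("wp_comments", 5, "comment_content", "Nice post"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, ALLOWED_HOSTS):
        print("%-12s %-12s %-16s %s" % finding)
```

Every hit is a lead for manual review, not proof of compromise (a legitimate embed can match the iframe rule), but the `siteurl`/`home` check and the foreign-host rule are the ones most directly tied to what a search-and-replace can do: swap one string for another across every table at once. The `guid` column of `wp_posts` and the `comment_author_url` column are included for the same reason, since a replace scoped to a domain name rewrites them too.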

    (@rening1964)

    They use /wp-admin/admin-ajax.php to place the malware

    Thread Starter appleaday

    (@appleaday)

    @rening1964 I’m afraid I didn’t get what you mean. As far as I could see, it was enough to use the script searchreplacedb2.php to inject some JavaScript code into posts (by simply using the script in the way it is normally used). I cannot see how the PHP file you mentioned could be involved.

  • The topic ‘What malicious actions can be made with a “search and replace” in a WP database?’ is closed to new replies.