April 2024 holidays Philippines.Claim Your Free 999 Pesos Bonus Today

Reply To: What malicious actions can be made with a “search and replace” in a WP database?

cubecolour — Sun, 30 Jul 2017 10:23:50 +0000

The searchreplacedb2 tool exposes the database connection details.

Although the screen that shows the db connection details only displays the value of the database password field as asterisks, the source of the page does list the password in plain text.

If the attacker used the connection details to access the database remotely they could have changed anything in the database.

Reply To: What malicious actions can be made with a “search and replace” in a WP database?

appleaday — Sun, 30 Jul 2017 12:36:45 +0000

I do appreciate your remark, thanks. That was enough for me to change the database user and password anyway, though actually that user had no remote access, and the new user has no remote access, as well.

That’s why, if I got your remark correctly, it’s worth questioning just about possible “searching and replacing” via the searchreplacedb2.php script. I wouldn’t throw away an entire installation just because I suspect something evil might still hide in the database, should I?

I assume such an attack is not an act of vandalism, i.e. with the aim of destroying or spoil the contents – with evident outstanding effects – but instead aims to achieve some profit – redirecting to some other page was what I saw – without being noticed for the longest time possible.

There’s no use to specify I’m not a security expert – if I was I wouldn’t confess such a mistake like the one I made – but I assumed a deeper knowledge of WP tables and their roles would help in “guessing” what kind of substitutions would be useful for an attacker in tables other than “posts”. That’s the real target of my request for help.

It’s worth specifying the website is now apparently in good order, though of course to feel completely safe I have to go further with investigations: how? ??

Thanks in advance!

Reply To: What malicious actions can be made with a “search and replace” in a WP database?

rening1964 — Fri, 04 Aug 2017 22:34:45 +0000

They use /wp-admin/admin-ajax.php to place the malware

Reply To: What malicious actions can be made with a “search and replace” in a WP database?

appleaday — Wed, 16 Aug 2017 10:37:23 +0000

@rening1964 I’m afraid I didn’t get what you mean. As far as I could see it was enough to use the script seachreplacedb2.php to inject some javascript code in posts (by simply using the script in the way it is normally used). I cannot see how the php file you mentioned could be involved.