
Does VirusTotal detect malware in an SQL export? I have an infected WordPress site. I removed the malware with various tools; however, I know from experience that sometimes it hides itself somewhere deep in the database. I did a manual search for suspicious code in the database and didn't find anything. However, I'm just a novice in these kinds of things and only know some basic functions to search for that are typically used by malware.

Is VirusTotal actually able to find malware in SQL export files? Or can I use some other software for that?

2 Answers

2

No, from VirusTotal support:

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content.

If the attack you received was a SQL injection, the best you could do is to fix the vulnerability that let the attacker inject malicious code into your web page and, of course, delete the malicious code that has been uploaded.

SQL injections are usually easy to clean (removing the injected content) but hard to fix (preventing the injection from happening again in the same way).

You could check for some well-known and typical cross-site scripting attack strings here and here.

A good explanation of how and which settings let those attacks work is given here.

Foxhole
  • 121
  • 2
1

No, it's not useful and I just tested it. Here's what I did.

I tried to find a couple of malicious URLs. I ended up picking one to an exe file from https://malc0de.com/database/ , and one to a js file that was mentioned in the news not long ago (about an ongoing attack to Magento). Here are the links that show VirusTotal clearly detects those files and their domains: exe file, exe domain, js file, js domain.

Then I found a sample WordPress database on GitHub (an SQL dump), I downloaded it, opened it in a text editor, and then injected the links to the malicious files into the content of a post. I included the links in the post in various ways: as simple text, as HTML links (in href attributes), and as scripts (in the src attribute). Then I uploaded the "infected" SQL dump to VirusTotal, and nothing was detected. I also tried renaming the file as html and exe, but it was still considered to be the same file because it had the same hash, and it was always considered to be plain text. So it looks like VirusTotal doesn't check for malicious URLs in database dumps.

If you have been hacked, the only safe way to clean your database is to restore a clean old copy from your backups. If you really want to check your database anyway, you can't rely on common antivirus software, but you need specific tools and analysis aimed at your specific web application. Changing a simple string or number in your database can be enough to compromise it, for example by changing the numbers that define user permissions, or replacing a simple email address so the attacker can reset a user's password, etc. To be able to spot such changes you need to understand every part of the database. If you search on Google you might be able to find several security services that offer to clean up WordPress sites, including scanning databases. They might check some specific tables, some specific parameters, and look for suspicious domains or strings. I don't know how good and how reliable they are, that of course may vary. As I said, if you really want to be sure to clean up your database, restore it from a clean backup.

reed
  • 15,398
  • 6
  • 43
  • 64
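Both answers above point the same way: a generic antivirus upload will not look inside a database dump, and the asker needs a check that understands the WordPress schema (the typical XSS/injection strings Foxhole mentions, and the permission and e-mail changes reed describes). The following script is an added example, not code from either answerer or from VirusTotal; it walks a mysqldump-style export line by line, tracks which table each row belongs to, and flags active HTML tags, links to hosts outside the site's own domain, account e-mails on foreign domains, administrator capabilities on user ids the owner does not recognise, and common PHP obfuscation primitives. The sample dump, the site host `example.com`, the user id `1` as the only expected administrator, and the domain `evil-example.test` are all constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# Constructed, abbreviated WordPress dump in mysqldump style. The planted
# anomalies are wp_posts row 3 (script tag pointing off-site), user_id 7 in
# wp_usermeta (unexpected administrator) and its wp_users e-mail (foreign domain).
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`, `autoload`) VALUES
(1, 'siteurl', 'https://example.com', 'yes'),
(2, 'home', 'https://example.com', 'yes');
INSERT INTO `wp_posts` (`ID`, `post_author`, `post_content`, `post_title`) VALUES
(1, 1, '<p>Hello world</p>', 'Hello'),
(2, 1, '<p>Read more <a href=\"https://example.com/about\">here</a></p>', 'About'),
(3, 1, '<p>News</p><script src=\"http://evil-example.test/loader.js\"></script>', 'News');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES
(1, 1, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
(2, 7, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_users` (`ID`, `user_login`, `user_email`) VALUES
(1, 'admin', 'owner@example.com'),
(7, 'wp_support', 'reset-me@evil-example.test');
"""

TABLE_RE = re.compile(r"INSERT INTO `?(\w+)`?", re.IGNORECASE)
TAG_RE = re.compile(r"<(script|iframe|object|embed)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
OBFUSC_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.IGNORECASE)
# Second column of a VALUES row: the user_id in wp_usermeta.
ROW_RE = re.compile(r"^\(\s*\d+\s*,\s*(\d+)\s*,")


def host_allowed(host: str, site_hosts: Set[str]) -> bool:
    """True if host is one of the site's own domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in site_hosts)


def scan_wp_dump(dump: str, site_hosts: Set[str], expected_admins: Set[int]) -> List[Dict[str, object]]:
    """Return one finding per suspicious indicator, in file order, with table and line."""
    findings: List[Dict[str, object]] = []
    table = "?"

    def note(lineno: int, line: str, reason: str) -> None:
        findings.append({"table": table, "line": lineno, "reason": reason,
                         "snippet": line.strip()[:80]})

    for lineno, line in enumerate(dump.splitlines(), 1):
        m = TABLE_RE.search(line)
        if m:
            table = m.group(1).lower()  # all following rows belong to this table
        tag = TAG_RE.search(line)
        if tag:
            note(lineno, line, f"active HTML <{tag.group(1).lower()}> tag in stored content")
        for host in sorted(set(URL_RE.findall(line))):
            if not host_allowed(host, site_hosts):
                note(lineno, line, f"link to external host {host}")
        if table in ("wp_users", "wp_options"):
            for domain in EMAIL_RE.findall(line):
                if not host_allowed(domain, site_hosts):
                    note(lineno, line, f"account e-mail on external domain {domain}")
        if table == "wp_usermeta" and "wp_capabilities" in line and "administrator" in line:
            row = ROW_RE.match(line.strip())
            uid = int(row.group(1)) if row else None
            if uid not in expected_admins:
                note(lineno, line, f"administrator capability on unexpected user_id {uid}")
        if OBFUSC_RE.search(line):
            note(lineno, line, "PHP eval/obfuscation primitive in stored content")
    return findings


def scan_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed dump with assumed site settings."""
    return scan_wp_dump(SAMPLE_DUMP, site_hosts={"example.com"}, expected_admins={1})


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['table']}:{f['line']}: {f['reason']}  | {f['snippet']}")
```

Run against a real export, the host allowlist should contain every domain the site legitimately links to (CDNs, embedded media) and the expected administrator ids should come from the owner's records, not from the dump itself; everything the script flags still needs a human to decide whether it is content or compromise, which is why reed's advice to restore from a known-clean backup remains the safer route.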