
Database Cleaner (SQL Scanner)

Introduction

The Database Cleaner module scans SQL databases for malware.

The module only works if the MalwareDetection module is enabled as well. It is recommended to run a full scan before using this module to make sure the scanner can connect to the SQL database.

How scanning works

The module scans SQL rows using the MalwareDetection module’s detectors. A scan is started when the module starts; currently, scans cannot be triggered by any other means.

Connecting to the SQL database

The MalwareDetection module must be running in order for this module to connect to the SQL database. Currently, it can only connect to local instances which are hosted on the same server.

The module calls the MalwareDetection module’s SearchFilesCommand. This command looks for wp-config.php files in the filesystem cache and returns them to the SqlScanner module.

The wp-config.php files are parsed and the database connection information is extracted from them. After that, the module connects to the database and starts the scan.

The flow

During the scan, the module does the following:

  1. Creates a list of all the tables in the database.
  2. Traverses the tables and all of their rows.
  3. Creates a string representation of each row of the form: id column1 column2 column3 ...
  4. Runs the HEX detector on the strings.
  5. Logs the result.

Results

The results are logged in the /var/log/bitninja/mod.sql_scanner.log file.

The results have the following format: Malware found in db: [<database>] table: [<table>]

If the id (primary key) column can be identified, the following is logged as well: row id name = [<name_of_id_column>] row id value = <id>

Otherwise, the following will be logged: row id cannot be identified.

The match will be logged as well: Matched string: [<malware_snippet>]

Compatibility

Databases

The module is only compatible with MySQL.

Content Management Systems

WordPress and Joomla are both supported.

WordPress

wp-config.php must include the following:

    define("DB_NAME", "name");
    define("DB_HOST", "host");
    define("DB_PORT", "port");
    define("DB_USER", "user");
    define("DB_PASSWORD", "pass");

Joomla

configuration.php must include the following:

    public $dbtype = 'mysql';
    public $host = 'localhost';
    public $user = 'user';
    public $password = 'pass';
    public $db = 'name';
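The following is an added example, not code from BitNinja or this module, that walks through the steps described above: parsing the database credentials out of a WordPress wp-config.php or a Joomla configuration.php, traversing every table and row, building the "id column1 column2 ..." string, running a detector on it, and emitting log lines in the format shown under "Results". Two things are assumptions rather than documented behaviour: an in-memory SQLite database stands in for the local MySQL instance so the example runs offline (the table and primary-key lookups use SQLite's sqlite_master and PRAGMA table_info, not MySQL's information_schema), and the hex_detector function is a stand-in whose rules (runs of \xNN escapes, or long bare hex blobs) are not the module's actual HEX detector. All config text and table rows are constructed samples.

```python
import re
import sqlite3
from typing import Dict, List, Optional

# Constructed sample config files (not taken from any real site).
SAMPLE_WP_CONFIG = '''<?php
define("DB_NAME", "wp_site");
define("DB_HOST", "localhost");
define("DB_PORT", "3306");
define("DB_USER", "wpuser");
define("DB_PASSWORD", "pass");
'''
SAMPLE_JOOMLA_CONFIG = '''<?php
class JConfig {
    public $dbtype = 'mysql';
    public $host = 'localhost';
    public $user = 'joomlauser';
    public $password = 'pass';
    public $db = 'joomla_site';
}
'''

WP_DEFINE_RE = re.compile(r'''define\(\s*["'](DB_[A-Z]+)["']\s*,\s*["']([^"']*)["']\s*\)''')
JOOMLA_PROP_RE = re.compile(r'''public\s+\$(\w+)\s*=\s*["']([^"']*)["']''')


def parse_wp_config(text: str) -> Dict[str, str]:
    """Return the DB_* defines found in wp-config.php text as a dict."""
    return dict(WP_DEFINE_RE.findall(text))


def parse_joomla_config(text: str) -> Dict[str, str]:
    """Return the public $prop = '...' properties of configuration.php as a dict."""
    return dict(JOOMLA_PROP_RE.findall(text))


# Hypothetical HEX detector (assumption: the real detector's rules are not on the page).
# Flags 8+ consecutive \xNN escapes, or a bare hex blob of 100+ characters. Legitimate
# hashes (32/40/64 hex chars) stay below the blob threshold, which limits false positives.
HEX_ESCAPE_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
HEX_BLOB_RE = re.compile(r'\b[0-9a-fA-F]{100,}\b')


def hex_detector(text: str) -> Optional[str]:
    """Return the first suspicious hex fragment in text, or None if the row looks clean."""
    for rx in (HEX_ESCAPE_RE, HEX_BLOB_RE):
        m = rx.search(text)
        if m:
            return m.group(0)
    return None


def row_to_string(row) -> str:
    """Build the 'id column1 column2 ...' representation described in the flow."""
    return " ".join("" if v is None else str(v) for v in row)


def primary_key_column(conn: sqlite3.Connection, table: str) -> Optional[str]:
    """SQLite stand-in for locating the id column (assumption: not the module's method)."""
    for _cid, name, _type, _notnull, _default, pk in conn.execute(f'PRAGMA table_info("{table}")'):
        if pk == 1:
            return name
    return None


def scan_database(conn: sqlite3.Connection, db_name: str) -> List[str]:
    """List all tables, traverse their rows, run the detector, return log lines."""
    log: List[str] = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        pk = primary_key_column(conn, table)
        cur = conn.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur.fetchall():
            hit = hex_detector(row_to_string(row))
            if hit is None:
                continue
            log.append(f"Malware found in db: [{db_name}] table: [{table}]")
            if pk is not None:
                log.append(f"row id name = [{pk}] row id value = {row[cols.index(pk)]}")
            else:
                log.append("row id cannot be identified.")
            log.append(f"Matched string: [{hit}]")
    return log


def run_demo() -> List[str]:
    """In-memory SQLite stands in for the MySQL instance so the example runs offline."""
    cfg = parse_wp_config(SAMPLE_WP_CONFIG)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")  # no primary key
    # Constructed rows: a clean post, a post carrying a hex-escaped PHP string, a clean
    # option and an option holding a long hex blob.
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", "Welcome to WordPress."),
        (2, "Injected", '<?php eval("\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65"); ?>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://example.invalid"),
        ("stash", "ab" * 60),
    ])
    return scan_database(conn, cfg["DB_NAME"])


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the demo produces two findings: the wp_posts hit carries "row id name = [ID] row id value = 2" because the table has a primary key, while the wp_options hit is reported with "row id cannot be identified." since that table has none, matching the two cases described under "Results".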

Configuration

If the MySQL socket path is not the system default, the socket path can be set manually via the mysql_socket_path variable.

    ; By default the module auto-searches the mysqld socket based on Debian and CentOS defaults
    ; mysql_socket_path = ''