The Database Cleaner module scans SQL databases for malware. Currently, it is an beta module and it only logs results if there are any.
The module only works if the MalwareDetection module is enabled as well. It is recommended to run a full scan before using this module to make sure the scanner can connect to the SQL database.
How scanning works
The module scans SQL rows using the MalwareDetection module’s detectors. Scanning can be started when the module starts. Currently, scans can not be executed by other means.
Connecting to the SQL database
The MalwareDetection module must be running in order for this module to connect to the SQL database. Currently, it can only connect to local instances which are hosted on the same server.
The module calls the MalwareDetection module’s SearchFilesCommand. This command looks for wp-config.php files in the filesystem cache, then returns them for the SqlScanner module.
The wp config files are parsed and the database connection information is extracted from it. After that, the module connects to the database and starts the scan.
During the scan, the module does the following:
- Creates a list of all the tables in the database.
- Traverses the tables and all of their rows.
- Creates a string representation of the rows which looks like so:
id column1 column2 column3 ...
- Runs the HEX detector on the strings.
- Logs the result.
The results are logged in the /var/log/bitninja/mod.sql_scanner.log file.
The results have the following format:
Malware found in db: [<database>] table: [<table>]
If the id (primary key) column can be found then the following will be logged as well:
row id name = [<name_of_id_column>] row id value = <id>
Otherwise, the following will be logged:
row id cannot be identified.
The match will be logged as well:
Matched string: [<malware_snippet>]
The module is only compatible with MySQL.
Content Management Systems
Currently, only WordPress is supported.
wp-config.php must include the following:
In case the MySQL socket path is not the system default then the socket path can be added manually via the mysql_socket_path variable.
; By default it auto search the mysqld sock based on Debian and CentOs defaults
; mysql_socket_path = ''