SQL Triggers Used by Hackers to Compromise User Database

Read the original article: SQL Triggers Used by Hackers to Compromise User Database


 

Over the past year, a broader pattern has emerged of WordPress malware that uses SQL triggers inside infected databases to hide malicious SQL queries. Whenever the trigger condition is met, these queries insert an admin-level user into the infected database. Websites that run a common CMS (such as WordPress) use a MySQL database to store essential data, including CMS settings. Anything that can change the MySQL database, whether by injecting harmful code or by removing the website's content, can therefore do severe harm to the website.

Protection is one reason the MySQL database has its own unique username and password, which deters anyone from querying the MySQL database manually without the required login details. Unfortunately, if attackers have unauthenticated access, they can also read the wp-config.php file to learn the website's database authentication credentials, which can then be used to connect to the database from the attacker's own code and make malicious changes.
A real-life example is an intruder with unauthorized access to a website who wants a backdoor that persists even if the website's files are cleaned.
One approach is to create an admin user in the website's CMS database. Such users are usually easy to find in the administrative dashboard or an SQL client. The unauthorized admin account is a backdoor that lives outside the website's files and the web server's directory. This is important to know, since owners of a compromised website often forget to check the database. However, removing suspicious users from the website's database does not mean that every potential backdoor has been removed.
A SQL trigger is a stored procedure that runs automatically when certain changes are made to the database. While triggers have a number of legitimate uses, bad actors also use them to retain unauthorized access after a compromise. To achieve this, attackers place a SQL trigger in the compromised website's database, and the malicious action is performed when specific conditions are met or a particular event occurs.
If attackers breach a site, they will go after any database passwords stored in wp-config or other CMS configuration files. Once the hacker has obtained this data, it can be extremely hard to determine at any point after the infection whether the hacker has harvested any valuable information. Users must change passwords, including the database password, if a breach occurs. Skipping this post-hack step allows an attacker to get back in and modify the website even after the user assumes the infection has been removed.
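
A defender's check for the trigger-based persistence described above, as an added example that is not part of the original article: it reviews rows exported from MySQL's `information_schema.TRIGGERS` and flags any trigger whose body writes to the WordPress account tables. The sample rows, trigger names and the `audit_log` table are constructed, and the trigger bodies are deliberately abbreviated.

```python
import re

# Query to export trigger metadata (standard information_schema columns).
QUERY = """SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_STATEMENT
FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE();"""

# Matches the target table of each write statement inside a trigger body.
WRITE_RE = re.compile(
    r"\b(INSERT\s+(?:IGNORE\s+)?INTO|REPLACE\s+INTO|UPDATE|DELETE\s+FROM)\s+"
    r"(?:`?\w+`?\.)?`?(\w+)`?", re.IGNORECASE)
# WordPress account tables, whatever table prefix the site uses.
USER_TABLE_RE = re.compile(r"(?:^|_)(users|usermeta)$", re.IGNORECASE)
# Meta keys that hold a WordPress account's role.
ROLE_KEY_RE = re.compile(r"capabilities|user_level", re.IGNORECASE)

def audit_triggers(rows):
    """Return (trigger_name, reasons) for triggers that write to account tables."""
    findings = []
    for row in rows:
        body = row["ACTION_STATEMENT"]
        reasons = []
        for verb, table in WRITE_RE.findall(body):
            if USER_TABLE_RE.search(table):
                verb = " ".join(verb.upper().split())
                reasons.append(f"{verb} {table} on "
                               f"{row['EVENT_MANIPULATION']} of {row['EVENT_OBJECT_TABLE']}")
        if reasons and ROLE_KEY_RE.search(body):
            reasons.append("sets a role/capability meta key")
        if reasons:
            findings.append((row["TRIGGER_NAME"], reasons))
    return findings

# Constructed sample rows; trigger bodies are abbreviated with "..." on purpose.
SAMPLE_ROWS = [
    {"TRIGGER_NAME": "log_post_edit", "EVENT_MANIPULATION": "UPDATE",
     "EVENT_OBJECT_TABLE": "wp_posts",
     "ACTION_STATEMENT": "BEGIN INSERT INTO audit_log (...) VALUES (...); END"},
    {"TRIGGER_NAME": "after_insert_comment", "EVENT_MANIPULATION": "INSERT",
     "EVENT_OBJECT_TABLE": "wp_comments",
     "ACTION_STATEMENT": "BEGIN IF ... THEN INSERT INTO `wp_users` (...) VALUES (...); "
                         "INSERT INTO wp_usermeta (...) VALUES (..., 'wp_capabilities', ...); "
                         "END IF; END"},
]

if __name__ == "__main__":
    for name, reasons in audit_triggers(SAMPLE_ROWS):
        print(name, "->", "; ".join(reasons))
```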

