Today we released the brand new version 1.17.0 of our malware scanner ISPProtect. With this release we made our new feature available to the public: the database scan.
As currently reported in the media, thousands of outdated WordPress installations have been hacked and had foreign content injected into their databases, for example into the site title or the page contents.
Our new scan level searches all databases on a server for known strings (and some heuristic patterns) that may indicate hacked content, e.g. "0Wn3D By che69x" or "Hacked by w4l3XzY3", and many more.
The new feature (fully usable, although still marked as experimental) is enabled with the --db-scan argument introduced in 1.17.0. Here is how to use it.
This feature scans your databases for suspicious contents. It is still in *experimental* state, but it can't do any harm to use it. On Debian-based servers it should be enough to use --db-scan, because the tool reads the credentials from the /etc/mysql/debian.cnf config file. On servers that don't have this file, you have to create your own and provide its path, e.g. --db-scan="/root/myisppdatabase.cnf"
The file’s contents should look like this:
[ispprotect]
user = yourmysqluser
password = yourmysqlpassword
host = yourmysqlhost
The "host" entry is optional; the default is "localhost". Please make sure that the config file is not readable by unprivileged users! For security reasons you can create a dedicated database user that has read-only privileges.
By default the tool scans up to 1,000,000 rows per database table. You can set this to a lower value, e.g. --db-scan-maxrows=10000
If you want to scan ALL rows (not recommended), you can set --db-scan-maxrows=0
If you only want to scan the databases and not your server's files for malware, use the --no-malware-scan and --no-version-scan arguments together with --db-scan.
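As an added illustration of what such a database scan does (this is example code, not ISPProtect's own implementation), here is a minimal scanner in Python: it walks every table, reads only text columns, honours a per-table row cap like --db-scan-maxrows, and flags cells that contain one of the known strings quoted above or match a generic "hacked by" heuristic. It uses an in-memory SQLite database with constructed WordPress-style sample rows as a stand-in for a MySQL server; the heuristic regex, table names and sample data are assumptions made for this example.

```python
import re
import sqlite3

# Defacement strings quoted on the page, plus a generic "hacked by" heuristic
# (the regex is constructed for this example, not ISPProtect's own rule set).
KNOWN_STRINGS = ["0Wn3D By che69x", "Hacked by w4l3XzY3"]
HEURISTIC = re.compile(r"\b(hacked|owned|0wn3d)\s+by\b", re.IGNORECASE)


def classify(value):
    """Return the matched indicator for a text cell, or None if it looks clean."""
    for s in KNOWN_STRINGS:
        if s.lower() in value.lower():
            return s
    m = HEURISTIC.search(value)
    return "heuristic:" + m.group(0) if m else None


def scan_database(conn, max_rows=1_000_000):
    """Scan every user table, at most max_rows rows each (0 = no cap, like --db-scan-maxrows=0)."""
    findings = []
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                          "AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in tables:
        # Only CHAR/TEXT columns can carry injected titles or page content.
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                if re.search("CHAR|TEXT", r[2] or "", re.I)]
        if not cols:
            continue
        col_list = ", ".join('"%s"' % c for c in cols)
        sql = f'SELECT rowid, {col_list} FROM "{table}"'
        if max_rows > 0:
            sql += f" LIMIT {int(max_rows)}"
        for rowid, *values in conn.execute(sql):
            for col, value in zip(cols, values):
                hit = classify(value) if isinstance(value, str) else None
                if hit:
                    findings.append((table, col, rowid, hit))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for a WordPress database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.execute("CREATE TABLE wp_posts (post_title VARCHAR(200), post_content TEXT, views INTEGER)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)",
                     [("siteurl", "https://example.test"), ("blogname", "0Wn3D By che69x")])
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)",
                     [("Hello world", "<p>Welcome to WordPress.</p>", 5),
                      ("Hello world", "<div>hacked by SomeCrew</div>", 7)])
    return conn
```

Heuristic hits (an ordinary sentence containing "owned by" would also match) are leads to review, not confirmed defacements; the known-string matches are the reliable ones.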