After a site of a friend has been hacked I told him he should just clean up the mess and restart from scratch so he know that no file has been altered.
I could scan the site for him with tools like grep an so on (For a start: Grep and Friends) but what I wondered about is, how to scan the database? What if some hacker has placed payload inside the database. Can be something simple like XSS or even PHP code in case there is some eval’ing still going on in core (or was at the time of the hack).
Any suggestions? I thought about using SQL-Queries with the LIKE comparison function or there is even some REGEX possible. But maybe someone has already done this or wants to do this an has some ideas to share.
2 s
I’ve read that dumping the database as text and searching in it is a good way to go. You can search with phpmyadmin, but it’s limited. Depends on the size of the database and a good text editor, but you can delete post/page revisions before dumping the database to bring it down in size. Or dump a few tables at a time.