Now that we’ve reinstalled the old database, the next step is to sanitize it. We’re going to finish the install by moving all the images and things like that that are here now, but before we do that, we just want to sanitize the database.
Sanitizing the database means that we’re going to search, and we’re going to search all tables. But we’re going to start off by searching the posts table. Search posts, and we’re going to wrap this in wildcards: we’re going to search for iframes, wildcard, and hit Go. Okay, there were 353 matches; that’s very odd.
Leah: Could some of the iframes be the embedded YouTube videos on the website?
Rick: Yes, they absolutely could be. So instead of searching for iframe we’re going to search for that Sucuri stuff. Remember that Sucuri found iframe src http equals this? So instead of searching for iframe we’re going to search for that. We’re going to search posts, we’ve got to select the whole thing then we’re going to search. Okay, this actually exists in all of these posts. Let’s see, let’s look in post_content.
Leah: Would it be easier if everything was pulled at once? Because I can go back and re-embed every YouTube video if that would be faster.
Rick: Well, it might be but I just want to look at this for just a second. Post data’s publish. Okay so here’s a publish post, let’s check it. No, this does not have it in it. Okay, I did something wrong in the search.
We’re going to search post_content where post_content is…let’s try that one. Okay, I just have done the wrong thing because right now we’re getting an empty result. SELECT `post_content` FROM `wp3_posts` WHERE `post_content` contains this iframe. LIKE with the wildcards means contains. So this is a wildcard: this percent sign wrapping this line of text makes it a wildcard. Essentially the question is whether or not it contains it.
We don’t have that anywhere there. What we’re going to do now is to search the whole thing for the same thing. Again it’s percent (%) and then that and percent (%), and then we’re going to search everything. Okay, it must be looking for any of the words in that search, so find the exact phrase instead of at least one of the words, and now you have zero.
So this phrase right here does not exist anywhere in your database and this phrase is the one that was the evidence of the hack so your database is clean of that and that’s essentially what we want to do.
Let’s come back and take a look again at Sucuri. We’ve got iframe=. What we could do here is just search for this also which I think we will do just to make sure that there isn’t any other reference that was similar.
So again we’re going to search at least one of the words. In this case, else, it’s only that word we can search at least one of them. Okay, there’s one example of it here under wp3_options. Oh, so it’s the BackupBuddy malware scan that found this malware, so we’re safe there. So the database is clean then; now what we have to do is finish restoring the site.