TL;DR
SQL injection can leave hidden backdoors in your website. This guide shows you how to find and remove them, and importantly, prevent them happening again.
1. Understand the Risk
If an attacker successfully uses SQL injection, they might not just steal data. They could also:
- Create new user accounts with admin privileges.
- Modify existing website files directly through database updates (e.g., inserting malicious JavaScript).
- Install web shells – programs that give them remote control of your server.
These are all forms of backdoors.
2. Scan for Suspicious Files
Look for files that have been recently modified, especially those you don’t recognise. Common places to check:
- Website root directory: The main folder where your website files are stored.
- Includes/templates folders: Attackers often hide code in these areas.
- Upload directories: If users can upload files, this is a prime target.
Use file integrity monitoring tools (like AIDE or Tripwire) if you have them. Otherwise, manually check modification dates.
3. Review Database Tables
Attackers often create tables to store backdoors or malicious code. Look for:
- Unusual table names: Anything that doesn’t match your application’s structure.
- Unexpected data in existing tables: Check user tables, content management system (CMS) settings, and any other database areas where code might be injected.
Use a database administration tool like phpMyAdmin or DBeaver to browse the database schema.
4. Inspect Website Code
This is the most time-consuming step, but crucial. Look for:
- Obfuscated code: Code that’s deliberately hard to read (e.g., using base64 encoding).
- Backdoor scripts: Search for common backdoor filenames and functions (see section 7).
- Unexpected database queries: Queries that don’t seem related to your application’s functionality.
Use a code editor with syntax highlighting to make this easier.
5. Check Server Logs
Examine your web server logs (e.g., Apache access and error logs) for:
- Suspicious POST requests: Look for long or unusual data being sent to your website.
- Error messages related to SQL injection attempts: These can give you clues about where the attack occurred.
- Access to unknown files: If someone is trying to access files they shouldn’t be, it’s a red flag.
Log analysis tools (like GoAccess or Splunk) can help automate this process.
6. Remove Backdoors
Important: Before making any changes, back up your entire website and database!
- Delete suspicious files: Be careful not to delete legitimate files.
- Remove malicious code from existing files: Use a code editor to carefully edit the affected files.
- Drop or truncate attacker-created tables: In your database administration tool, remove any tables you identified as malicious.
DROP TABLE suspicious_table;
7. Common Backdoor Indicators
- Filenames: webshell.php, shell.php, cmd.php, backdoor.php
- Functions: eval(), base64_decode(), system(), exec(), passthru(), shell_exec()
These functions aren’t inherently malicious, but they are often used in backdoors to execute arbitrary code.
8. Prevent Future Attacks
- Use prepared statements: This is the most effective way to prevent SQL injection.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?"); $stmt->execute([$username]); - Input validation and sanitisation: Validate all user input before using it in database queries.
- Least privilege principle: Grant database users only the permissions they need.
- Keep software up to date: Regularly update your CMS, plugins, and server software.
- Web Application Firewall (WAF): A WAF can help block SQL injection attempts before they reach your application.