I am working on a forensics course, with which I have been looking into an attack on a blog server. I have found a number of deleted WordPress files, and I have managed to figure out which ones contained blog posts.
The one file I cannot figure out contains information beginning with the following:
wordpress#UPDATE wp_options SET option_value = 'O:9:\"MagpieRSS\":19:{s:6:\"parser\";i:0;s:12:\"current_item\";a:0:{}s:5:\"items\";a:10:{i:0;a:9:{s:5:\"title\";s:37:\"India Vs Pakistan: Now Cyber Terror? \";s:6:\"author\";s:8:\"chinchak\";s:4:\"link\";s:59:\"http://feeds09.technorati.com/~r/trarticles/~3/sxlCqi2M9aE/\";s:4:\"guid\";s:74:\"http://technorati.com/politics/article/india-vs-pakistan-now-cyber-terror/\";s:11:\"description\";s:182:\"The India-Pakistan relations could very well be termed the greatest mystery ever of mankind.\";s:7:\"pubdate\";s:31:\"Tue, 21 Aug 2012 00:03:41 +0000\";s:8:\"category\";s:51:\"PoliticsAssam ViolenceCyber TerrorIndia Vs Pakistan\";s:10:\"feedburner\";a:1:{s:8:\"origlink\";s:74:\"http://technorati.com/politics/article/india-vs-pakistan-now-cyber-terror/\";}
It continues in this way for a while, but I haven’t had too much luck trying to use Google to tell me what the “wp_options” means. It looks like someone was trying to spam the blog with comments, but I can’t be sure without a source which can confirm my view is correct. Can anybody help please?
The wp_options table stores key-value information in the columns option_name and option_value. When storing arrays they get serialized; to decode them you can use PHP’s unserialize function. It looks like you’re dealing with an SQL injection that tries to mess with WordPress’ user options. The purpose is not obvious, because they are rarely displayed; they are just used internally. If there’s a WHERE clause somewhere in that SQL statement that tells you which option name it’s trying to edit, you could perhaps match it using this list:
http://codex.wordpress.org/Option_Reference
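As an added example (not part of the question or the answer above), here is a small decoder for PHP's serialize() format written in Python, so the recovered option_value can be read on a forensic workstation without a PHP interpreter. The value is first un-escaped the way the SQL statement escaped it (backslash before each quote); the sample value is a constructed, shortened blob with the same MagpieRSS shape as the one in the question, not the full dump.

```python
# Added example: decode a PHP-serialized wp_options value recovered from an SQL dump.
# Handles the types seen in the dump (s, i, a, O) plus b, d and N.
# Note: PHP string lengths are byte counts; feed this str decoded as latin-1 if
# the dump contains non-ASCII bytes so the lengths line up.

def unescape_sql(s: str) -> str:
    """Undo the backslash escaping the SQL statement applied to the value."""
    return s.replace('\\"', '"').replace("\\'", "'").replace("\\\\", "\\")

def php_unserialize(data: str):
    """Parse one PHP-serialized value; raises ValueError on malformed input."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value

def _parse(d: str, i: int):
    t = d[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ibd":                                 # i:12;  b:1;  d:1.5;
        end = d.index(";", i)
        conv = {"i": int, "b": lambda x: x == "1", "d": float}[t]
        return conv(d[i + 2:end]), end + 1
    if t == "s":                                   # s:<len>:"<bytes>";
        colon = d.index(":", i + 2)
        n, start = int(d[i + 2:colon]), colon + 2
        if d[start + n:start + n + 2] != '";':
            raise ValueError(f"bad string length at offset {i}")
        return d[start:start + n], start + n + 2
    if t in "aO":                                  # a:<n>:{..}  O:<len>:"<cls>":<n>:{..}
        colon = d.index(":", i + 2)
        cls = None
        if t == "O":
            clen = int(d[i + 2:colon])
            cls = d[colon + 2:colon + 2 + clen]
            i = colon + 2 + clen + 1               # ':' before the property count
            colon = d.index(":", i + 1)
            n = int(d[i + 1:colon])
        else:
            n = int(d[i + 2:colon])
        i, out = colon + 2, {}                     # skip ':{'
        for _ in range(n):
            k, i = _parse(d, i)
            out[k], i = _parse(d, i)
        if d[i] != "}":
            raise ValueError(f"expected '}}' at offset {i}")
        if cls is not None:
            out["__class__"] = cls                 # keep the object's class name
        return out, i + 1
    raise ValueError(f"unknown type {t!r} at offset {i}")

def decode_option_value(sql_escaped: str) -> dict:
    return php_unserialize(unescape_sql(sql_escaped))

# Constructed sample (shortened; not the real dump), escaped as it appeared in the SQL.
SAMPLE_SQL_VALUE = (
    r'O:9:\"MagpieRSS\":2:{s:6:\"parser\";i:0;s:5:\"items\";a:1:{i:0;a:2:{'
    r's:5:\"title\";s:11:\"Hello World\";s:4:\"link\";s:19:\"http://example.com/\";}}}'
)
```

Run decode_option_value on a recovered value and compare the decoded keys against the option reference linked above; a cached feed object like this one points to a feed-reading plugin writing its cache into wp_options rather than to blog comments.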