Malware infection type: SQL injection
What does it mean to have pages marked with the malware infection type "SQL injection" in Google Search Console?
The SQL injection type means that the site’s database is likely compromised. For example, the hacker may have programmatically inserted malicious code into every record of a database table. Later, when the server loads a page that requires information from the database, the malicious code is now embedded in the page’s content and can potentially harm the site's visitors.
For more general information on malware, see Assess the damage (hacked with malware).
How do I investigate the "SQL injection" malware type?
First, avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected malware page in a browser may damage your computer.
Consider confirming the behavior by using cURL or Wget to perform HTTP requests (for example, to fetch a page). These freely available tools are helpful in diagnosting redirects, and have the flexibility to include referrer or user-agent information. By serving malicious content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and malware scanners. (Your site will need to be online to use these tools.)For example:
$curl -v --referer <referer-field> --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" <your-url>such as:
$curl -v --referer "http://www.google.com" --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://www.example.com/page.html
In the output from Wget or cURL, check for words like "iframe" or "eval" that may have been included by the cybercriminal.
Next, login to your database server or view your database through a tool like phpMyAdmin. If you used Wget or cURL, try to correlate the damage found in the page's source code through Wget or cURL with the actual database entries. For example, if you noticed your pages included a dangerous iframe, you could perform a SQL query searching for iframe code. For example:
SELECT * FROM blog_posts WHERE post_text LIKE '%>iframe%';
You may also want to check database log and error files on your server for unusual activity, such as unexpected SQL commands that seem abnormal for regular users or errors.
How do I clean my site of the "SQL injection" malware type?
When ready to clean your site , you can either update each infected database record or you can restore your last known database backup.
Please be aware that removing the malicious code doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be compromised again in the future. For more information on cleaning a hacked site, see Help for hacked sites.