SQL Injections

Giverny · May 6, 2016

Hi guys. Firstly, I'm sorry if this isn't an XF specific issue but it's certainly affected the forum on our site - the site we run (diabetes.co.uk) was recently infected by what I believe was an exploit kit for WordPress. We noticed it on the blog first, where users were being redirected to ClickBank links leading to a landing page for a product named Diabetes Destroyer. It's obviously a scam, but my concern lies with our users, who may have been conned as a result of malware on our site.

It's proving troublesome to remove and has now infected various areas of our forum. Initially, we discovered that it was redirecting people by infecting our local jQuery - this was resolved by changing the jQuery source to Google Ajax in the ACP. We figured the problem would be solved after that, but our users continued getting redirected when they clicked links in the discussion list. That was resolved by clearing the discussion list cache. Now we're really struggling and believe the intruders are using SQL injections to add strings of text & HTML into the notices at the top of the forum. The last time I was redirected personally was when I was trying to log into the ACP.

We're looking for a solution to what now seems to be a constant infiltration of our server. Any tips?

Mouth · May 6, 2016

Giverny said:
Any tips?

https://sucuri.net/website-security/malware-removal

Giverny · May 6, 2016

Would much rather not pay an external party for malware removal. Ideally, I'm looking for a solution to help the team I work with resolve this themselves.

wang · May 6, 2016

Seeing that this hack was originated through WP, I think it would be better if you asked at their support forums.

rainmotorsports · May 6, 2016

Attacks like this are not usually continuous it's one and done chances are they exploit it WordPress and screw with your server configuration. I would take a backup of the database collect all your files for xenforo and all the plugins are running install just that on a clean server. I would certainly check any Htaccess files or if you're running in nginx the main configs. If WordPress is the attack vector you should at least disable it for now. Chances are you're going to have better luck paying a service to find the problem and preventing future ones then finding it yourself

Robust · May 6, 2016

Always update WordPress. If your site is big enough, don't use WordPress. A general HTML site is fine, if you need PHP then get a custom site made. WordPress is so exploited, and it's olden software with old code standards with new features added here and there. Always keep it up to date if you absolutely must use it.

Giverny said:
Would much rather not pay an external party for malware removal. Ideally, I'm looking for a solution to help the team I work with resolve this themselves.

If updating it doesn't fix it, I don't recommend you trying to 'solve it yourself' if you lack knowledge in this sector - an experienced team or individual will do a much better job and knows what to look for. Visible symptoms aren't the only symptoms. Just because it isn't doing anything you see doesn't mean it's completely gone.

motowebmaster · May 10, 2016

Run queries within your database for anything that matches unique values to what the hackers had been inserting.

ManagerJosh · May 10, 2016

Question: Are you sure it is a SQL injection? If yes, how were you able to determine it was a SQL Injection?

Giverny · May 10, 2016

ManagerJosh said:
Question: Are you sure it is a SQL injection? If yes, how were you able to determine it was a SQL Injection?

I'm not entirely convinced myself but our server guy reckons so. There were snippets of code appearing in the notices table with no trace in XF admin logs. We went with Sucuri in the end who found a few infected PHP files in our XF install and a few holes in WordPress. Thanks for the recommendation, @Mouth - very helpful!

ManagerJosh · May 10, 2016

Giverny said:
I'm not entirely convinced myself but our server guy reckons so. There were snippets of code appearing in the notices table with no trace in XF admin logs. We went with Sucuri in the end who found a few infected PHP files in our XF install and a few holes in WordPress. Thanks for the recommendation, @Mouth - very helpful!

Out of curiosity, how did the server admin determine it was a SQL Injection? Could it be an unpatched Windows Server or IIS 7.0? Or weak username/password credentials (including service accounts)?

Giverny · May 10, 2016

ManagerJosh said:
I'm showing you're running a Microsoft Windows Server. Are you sure it was a result of SQL and not someone just hacking the Windows Server?

We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out

... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.

ManagerJosh · May 10, 2016

Giverny said:
We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out ... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.

I have a concern that something is overlooked here. Generally one can not escape a SQL environment leveraging a SQL Injection to modify and add code to PHP Files.

I strongly suspect something else is not being examined or looked at here - which lead to the compromise of your site.

wang · May 10, 2016

There was a major security issue dicovered with WP a few days ago.

https://blog.sucuri.net/2016/05/wordpress-redirect-hack-test0-default7.html

motowebmaster · May 11, 2016

Giverny said:
We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out ... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.

I'm curious how they managed to change your php files. If you don't mind sharing, was it in Wordpress or Xenforo?

TPerry · May 11, 2016

If I was abetting, I'd bet on WordPress.

WSWD · May 11, 2016

Yep...this stuff happens all the time with WordPress.

SQL Injections

Giverny

Member

Mouth

Well-known member

Giverny

Member

wang

Well-known member

rainmotorsports

Well-known member

Robust

Well-known member

motowebmaster

Well-known member

ManagerJosh

Well-known member

Giverny

Member

ManagerJosh

Well-known member

Giverny

Member

ManagerJosh

Well-known member

wang

Well-known member

motowebmaster

Well-known member

TPerry

Well-known member

WSWD

Well-known member

Similar threads

We value your privacy