
SQL Injections

Discussion in 'Server Configuration and Hosting' started by Giverny, May 6, 2016.

  1. Giverny

    Giverny Member

    Hi guys. Firstly, I'm sorry if this isn't an XF specific issue but it's certainly affected the forum on our site - the site we run (diabetes.co.uk) was recently infected by what I believe was an exploit kit for WordPress. We noticed it on the blog first, where users were being redirected to ClickBank links leading to a landing page for a product named Diabetes Destroyer. It's obviously a scam, but my concern lies with our users, who may have been conned as a result of malware on our site.

    It's proving troublesome to remove and has now infected various areas of our forum. Initially, we discovered that it was redirecting people by infecting our local jQuery - this was resolved by changing the jQuery source to Google Ajax in the ACP. We figured the problem would be solved after that, but our users continued getting redirected when they clicked links in the discussion list. That was resolved by clearing the discussion list cache. Now we're really struggling and believe the intruders are using SQL injections to add strings of text & HTML into the notices at the top of the forum. The last time I was redirected personally was when I was trying to log into the ACP.

    We're looking for a solution to what now seems to be a constant infiltration of our server. Any tips?
  2. Mouth

    Mouth Well-Known Member

  3. Giverny

    Giverny Member

    Would much rather not pay an external party for malware removal. Ideally, I'm looking for a solution to help the team I work with resolve this themselves.
  4. wang

    wang Well-Known Member

    Seeing that this hack was originated through WP, I think it would be better if you asked at their support forums.
  5. rainmotorsports

    rainmotorsports Well-Known Member

    Attacks like this are not usually continuous; it's one and done. Chances are they exploited WordPress and screwed with your server configuration. I would take a backup of the database, collect all your files for XenForo and all the plugins you are running, and install just that on a clean server. I would certainly check any .htaccess files or, if you're running nginx, the main configs. If WordPress is the attack vector you should at least disable it for now. Chances are you're going to have better luck paying a service to find the problem and prevent future ones than finding it yourself.
  6. Robust

    Robust Well-Known Member

    Always update WordPress. If your site is big enough, don't use WordPress. A general HTML site is fine, if you need PHP then get a custom site made. WordPress is so exploited, and it's olden software with old code standards with new features added here and there. Always keep it up to date if you absolutely must use it.

    If updating it doesn't fix it, I don't recommend you trying to 'solve it yourself' if you lack knowledge in this sector - an experienced team or individual will do a much better job and knows what to look for. Visible symptoms aren't the only symptoms. Just because it isn't doing anything you see doesn't mean it's completely gone.
  7. motowebmaster

    motowebmaster Active Member

    Run queries within your database for anything that matches unique values to what the hackers had been inserting.
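One way to do what motowebmaster suggests, written as an added example that is not from this thread. It assumes XenForo 1.x table and column names (xf_notice.message, xf_template.template, xf_post.message) and, because the OP later says the injected strings used different phrases each time, searches for structural markers of a redirect payload rather than exact text; check the names against your own schema with SHOW COLUMNS first.

```sql
-- Added example, not code from the thread or from XenForo.
-- Assumed XF 1.x schema: xf_notice(notice_id, title, active, message),
-- xf_template(template_id, title, style_id, template),
-- xf_post(post_id, thread_id, user_id, message, last_edit_date).
-- MySQL REGEXP is case-insensitive on non-binary text columns.
SET @markers = '<script|<iframe|clickbank|document\\.location|window\\.location|eval\\(|base64_decode|fromcharcode';

-- 1. Notices shown at the top of the forum (where the OP saw injected HTML)
SELECT notice_id, title, active, LEFT(message, 160) AS snippet
FROM xf_notice
WHERE message REGEXP @markers;

-- 2. Templates: a redirect planted here renders on every page, like a notice
SELECT template_id, title, style_id, LEFT(template, 160) AS snippet
FROM xf_template
WHERE template REGEXP @markers;

-- 3. Posts carrying the same markers, with edit times to spot tampering
SELECT post_id, thread_id, user_id,
       FROM_UNIXTIME(last_edit_date) AS last_edited,
       LEFT(message, 160) AS snippet
FROM xf_post
WHERE message REGEXP @markers
ORDER BY last_edit_date DESC;

-- 4. Every other free-text column in the database that could carry the
--    same payload, so the search above can be repeated table by table
SELECT table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND data_type IN ('text', 'mediumtext', 'longtext')
ORDER BY table_name, column_name;
```

Rows returned by queries 1 to 3 are candidates for review, not proof of compromise on their own; a legitimate notice can contain a script tag, so compare each hit against the admin logs and the notice's known contents.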
  8. ManagerJosh

    ManagerJosh Well-Known Member

    Question: Are you sure it is a SQL injection? If yes, how were you able to determine it was a SQL Injection?
  9. Giverny

    Giverny Member

    I'm not entirely convinced myself but our server guy reckons so. There were snippets of code appearing in the notices table with no trace in XF admin logs. We went with Sucuri in the end who found a few infected PHP files in our XF install and a few holes in WordPress. Thanks for the recommendation, @Mouth - very helpful!
    Mouth likes this.
  10. ManagerJosh

    ManagerJosh Well-Known Member

    Out of curiosity, how did the server admin determine it was a SQL Injection? Could it be an unpatched Windows Server or IIS 7.0? Or weak username/password credentials (including service accounts)?
  11. Giverny

    Giverny Member

    We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out :rolleyes:... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.
  12. ManagerJosh

    ManagerJosh Well-Known Member

    I have a concern that something is overlooked here. Generally one cannot escape a SQL environment by leveraging a SQL injection to modify and add code to PHP files.

    I strongly suspect something else is not being examined or looked at here - which led to the compromise of your site.
  13. wang

    wang Well-Known Member

    Glockie likes this.
  14. motowebmaster

    motowebmaster Active Member

    I'm curious how they managed to change your php files. If you don't mind sharing, was it in Wordpress or Xenforo?
  15. Tracy Perry

    Tracy Perry Well-Known Member

    If I was abetting, I'd bet on WordPress.
    WSWD likes this.
  16. WSWD

    WSWD Well-Known Member

    Yep...this stuff happens all the time with WordPress.
    Glockie and Tracy Perry like this.