
SQL Injections

#1
Hi guys. Firstly, I'm sorry if this isn't an XF-specific issue, but it's certainly affected the forum on our site - the site we run (diabetes.co.uk) was recently infected by what I believe was an exploit kit for WordPress. We noticed it on the blog first, where users were being redirected to ClickBank links leading to a landing page for a product named Diabetes Destroyer. It's obviously a scam, but my concern lies with our users, who may have been conned as a result of malware on our site.

It's proving troublesome to remove and has now infected various areas of our forum. Initially, we discovered that it was redirecting people by infecting our local jQuery - this was resolved by changing the jQuery source to Google Ajax in the ACP. We figured the problem would be solved after that, but our users continued getting redirected when they clicked links in the discussion list. That was resolved by clearing the discussion list cache. Now we're really struggling and believe the intruders are using SQL injections to add strings of text & HTML into the notices at the top of the forum. The last time I was redirected personally was when I was trying to log into the ACP.

We're looking for a solution to what now seems to be a constant infiltration of our server. Any tips?
 
#3
Would much rather not pay an external party for malware removal. Ideally, I'm looking for a solution to help the team I work with resolve this themselves.
 

wang

Well-known member
#4
Seeing that this hack was originated through WP, I think it would be better if you asked at their support forums.
 

rainmotorsports

Well-known member
#5
Attacks like this are not usually continuous; it's one and done. Chances are they exploited WordPress and screwed with your server configuration. I would take a backup of the database, collect all your files for XenForo and all the plugins you are running, and install just that on a clean server. I would certainly check any .htaccess files or, if you're running nginx, the main configs. If WordPress is the attack vector you should at least disable it for now. Chances are you're going to have better luck paying a service to find the problem and prevent future ones than finding it yourself.
 

Robust

Well-known member
#6
Always update WordPress. If your site is big enough, don't use WordPress. A general HTML site is fine, if you need PHP then get a custom site made. WordPress is so exploited, and it's olden software with old code standards with new features added here and there. Always keep it up to date if you absolutely must use it.

Would much rather not pay an external party for malware removal. Ideally, I'm looking for a solution to help the team I work with resolve this themselves.
If updating it doesn't fix it, I don't recommend you try to 'solve it yourself' if you lack knowledge in this sector - an experienced team or individual will do a much better job and knows what to look for. Visible symptoms aren't the only symptoms. Just because it isn't doing anything you see doesn't mean it's completely gone.
 
#9
Question: Are you sure it is a SQL injection? If yes, how were you able to determine it was a SQL Injection?
I'm not entirely convinced myself but our server guy reckons so. There were snippets of code appearing in the notices table with no trace in XF admin logs. We went with Sucuri in the end who found a few infected PHP files in our XF install and a few holes in WordPress. Thanks for the recommendation, @Mouth - very helpful!
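As an added example (not code from this thread, from XenForo or from Sucuri), here is a small Python audit script that checks the two places the thread points at, the notice table contents and .htaccess, for injected script/frame markup and rewrite rules that send visitors off-site. The sample rows, the .htaccess text and the example-bad.invalid host are constructed; own_hosts is an assumption you would set to your own domains.

```python
import re

# Constructed sample rows standing in for the XenForo notice table (not real site data).
SAMPLE_NOTICES = [
    {"notice_id": 1, "title": "Welcome", "message": "<p>Welcome to the forum!</p>"},
    {"notice_id": 2, "title": "Rules", "message": '<p>Read the <a href="/help/rules">rules</a>.</p>'},
    {"notice_id": 3, "title": "Update", "message":
        '<p>Hi</p><script>window.location="http://example-bad.invalid/go?hop=1";</script>'},
    {"notice_id": 4, "title": "Promo", "message":
        '<iframe src="http://example-bad.invalid/frame" width="1" height="1"></iframe>'},
]

# Constructed .htaccess text: XenForo-style rules plus one injected off-site redirect
# that only fires for visitors arriving from a search engine.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^(data|js|styles|install) - [NC,L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://example-bad.invalid/landing [R=302,L]
RewriteRule ^.*$ index.php [NC,L]
"""

# Markup that has no business in a forum notice: inline scripts, frames,
# meta refreshes and JavaScript location changes.
INJECTED_MARKUP = re.compile(
    r"<script\b|<iframe\b|<meta[^>]+http-equiv=[\"']?refresh|window\.location|document\.write",
    re.IGNORECASE,
)

def find_injected_notices(rows):
    """Return the ids of notices whose HTML contains script/frame/redirect markup."""
    return [r["notice_id"] for r in rows if INJECTED_MARKUP.search(r["message"])]

# Redirect/RedirectMatch/RewriteRule directives whose destination is an absolute URL;
# group 2 captures the destination host.
REDIRECT_RULE = re.compile(
    r"^\s*(?:Redirect(?:Match)?|RewriteRule)\s+(?:\S+\s+)+?(https?://([^/\s\[]+))",
    re.IGNORECASE,
)

def find_external_redirects(htaccess_text, own_hosts):
    """Return (line_no, host) for every rule that redirects to a host outside own_hosts."""
    hits = []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = REDIRECT_RULE.match(line)
        if m and m.group(2).lower() not in own_hosts:
            hits.append((line_no, m.group(2).lower()))
    return hits
```

Run the same checks against a clean backup to separate legitimate redirects from injected ones, and treat any hit as a reason to rebuild from known-good files rather than just deleting the rule.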
 

ManagerJosh

Well-known member
#10
I'm not entirely convinced myself but our server guy reckons so. There were snippets of code appearing in the notices table with no trace in XF admin logs. We went with Sucuri in the end who found a few infected PHP files in our XF install and a few holes in WordPress. Thanks for the recommendation, @Mouth - very helpful!
Out of curiosity, how did the server admin determine it was a SQL Injection? Could it be an unpatched Windows Server or IIS 7.0? Or weak username/password credentials (including service accounts)?
 
#11
I'm showing you're running a Microsoft Windows Server. Are you sure it was a result of SQL and not someone just hacking the Windows Server?
We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out :rolleyes:... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.
 

ManagerJosh

Well-known member
#12
We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out :rolleyes:... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.
I have a concern that something is overlooked here. Generally one cannot escape a SQL environment by leveraging a SQL injection to modify and add code to PHP files.

I strongly suspect something else is not being examined or looked at here - which led to the compromise of your site.
 
#14
We did try that, but unfortunately the strings they were inserting all used different phrases. I'm not entirely sure of the ins and outs of it as I'm not a database/server person myself - I just ask for help here when my boss can't figure it out :rolleyes:... Sucuri's audit showed us where all our vulnerable files were and helped us take necessary measures to protect ourselves in future.
I'm curious how they managed to change your PHP files. If you don't mind sharing, was it in WordPress or XenForo?