WordPress › Support » Possible SQL injection

yiorgos
Member
Posted 8 months ago #

There seems to be a vulnerability on the current 2.7.1 version of WP.
Someone has been injecting code in the WP database. Take a look at the screenshot below
[url=http://www.imagehosting.com/][img]http://img440.imageshack.us/img440/4403/sqlinjection.jpg[/img][/url]

I search my database and found inside this piece of code (i have replace my domain name with "mywebsite.com"):

<!--
				top.location="http://www.wpskinbase.com/?h=mywebsite.com";
				/*
			-->
							<script type="text/javascript">
				<!--
					function applyFrameKiller()
					{
						if(window.top != self)
						{
							window.top.location = "http://www.wpskinbase.com/?h=mywebsite.com&cifr=1";
						}
					}
					applyFrameKiller();
				// -->
				</script>
								<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
					<frame src="http://www.wpskinbase.com/?h=mywebsite.com&foiffs=in100fweg" >
					</frameset>
					<noframes>
					<body bgcolor="#ffffff" text="#000000">
					<a href="http://www.wpskinbase.com/?h=mywebsite.com&foiffs=in100fweg">Click here to proceed</a>.
					</body>
					</noframes>
				<!--
			*/
			-->

I deleted it once yesterday and it appeared again today.

I have noticed that many other websites have this
Any idea what it is and how to prevent it?

Thanks

yiorgos
Member
Posted 8 months ago #

This happened again today
Anyone can help?
t31os
Member
Posted 8 months ago #

Where is it being inserted (in the database - is so vague) and have you changed the database password to be safe? If not, why not?

Does you host offer logs via the CPanel, if so have you checked them to see if there is anything of help there...

One of a few things likely happened....

1. If WP has a security hole, and the code was injected via the exploit.
2. Your host has not properly secured the server.
3. You have an easy to guess passwords and the injection was done by simply accessing the account and adding the code.

First things first though, change your passwords.....

Could be a few other things, but you've given very little information to go on, so it's just about anyones best guess at the moment.
yiorgos
Member
Posted 8 months ago #

Thanks for the help. It's definitely not an easy to guess password of the style 1234. I think that if someone had the password, they'd do much more damage than just adding a piece of code which is so obvious to see.

The sql is injected in table wp-options

Any other info I can provide?
Thanks again
t31os
Member
Posted 8 months ago #

Yes but how is it being injected..

You need to check your access logs to see how the code is being inserted..

I've had several pre 2.5 SQL Injections attacks on my site already and they all get logged. Suffice to say they never work and nothing gets injected.

I would have given an example of an injection attempt but i've not got the old logs any more... (and the IPs have been blocked)

It could be something as silly as an unsecure plugin...

Heck the person(s) trying to hit my site tried an array of URLs for various plugins with known exploits... most i didn't recognise and i know i don't have, so i know they were attempts to gain access... plus it's fairly obvious when looking at the URL...

Hosts give you access logs for a reason.

Also, to be on the side of caution, whether your passwords are unique or not, change them and that's one factor ruled out... Don't just guess/assume they are secure, change them anyway, then it's ruled out as being a possible problem. Then move onto the next thing... once you rule another thing out, move to the next...

If you assume anything, you just stand to have it happen again... never assume something is secure...
wolly
Member
Posted 8 months ago #

I found many of this code in themes downloaded from many sites that offer free themes for wordpress.
Look for strange functions in header.php, footer.php and functions.php.
Delete the theme you have downloaded and choose a theme from wordpress.org or directly from the author's website.
utpalvaishnav
Member
Posted 2 months ago #

I am facing a strange problem with applyFrameKiller code. When I try to validate RSS feed of my blog RSS, it gives me the following error. I checked it on FeedValidator site at

Strange part is that, it does not happen always. For e.g. if I test it for 10 times, this may occur for 3 or 4 times.

I have checked through the database and found that the code is not placed in any of table.

---- Here is what FeedValidator Says ---
Sorry

This feed does not validate.

line 5, column 0: Undefined root element: script [help]

<script type="text/javascript">
line 35, column 9: XML parsing error: <unknown>:35:9: junk after document element [help]

</script><frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
^
In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendation.

Feeds should not be served with the "text/html" media type [help]

Source: http://utpal.net/blog/rss


<script type="text/javascript">

</script><frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://utpal.net/?fp=4iydXZvQTD3Aa8PZsHQhxow3cp8UyrG2Jh%2BLo91taJuua9DYvokTSE5EVr6LGRoO7STJBXxZPxe5ZxF%2BmJKofg%3D%3D">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
Click here to proceed.
</body>
</noframes>

Any help on this is highly appreciated.
utpalvaishnav
Member
Posted 2 months ago #

It redirects to the following:

h ttp://www 2.s earchresultsdirect.com/parking.php4?domain=utpal.net&registrar=348972....

Reply

You must log in to post.

WordPress.org

Forums

Possible SQL injection (8 posts)

Reply

About this Topic

Tags

Code is Poetry