
Hacked by SQL injection?! (14 posts)

  1. alvanweb
    Member
    Posted 8 years ago #

    My personal blog, powered by WordPress 2.0.1 (latest version), was hacked today! (SQL injection, probably.) As I was watching the browser tab loading my blog, a frame appeared in the sidebar and mutilated the blog design.
    This frame was added to the last category. It was loaded from this address: http:// www. pragma.ru/ ~dch/ inc/

    It was added to a lot of fields, such as the blog description in the options section and the category name too. I have been looking at it for the last four hours and still can't understand what it is about. How do I resolve this bug? All plugins are secure!

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    DO NOT CLICK the link in the post above. It leads to a site that tries the .wmf exploit that you should be patched against if you run Windows and you update.

    alvanweb - this has been seen before and it is not a vulnerability.
    Your theme files are very probably writable.
    Someone has let loose a script on your host's server that looks for writable files (and WP themes are in a predictable place and could be left writable) and those links are written into the theme.

    Download the theme folder.
    Examine every part of it and clean it up
    CHMOD your theme files to 644 AT MOST

  3. alvanweb
    Member
    Posted 8 years ago #

    Mr Podz, thanks,
    but this HTML tag (frame) is being added to database records, not theme files!

  4. Mark (podz)
    Support Maven
    Posted 8 years ago #

    If it was in the db, it would affect every file.

    Put the bad theme back, post here and let us look ?

  5. alvanweb
    Member
    Posted 8 years ago #

    The theme files didn't change; only database records such as
    blogdescription in the wp_options table and cat_name in the wp_categories table had the frame HTML tag added.

    value in these rows: "<iframe name="poz" src="URL" width=5 height=5 style="display:none">"

  6. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I shall ask the hackers...

  7. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Is there any chance at all that your blog password could have been guessed ?

  8. alvanweb
    Member
    Posted 8 years ago #

    Let me discuss it a bit more.
    This HTML tag was put into database rows (just in certain tables),
    like cat_name in wp_categories!
    When the wp_list_cats() function attempts to return values from the db, this value is returned in the sidebar, because this function can't filter HTML code!

    My problem is resolved. I removed these values and edited them again.
    But I've been wondering about this matter: "how did this value get into the DB?"
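    The check below is an added example and is not code from this thread or from WordPress: it audits the two tables named above (wp_options.option_value and wp_categories.cat_name) for the hidden <iframe ... style="display:none"> payload and strips it, so a cleanup like the one described can be done against the whole table rather than by eye. It uses a constructed in-memory sqlite stand-in for the WordPress 2.0 schema; against a real site you would point it at a database export.

```python
import re
import sqlite3

# Pattern for the payload seen in this thread: an <iframe> tag carrying
# style="display:none" inside a field that should hold plain text.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*style\s*=\s*[\"']?[^\"'>]*display\s*:\s*none",
    re.IGNORECASE,
)

# (table, key column, value column) to audit; table and column names are the
# WordPress 2.0 ones mentioned in the thread (constructed schema below).
AUDIT_TARGETS = [
    ("wp_options", "option_name", "option_value"),
    ("wp_categories", "cat_ID", "cat_name"),
]

def find_injected_rows(conn):
    """Return (table, key, value) for every audited row holding a hidden iframe."""
    hits = []
    for table, key_col, val_col in AUDIT_TARGETS:
        for key, value in conn.execute(f"SELECT {key_col}, {val_col} FROM {table}"):
            if value and HIDDEN_IFRAME.search(value):
                hits.append((table, key, value))
    return hits

def strip_iframes(value):
    """Remove every <iframe ...> tag (with its closing tag, if present) from a field."""
    cleaned = re.sub(r"<iframe\b[^>]*>(.*?</iframe>)?", "", value,
                     flags=re.IGNORECASE | re.DOTALL)
    return cleaned.strip()

def build_sample_db():
    """Constructed sample data mirroring the thread's description (not a real dump)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_categories (cat_ID INTEGER, cat_name TEXT);
        INSERT INTO wp_options VALUES ('blogname', 'My Blog');
        INSERT INTO wp_options VALUES ('blogdescription',
          'Just another blog<iframe name="poz" src="http://example.invalid/" width=5 height=5 style="display:none">');
        INSERT INTO wp_categories VALUES (1, 'General');
        INSERT INTO wp_categories VALUES (2, 'Links<iframe name="poz" src="http://example.invalid/" style="display:none"></iframe>');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for table, key, value in find_injected_rows(db):
        print(f"{table}[{key}]: {value!r} -> cleaned: {strip_iframes(value)!r}")
```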

  9. Dougal Campbell
    Member
    Posted 8 years ago #

    What plugins do you have running on your site?

  10. alvanweb
    Member
    Posted 8 years ago #

    1- Recent Links
    2- Click Counter
    3- WordPress Database Backup [default version]

  11. Dougal Campbell
    Member
    Posted 8 years ago #

    Hrm. It appears that somebody could make a malformed link in a comment that could allow SQL injection via the Click Counter plugin...

    It appears that the go.php script passes the $url variable to the wp_ozh_click_increment() function, which in turn uses it in a SQL query without doing any validation.

  12. alvanweb
    Member
    Posted 8 years ago #

    Thanks, Dougal.
    In my opinion this attack relates to what you said ...

  13. Ozh
    Member
    Posted 8 years ago #

    I couldn't reproduce anything harmful, but better safe than sorry: upgrade! :)

  14. Dougal Campbell
    Member
    Posted 8 years ago #

    Hmmm... You know, after further investigation, this might not have been the entry point after all.

    I didn't bother to trace down exactly where it happens, but after including wp-blog-header.php, the $_SERVER['QUERY_STRING'] variable is escaped. So the value of the $url variable should be safe before it's used in the db query.

    So alvanweb's security problem is probably still there. :-/
