WordPress Simple Firewall
[resolved] Some SQL Injections Still Getting Through? (12 posts)

  1. ljmac
    Member
    Posted 2 months ago #

    Hi,

    Although this excellent and essential plug-in has certainly drastically reduced the incidence of SQL injections, it appears that some are still getting through. Here's an example from my logs - this one was timed out before it took down MySQL (hence the "MySQL server has gone away" messages), but others have taken it down in the past:

    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT option_value FROM as_options WHERE option_name = '_bbp_use_wp_editor' LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), wp_head, do_action('wp_head'), call_user_func_array, wp_print_styles, do_action('wp_print_styles'), call_user_func_array, ippy_bcq_add_scripts, get_option
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT p.id FROM as_posts AS p  WHERE p.post_date < '2013-04-08 23:12:00' AND p.post_type = 'page' AND p.post_status = 'publish'  ORDER BY p.post_date DESC LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), wp_head, do_action('wp_head'), call_user_func_array, adjacent_posts_rel_link_wp_head, adjacent_posts_rel_link, get_adjacent_post_rel_link, get_adjacent_post
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT p.id FROM as_posts AS p  WHERE p.post_date > '2013-04-08 23:12:00' AND p.post_type = 'page' AND p.post_status = 'publish'  ORDER BY p.post_date ASC LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), wp_head, do_action('wp_head'), call_user_func_array, adjacent_posts_rel_link_wp_head, adjacent_posts_rel_link, get_adjacent_post_rel_link, get_adjacent_post
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT option_value FROM as_options WHERE option_name = 'collapsArchStyle' LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), wp_head, do_action('wp_head'), call_user_func_array, collapsArch::get_head, collapsArch::set_styles, include('/plugins/collapsing-archives/collapsArchStyles.php'), get_option
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM as_terms AS t INNER JOIN as_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = 'nav_menu' AND t.term_id = 7 LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), th_header, do_action('th_header'), call_user_func_array, navbar_wrapper, th_navbar, do_action('th_navbar'), call_user_func_array, tarski_navbar, wp_nav_menu, wp_get_nav_menu_object, get_term
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM as_terms AS t INNER JOIN as_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = 'nav_menu' AND t.slug = '7' LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), th_header, do_action('th_header'), call_user_func_array, navbar_wrapper, th_navbar, do_action('th_navbar'), call_user_func_array, tarski_navbar, wp_nav_menu, wp_get_nav_menu_object, get_term_by
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM as_terms AS t INNER JOIN as_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = 'nav_menu' AND t.name = '7' LIMIT 1 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), th_header, do_action('th_header'), call_user_func_array, navbar_wrapper, th_navbar, do_action('th_navbar'), call_user_func_array, tarski_navbar, wp_nav_menu, wp_get_nav_menu_object, get_term_by
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT * FROM as_posts  WHERE (post_type = 'page' AND post_status = 'publish')  AND ( ID <> 4  AND ID <> 3 )    ORDER BY menu_order ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_header, locate_template, load_template, require_once('/themes/tarski/header.php'), th_header, do_action('th_header'), call_user_func_array, navbar_wrapper, th_navbar, do_action('th_navbar'), call_user_func_array, tarski_navbar, wp_nav_menu, call_user_func, tarski_default_navbar, wp_list_pages, get_pages
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT a.*, u.user_email, u.user_nicename, u.user_login, u.display_name  FROM as_bp_activity a LEFT JOIN as_users u ON a.user_id = u.ID WHERE a.id IN (5252) AND a.type != 'activity_comment' ORDER BY a.date_recorded DESC LIMIT 0, 20 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), the_content, apply_filters('the_content'), call_user_func_array, bp_replace_the_content, apply_filters('bp_replace_the_content'), call_user_func_array, BP_Activity_Theme_Compat->single_dummy_content, bp_buffer_template_part, bp_get_template_part, bp_locate_template, load_template, require('/plugins/buddypress/bp-templates/bp-legacy/buddypress/activity/single/home.php'), bp_has_activities, BP_Activity_Template->__construct, bp_activity_get_specific, BP_Activity_Activity::get
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT count(a.id) FROM as_bp_activity a USE INDEX (type) WHERE a.id IN (5252) AND a.type != 'activity_comment' ORDER BY a.date_recorded DESC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), the_content, apply_filters('the_content'), call_user_func_array, bp_replace_the_content, apply_filters('bp_replace_the_content'), call_user_func_array, BP_Activity_Theme_Compat->single_dummy_content, bp_buffer_template_part, bp_get_template_part, bp_locate_template, load_template, require('/plugins/buddypress/bp-templates/bp-legacy/buddypress/activity/single/home.php'), bp_has_activities, BP_Activity_Template->__construct, bp_activity_get_specific, BP_Activity_Activity::get
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT user_id, user_login, display_name, user_email, user_url, user_registered, meta_key, meta_value FROM as_users, as_usermeta WHERE as_users.ID = as_usermeta.user_id AND meta_key = 'as_capabilities' AND user_status = 0 AND(meta_value like '%featured%' or meta_value like '%featured_member%') made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, MultiWidget->widget_callback, AuthorAvatarsWidget->widget, UserList->output, UserList->get_output, UserList->get_users, UserList->get_blog_users
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT *    FROM as_links  INNER JOIN as_term_relationships AS tr ON (as_links.link_id = tr.object_id) INNER JOIN as_term_taxonomy as tt ON tt.term_taxonomy_id = tr.term_taxonomy_id WHERE 1=1 AND link_visible = 'Y'  AND ( tt.term_id = 3 ) AND taxonomy = 'link_category'    ORDER BY link_name ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, WP_Widget_MiniMeta->widget, minimeta_widget_display, call_user_func, MiniMetaWidgetParts::bookmarkscat_display, wp_list_bookmarks, get_bookmarks
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM as_terms AS t INNER JOIN as_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy IN ('category') ORDER BY t.name ASC  made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, WP_Widget_Categories->widget, wp_list_categories, get_categories, get_terms
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT as_terms.slug, as_posts.ID,
        as_posts.post_name, as_posts.post_title, as_posts.post_author,
        as_posts.post_date, YEAR(as_posts.post_date) AS 'year',
        MONTH(as_posts.post_date) AS 'month' ,
        as_posts.post_type
        FROM as_posts LEFT JOIN as_term_relationships ON as_posts.ID =
        as_term_relationships.object_id
        LEFT JOIN as_term_taxonomy ON as_term_taxonomy.term_taxonomy_id =
        as_term_relationships.term_taxonomy_id
        LEFT JOIN as_terms ON as_terms.term_id =
        as_term_taxonomy.term_id
        WHERE post_status='publish' AND as_posts.post_type='post'
        GROUP BY as_posts.ID
        ORDER BY as_posts.post_date DESC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, collapsArchWidget->widget, collapsArch, list_archives
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT DISTINCT component FROM as_bp_activity ORDER BY component ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, swa_get_base_component_scope, swa_get_recorded_components, BP_Activity_Activity::get_recorded_components
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT a.*, u.user_email, u.user_nicename, u.user_login, u.display_name  FROM as_bp_activity a LEFT JOIN as_users u ON a.user_id = u.ID WHERE a.is_spam = 0 AND a.component IN ( 'blogs' ) AND a.hide_sitewide = 0 AND a.type != 'activity_comment' ORDER BY a.date_recorded DESC LIMIT 0, 5 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, bp_has_activities, BP_Activity_Template->__construct, bp_activity_get, BP_Activity_Activity::get
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT count(a.id) FROM as_bp_activity a USE INDEX (component) WHERE a.is_spam = 0 AND a.component IN ( 'blogs' ) AND a.hide_sitewide = 0 AND a.type != 'activity_comment' ORDER BY a.date_recorded DESC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, bp_has_activities, BP_Activity_Template->__construct, bp_activity_get, BP_Activity_Activity::get
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT user_id, user_login, display_name, user_email, user_url, user_registered, meta_key, meta_value FROM as_users, as_usermeta WHERE as_users.ID = as_usermeta.user_id AND meta_key = 'as_capabilities' AND user_status = 0 AND(meta_value like '%administrator%' or meta_value like '%author%') made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, MultiWidget->widget_callback, AuthorAvatarsWidget->widget, UserList->output, UserList->get_output, UserList->get_users, UserList->get_blog_users
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM as_terms AS t INNER JOIN as_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy IN ('post_tag') AND tt.count > 0 ORDER BY tt.count DESC LIMIT 45 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, WP_Widget_Tag_Cloud->widget, wp_tag_cloud, get_terms
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM as_terms AS t INNER JOIN as_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy IN ('link_category') AND ( t.term_id = 2 ) AND tt.count > 0 ORDER BY t.name ASC  made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, WP_Widget_Links->widget, wp_list_bookmarks, get_terms
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT *    FROM as_links  INNER JOIN as_term_relationships AS tr ON (as_links.link_id = tr.object_id) INNER JOIN as_term_taxonomy as tt ON tt.term_taxonomy_id = tr.term_taxonomy_id WHERE 1=1 AND link_visible = 'Y'  AND ( tt.term_id = 2 ) AND taxonomy = 'link_category'    ORDER BY link_name ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_sidebar, locate_template, load_template, require_once('/themes/tarski/sidebar.php'), th_sidebar, do_action('th_sidebar'), call_user_func_array, tarski_sidebar, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, WP_Widget_Links->widget, wp_list_bookmarks, get_bookmarks
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT DISTINCT component FROM as_bp_activity ORDER BY component ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_footer, locate_template, load_template, require_once('/themes/tarski/footer.php'), th_fmain, do_action('th_fmain'), call_user_func_array, tarski_footer_main, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, swa_get_base_component_scope, swa_get_recorded_components, BP_Activity_Activity::get_recorded_components
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT DISTINCT component FROM as_bp_activity ORDER BY component ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_footer, locate_template, load_template, require_once('/themes/tarski/footer.php'), th_fmain, do_action('th_fmain'), call_user_func_array, tarski_footer_main, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, swa_activity_filter_links, swa_get_activity_filter_links, swa_get_base_component_scope, swa_get_recorded_components, BP_Activity_Activity::get_recorded_components
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT a.*, u.user_email, u.user_nicename, u.user_login, u.display_name  FROM as_bp_activity a LEFT JOIN as_users u ON a.user_id = u.ID WHERE a.is_spam = 0 AND a.component IN ( 'activity' ) AND a.hide_sitewide = 0 AND a.type != 'activity_comment' ORDER BY a.date_recorded DESC LIMIT 0, 5 made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_footer, locate_template, load_template, require_once('/themes/tarski/footer.php'), th_fmain, do_action('th_fmain'), call_user_func_array, tarski_footer_main, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, bp_has_activities, BP_Activity_Template->__construct, bp_activity_get, BP_Activity_Activity::get
    [06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT count(a.id) FROM as_bp_activity a USE INDEX (component) WHERE a.is_spam = 0 AND a.component IN ( 'activity' ) AND a.hide_sitewide = 0 AND a.type != 'activity_comment' ORDER BY a.date_recorded DESC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/tarski/index.php'), get_footer, locate_template, load_template, require_once('/themes/tarski/footer.php'), th_fmain, do_action('th_fmain'), call_user_func_array, tarski_footer_main, dynamic_sidebar, call_user_func_array, WP_Widget->display_callback, BP_SWA_Widget->widget, bp_swa_list_activities, bp_has_activities, BP_Activity_Template->__construct, bp_activity_get, BP_Activity_Activity::get

    Are you able to come up with a way to stop this completely?

    https://wordpress.org/plugins/wp-simple-firewall/
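The lines quoted above are WordPress debug-log database-error records. As an added example (not the poster's or the plugin's code), here is a small parser for that record format that joins multi-line queries, counts errors per minute and per originating function, and finds the earliest "gone away" timestamp, so a burst of identical lines reads as one outage rather than many attacks. The sample lines are constructed and shortened stand-ins for the ones in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Record format seen in the post:
# [dd-Mon-YYYY HH:MM:SS UTC] WordPress database error <msg> for query <SQL> made by <call chain>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<error>.+?) "
    r"for query (?P<query>.+?) made by (?P<trace>.+)$"
)

# Constructed sample log (shortened call chains; one query spans several lines)
SAMPLE_LOG = """\
[06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT option_value FROM as_options WHERE option_name = 'x' LIMIT 1 made by require('wp-blog-header.php'), wp_head, do_action('wp_head'), get_option
[06-May-2014 18:27:26 UTC] WordPress database error MySQL server has gone away for query SELECT p.id FROM as_posts AS p LIMIT 1 made by require('wp-blog-header.php'), wp_head, get_adjacent_post
[06-May-2014 18:27:27 UTC] WordPress database error MySQL server has gone away for query SELECT DISTINCT component FROM as_bp_activity made by require('wp-blog-header.php'), get_footer, BP_Activity_Activity::get_recorded_components
[06-May-2014 18:27:27 UTC] WordPress database error MySQL server has gone away for query SELECT as_terms.slug, as_posts.ID
    FROM as_posts
    WHERE post_status='publish' made by require('wp-blog-header.php'), collapsArch, list_archives
[06-May-2014 18:29:40 UTC] WordPress database error Unknown column 'foo' in 'where clause' for query SELECT 1 FROM as_posts WHERE foo = 1 made by require('wp-blog-header.php'), some_plugin_fn
"""


def iter_records(text):
    """Yield one logical record per '[timestamp]' line, folding continuation
    lines (a query printed across several lines) into the record above them."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith("["):
            if buf is not None:
                yield buf
            buf = raw
        elif buf is not None:
            buf += " " + raw.strip()
    if buf is not None:
        yield buf


def parse_line(record):
    """Split one record into timestamp, error text, query and call-chain list;
    return None for lines that are not database-error records."""
    m = LINE_RE.match(record.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S %Z")
    d["trace"] = [f.strip() for f in d["trace"].split(", ")]
    return d


def summarize(text):
    """Counters a defender wants first: which errors, in which minutes,
    raised from which innermost function."""
    records = [r for r in map(parse_line, iter_records(text)) if r]
    return {
        "records": records,
        "errors": Counter(r["error"] for r in records),
        "per_minute": Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in records),
        "origins": Counter(r["trace"][-1] for r in records),
    }


def bursts(per_minute, threshold):
    """Minutes whose record count reaches the threshold, oldest first."""
    return sorted(m for m, n in per_minute.items() if n >= threshold)


def first_outage(records, error="MySQL server has gone away"):
    """Earliest timestamp carrying the given error: the moment the DB dropped.
    Later 'gone away' lines in the same request are fallout, not new events."""
    hits = [r["ts"] for r in records if r["error"] == error]
    return min(hits) if hits else None


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["errors"].most_common(), bursts(s["per_minute"], 2), first_outage(s["records"]))
```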

  2. Paul G.
    Member
    Plugin Author

    Posted 2 months ago #

    The only way really to address it is to look for patterns that are funky and update the firewall checks.

    In this case, you have some PHP code. The injection would have failed in this case because the MySQL syntax was all over the place and would never have completed.

    However, I've decided to add an option to the firewall to block PHP include code.

    It's a first step, but it can and likely will interfere with the WordPress file editor for plugins and themes, but really, this should be disabled anyway.

    I'll update the plugin a little bit to include this extra option which is not enabled by default.

  3. Paul G.
    Member
    Plugin Author

    Posted 2 months ago #

    Done. v2.5.8 includes an option to check and block php include code.

  4. ljmac
    Member
    Posted 2 months ago #

    So fast - you guys are awesome!

    These attacks have never been successful in terms of getting anything out of my database, but the bigger ones do send my loads through the roof and make my server run out of memory, killing MySQL temporarily. It would be nice not to have to be subjected to this.

  5. Paul G.
    Member
    Plugin Author

    Posted 2 months ago #

    Happy to help! :)

    Hope this helps resolve this for you... keep me posted.

  6. ljmac
    Member
    Posted 2 months ago #

    Judging from two huge load spikes lasting 2 minutes each, it appears I have been attacked on each of the last two days, as I have been every day for a week or so now. But this time there were no PHP errors, and neither MySQL nor the server itself ran out of memory - there weren't even any dropped MySQL connections (normal traffic is cached).

    So it appears this does indeed work - I assume the load spikes are simply due to the fact that the magnitude of these attacks amounts to DoSing the server. But at least now I'm not getting PHP errors or getting MySQL knocked out.

  7. Paul G.
    Member
    Plugin Author

    Posted 2 months ago #

    Great to hear! :)
    Thanks for coming back in and letting me know how you got on.

    Cheers,
    Paul.

  8. ljmac
    Member
    Posted 2 months ago #

    Thank YOU! I already gave you a five star review months ago - all I can say is that you provide the best support experience I've had with anything WordPress related. Most of the time when I report issues I'm told that I'm doing something wrong (which I'm not), but you treat your users with respect and really fix things - fast!

  9. Paul G.
    Member
    Plugin Author

    Posted 2 months ago #

    Yea, I hear ya. I get the same style of support when I ask service providers and I can't stand it, so the last thing I want to do is pass that along.

    That kind of support just comes from the fantasy that what you've created is infallible.

    I know, without a shadow of a doubt, that what I create will have issues, but I also know I can fix them, so I gotta let users tell you what's wrong and get on it :)

    If you like our support, check out our iControlWP service and if that isn't a fit for you, any help you can do to spread the word is much appreciated :D

    Cheers!
    Paul.

  10. ljmac
    Member
    Posted 2 months ago #

    Hi Paul,

    Unfortunately it looks like I spoke too soon: today's attack did knock out the database. I could send you the logs, but they're huge (literally thousands of lines).

    Interestingly, each of these attacks seems to last exactly two minutes - I'm not sure why that is. Indeed, I'm not sure why I'm copping these attacks at all (I thought it was hackers trying to get into my database, but as you say their code is a mess). It could just be a simple DoS attack I guess, but why do that for exactly two minutes each day?

    Anyway, if there's any further info I can give you to try and block these attacks, please let me know.

  11. Paul G.
    Member
    Plugin Author

    Posted 2 months ago #

    It depends on the php that's attempted to be included.

    The current "filter" works on include(_once) and require(_once). Much more than that and you risk a lot more false positives.

    Can you zip up a portion of your logs and send it along to me?
    support ]at[ icontrolwp.com
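To illustrate the trade-off Paul describes (a check limited to include/require keeps false positives down, yet still trips on legitimate text such as a PHP tutorial pasted into the editor), here is an added example of such a request-parameter check. It is not the plugin's code: the regular expression, the URL-decoding step and the per-parameter allow-list are assumptions of this example, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed rule (not the plugin's actual one): a PHP include/require call, i.e.
# include, include_once, require or require_once followed by an opening
# parenthesis, a quoted path or a variable. The thread says the plugin checks
# exactly these four keywords and nothing broader.
PHP_INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*(?:\(|['\"]|\$)", re.IGNORECASE
)


def decode_param(value, rounds=2):
    """Undo URL encoding a bounded number of times so that an encoded
    keyword is compared in its decoded form; stops early once stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_php_includes(params):
    """Return (parameter name, matched text) for every request value that
    contains something the rule recognises as a PHP include call."""
    hits = []
    for name, value in params.items():
        for v in (value if isinstance(value, list) else [value]):
            m = PHP_INCLUDE_RE.search(decode_param(v))
            if m:
                hits.append((name, m.group(0)))
    return hits


def should_block(params, allow_params=()):
    """Firewall decision. Hits in allow-listed parameters (for instance the
    post body of an editor that legitimately carries PHP snippets) are
    ignored, which is one way to keep the narrow rule's false positives
    from breaking real editing; anything else is blocked."""
    return any(name not in allow_params for name, _ in find_php_includes(params))


# Constructed sample requests, not captured traffic
SUSPICIOUS = {"s": "require_once('config.php')"}
ENCODED = {"p": "%72equire%28%27x%27%29"}            # decodes to require('x')
BENIGN = {"q": "I require a refund", "r": "the requirement"}
TUTORIAL_POST = {"content": "In PHP, use require_once('vendor/autoload.php') to load Composer."}

if __name__ == "__main__":
    for req in (SUSPICIOUS, ENCODED, BENIGN, TUTORIAL_POST):
        print(find_php_includes(req), should_block(req), should_block(req, allow_params=("content",)))
```

The last sample is the false positive the thread warns about: the same rule that flags the first two requests also flags a harmless tutorial paragraph unless the editor's body parameter is allow-listed.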

  12. ljmac
    Member
    Posted 2 months ago #

    Hi Paul,

    I just sent the logs over. FYI, it's ticket 1954.
