Support » Fixing WordPress » Google says “This site may harm your computer”

  • Resolved Jay

    (@phyrax)


    I just figured i’d google my sites to see where they stand…. and omg I got the “This site may harm your computer” listed under my sites… all of them, so I began to trail through my access logs on the server. I found the following:


    200.46.235.154 - - [31/Jan/2009:07:51:10 -0500] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 2698 "-" "Mozilla/4.0"
    200.46.235.154 - - [31/Jan/2009:07:51:11 -0500] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 200 2698 "-" "Mozilla/4.0"

    This is the only entry of its type throughout the whole access log. It seems that they’re trying to pass sql through the index. I’m wondering if this is a security problem and where else I should check. Furthermore all sites associate with the “Phyrax” name have the same warning, even my site on deviantart… is it a link or something??? Anyone experienced in this thing?

    System Specs:
    OS – Linux 2.6.9-023stab048.6-smp
    Version – psa v8.3.0_build83080131.20 os_CentOS 5
    Type – Virtual Private Server
    Host – 1and1 Hosting (U.S.)

    Protected dir’s:
    /usr/local/psa
    /var/lib/mysql
    /var/www/vhosts
    /var/qmail/mailnames
    /var/named/run-root

    Hosting dir’s
    /var/www/vhosts/www/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter Jay

    (@phyrax)

    On a side note, I filed for a second review to all the sites, the warning was removed… I still have no idea why huge GET request though… I did double check all the user tables and changed my passwords but still have not found any adverse effects.

    This was an issue with Google earlier today and nothing to do with WordPress or your site. (Unless it’s still happening of course…)

    Thread Starter Jay

    (@phyrax)

    I figured it as much, but I still have no idea why the statements coming into the index file.

    The requests are a hacking attempt, but WordPress should not be vunerable to that sort of hack.

    I suggest you check the raw DB entry for the offending post. You may also find one line in each entry. Sometimes they don’t show up in the WYSIWYG editor – look at the raw HTML of your entries.

    I’d point you to an entry on my own site, but I’m upgrading my own install right now.

    Thread Starter Jay

    (@phyrax)

    No it wasn’t vulnerable but I did report the IP to the host and changed my password to be safe. However I did run the query myself in the URL as attempted by the hacker, nothing, I got a 404 with the url ending in /cat

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Google says “This site may harm your computer”’ is closed to new replies.