[resolved] Google says "This site may harm your computer" (7 posts)

  1. Jerry
    Posted 7 years ago #

    I just figured i'd google my sites to see where they stand.... and omg I got the "This site may harm your computer" listed under my sites... all of them, so I began to trail through my access logs on the server. I found the following: - - [31/Jan/2009:07:51:10 -0500] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 2698 "-" "Mozilla/4.0" - - [31/Jan/2009:07:51:11 -0500] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 200 2698 "-" "Mozilla/4.0"

    This is the only entry of its type throughout the whole access log. It seems that they're trying to pass sql through the index. I'm wondering if this is a security problem and where else I should check. Furthermore all sites associate with the "Phyrax" name have the same warning, even my site on deviantart... is it a link or something??? Anyone experienced in this thing?

    System Specs:
    OS - Linux 2.6.9-023stab048.6-smp
    Version - psa v8.3.0_build83080131.20 os_CentOS 5
    Type - Virtual Private Server
    Host - 1and1 Hosting (U.S.)

    Protected dir's:

    Hosting dir's

  2. Jerry
    Posted 7 years ago #

    On a side note, I filed for a second review to all the sites, the warning was removed... I still have no idea why huge GET request though... I did double check all the user tables and changed my passwords but still have not found any adverse effects.

  3. mrmist
    Forum Janitor
    Posted 7 years ago #

    This was an issue with Google earlier today and nothing to do with WordPress or your site. (Unless it's still happening of course...)

  4. Jerry
    Posted 7 years ago #

    I figured it as much, but I still have no idea why the statements coming into the index file.

  5. mrmist
    Forum Janitor
    Posted 7 years ago #

    The requests are a hacking attempt, but WordPress should not be vunerable to that sort of hack.

  6. justinratwebtek
    Posted 7 years ago #

    I suggest you check the raw DB entry for the offending post. You may also find one line in each entry. Sometimes they don't show up in the WYSIWYG editor - look at the raw HTML of your entries.

    I'd point you to an entry on my own site, but I'm upgrading my own install right now.

  7. Jerry
    Posted 7 years ago #

    No it wasn't vulnerable but I did report the IP to the host and changed my password to be safe. However I did run the query myself in the URL as attempted by the hacker, nothing, I got a 404 with the url ending in /cat

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.