Support » Fixing WordPress » Hacked by SQL injection?!

  • My personal blog, powered by WordPress 2.0.1 (latest version), was hacked today! (SQL injection, probably.) As I was watching the browser tab load my blog, a frame appeared in the sidebar and mutilated the blog design.
    This frame was added to the last category. It was loaded from this address: http:// www. ~dch/ inc/

    It was added to a lot of fields, such as the blog description in the options section and the category name too. I have been looking at it for the last four hours and still can’t understand what it is about. How do I resolve this bug? All plugins are secure!

Viewing 13 replies - 1 through 13 (of 13 total)
  • DO NOT CLICK the link in the post above. It leads to a site that tries the .wmf exploit that you should be patched against if you run Windows and you update.

    alvanweb – this has been seen before and it is not a vulnerability.
    Your theme files are very probably writable.
    Someone has let loose a script on your host’s server that looks for writable files (and WP themes are in a predictable place and could be left writable) and those links are written into the theme.

    Download the theme folder.
    Examine every part of it and clean it up
    CHMOD your theme files to 644 AT MOST
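    The check Podz describes, as an added example (not code from WordPress or from anyone in this thread): walk a theme directory, report files that are group- or world-writable, report files that already carry an injected <iframe>, and then clamp everything to 644/755. The sample theme it runs against is constructed in a temporary directory so the script works offline; a POSIX filesystem is assumed.

```python
"""Audit a WordPress theme directory for writable files and injected markup.

Added example for this thread, not code from WordPress or any plugin.
Assumes a POSIX filesystem; the sample theme below is constructed inline
so the script runs offline.
"""
import os
import stat
import tempfile

IFRAME_MARKER = b"<iframe"

# Permission bits that let anyone other than the owner write the file.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _walk_files(theme_dir):
    """Yield (absolute path, path relative to theme_dir) for every file."""
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = os.path.join(root, name)
            yield path, os.path.relpath(path, theme_dir)


def find_writable(theme_dir):
    """Return relative paths of files that are group- or world-writable."""
    return sorted(rel for path, rel in _walk_files(theme_dir)
                  if os.stat(path).st_mode & GROUP_OTHER_WRITE)


def find_injected(theme_dir, marker=IFRAME_MARKER):
    """Return relative paths of files whose bytes contain marker."""
    hits = []
    for path, rel in _walk_files(theme_dir):
        with open(path, "rb") as fh:
            if marker in fh.read():
                hits.append(rel)
    return sorted(hits)


def harden(theme_dir):
    """Set files to 0644 and directories to 0755; return number of paths changed."""
    changed = 0
    for root, dirs, files in os.walk(theme_dir):
        for name in dirs:
            path = os.path.join(root, name)
            if stat.S_IMODE(os.stat(path).st_mode) != 0o755:
                os.chmod(path, 0o755)
                changed += 1
        for name in files:
            path = os.path.join(root, name)
            if stat.S_IMODE(os.stat(path).st_mode) != 0o644:
                os.chmod(path, 0o644)
                changed += 1
    return changed


def make_sample_theme():
    """Constructed sample: a tiny theme with one world-writable, tampered file."""
    base = tempfile.mkdtemp(prefix="wp-theme-")
    os.makedirs(os.path.join(base, "images"))
    clean = os.path.join(base, "header.php")
    tampered = os.path.join(base, "sidebar.php")
    with open(clean, "wb") as fh:
        fh.write(b"<?php wp_head(); ?>\n")
    with open(tampered, "wb") as fh:
        fh.write(b"<ul><?php wp_list_cats(); ?></ul>\n"
                 b'<iframe name="poz" src="URL" width=5 height=5 style="display:none"></iframe>\n')
    os.chmod(clean, 0o644)
    os.chmod(tampered, 0o666)  # the writable file a host-wide script would find
    os.chmod(os.path.join(base, "images"), 0o777)
    return base


if __name__ == "__main__":
    theme = make_sample_theme()
    print("writable:", find_writable(theme))
    print("injected:", find_injected(theme))
    print("paths fixed:", harden(theme))
    print("writable after fix:", find_writable(theme))
```

    Run it against a copy of the downloaded theme folder first; the "injected" list tells you which files still need hand cleaning, since harden() only fixes permissions, not content.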

    Thread Starter alvanweb

    Mr Podz, thanks,
    but this HTML tag (frame) is being added to database records, not theme files!

    If it was in the db, it would affect every file.

    Put the bad theme back, post here and let us look?

    Thread Starter alvanweb

    The theme files didn’t change; it’s just in database records, such as:
    blogdescription in the wp_options table and cat_name in the wp_categories table had the frame HTML tag added.

    value in these rows: <iframe name="poz" src="URL" width=5 height=5 style="display:none">

    I shall ask the hackers…

    Is there any chance at all that your blog password could have been guessed ?

    Thread Starter alvanweb

    Let me discuss this more.
    This HTML tag was put in database rows (just in certain tables),
    like cat_name in wp_categories!
    When the wp_list_cats() function attempts to return values from the DB, this value is returned in the sidebar, because this function can’t filter HTML code!

    My problem is resolved. I removed these values and edited them again.
    But I’m still puzzled by this matter: “how did this value get entered into the DB?”
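    The clean-up alvanweb did by hand, as an added example (not WordPress code and not from anyone in the thread): scan the two columns named above, wp_options.option_value and wp_categories.cat_name, for <iframe> tags and strip them. The tables are a constructed, cut-down imitation of the real ones (only the key and text columns the thread mentions) in an in-memory SQLite database so it runs offline; against a live install you would point the same queries at MySQL, ideally after taking a backup.

```python
"""Find and strip injected <iframe> tags from WordPress option and category rows.

Added example for this thread, not code from WordPress. The tables below are
a constructed, cut-down imitation of wp_options and wp_categories (only the
columns the thread names), kept in an in-memory SQLite database.
"""
import re
import sqlite3

# Matches an <iframe ...> start tag and, if present, everything up to </iframe>.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:.*?</iframe>)?", re.IGNORECASE | re.DOTALL)

# (table, key column, text column) triples the thread reports as tampered.
# These names are a fixed list in the code, never user input, which is why
# they may be interpolated into the SQL text below.
TARGETS = [
    ("wp_options", "option_name", "option_value"),
    ("wp_categories", "cat_ID", "cat_name"),
]

# The payload quoted in the thread (URL left as the placeholder it was posted as).
PAYLOAD = '<iframe name="poz" src="URL" width=5 height=5 style="display:none">'


def build_sample_db():
    """Constructed sample data: one tampered row in each table among clean ones."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_categories (cat_ID INTEGER PRIMARY KEY, cat_name TEXT);
    """)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("blogname", "alvanweb"),
        ("blogdescription", "Just another WordPress blog" + PAYLOAD),
    ])
    conn.executemany("INSERT INTO wp_categories VALUES (?, ?)", [
        (1, "Uncategorized"),
        (2, "Security" + PAYLOAD),
    ])
    conn.commit()
    return conn


def find_injected_rows(conn):
    """Return (table, key, snippet) for every row whose text column holds an iframe."""
    hits = []
    for table, key_col, text_col in TARGETS:
        for key, text in conn.execute(f"SELECT {key_col}, {text_col} FROM {table}"):
            match = IFRAME_RE.search(text or "")
            if match:
                hits.append((table, key, match.group(0)[:40]))
    return hits


def clean_injected_rows(conn):
    """Strip iframe tags from the targeted columns; return the number of rows changed."""
    changed = 0
    for table, key_col, text_col in TARGETS:
        rows = conn.execute(f"SELECT {key_col}, {text_col} FROM {table}").fetchall()
        for key, text in rows:
            if not text or not IFRAME_RE.search(text):
                continue
            cleaned = IFRAME_RE.sub("", text)
            # The cleaned value and key travel as bound parameters, not SQL text.
            conn.execute(f"UPDATE {table} SET {text_col} = ? WHERE {key_col} = ?",
                         (cleaned, key))
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_injected_rows(db):
        print("tampered:", hit)
    print("rows cleaned:", clean_injected_rows(db))
    print("remaining:", find_injected_rows(db))
```

    Removing the tag restores the sidebar, but, as the thread goes on to say, it does not tell you how the value got there; the scan is worth re-running after a few days to see whether the rows are rewritten.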

    What plugins do you have running on your site?

    Thread Starter alvanweb

    1- Recent Links
    2- Click Counter
    3- WordPress Database Backup [default version]

    Hrm. It appears that somebody could make a malformed link in a comment that could allow SQL injection via the Click Counter plugin…

    It appears that the go.php script passes the $url variable to the wp_ozh_click_increment() function, which in turn uses it in a SQL query without doing any validation.

    Thread Starter alvanweb

    Thanks, dougal.
    In my opinion this attack relates to what you said …

    I couldn’t reproduce anything harmful, but better safe than sorry : upgrade ! 🙂

    Hmmm… You know, after further investigation, this might not have been the entry point after all.

    I didn’t bother to trace down exactly where it happens, but after including wp-blog-header.php, the $_SERVER['QUERY_STRING'] variable is escaped. So the value of the $url variable should be safe before it’s used in the db query.

    So alvanweb’s security problem is probably still there. :-/
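    The two points dougal raises, a $url value dropped straight into SQL text and the same value after escaping, side by side as an added example (not the Click Counter plugin's code: go.php's actual query is not shown in the thread, so a hypothetical "clicks" table and an UPDATE ... WHERE url = '...' statement are assumed). It runs on an in-memory SQLite database; the payload is a generic quote-breaking string, not something known to work against the plugin.

```python
"""String-built vs escaped vs parameterised click counter.

Added example for this thread, not the Click Counter plugin's code. The
'clicks' table and the UPDATE statement are assumptions standing in for the
query go.php really runs. Uses an in-memory SQLite database.
"""
import sqlite3

# Constructed payload: ends the quoted value early and makes the WHERE clause
# true for every row. Nothing on the page says this works against go.php.
MALFORMED_LINK = "' OR '1'='1"


def build_sample_db():
    """Constructed sample: three tracked links with zero hits each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clicks (url TEXT PRIMARY KEY, hits INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO clicks (url) VALUES (?)",
                     [("http://example.com/a",), ("http://example.com/b",), ("http://example.com/c",)])
    conn.commit()
    return conn


def increment_unsafe(conn, url):
    """'Uses it in a SQL query without doing any validation': the value is
    pasted into the statement text. Returns the number of rows touched."""
    cur = conn.execute(f"UPDATE clicks SET hits = hits + 1 WHERE url = '{url}'")
    conn.commit()
    return cur.rowcount


def escape_for_quotes(value):
    """Escape a value that will sit inside single quotes in SQL text.

    SQLite's literal syntax doubles the quote. MySQL reached from PHP uses
    the backslash style (addslashes / mysql_real_escape_string), which is the
    kind of escaping dougal says is applied to QUERY_STRING; the effect on a
    quote-breaking payload is the same."""
    return value.replace("'", "''")


def increment_escaped(conn, url):
    """Same string-built query, but with the value escaped first."""
    return increment_unsafe(conn, escape_for_quotes(url))


def increment_safe(conn, url):
    """Parameterised form: the value never becomes part of the SQL text,
    so no escaping decision has to be right."""
    cur = conn.execute("UPDATE clicks SET hits = hits + 1 WHERE url = ?", (url,))
    conn.commit()
    return cur.rowcount


def hit_counts(conn):
    """Return {url: hits} for every tracked link."""
    return dict(conn.execute("SELECT url, hits FROM clicks").fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    print("unsafe, real link   :", increment_unsafe(db, "http://example.com/a"), "row(s)")
    print("unsafe, malformed   :", increment_unsafe(db, MALFORMED_LINK), "row(s)")
    print("escaped, malformed  :", increment_escaped(db, MALFORMED_LINK), "row(s)")
    print("bound, malformed    :", increment_safe(db, MALFORMED_LINK), "row(s)")
    print(hit_counts(db))
```

    The escaped variant only holds up because the value is wrapped in quotes in the statement; a number spliced in unquoted gets no protection from quote escaping, which is one reason the bound-parameter form is the one to keep.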

  • The topic ‘Hacked by SQL injection?!’ is closed to new replies.