• Resolved Jamie Gill

    (@patchgill)


    Hi There,

    I have a couple of sites which seem to be getting the same SQL injection over and over.

    First time I ran a scan and all files showed fine in Wordfence. So I updated WordPress/plugins, removed my FTP account and changed the SQL password etc., usual stuff.

    However, a week later the same thing happened: in every wp_posts table row a script is injected in the post_content column for every page/post on the site, which triggers popups. The last one was a subdomain of pvclouds/com.

    They are very light sites: a blank-theme brochure site with 4 additional plugins:

    Advanced Custom Fields PRO
    Contact Form 7
    Redirection
    Yoast SEO

    Is there anything I can do in Wordfence to help target this or stop this? It is like someone has direct access to the DB and is just injecting with a script. Not something I have come across before, especially not recurring after I have applied updates etc.

    Many Thanks
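
A check for the pattern described in the post above (a script appended to post_content in every wp_posts row), as an added example that is not part of the thread and not Wordfence code. It assumes the rows come from `SELECT ID, post_modified, post_content FROM wp_posts`, and that a direct database write leaves post_modified untouched while an edit made through WordPress updates it; the sample rows and hostnames are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def external_script_hosts(html, allowed_hosts):
    """Hosts of <script src=...> tags in html that are not in allowed_hosts."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative URLs
        if host and host.lower() not in allowed_hosts:
            hosts.add(host.lower())
    return sorted(hosts)

def snapshot(rows):
    """Map post ID -> (post_modified, SHA-256 of post_content)."""
    return {pid: (mod, hashlib.sha256(body.encode()).hexdigest())
            for pid, mod, body in rows}

def audit(baseline, rows, allowed_hosts):
    """Return {post ID: [reasons]} for rows that look modified outside WordPress."""
    findings, current = {}, snapshot(rows)
    for pid, mod, body in rows:
        reasons, old = [], baseline.get(pid)
        if old and old[1] != current[pid][1] and old[0] == mod:
            reasons.append("content changed, post_modified unchanged")
        reasons += ["external script: " + h for h in external_script_hosts(body, allowed_hosts)]
        if reasons:
            findings[pid] = reasons
    return findings

# Constructed sample rows: a clean baseline and a later read of the same table.
CLEAN = [
    (1, "2019-10-01 09:00:00", "<p>Welcome</p>"),
    (2, "2019-10-02 10:30:00", '<p>About</p><script src="/wp-includes/js/a.js"></script>'),
    (3, "2019-10-03 11:00:00", "<p>Contact</p>"),
]
INFECTED = [
    (1, "2019-10-01 09:00:00", "<p>Welcome</p><script src='//cdn.attacker.invalid/p.js'></script>"),
    (2, "2019-10-02 10:30:00", '<p>About</p><script src="/wp-includes/js/a.js"></script>'),
    (3, "2019-10-09 14:00:00", "<p>Contact us today</p>"),  # edited in wp-admin
]

if __name__ == "__main__":
    print(audit(snapshot(CLEAN), INFECTED, {"www.example.com"}))
```

Store the baseline somewhere the hosting account cannot write to, since the thread's premise is that the database itself is reachable by the attacker.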

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author WFSupport

    (@wfsupport)

    Hi

    Did you change the cPanel/hosting password as well? Is the firewall running in extended protection mode? And are all scan options checked on the Scan > Scan Options and Scheduling page?

    Tim

    Hi Jamie,
    Who is hosting your websites? I have had the same issue and mine are hosted with TSO Host on their cloud hosting. I have come across this page which suggests that it might be more to do with the hosting than the actual website https://guides.magefix.com/2019/10/repeated-sql-injection-malicious-javascript/

    I hope this helps,
    Tim

    Yup, me too. Dealing with this at the moment. After wasting days trying to clean everything up, we finally moved site to another host so keeping watch to see if it reappears.

    Get the feeling this really is a TSOHOST / cloud hosting server issue. I know they were hacked earlier this year, but we have had very little info or response from them about the impact and consequences.

    Our TSOHOST cloud server was 10.169.0.247

    HTH

    Just as a follow-up. We had a site on the tsohost cloud hosting which was repeatedly infected with a malware redirect script which was tacked on to the end of all the site pages, posts and images. Unable to find a point of entry, we installed all the various security plugins we could find and cleaned the site, but were repeatedly re-infected within a week or so.

    Did a lot more research into this and yes, it all does seem to point to tsohost having databases hacked / infected.

    As an experiment, we took an exact copy and moved the whole site to another host, leaving the original files on the TSOHOST servers as well. And sure enough, the new site continues clean, but the copy left with tsohost has again been infected……

    Hi @speedyp,

    So you’re saying the point of entry was TSOHost’s database. Unfortunately for cases like this, there’s not much Wordfence can do – as the attacker has full control of the site (short of direct FTP access).

    Dave

    This exact thing is happening to me. The site just keeps getting infected. I even got a company to look at it and clean it but they said it's the server. TSO support has said it is a legacy server/package and they are not supporting it anymore. Their solution is to move to a CPanel package or move to a new host, which is what I’m doing.

    Just to add, my TSO Host based site was hacked every other day with the redirect malware.

    It was extremely stressful; TSO were adamant that no files or database entries were being modified. I tried everything to stop the malware but it just kept coming back. I used Wordfence and Malcare. Wordfence never detected the injections, while Malcare did, but it could only clean the site and not prevent it.

    After following the advice from Magefix I migrated my site to SiteGround and my site has now been clean for months.

    https://guides.magefix.com/2019/10/repeated-sql-injection-malicious-javascript/

    Get your sites off the TSO servers. I now pay way more for SiteGround but the site is so quick and the support is exceptional, oh and no more malware……yay!

    • This reply was modified 1 year, 4 months ago by dougfatheruk.
  • The topic ‘SQL Injection’ is closed to new replies.