Title: itpixie's Replies | WordPress.org

---

# itpixie

## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 35 total)


 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Ultimate Security Checker] Latest Update Triggered Wordfence Malware Warning](https://wordpress.org/support/topic/latest-update-triggered-wordfence-malware-warning/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [12 years, 7 months ago](https://wordpress.org/support/topic/latest-update-triggered-wordfence-malware-warning/#post-4153171)
 * I would like to add that the suspected malicious URL Wordfence’s complaining 
   about is
 * creativebriefing[dot]com
 * A scan using Virus Total reports this site has been classified as malicious by
   at least 4 URL scanners.
 * It seems that the flagged files are referencing creativebriefing[dot]com to explain
   a certain malware infection symptom. And unfortunately the referenced site itself
   has been infected. The files themselves are harmless.
 * If you are comfortable in modifying code, simply search for “creativebriefing”
   in the flagged files and delete the references. That should fix the issue. I 
   did that and now Wordfence scan comes back clean.
 * Hope this helps.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Centrora WordPress Security™] Database Initialization and Admin Email Mapping issues](https://wordpress.org/support/topic/database-initialization-and-admin-email-mapping-issues/)
 *  Thread Starter [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [12 years, 7 months ago](https://wordpress.org/support/topic/database-initialization-and-admin-email-mapping-issues/#post-4134527)
 * Hello OSE Firewall team,
 * After trying to re-initialize the OSE Firewall database by dropping all OSE Firewall
   related tables, here’s the error I see in Firebug:
 * >  Ext.Error: You’re trying to decode an invalid JSON String: <h1>CDbException
   > </h1> <p>CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax
   > error or access violation: 1142 CREATE VIEW command denied to user ‘itpixiec_admin’@’localhost’
   > for table ‘itpx_osefirewall_aclipmap’. The SQL statement executed was: CREATE
   > VIEW `itpx_osefirewall_aclipmap` AS select `acl`.`id` AS `id`,`acl`.`name` 
   > AS `name`,`acl`.`status` AS `status`,`acl`.`datetime` AS `datetime`,`acl`.`
   > score` AS `score`,`acl`.`visits` AS `visits`, `acl`.`country_code` AS `country_code`,`
   > acl`.`host` AS `host`,`acl`.`notified` AS `notified`,`acl`.`referers_id` AS`
   > referers_id`,`acl`.`pages_id` AS `pages_id`,`ip`.`id` AS `ipid`,`ip`.`ip32_start`
   > AS `ip32_start`,`ip`.`ip32_end` AS `ip32_end`,`ip`.`iptype` AS `iptype` from(`
   > itpx_osefirewall_acl` `acl` left join `itpx_osefirewall_iptable` `ip` on((`
   > acl`.`id` = `ip`.`acl_id`))); (/home/itpixiec/public_html/wp-content/plugins/
   > ose-firewall/framework/db/CDbCommand.php:541)</p>
   >     ```
   >     #0 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/db/CDbCommand.php(376): CDbCommand->queryInternal('', 0, Array)
   >     #1 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/oseframework/db/oseDB2.php(58): CDbCommand->query()
   >     #2 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/protected/library/oseFirewallInstaller.php(100): oseDB2->query()
   >     #3 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/protected/models/DashboardModel.php(196): oseFirewallInstaller->createACLIPView('/home/itpixiec/...')
   >     #4 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/protected/models/DashboardModel.php(86): DashboardModel->createACLIPView()
   >     #5 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/protected/controllers/DashboardController.php(34): DashboardModel->actionCreateTables()
   >     #6 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/web/actions/CInlineAction.php(49): DashboardController->actionCreateTables()
   >     #7 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/web/CController.php(308): CInlineAction->runWithParams(Array)
   >     #8 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/web/CController.php(286): CController->runAction(Object(CInlineAction))
   >     #9 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/web/CController.php(265): CController->runActionWithFilters(Object(CInlineAction), Array)
   >     #10 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/web/CWebApplication.php(282): CController->run('createTables')
   >     #11 /home/itpixiec/public_html/wp-content/plugins/ose-firewall/framework/oseframework/ajax/oseAjax.php(28): CWebApplication->runController('dashboard/creat...')
   >     #12 [internal function]: oseAjax::runAction('')
   >     #13 /home/itpixiec/public_html/wp-includes/plugin.php(406): call_user_func_array('oseAjax::runAct...', Array)
   >     #14 /home/itpixiec/public_html/wp-admin/admin-ajax.php(72): do_action('wp_ajax_createT...')
   >     #15 {main}
   >     ```
   > 
 * And Admin Email mapping is still not working for me… My WP user id still doesn’t
   show up in the drop-down list, and I am unable to save any mapping even if I 
   manually type in my user id.
 * Thanks,
    itpixie
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Centrora WordPress Security™] Database Initialization and Admin Email Mapping issues](https://wordpress.org/support/topic/database-initialization-and-admin-email-mapping-issues/)
 *  Thread Starter [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [12 years, 7 months ago](https://wordpress.org/support/topic/database-initialization-and-admin-email-mapping-issues/#post-4134526)
 * Hello Helix,
 * Thank you so much for the Firebug info. One of the sites that I’m having problems
   initializing the database on has the following SQL error:
 * > <h1>CDbException</h1>
   >  <p>CDbCommand failed to execute the SQL statement: SQLSTATE[
   > HY000]: General error: 1005 Can’t create table ‘fireflys_wordpressdb.ffsd_osefirewall_acl’(
   > errno: 121). The SQL statement executed was:
   > CREATE TABLE IF NOT EXISTS `ffsd_osefirewall_acl` (
   >  `id` INT(11) NOT NULL 
   > AUTO_INCREMENT , `name` VARCHAR(300) NOT NULL , `status` TINYINT(1) NOT NULL,`
   > datetime` DATETIME NOT NULL , `score` TINYINT(3) NOT NULL , `country_code` 
   > CHAR(2) NULL DEFAULT NULL , `host` VARCHAR(300) NULL DEFAULT NULL , `notified`
   > TINYINT(1) NULL DEFAULT NULL , `referers_id` INT(11) NOT NULL , `pages_id` 
   > INT(11) NOT NULL , `visits` INT(11) NOT NULL , PRIMARY KEY (`id`) , INDEX `
   > idx1_oseacl` (`referers_id` ASC) , INDEX `idx2_oseacl` (`pages_id` ASC) , CONSTRAINT`
   > fk1_oseacl` FOREIGN KEY (`referers_id` ) REFERENCES `ffsd_osefirewall_referers`(`
   > id` ) ON UPDATE CASCADE, CONSTRAINT `fk2_oseacl` FOREIGN KEY (`pages_id` ) 
   > REFERENCES `ffsd_osefirewall_pages` (`id` ) ON UPDATE CASCADE) ENGINE = InnoDB
   > AUTO_INCREMENT = 1 DEFAULT CHARACTER SET = utf8 (/home/fireflys/public_html/
   > dealers/wp-content/plugins/ose-firewall/framework/db/CDbCommand.php:541)</p>
   >     ```
   >     #0 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/db/CDbCommand.php(376): CDbCommand->queryInternal('', 0, Array)
   >     #1 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/oseframework/db/oseDB2.php(58): CDbCommand->query()
   >     #2 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/oseframework/installer/wordpress.php(43): oseDB2->query()
   >     #3 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/protected/models/DashboardModel.php(159): oseInstaller->createTables('/home/fireflys/...')
   >     #4 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/protected/models/DashboardModel.php(56): DashboardModel->createTables()
   >     #5 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/protected/controllers/DashboardController.php(34): DashboardModel->actionCreateTables()
   >     #6 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/web/actions/CInlineAction.php(49): DashboardController->actionCreateTables()
   >     #7 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/web/CController.php(308): CInlineAction->runWithParams(Array)
   >     #8 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/web/CController.php(286): CController->runAction(Object(CInlineAction))
   >     #9 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/web/CController.php(265): CController->runActionWithFilters(Object(CInlineAction), Array)
   >     #10 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/web/CWebApplication.php(282): CController->run('createTables')
   >     #11 /home/fireflys/public_html/dealers/wp-content/plugins/ose-firewall/framework/oseframework/ajax/oseAjax.php(28): CWebApplication->runController('dashboard/creat...')
   >     #12 [internal function]: oseAjax::runAction('')
   >     #13 /home/fireflys/public_html/dealers/wp-includes/plugin.php(406): call_user_func_array('oseAjax::runAct...', Array)
   >     #14 /home/fireflys/public_html/dealers/wp-admin/admin-ajax.php(72): do_action('wp_ajax_createT...')
   >     #15 {main}
   >     ```
   > 
 * There are 2 WordPress installs using the same database, though each has their
   own set of tables (with a different table prefix). Would that be the reason (2 
   WP installs using the same database) I’m encountering the SQL error? I had no
   problem initializing OSE Firewall database/tables on the 1st WP install.
 * My other question is:
    Is there a way to force database initialization again,
   other than deleting the existing OSE Firewall tables?
 * Thanks,
    itpixie
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Centrora WordPress Security™] Updated to 2.0.2, getting fatal PHP error on site](https://wordpress.org/support/topic/updated-to-202-getting-fatal-php-error-on-site/)
 *  Thread Starter [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/updated-to-202-getting-fatal-php-error-on-site/#post-4115404)
 * Hello Helix,
 * Thank you so much for the update and all the information. I apologize for not
   being able to provide the info you asked for in time.
 * After making some adjustments to my PHP environment, I was able to use the most
   updated version of OSE Firewall without any issue.
 * I do have 1 additional question:
    As I was initializing the database for the 
   first time, the process stopped/got stuck (or so it seems) half way through. 
   As I closed the pop-up window and the page refreshed, it said everything was 
   ready to do. How can I tell that all the database tables got created and initialized
   correctly? Or is there a way for me to re-initialize everything?
 * Thank you so much again for all your and your team’s help!
 * itpixie
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown logged in successfully as "systemwpadmin"](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/#post-3218572)
 * So it looks like GoDaddy has not really solved the issue on their end like they
   told me.
 * I still have not been able to get GoDaddy to provide any more info in regards
   to what exploit(s) (they think) was used to hack the site. I definitely think
   those of you who are hosted on GoDaddy should contact them to let them know about
   the issue.
 * In the meanwhile, here are some things that I think helped lock down the site,
   besides the usual WP clean up ([http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)):
    1. updated the salt values in wp-config.php
    2. updated my WP database password
    3. got rid of any unused themes and plugins — I suspect some kind of user creation
       script might have been added there in my case
    4. I use Wordfence to get alerted when admin level users login so I can better 
       monitor who’s accessing the site. It also helps scan for malicious stuff.
    5. Ultimate Security Checker scans for malicious stuff in posts and comments too,
       if you need a scanner for that.
    6. If you still have the default WP user “admin”, delete that ASAP. If that’s your
       username, set up a new admin user with a new username for yourself and delete
       the “admin” username
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[IDB Ecommerce (wpStoreCart 5)] Version 3.0.8 Update Error – File Not Found](https://wordpress.org/support/topic/version-308-update-error-file-not-found/)
 *  Thread Starter [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/version-308-update-error-file-not-found/#post-3239477)
 * Hi jquindlen, just want to verify that I was able to update to 3.0.12.
 * Thank you so much for all your help!
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown logged in successfully as "systemwpadmin"](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/#post-3218563)
 * Ugh! WP removed the YouTube link and the exploit info link that I included…
 * **For the video:**
    [http://www.youtube.com/watch?v=eQxHtW9_6fE](http://www.youtube.com/watch?v=eQxHtW9_6fE)
   or Google “_I-CEH.COM – WordPress 3.3.2 ADD ADMIN Exploit { Advisory } – Disclosure
   and Demonstration_”
 * **For more info on the exploit:**
    [http://www.exploit-db.com/exploits/18791/](http://www.exploit-db.com/exploits/18791/)
   or Google “_WordPress 3.3.1 Multiple CSRF Vulnerabilities_”
 * By the way, I did hear from GoDaddy again and they gave absolutely nothing other
   than saying the site was hacked back in August via Uploadify (which I already
   know and fixed). So I’m starting to think that it might have been a server vulnerability
   on GoDaddy’s part. Or they just have no clue of how the attack happened.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Warnings after upgrade of Twenty Eleven theme to 1.5](https://wordpress.org/support/topic/warnings-after-upgrade-of-twenty-eleven-theme-to-15/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/warnings-after-upgrade-of-twenty-eleven-theme-to-15/#post-3255678)
 * Hi Mmaunder,
 * After updating to 3.5.1, I’m still getting “File Modified” warnings about the
   following plugins:
    1. Akismet — 4 different files
    2. WP Super Cache — readme.txt
    3. TimThumb Vulnerability Scanner — cg-tvs-timthumb-latest.txt
 * I know I have the latest versions of the plugins, especially Akismet, as I have
   just updated it.
 * By the way, I _LOVE_ Wordfence and thank you so much for such a wonderful security
   plugin! It’s on my _must-have_ WP security checklist!
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown user "systemwpadmin"](https://wordpress.org/support/topic/unknown-user-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/unknown-user-systemwpadmin/#post-2861195)
 * [@cgw](https://wordpress.org/support/users/cgw/) — thanks for the additional 
   info here and on the other thread. I have added an update over at the other
   thread.
 * To answer your questions, my site-in-question is on GoDaddy and no, it doesn’t
   use Artisteer.
 * Other than TimThumb, there are other “upload” scripts that can be dangerous, 
   especially if they are outdated. [Uploadify](http://itpixie.com/2012/06/wordpress-exploit-alert-uploadify-php/)
   is another one you should check your themes/plugins for.
 * wpsecure.net keeps a database of vulnerable WP themes and plugins, you might want
   to cross-reference your stuff with that list.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown logged in successfully as "systemwpadmin"](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/#post-3218562)
 * So I have been hounding GoDaddy for more information, since they told me they
   were investigating the root cause of the attack, and since the attacks (at least
   for me and StoneChopper) came from GoDaddy servers.
 * Besides confirming that the attack on my site-in-question did come from a GoDaddy
   IP, here’s the latest (most thorough) info I have gotten from them so far:
 * >  We have continued to research the root cause of this issue, however due to
   > security concerns we are unable to provide the entire results of our findings.
   > Attacks originated from compromised accounts on other shared hosting servers
   > and we have taken steps to prevent these attacks from succeeding in the future.
   > We found that in most cases a previous compromise of the account had occurred
   > in which attackers added a new WordPress administrator user named ‘systemwpadmin’
   > to the WordPress database. It does not appear to be an unpublished exploit,
   > but rather a re-visiting of previously compromised and un-cleaned accounts.
   > The ‘systemwpadmin’ user was later used to login directly to your WordPress
   > admin, modify files, and the user was then removed from the database. We have
   > placed additional security measures in place to prevent this specific attack
   > in the future. You can work to prevent this attack or similar attacks by ensuring
   > that WordPress is fully up to date as well as all themes, plugins, etc. and
   > that any vulnerable items are removed from your account rather than simply 
   > being disabled via WordPress.
 * Well, _systemwpadmin_ was able to get in after I had all the usual security
   recommendations done and then some. The only thing I can suspect is that there
   were some unused themes and plugins when the attack happened, so maybe one of
   them had exploit code. Those unused themes and plugins have since been deleted,
   and unfortunately I didn’t make copies of them before uninstalling them, so I
   can’t tell for sure if they were the culprits.
 * I have pleaded with GoDaddy for more information, especially info on the exploit(s)
   involved (if there was any). I’m also curious about what “security measures”
   they put in to prevent such attacks in the future, but I doubt they would tell
   me, especially if that would expose any vulnerability of their servers. I’ll 
   update when I hear back from them.
 * Meanwhile, I came across [this video](https://wordpress.org/support/users/itpixie/replies/?output_format=md#)
   that shows an exploit to add a new admin user. It applies to WP 3.3.2, but it
   doesn’t mean it doesn’t affect current WP version. Here’s a little more info 
   on the exploit: [link](https://wordpress.org/support/users/itpixie/replies/?output_format=md#)
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown user "systemwpadmin"](https://wordpress.org/support/topic/unknown-user-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/unknown-user-systemwpadmin/#post-2861192)
 * I’ve been researching this issue as well, and have been posting some stuff on
   this other thread:
    [http://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin](http://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin)
 * The current theory is that the attacker is able to remotely create an admin level
   user, logs into the site, does his thing (in my case, tried changing some files
   via the theme editor), then logs out and deletes himself from the database.
 * I have not completely figured out how that was being done. Someone suggested 
   that script injections via outdated Timthumb allowed some kind of user creation
   script to be added to the site. So you might want to scan your site for any file
   changes, if you haven’t done that already. Wordfence does a good job pointing
   out discrepancies between your files versus WP’s original distribution. Check
   your theme’s functions.php for suspicious stuff too.
 * A few other things I did seem to help keep the phantom user at bay:
    1. updated the salt values in wp-config.php
    2. updated my WP database password
    3. got rid of any unused themes and plugins — I suspect some kind of user creation
       script might have been added there in my case
    4. I use Wordfence to get alerted when admin level users login so I can better 
       monitor who’s accessing the site.
    5. Ultimate Security Checker scans for malicious stuff in posts and comments too,
       if you need a scanner for that.
 * Will update if I find additional information.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown logged in successfully as "systemwpadmin"](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/#post-3218555)
 * [@shane](https://wordpress.org/support/users/shane/),
 * Thanks for the pointer. I actually came across the _wp\_create\_user_ function
   while searching for code to create users remotely, but it doesn’t quite explain
   how the attacker was able to specify the numeric user ID (88888) to insert (instead
   of incrementing from existing IDs). Unless the attacker created a user first,
   then changed its number ID. But I don’t see the reason why he would do that, 
   especially since he was deleting the user after he was done anyways…
 * Nevertheless, it’s definitely a good point about Timthumb and the theme’s functions.php.
   Before I took over the management of this site-in-question, it had an outdated
   timthumb.php. After I updated it to the latest version, the attacker actually
   tried to change it (but wasn’t able to as I have other firewalls in place).
 * The theme’s functions.php is, and has always been, clean, so are the rest of 
   the core, theme and plugin files. However there were a bunch of unused themes
   and plugins, which I uninstalled. So it is very possible that some kind of user
   insert exploit code was hidden in one of those unused themes/plugins.
 * Anyways, I’ll continue to research on this. Will update if I find any additional
   info.
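
An audit for the artifacts these posts describe (an administrator account that appears, logs in and is deleted again, and the explicit user ID 88888), added here as an example that is not part of the original posts. It assumes the standard `wp_users`/`wp_usermeta` layout and runs on constructed rows in an in-memory SQLite database; the `audit_users` helper, the allow-list and the `max_gap` threshold are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows standing in for wp_users / wp_usermeta.
SAMPLE_USERS = [
    (1, "siteowner"),
    (2, "editor_anna"),
    (3, "shopmanager"),
    (4, "support_temp"),
    # A later, legitimate sign-up: its ID continues from the counter that an
    # explicit insert of ID 88888 would have pushed forward.
    (88889, "newsletter_sub"),
]
SAMPLE_USERMETA = [
    # (user_id, meta_key, meta_value); capabilities are PHP-serialized arrays.
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (88889, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    # Meta left behind when a row is removed from wp_users with a direct
    # DELETE; WordPress's own user deletion removes the meta rows as well.
    (88888, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def load_sample(prefix="wp_"):
    """Build the constructed tables in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    conn.execute(
        f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany(f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def audit_users(conn, prefix="wp_", allowlist=frozenset(), max_gap=1000):
    """Return (kind, user_id, detail) findings for the three checks below."""
    # The prefix becomes part of table names, so restrict it to safe characters.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    users, meta = f"{prefix}users", f"{prefix}usermeta"
    findings = []

    # 1. Administrators that are not on the list of accounts you expect.
    rows = conn.execute(
        f"SELECT u.ID, u.user_login FROM {users} u "
        f"JOIN {meta} m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE ? ORDER BY u.ID",
        (f"{prefix}capabilities", '%"administrator"%'),
    ).fetchall()
    for user_id, login in rows:
        if login not in allowlist:
            findings.append(("unexpected_admin", user_id, login))

    # 2. Meta rows whose user no longer exists (account deleted behind WP's back).
    rows = conn.execute(
        f"SELECT DISTINCT m.user_id FROM {meta} m "
        f"LEFT JOIN {users} u ON u.ID = m.user_id "
        "WHERE u.ID IS NULL ORDER BY m.user_id"
    ).fetchall()
    for (user_id,) in rows:
        findings.append(("orphaned_usermeta", user_id, ""))

    # 3. Large jumps in the ID sequence, as an explicitly chosen ID would cause.
    ids = [row[0] for row in conn.execute(f"SELECT ID FROM {users} ORDER BY ID")]
    for prev, cur in zip(ids, ids[1:]):
        if cur - prev > max_gap:
            findings.append(("id_jump", cur, f"previous ID {prev}"))
    return findings


if __name__ == "__main__":
    for finding in audit_users(load_sample(), allowlist={"siteowner"}):
        print(finding)
```

The three queries use only joins and `LIKE`, so they can be adapted to a MySQL copy of the site's database by changing the connection and the table prefix.
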
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Unknown logged in successfully as "systemwpadmin"](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/)
 *  [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/unknown-logged-in-successfully-as-systemwpadmin/#post-3218553)
 * Hi StoneChopper,
 * Thanks for the additional info. It sounds like you have/had your site configured
   similar to the one I’m working on (that has this issue).
 * I was talking to GoDaddy, and basically they told me what I suspected: someone
   was able to somehow add himself into the WP database, logged in and did his thing,
   then logged out and deleted himself from the database. The techs at GoDaddy suspected
   an unpublished backdoor to WP. Supposedly they are looking into the issue as 
   well, since the offending traffic came from their servers.
 * I have been researching ways to remotely add a user into the WP database but haven’t
   found anything particularly useful yet. But if you’re curious to do some research
   yourself, I think that’s a good place to start.
 * Meanwhile I have changed the WP database password (the one that’s in wp-config.php).
   If you have access to the file on the server, I would change its permission
   to 400 (readable by owner only, no write or execute access by anyone). I have
   also turned the “allow anyone to register” off, as well as blocked the offending
   IP. So far I haven’t seen additional activities. Hopefully this helps fend off
   the attacks, at least till we figure out how the attacker was able to add himself
   into the database.
 * Good luck!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[IDB Ecommerce (wpStoreCart 5)] Version 3.0.8 Update Error – File Not Found](https://wordpress.org/support/topic/version-308-update-error-file-not-found/)
 *  Thread Starter [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/version-308-update-error-file-not-found/#post-3239445)
 * Thanks for the download link.
 * I was able to download it and install the update manually. WP still complains
   that I don’t have the latest version (3.0.6 instead of 3.0.9), but I’m not too
   concerned about that since I assume you sent me to the most updated version. 
   🙂
 * Anyways, thanks and hope you figure out the WP SVN server weirdness soon. Good
   luck!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[IDB Ecommerce (wpStoreCart 5)] Version 3.0.8 Update Error – File Not Found](https://wordpress.org/support/topic/version-308-update-error-file-not-found/)
 *  Thread Starter [itpixie](https://wordpress.org/support/users/itpixie/)
 * (@itpixie)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/version-308-update-error-file-not-found/#post-3239443)
 * Just tried it… No dice. I’m still getting the File Not Found error when trying
   to download from WP directly.
 * Thanks for looking into it!
