Title: malicious javascript or SQL injection attack?
Last modified: August 19, 2016

---

# malicious javascript or SQL injection attack?

 *  [saphire2](https://wordpress.org/support/users/saphire2/)
 * (@saphire2)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/malicious-javascript-or-sql-injection-attack/)
 * Big problem tonight. Okayed a post comment and wrote a reply and **then** checked
   my Bad Behavior log, which showed that this same person had sent a Request that contained
   a malicious JavaScript or SQL injection attack. Don’t know how all this works,
   if this person first tried to get in through Bad Behavior and when that didn’t
   work, tried to get in with a blog comment, which (big groan) unfortunately did
   work. I of course deleted the comments, but I would guess it was too late. Question
   now is how do I know the difference between a javascript or SQL injection attack?
   In the Editor I can’t see anything different in my files (it’s still early: haven’t
   closed and reopened WP). So what should I do first? Would be **very** thankful
   for some help here.
 * Bad Behavior report:

   ```
   66.82.9.81
   2009-10-09 22:44:47
   Request contained a malicious JavaScript or SQL injection attack
   GET /2009/09/high-roller-holiday-spender/comment-page-1/#comment-10 HTTP/1.1
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Accept-Language: en-us,en;q=0.5
   Client-Ip: 67.44.98.124
   Connection: Keep-Alive
   Cookie: bb2_screener_=1255128284+66.82.9.81+67.44.98.124+67.44.98.124; comment_author_23b1ef4acb64bd6c8ab1aebf608dc9d2=RecycleCindy; comment_author_email_23b1ef4acb64bd6c8ab1aebf608dc9d2=cindy%40myrecycledbags.com; comment_author_url_23b1ef4acb64bd6c8ab1aebf608dc9d2=http%3A%2F%2Fwww.myrecycledbags.com
   Host: savvysavingbytes.com
   Keep-Alive: 300
   Referer: http://savvysavingbytes.com/2009/09/high-roller-holiday-spender/
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
   X-Forwarded-For: 67.44.98.124
   ```

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [alism](https://wordpress.org/support/users/alism/)
 * (@alism)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/malicious-javascript-or-sql-injection-attack/#post-1239487)
 * You’re right to be wary, but I wouldn’t get too worked up in this case. My take
   is that’s a false positive from Bad Behavior, just caused by the ‘#’ in the 
   URL request.
 * Browsers don’t normally send the # anchor as part of an http request, as the 
   whole page is downloaded regardless, and the anchor just extracted from the page
   by the browser when it’s rendered. So anything out of the ordinary gets blocked
   by Bad Behavior.
 * I don’t understand quite why the browser has sent that # in this case, but it’s
   not malicious – it’s just a page anchor appended to the URL.
 * If it were a spam comment that you’ve deleted, it might be a bot, but if it was
   an otherwise ok comment (i.e. not trying to peddle pills ‘n porn and actually related
   to the post etc), I’d probably call it legit and guess that the visitor has just
   got a bad plugin installed or some bad config that’s causing it to send anchors
   too and just wouldn’t worry about it.
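
A triage sketch for the distinction discussed in this thread, added here as an example and not taken from the thread or from Bad Behavior's code: it separates a request that is unusual only because it carries a `#` fragment from one whose path or query contains script-like or SQL-like text. The marker patterns, the function names and all sample lines except the first (which is the request line from the report above) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed marker patterns for illustration; NOT Bad Behavior's real rules.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:", re.I)
SQL_MARKERS = re.compile(
    r"\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|;\s*drop\b", re.I
)


def triage_request_line(line):
    """Classify a logged 'METHOD target HTTP/x.y' line as (verdict, detail)."""
    parts = line.split()
    if len(parts) != 3:
        return ("malformed", line)
    url = urlsplit(parts[1])
    # Decode percent-escapes so encoded markup is inspected as plain text.
    text = " ".join(
        [unquote(url.path), unquote_plus(url.query), unquote(url.fragment)]
    )
    if SCRIPT_MARKERS.search(text):
        return ("script-like", text)
    if SQL_MARKERS.search(text):
        return ("sql-like", text)
    if url.fragment:
        # Browsers normally strip the fragment before sending the request,
        # so this is an anomaly, but it carries no script or SQL content.
        return ("fragment-only", "#" + url.fragment)
    return ("clean", url.path)


SAMPLES = [
    # Request line from the Bad Behavior report in this thread.
    "GET /2009/09/high-roller-holiday-spender/comment-page-1/#comment-10 HTTP/1.1",
    # Constructed samples for contrast.
    "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /?p=1+UNION+SELECT+1 HTTP/1.1",
    "GET /about/ HTTP/1.1",
]


def triage_all(lines=SAMPLES):
    return [triage_request_line(line)[0] for line in lines]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_request_line(sample)[0], "<-", sample)
```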
 *  Thread Starter [saphire2](https://wordpress.org/support/users/saphire2/)
 * (@saphire2)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/malicious-javascript-or-sql-injection-attack/#post-1239496)
 * Thank you so much for your reply, Alism. I have been on the phone with my host
   and they so far don’t see anything wrong with my javascript.
 * They also said that no blog comment could contain anything that could harm the
   database without knowledge of my password. Do you agree with that?
 * Again, I feel way better after your knowledgeable reply.
 *  [alism](https://wordpress.org/support/users/alism/)
 * (@alism)
 * [16 years, 7 months ago](https://wordpress.org/support/topic/malicious-javascript-or-sql-injection-attack/#post-1239516)
 * Hmmmmm, any user input that’s fed into a script/program should be treated as 
   malicious at first, so I wouldn’t entirely agree with that statement, but I know
   what they’re getting at. As long as that input is validated properly and checked
   for any badness and shenanigans, it’s not a problem.
 * There’s always someone trying to hack their way in using some innovative technique
   that no-one has ever planned for happening or thought of before, so never say
   never. Based on what you’ve written above, I don’t think you’re seeing anything
   to worry about with that particular URL request though.
 * But, I see you’ve said you’re running WordPress 2.7.1. If that’s the case, you
   really should update it *asap*, as there’s been a security update since then 
   which is worth worrying about:
    [http://wordpress.org/support/topic/307660?replies=1](http://wordpress.org/support/topic/307660?replies=1)
 * G’night!
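
What "treat user input as malicious and validate it" looks like for a comment form, as an added example that is not from the thread and is not WordPress code: Python's `sqlite3` stands in for the blog's PHP/MySQL stack, and the table, function names and hostile comment text are constructed. The comment body is bound as a query parameter, so it is stored as data and never parsed as SQL, and it is HTML-escaped on output so embedded markup is displayed instead of executed.

```python
import html
import sqlite3

# Constructed comment text containing both SQL and script fragments.
HOSTILE_BODY = "nice post'); DROP TABLE comments; -- <script>alert(1)</script>"


def open_comment_store():
    """Create an in-memory database with a minimal comments table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    return db


def save_comment(db, author, body):
    """Insert a comment; '?' placeholders keep the values out of the SQL text."""
    cur = db.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    db.commit()
    return cur.lastrowid


def load_body(db, comment_id):
    """Return the stored body exactly as the database holds it."""
    row = db.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return row[0] if row else None


def render_comment(db, comment_id):
    """Return the comment as an HTML list item with all values escaped."""
    row = db.execute(
        "SELECT author, body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    if row is None:
        return ""
    author, body = (html.escape(value) for value in row)
    return f"<li><b>{author}</b>: {body}</li>"


if __name__ == "__main__":
    store = open_comment_store()
    cid = save_comment(store, "visitor", HOSTILE_BODY)
    print(render_comment(store, cid))
```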


The topic ‘malicious javascript or SQL injection attack?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [alism](https://wordpress.org/support/users/alism/)
 * Last activity: [16 years, 7 months ago](https://wordpress.org/support/topic/malicious-javascript-or-sql-injection-attack/#post-1239516)
 * Status: not resolved

