[Plugin: WordPress Firewall 2] SQL injection attack from localhost on live server

  • egr102

    (@egr102)


    13 years, 9 months ago

    This is quite complex to explain but I keep getting injection attacks from another website by just clicking on a link. Oddly though it seems Google Chrome is the one generates it.

    To elaborate, I have this site: http://byassociationonly.com and I have this site: http://dev.byassociationonly.com/example (can’t name site as its a client site).

    Whenever I click on any of the links on http://byassociationonly.com, in Google Chrome, on my machine, none of them work and I get an injection attack.

    The notification I receive is this: http://cl.ly/image/2U111T0m2X35

    I just don’t understand this error at all, Ive never had a problem before.

    I’ve even removed the code within that page its referencing, which is from single.php, yet the problem still exists. I thought there were conflicts with my MAMP servers running locally but even if they are switched off, the problem still exists but localhost:8888 isn’t referenced at all within wp_config.

    However if I do this within Firefox, I don’t get any notifications at all and the links work fine.

    Has anybody got any ideas how to identify where the problem lies and solutions to fix?

    As requested here’s the code on the single.php page, that the error is reffering to: http://pastebin.com/QKqtLXQi

    http://ww.wp.xz.cn/extend/plugins/wordpress-firewall-2/

Viewing 12 replies - 1 through 12 (of 12 total)
  • s_ha_dum

    (@apljdi)

    13 years, 9 months ago

    Your screenshot is missing most of the really interesting information about the purported attack– (full) URL, query strings, POST values, most of the headers… Do any of those links reveal those things?

    That is Virgin Media IP in you screenshot. Is that your ISP?

    >> dig +short -x 82.25.224.201
client-82-25-224-201.glfd.adsl.virginmedia.com.

    You say that “Whenever I click on any of the links on http://byassociationonly.com, in Google Chrome, on my machine, none of them work and I get an injection attack.” Chrome does not complain when I visit http://byassociationonly.com. What happens if you log out from all sites on that server. Do you still have a problem?

    Thread Starter egr102

    (@egr102)

    13 years, 9 months ago

    Thanks for your reply @s_ha_dum, basically I tried logging in/out but still nothing happens. Although I must admit I can’t even get to the login.php screen (I keep getting redirected back to the homepage – followed by a bunch of notifications from WordPress Firewall2 saying there was an SQL injection hack).

    Yes Virgin is my ISP but no, unfortunately clicking on any of those links in the email are either dead links, links to turn email notifications off or a help page to find out more: http://matthewpavkov.com/wordpress-plugins/wordpress-attacks.html

    It seems as though its just my machine, but what could be causing this issue?

    s_ha_dum

    (@apljdi)

    13 years, 9 months ago

    I really don’t know specifically what is causing it. I am fairly sure that there is a flaw in that firewall plugin’s logic, but without knowing which filter is tripping it is hard to say. It could be a number of things.

    It could be an extension you have running in Chrome. Maybe something is sending an odd header or causing some malformed encoding issue. If that is the case, it isn’t the plugin’s fault.

    Thread Starter egr102

    (@egr102)

    13 years, 9 months ago

    Thanks for your response. I can accept if its a plugin problem but I just want to make sure that no other visitors are going to get this error and be denied access to http://byassociationonly.com. Although, its not ideal I don’t mind so much if its just me that gets the problem I was just concerned that this could be part of a wider issue.

    @s_ha_dum did you look through the pastebin code? For a second opinion, can you rule out the code being the problem? I can’t see any odd characters within this code but i’m no PHP expert.

    s_ha_dum

    (@apljdi)

    13 years, 9 months ago

    I can’t promise you that no visitors will get the error. I don’t get an error, but without knowing why you get it I can’t tell you who will or will not see that error.

    I did look through the pastebin code. I didn’t spot anything but that is also probably not where the critical code would be. The code you will have to analyze is the plugin code. And that is assuming that the plugin is the problem. That is not 100% certain at this point.

    Have you looked into your browser extensions as I suggested?

    Thread Starter egr102

    (@egr102)

    13 years, 9 months ago

    @s_ha_dum Yeah, I have disabled all extensions but still the links on http://byassociationonly.com don’t work. However, I have noticed one other strange thing, this is what I do:

    • I open Chrome go to http://byassociationonly.com click on a link, links do not work
    • Keep Chrome open, I then open Firefox as well, go to http://byassociationonly.com, click Contact (for example), link works as expected
    • I go to my already opened version of Chrome, click on Contact, link now works fine
    • Repeat for every other link and Chrome links on http://byassociationonly.com now work…and I DON’T get the SQL injection email notification…Odd

    If I close and then re-open Chrome, problem seems to disappear. I just don’t get it!

    Thread Starter egr102

    (@egr102)

    13 years, 9 months ago

    To add as well, because I don’t know if the notification is caused by a bug within the plugin I don’t want to chance disabling it because if it turns out to be my machine and it is infact a genuine problem and its NOT the plugin then the site will break for everyone and will create a whole world of problems. Not sure what to do about it to be honest.

    s_ha_dum

    (@apljdi)

    13 years, 9 months ago

    That is really strange behavior.

    You have a few errors: http://validator.w3.org/check?verbose=1&uri=http%3A%2F%2Fbyassociationonly.com%2F

    I’d clean those up. Browsers can choke on small things. And the couple that look like this <label for"details" class="visuallyhidden" id="details-… are particularly bad. (You are missing an equal sign after the “for”)

    Thread Starter egr102

    (@egr102)

    13 years, 9 months ago

    Thanks for that although the http://byassociationonly.com website has been going for well over a year now and has never had a problem…until I uploaded the dev.byassociationonly.com/example website to the dev subdomain.

    Does that not mean there could be a problem with that example website?

    s_ha_dum

    (@apljdi)

    13 years, 9 months ago

    …website has been going for well over a year now and has never had a problem.

    But browsers get updated all the time.

    Still, let’s pursue the idea that it is a configuration issue with your ‘dev’ subdomain. How did you set that up? I don’t think it would be a problem with the ‘example’ site itself since you should be loading anything from there (unless something is misconfigured).

    Thread Starter egr102

    (@egr102)

    13 years, 9 months ago

    Ive added HTML pages/sites to the dev domain and never had a problem but when I come to think of it, this is the first time I’ve put a WordPress installation on the dev domain.

    Its on MediaTemple and again this domain got setup about 9-10 months ago now. Specifically this ‘example’ WP installation is using its own database with its own login etc.

    Prior to pushing this example site live, when developing locally on localhost, my database name was ‘wp_hb’, I then exported the database to create a sql file, found all my http://localhost:8888/wp_hb URL’s and replaced them with the http://dev.byassociationonly.com/example URL. I then imported that sql file into my live DB which is called ‘db111134_example’. Would any references to the ‘wp_hb’ db within that sql file cause this problem? Conflict possibly with the standard ‘wp_’ table prefixes?

    Could my code within functions.php affect anything? Here it is: http://pastebin.com/r7Xe4bwu

    s_ha_dum

    (@apljdi)

    13 years, 9 months ago

    I then imported that sql file into my live DB which is called ‘db111134_example’.

    You don’t need to post your actual DB name. I’d remove it. That is a minor to moderate security issue.

    Would any references to the ‘wp_hb’ db within that sql file cause this problem?

    If there were references to the old table it might cause a problem.

    Conflict possibly with the standard ‘wp_’ table prefixes?

    It shouldn’t. No.

    I don’t see anything in your functions.php. That is no guarantee. Things are easy to miss.

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘[Plugin: WordPress Firewall 2] SQL injection attack from localhost on live server’ is closed to new replies.

Tags