Title: SQL injection passes through Firewall
Last modified: May 30, 2020

---

# SQL injection passes through Firewall

 *  Resolved [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/)
 * Hello there,
 * our wp_posts table has recently been injected with the developfirstline.js redirection
   javascript hack, which we removed.
 * But apparently then, the firewall could not stop it from happening.
 * Apart from successfully blocked _<script…_ and _fromCharCode_ entries, the firewall
   log contains a lot of Base64-encoded injection entries, such as:
   `BASE64-encoded injection - [POST:d = dmFyX2R1bXAoYmFzZTY0X2RlY29kZSgnWjJkb1oydDFlVFUwTWpRek5UWT0nKSk7]-mydomain.tld`
 * We decoded some of them, and discovered one of the possible sources of the hack
   code (an IP address in the form of 198.24.166.xxx).
 * So I guess my questions are: how do we prevent this kind of attack? Is there
   a way to further enhance the security of our site?
 * Any pointers welcome.
    Thank you. Best, Larry

Viewing 11 replies - 1 through 11 (of 11 total)

 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12914167)
 * Did you enable this policy: “NinjaFirewall > Firewall Policies > Basic Policies
   > Block attempts to publish or edit a published post by users who do not have
   the right capabilities” ?
    If you didn’t, then enable it.
 * Can you send me your list of plugins and themes to contact{at}nintechnet{.}com?
   Simply enter “gwdlarry wordpress.org” in the email subject. You can use this 
   script to create the list of plugins/themes and their version: [https://nintechnet.com/share/wp-list.txt](https://nintechnet.com/share/wp-list.txt)
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12914567)
 * Thank you for your quick reply.
 * As you recommended, I just enabled the “NinjaFirewall > Firewall Policies > Basic
   Policies > Block attempts to publish or edit a published post by users who do
   not have the right capabilities”.
 * The requested list is in the mail.
 * Thank you.
    Best, Larry
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12958250)
 * Hello there,
 * so we’ve been hacked again with a similar script injection, which we removed.
   
   This time the site address (url) was also changed to the hack site.
 * So it’s the second time the firewall doesn’t catch this type of attack….
 * Any suggestions?
 * Thank you.
    Best, Larry
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12958946)
 * There are 3 possibilities:
 * 1. SQL injection: a vulnerability in a script allows them to inject their code
   into a SQL command. I would expect NinjaFirewall to either block the SQLi or
   the XSS (if there was JS code inserted), or even both. I’m not saying it’s impossible,
   just that I’m a bit skeptical.
   - Did you check your HTTP log, e.g. look for suspicious POST requests that are
     followed by 301 or 302 responses? (As soon as they modified the site URL, the
     following GET requests should return a 301 or 302 to redirect users, instead
     of the usual 200 code.)
 * 2. WordPress API: a vulnerability in a script allows them to inject their code
   via the API. If you enabled the policy to block editing of posts/pages, it should
   be blocked. Additionally, the firewall blocks any modifications to the WP settings
   such as attempts to change the site URL if you have the “Block attempts to modify
   important WordPress settings” firewall policy enabled (it is by default).
   The only way to bypass it would be to have an admin account.
   - Did you check all users and make sure they didn’t hack an admin account?
 * 3. Remote access to the DB: we’ve seen that often for the past 2 months. Hackers
   connect directly to the DB. There were some vulnerabilities lately (e.g., the Duplicator
   plugin etc.) that allowed them to steal the DB credentials by downloading or viewing
   the content of wp-config.php.
   - Did you change your DB password since the first hack?
   - Did you change your salts and keys in your wp-config.php? You can generate new
     ones here: [https://api.wordpress.org/secret-key/1.1/salt/](https://api.wordpress.org/secret-key/1.1/salt/)
   - Is your DB remotely accessible? You can try to telnet to your site on port 3306.
     For instance, here’s a test on our website nintechnet.com:

   ```
   telnet nintechnet.com 3306
   Connected to nintechnet.com.
   Escape character is '^]'.
   Connection closed by foreign host.
   ```

 * The connection is rejected (Connection closed by foreign host), hence it is not
   remotely accessible. Replace our domain with yours and test it.
 * - If it is remotely accessible, consider changing that.
   - If it isn’t, that doesn’t mean hackers cannot access it: they could use another
     script on your site/server (a DB management script such as adminer.php, phpMyAdmin
     etc.), or a vulnerability in a script that can be executed without loading WP.
     This would likely be blocked if NF runs in “Full WAF” mode, but wouldn’t if it
     runs in “WordPress WAF” mode. Which mode are you running it in?
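The HTTP-log check from point 1 above, as an added example that is not part of the original thread or of NinjaFirewall: it parses combined-format access-log lines, ignores WordPress's own loopback POSTs to wp-cron.php (the noise Larry reports in his reply), and flags any other POST that is followed within a time window by front-end GETs answered with 301/302, the trace a changed site URL leaves behind. The sample log, the server IP 10.0.0.5, the request paths and the 600-second window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample (not a real log): WordPress's own loopback wp-cron POST, normal
# traffic, then a POST from an outside client after which pages start redirecting.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2020:09:58:00 +0000] "POST /wp-cron.php?doing_wp_cron=1590832680 HTTP/1.1" 200 0 "-" "WordPress/5.4"
203.0.113.7 - - [30/May/2020:09:59:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2020:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "python-requests/2.23"
203.0.113.9 - - [30/May/2020:10:00:40 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:01:15 +0000] "GET /about/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_suspicious_posts(lines, server_ip, window_seconds=600):
    """POSTs (minus WordPress's loopback wp-cron calls) that are followed within
    window_seconds by front-end GETs answered 301/302: the pattern a changed site URL
    leaves behind. It is a heuristic, so review every hit by hand."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    hits = []
    for i, r in enumerate(records):
        if r["method"] != "POST":
            continue
        if r["ip"] == server_ip and r["path"].startswith("/wp-cron.php"):
            continue  # WP triggers wp-cron itself via a loopback POST; not an attacker
        deadline = r["ts"] + timedelta(seconds=window_seconds)
        redirects = [
            n for n in records[i + 1:]
            if n["ts"] <= deadline and n["method"] == "GET" and n["status"] in (301, 302)
            # wp-admin and wp-login redirect legitimately; only front-end URLs count
            and not n["path"].startswith(("/wp-admin", "/wp-login.php"))
        ]
        if redirects:
            hits.append({"ip": r["ip"], "path": r["path"], "time": r["ts"].isoformat(),
                         "redirects_after": len(redirects)})
    return hits
```

On a real server, feed it `open("/var/log/apache2/access.log")` and your server's own IP; on the sample it reports the single POST from 198.51.100.23 with two redirects after it.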
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12961548)
 * Thank you for your reply.
 * 1. I looked in the server log files and there are several GET requests (from
   a few days ago) that are redirected to Russian sites (.ru), but I could not see
   a suspicious POST in their vicinity. I see a lot of “POST /wp-cron.php?doing_wp_cron=”
   entries but the source is the web server address where the site is hosted.
 * 2. All the following policies are enabled:
   - Block attempts to modify important WordPress settings
   - Block user accounts creation
   - Block attempts to gain administrative privileges
   - Block attempts to publish or edit a published post by users who do not have the right capabilities

   There are 2 legitimate admins. All others have very limited capabilities.
 * 3. I changed the DB password a few moments ago.
    I changed the salts and keys
   2 weeks ago after the 1st hack. My DB is apparently not remotely accessible (
   Trying to connect… -> Connection error), and there are no DB-admin-tools available
   in the web hosting space. DB-Management is only possible from the provider’s 
   admin interface. The firewall runs in Full WAF mode.
 * Thanks again for your help.
    Best, Larry
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12963637)
 * Just a thought: As far as I know, but I could be wrong, there is no need to have
   executable JavaScript code in a post (or it could be a policy on the site that
   forbids it).
   For the redirection code to be injected in the database, there
   must be the equivalent of a statement like `"update wp_posts set post_content
   ='hfjdfhjd <script text/javascript href="xyz"></script>'"` in the data stream.
   Wouldn’t it be possible to filter it out of the data stream? This would mean
   monitoring the access to the database. Thanks.
   Best, Larry
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12964358)
 * 1. If there’s nothing in the HTTP log, that means they either access the DB remotely
   or from another hacked domain on the server.
    I just checked the list of plugins
   you sent to us and you have Duplicator installed. I’m still thinking they stole
   your DB credentials a couple of weeks ago when it was vulnerable and used them
   to hack your DB. We’ve seen that a lot of times for the past weeks. Getting remote
   access to the DB means they can bypass any security applications (WAF etc).
 * 3. If you just changed it now, that could solve the issue. I would still look
   in that direction before anything else. You mentioned you cannot connect to the
   DB, but that looks like there’s no MySQL listening on that IP. Maybe it is listening
   on another IP/host? Check the value of `DB_HOST` in your wp-config.php. If it
   is different, try to telnet to it on port 3306.
 * > “update wp_posts set post_content=’hfjdfhjd <script text/javascript href=”xyz”></script>'”
 * Hackers don’t stand a chance to inject this payload. NF will block it immediately.
   Even if you base64-encoded it, it would be detected and blocked.
   You need root access to monitor the DB. Or to use phpMyAdmin, which will show your
   requests in real time.
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12964684)
 * Thank you for your reply.
 * You were right with the db remote access, I was telnetting the wrong host.
    With
   the correct host, I see that:
 *     ```
       J                                                                                                                        5.6.26Jf.Q--9ud!Çu?zk)')6sal{mysql_native_password
   
       Verbindung zu Host verloren.
   
       C:\Users\lmg00> 
       ```
   
 * The “Verbindung zu Host verloren” message (“Lost connection to host.”) comes after
   approx. 8 seconds. So it seems the DB is not remotely accessible, or is it?
 * Thanks again.
    Best, Larry
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12966484)
 * It is.
    If they stole your DB credentials by exploiting the vulnerability in 
   Duplicator, they could access it and thus bypass the firewall or any other security
   application, even a CDN firewall. Now that you have changed the password, let’s
   wait and see.
 * If this is your own server, you can restrict access to your DB from your website
   IP only, but if this is a shared host, I’m not sure you can do anything to restrict
   it. You may ask your host.
 * Make sure also that you have scanned your site and that there’s no backdoor.
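What the two telnet tests in this thread actually show, as an added example that is not part of the original thread or of NinjaFirewall: the binary garbage ending in `5.6.26` and `mysql_native_password` is MySQL's initial handshake (Protocol::HandshakeV10), which the server sends unprompted to every TCP client that connects, so receiving it from outside the web server proves the DB port is exposed, exactly the “It is.” case above, while “Connection closed by foreign host” or a timeout means it is not reachable. `check_db_exposed` connects with a timeout and parses that greeting; `build_greeting` produces a constructed packet so the parser can be verified offline, and any host name passed in is a placeholder.

```python
import socket
import struct

CLIENT_PLUGIN_AUTH = 1 << 19  # capability flag: auth-plugin name follows the handshake

def parse_greeting(data):
    """Parse a MySQL HandshakeV10 greeting; return None if the bytes are not one."""
    if len(data) < 5:
        return None
    plen = int.from_bytes(data[:3], "little")          # 3-byte payload length, 1-byte seq id
    payload = data[4:4 + plen]
    if len(payload) < plen or payload[0] != 0x0a:      # protocol version must be 10
        return None
    version, nul, rest = payload[1:].partition(b"\x00")
    if not nul or len(rest) < 31:
        return None
    # rest: conn id(4) auth-data-1(8) filler(1) caps-lo(2) charset(1) status(2)
    #       caps-hi(2) auth-len(1) reserved(10) auth-data-2 plugin-name
    caps = struct.unpack_from("<H", rest, 13)[0] | (struct.unpack_from("<H", rest, 18)[0] << 16)
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        start = 31 + max(13, rest[20] - 8)
        plugin = rest[start:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"server_version": version.decode("ascii", "replace"), "auth_plugin": plugin}

def check_db_exposed(host, port=3306, timeout=5.0):
    """Run from a machine other than the web server. A parsed greeting means the
    database accepts remote TCP clients; None means the port is closed, filtered,
    or not speaking the MySQL protocol."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return parse_greeting(sock.recv(4096))
    except (OSError, ValueError):
        return None

def build_greeting(version=b"5.6.26", plugin=b"mysql_native_password"):
    """Constructed HandshakeV10 packet for offline testing; not captured from any real host."""
    caps = 0xf7ff | CLIENT_PLUGIN_AUTH
    payload = (bytes([0x0a]) + version + b"\x00"
               + struct.pack("<I", 1234)                 # connection id
               + b"abcdefgh" + b"\x00"                   # auth-plugin-data part 1, filler
               + struct.pack("<HBHH", caps & 0xffff, 0x21, 0x0002, caps >> 16)
               + bytes([21]) + b"\x00" * 10              # auth data length, reserved
               + b"ijklmnopqrst" + b"\x00"               # auth-plugin-data part 2 (13 bytes)
               + plugin + b"\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload
```

Use the value of `DB_HOST` from wp-config.php as the host, as suggested earlier in the thread; a non-None result is the condition to raise with the hosting provider.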
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [6 years ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12969885)
 * Thank you for your reply.
 * I will contact the hosting provider regarding the possibility of remotely accessing
   the DB and hear what he has to say…
 * Thank you.
    Best, Larry
 *  Thread Starter [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * (@gwdlarry)
 * [5 years, 12 months ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12991747)
 * Looks good now. I’ll come back to you in case I have further questions.
 * Thank you very much for your outstanding support.
    Best, Larry


The topic ‘SQL injection passes through Firewall’ is closed to new replies.


 * 11 replies
 * 2 participants
 * Last reply from: [gwdlarry](https://wordpress.org/support/users/gwdlarry/)
 * Last activity: [5 years, 12 months ago](https://wordpress.org/support/topic/sql-injection-passes-through-firewall/#post-12991747)
 * Status: resolved