• Resolved Roberto Jobet

    (@robertojobet)


    Hi,

    I installed NF on a WP website a few weeks ago.

    Today I found that a Russian IP successfully performed a DB injection even though NF was protecting the website…

    Isn’t NF supposed to block DB injections?

    Best regards

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Yes it is, but only injections that are performed from a PHP script, i.e., not if someone connects directly to your DB with its credentials.
    Could you clarify some points:
    1. Do you have the Duplicator plugin installed (or similar plugins that had critical vulnerabilities during the past few months)?
    2. What did they change in the DB: post/page content, site options etc?

    Thread Starter Roberto Jobet

    (@robertojobet)

    Hi,
    Thanks for your quick reply!
    I noticed this injection during a malware scan, which found it in the website’s DB:

    Wamesjeoni
    WamesjeoniQS
    eurlsbc@xxxx.com
    xxxx
    viagra from the uk
    viagra lavitra viagra
    viagra 100mg
    – viagra softabs
    viagra uk buy
    1
    SUBMIT
    No
    39
    5.164.203.239
    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Kinza/4.8.2
    https://www.xxx.com/en/contact/
    05/05/2020
    8:29 pm

    Investigating further, I’ve found in Sucuri security plugin log file, the following entry:
    20:29
    system: Flamingo_contact status has been changed (details):
    ID: 37913, Old status: new, New status: publish, Title: eurlsbc@xxxx.com
    IP: 5.164.203.239

    This entry is related to a plugin (called Flamingo), that is installed in this website.
    So it seems that the injection came through this plugin…

    I’ve checked for any recent vulnerabilities in this plugin, but I didn’t find anything.
    I’ve contacted the plugin’s developer to investigate further…

    I’ve tried to look into the Apache web server’s log file, but I don’t find any connection from this IP address yesterday at 8:29 pm…

    How did he succeed in injecting the code into the website’s DB?!

    Thanks for any help

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    @robertojobet Please don’t post phone number, email addresses, or links when you post something like this. This is the 2nd one of these I’ve had to scrub today!

    Plugin Author nintechnet

    (@nintechnet)

    I don’t really see any issue with that. I’m not familiar with Flamingo, but its description page reads:

    This plugin stores submission data collected through contact forms, which may include the submitters’ personal information, in the database on the server that hosts the website.

    So what I see is that someone used your contact form to send spam, and Flamingo saved it to the DB. When scanning the DB, your plugin noticed the viagra-related keywords and links, and flagged them.

    Did I miss something? Does your site look hacked, or is everything as usual? Did you receive any alert or notification from NinjaFirewall?

  • The topic ‘DB injection’ is closed to new replies.