Hi,
Thanks for your quick reply!
I’ve noticed this injection during a malware scan, that found it in website’s DB:
Wamesjeoni
WamesjeoniQS
eurlsbc@xxxx.com
xxxx
viagra from the uk
viagra lavitra viagra
viagra 100mg
– viagra softabs
viagra uk buy
1
SUBMIT
No
39
5.164.203.239
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Kinza/4.8.2
https://www.xxx.com/en/contact/
05/05/2020
8:29 pm
Investigating further, I’ve found in Sucuri security plugin log file, the following entry:
20:29
system: Flamingo_contact status has been changed (details):
ID: 37913, Old status: new, New status: publish, Title: eurlsbc@xxxx.com
IP: 5.164.203.239
This entry is related to a plugin (called Flamingo), that is installed in this website.
So it seems that the injection came through this plugin…
I’ve checked for any recent vulnerability for this plugin, but I didn’t find anything.
I’ve contacted plugin’s developer to investigate further…
I’ve tried to lookup into webserver Apache’s log file, but I don’t find any connection from this IP address yesterday at 8:29 pm….
How did he succeded to inject the code into website’s DB?!
Thanks for any help