Wordpress Injection Attack Directly into DB

Soldato | Joined 18 Oct 2003 | Posts 19,415 | Location Midlands
Hello all,

I have an annoying problem. One of my Wordpress sites keeps being infected with scripts being injected at the top of every post's content.

I'm not new to WP nor to keeping it secure. I have evaluated that core file integrity is secure, FTP is secure, file permissions are secure and user credentials are secure. This attack is placing information directly into the DB. I created a new DB and DB user and set the site up again on that, but whatever the vulnerability is, it bypasses this. The injection isn't using WP to update the post either, because the modified date of the posts isn't changing; it's targeting a specific table and column and prepending the script information.

We are using a range of 3rd party plugins (everything is up to date and widely used/official plugins) and a theme we purchased from Themeforest, which we have customised. Ultimately I think the vulnerability must exist in the theme. Does anyone have any advice for finding the hole? It's a needle in a haystack right now.

I tried Wordfence security plugin and it didn't stop it. Now I'm using Sucuri, but I don't hold out much hope for that either.

Any advice much appreciated.
 
What did you modify in the theme?

Have you done a Google search for the theme you are using and "sql injection" to see if it's a problem someone else has had?
 
Sounds like you could have a shell on your server. See if you can do a grep on your files for any of the following: exec, passthru, system, shell_exec.
 
There'll be malicious code somewhere within the site. Re-uploading everything is usually easiest. In the past it's taken me lots of time to find obscure exploits. Sometimes it's obfuscated code hidden in fake comments in the scripts, or fake image files, etc.
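An added example, not code from anyone in this thread: a small Python scanner that automates the two suggestions above (grep the webroot for exec/passthru/system/shell_exec, and look for PHP hidden in fake image files) and adds the check the original poster actually needs, a pass over post_content rows for a script or iframe element prepended to the post body. The webroot layout, file names, post rows and the extra function names (eval, base64_decode, gzinflate) are constructed assumptions for the demo; run scan_tree against a real install and feed find_injected_posts rows exported from wp_posts.

```python
import os
import re
import tempfile

# Calls the thread suggests grepping for, plus eval/base64_decode/gzinflate,
# which are common wrappers for obfuscated payloads (added here, not from the post).
SUSPICIOUS_CALLS = re.compile(
    r"\b(exec|passthru|system|shell_exec|eval|base64_decode|gzinflate)\s*\(",
    re.IGNORECASE,
)
# A PHP open tag has no business inside a file that claims to be an image.
PHP_TAG = re.compile(rb"<\?php|<\?=")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
PHP_EXT = {".php", ".phtml", ".inc"}
# Injected markup prepended to a post: first non-blank content is <script> or <iframe>.
PREPENDED_SCRIPT = re.compile(r"^\s*<(script|iframe)\b", re.IGNORECASE)


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files worth a manual look.

    Legitimate plugins do call exec()/system() occasionally, so a hit is a
    review queue entry, not proof of compromise.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXT and PHP_TAG.search(data):
                findings.append((rel, "php open tag inside image file"))
            elif ext in PHP_EXT:
                text = data.decode("utf-8", errors="replace")
                calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)})
                if calls:
                    findings.append((rel, "calls: " + ", ".join(calls)))
    return sorted(findings)


def find_injected_posts(rows):
    """rows: iterable of (post_id, post_content). Return ids whose body starts
    with a prepended <script>/<iframe>; post_modified is deliberately ignored,
    since a direct DB write leaves it untouched."""
    return [post_id for post_id, content in rows if PREPENDED_SCRIPT.match(content)]


def demo():
    """Build a constructed mini webroot and a constructed post table, run both checks."""
    rows = [  # constructed sample rows standing in for wp_posts
        (1, '<script src="https://evil.example/x.js"></script><p>Real post body</p>'),
        (2, "<p>An untouched post</p>"),
        (3, '\n  <iframe src="https://evil.example/f"></iframe><p>Another post</p>'),
        (4, "<p>Mentions a <script> tag mid-body, which this check ignores</p>"),
    ]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content/uploads"))
        samples = {  # constructed files: one clean, one suspicious, one fake image, one real image
            "index.php": "<?php\n// constructed clean file\necho 'hello';\n",
            "wp-content/helper.php": "<?php\n// constructed suspicious file\n$o = shell_exec('uptime');\neval('return 1;');\n",
            "wp-content/uploads/logo.png": b"\x89PNG\r\n\x1a\n<?php echo 'not an image'; ?>",
            "wp-content/uploads/real.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        }
        for rel, body in samples.items():
            mode = "wb" if isinstance(body, bytes) else "w"
            with open(os.path.join(root, rel), mode) as fh:
                fh.write(body)
        findings = scan_tree(root)
    return findings, find_injected_posts(rows)


if __name__ == "__main__":
    file_findings, bad_posts = demo()
    for rel, reason in file_findings:
        print(f"{rel}: {reason}")
    print("posts with prepended script/iframe:", bad_posts)
```

For the DB side, export id and post_content from wp_posts (a mysqldump or a SELECT into CSV) and pass the rows in; re-running the check on a schedule and diffing the id list gives a timestamp for when the writes happen, which is the clue the poster lacks because post_modified never moves.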
 
Well, it appears the last round of changes helped, or I tired out the bot. I didn't really change a huge amount compared to before, just a few more tweaks from the Wordpress Hardening, specifically: https://codex.wordpress.org/Hardening_WordPress#WP-Includes

Thanks for the responses all. Just in case someone finds this for future ref. My theme modifications were minimal, primarily CSS and some JS but quite safe, so I wasn't too concerned about my changes. I did contact my host as well before the problem went away and they gave me the common fixes, all of which I'd already thoroughly explored. If there was a server side problem that I inspired them to fix then :thumbsup:. I did do one of the comparison scans where your site is compared to a clean version and it didn't find anything. I'm confident my files are clean, but time will tell.
 
I still have an old WordPress-based site that I've long since abandoned which has a load of injected "helpful" stuff about it being "insecure" and needing to be updated, but I've long since stopped caring - probably should just take the site offline I guess.
 