I have a client whose WordPress sites have gotten hacked twice by iframe scammers. Each time they’ve injected iframe code into the content of the sites.
This last time, today, they simply changed the siteurl in wp_options to their iframe code. The result was obvious and appeared to simply botch the paths of the scripts that rely on
<?php bloginfo(); ?>
I can’t determine if it’s a password compromise (on FTP or WordPress itself) or a SQL injection to alter siteurl. Since the only thing that was altered is siteurl, I’m thinking perhaps SQL injection.
What are your thoughts? Any way to scan a site for potential SQL injection vulnerabilities?
The only active plugins on the site are Contact Form 7 and Google XML Sitemaps.
It is extremely unlikely that a SQL injection 0-day was used in this attack. WordPress is one of the most insecure PHP projects I have ever audited, and it won a Pwnie award for being so insecure. The “WordPress hackers” are a complete joke; they rejected one of my vulnerability reports because they were unable to grasp the simple flaw, and they didn’t even bother running my exploit code. (The flaw was patched.)
Using FTP is an extremely bad idea. You are transmitting plain-text passwords and source code over the open internet in CLEAR TEXT; you must be completely insane. Use SFTP!!!! I know there is a virus (can’t remember the name…) that is spreading by sniffing network traffic looking for FTP passwords; it then logs in and modifies the .php and .html files it finds. Run an anti-virus on all machines with FTP access to the server; AVG will remove this virus.
I bet that WordPress or one of your plugins has never been updated. Vulnerabilities in plugins are commonly used to break into web applications. Check the version numbers of all installed libraries/web apps.
If you want to test your site for SQL injection, then turn on display_errors=On in your php.ini and run the Sitewatch free service* or the open source Wapiti. After you patch any vulnerabilities, re-run the scan to make sure your patches hold. Then run PhpSecInfo to lock down your PHP install. Make sure to remove all RED entries from the report.
* I am affiliated with this site/service.
Don’t forget comments. I’ve had problems with users registering and then throwing code in the comments and in their profile. Check there.
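As an added example (not code from any of the posters above), here is a small offline check for the two things raised in this thread: the question’s symptom of siteurl/home in wp_options no longer being a plain URL, and the comment and post content this answer says to look at. It assumes rows exported from wp_options, wp_posts and wp_comments; the rows below are constructed sample data, not anything from the affected site, and the expected URL is a placeholder.

```python
import re

# Constructed sample rows, shaped like WordPress's wp_options, wp_posts and
# wp_comments tables. These are made up for the example; they are not data
# from the site discussed in the question.
SAMPLE_OPTIONS = {
    "siteurl": '<iframe src="http://example.invalid/x" width=0 height=0></iframe>',
    "home": "https://www.example.org",
}
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "<p>Welcome to the site.</p>"},
    {"ID": 2, "post_content": '<p>Hello</p><iframe src="http://example.invalid/y" style="display:none"></iframe>'},
]
SAMPLE_COMMENTS = [
    {"comment_ID": 10, "comment_content": "Nice post!"},
    {"comment_ID": 11, "comment_content": '<IFRAME SRC="http://example.invalid/z" WIDTH=1 HEIGHT=1></IFRAME>'},
]

# Case-insensitive match on an iframe start tag, tolerant of whitespace after '<'.
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)
# A healthy siteurl/home value is a bare http(s) URL: no tags, quotes or whitespace.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(:\d+)?(/[^\s<>\"']*)?$")


def check_site_urls(options, expected_url):
    """Return (option_name, value) pairs for siteurl/home entries that differ from
    the expected URL or do not even look like a URL (the symptom in the question)."""
    findings = []
    for name in ("siteurl", "home"):
        value = options.get(name, "")
        if value != expected_url or not URL_RE.match(value):
            findings.append((name, value))
    return findings


def find_iframes(rows, id_field, content_field):
    """Return the ids of rows whose content contains an iframe tag."""
    return [row[id_field] for row in rows if IFRAME_RE.search(row[content_field])]


def scan(options, posts, comments, expected_url):
    """Run all checks and return one dict keyed by table."""
    return {
        "options": check_site_urls(options, expected_url),
        "posts": find_iframes(posts, "ID", "post_content"),
        "comments": find_iframes(comments, "comment_ID", "comment_content"),
    }


if __name__ == "__main__":
    # "https://www.example.org" stands in for the site's real address (placeholder).
    report = scan(SAMPLE_OPTIONS, SAMPLE_POSTS, SAMPLE_COMMENTS, "https://www.example.org")
    for table, hits in report.items():
        print(f"{table}: {hits}")
```

In practice you would feed this the rows from a database export (the table prefix may not be wp_) and, if siteurl or home is found tampered with, pin both values by defining WP_HOME and WP_SITEURL in wp-config.php, which WordPress uses in preference to the database entries, so a second edit of wp_options would not take effect.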
I think it’s a trojan horse stealing FTP passwords from the user’s PC.
As for software to test your app against SQL injection, there are plenty of answers here on SO already.
Have you tried any of the free SQL injection scanners? Nessus does it, but it’s not free anymore; there are a few free ones available. Sorry I couldn’t be any more help; I have not looked at databases in ages, and when I did it was only a cursory glance.
If the paper linked here is right, you should use NTOSpider to let it attack your site.