• Resolved justaniceguy

    (@justaniceguy)


    Using the latest WP version on PHP 7.4.33, with Sucuri Security and NinjaFirewall installed as protection plus additional WP hardening. A few days ago NinjaFirewall logged (not sure if they were blocked, even though it stated so) a bunch of SQL injection lines:

    17/Oct/23 10:06:46 #6249538 HIGH 257 95.181.238.15 GET /index.php – SQL injection – [GET:p = 2790//and(select+1//from//pg_sleep(0))>0//]

    17/Oct/23 10:06:50 #8362795 HIGH 287 95.181.238.15 GET /index.php – SQL injection – [GET:p = 2790//and(select+1)>0waitfor//delay'0:0:0'/**/]

    17/Oct/23 10:10:40 #7310229 CRITICAL 253 95.181.238.15 POST /index.php – SQL injection – [POST:user_login-176 = admin'and/**/extractvalue(1,concat(char(126),md5(1205677646)))and']

    And at least 100+ similar rows more.

    Yesterday, I noticed other strange lines:

    21/Oct/23 23:09:49 #3560787 UPLOAD – 95.214.27.5 POST /wp-admin/admin-ajax.php – File upload detected, no action taken – [RxRznxqz.ph$p (409 bytes)]

    21/Oct/23 23:09:49 #1046071 CRITICAL 1630 95.214.27.5 POST /wp-admin/admin-ajax.php – WP vulnerability – [REQUEST:action = wpr_addons_upload_file, File = RxRznxqz.ph$p]

    And just now Sucuri has informed me of a changed file: October 21, 2023 6:12 am wp-admin/error_log

    This is the log (6 lines in total):

    [21-Oct-2023 06:12:44 UTC] WordPress database error Duplicate key name 'quesiton_id' for query ALTER TABLE wp_watu_answer ADD INDEX quesiton_id (question_id); made by require_once('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), do_action('init'), WP_Hook->do_action, WP_Hook->apply_filters, watu_init, watu_activate

    The 5 other similar lines are for quiz_and_criteria, name, exam_id, cat_id and exam_user.

    Kindly asking for your feedback as soon as possible!

    Thank you

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Bob

    (@prasunsen)

    I don't see how any of these SQL injections are related to Watu in any way.

    The DB error is not related and not a problem. We’ll look into it to avoid filling the log, but it can’t harm anything – it’s just a wrong attempt to add a field that was already added.

    Thread Starter justaniceguy

    (@justaniceguy)

    Well, I am not that "techy" with MySQL databases and all that. I suspected a plugin vulnerability because of two things.

    Firstly, because of this and a few other similar lines: 17/Oct/23 10:05:47 #7580915 CRITICAL 259 95.181.238.15 POST /index.php – SQL injection – [POST:quiz_id = 7//and(select+1//from//pg_sleep(0))>0//] – (my domain name)

    Secondly, because within the admin error log all 6 error lines refer to this plugin.

    The thing is that I haven't been changing anything on my site, and those plugin-related errors showed up after these SQL injection lines and after "…File = RxRznxqz.ph$p…" was uploaded. That's why I suspected that the plugin had become vulnerable.

    My apologies if I made a wrong assumption, but aside from the fact that at the moment everything looks good on my site, I don't like all this "smoke", because where there is smoke there is some fire too.

    I really do appreciate your time and willingness to check why those errors appeared. If you need any extra info from me, I would be more than happy to provide additional details.

    Going to look for an additional place where I can post my case as well.

    Plugin Author Bob

    (@prasunsen)

    Thanks. The logs show injection attempts, but I see no evidence that they have succeeded.

    The plugin has been sanitized several times and reviewed several times by the WP security team. I see no reason to worry – the security plugins are alarming about attempts and many of these alarms are, to say it politely, unnecessary. For example, warning you that the error log file is changed isn’t useful at all – of course, it will be changed when any error happens – that is the purpose of the error log file.

    Thread Starter justaniceguy

    (@justaniceguy)

    OK. I have just scanned the whole site using the Ninja Scanner plugin and it also does not find anything suspicious. My biggest fear was the upload of that RxRznxqz.ph$p file, because the log description generally states that it shows "blocked attempts/events unless stated otherwise", while next to the file upload event it says "no action taken". That makes it unclear to me whether the file was uploaded or not.

    Anyway, thank you for your responses. I am going to start a thread with the security plugin and try to clear the case with them, while marking this thread as solved.

    I wish you an easy and successful upcoming week.
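The NinjaFirewall log lines quoted in this thread, parsed as an added example (not code from the thread, NinjaFirewall or Watu): it pulls the fields apart, separates upload events the firewall merely logged ("no action taken") from blocked ones, flags PHP-looking upload names that need checking on disk, and counts injection alerts per source IP. The field order and separator are assumed from the quoted lines; the sample lines are constructed copies of them.

```python
import re
from collections import Counter

# Sample lines constructed to match the NinjaFirewall format quoted in the thread
# (the IDs, IPs and filename are copied from those posts, not from a live site).
SAMPLE_LOG = """\
17/Oct/23 10:06:46 #6249538 HIGH 257 95.181.238.15 GET /index.php - SQL injection - [GET:p = 2790//and(select+1//from//pg_sleep(0))>0//]
17/Oct/23 10:10:40 #7310229 CRITICAL 253 95.181.238.15 POST /index.php - SQL injection - [POST:user_login-176 = admin'and/**/extractvalue(1,concat(char(126),md5(1205677646)))and']
21/Oct/23 23:09:49 #3560787 UPLOAD - 95.214.27.5 POST /wp-admin/admin-ajax.php - File upload detected, no action taken - [RxRznxqz.ph$p (409 bytes)]
21/Oct/23 23:09:49 #1046071 CRITICAL 1630 95.214.27.5 POST /wp-admin/admin-ajax.php - WP vulnerability - [REQUEST:action = wpr_addons_upload_file, File = RxRznxqz.ph$p]
"""

# Field order assumed from the quoted lines: date time #id LEVEL code IP METHOD path - description - [detail].
# The separator is accepted as "-" or the en dash the forum rendering shows.
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+) #(?P<id>\d+) (?P<level>\S+) (?P<code>\S+) (?P<ip>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) [-\u2013] (?P<desc>.*?) [-\u2013] \[(?P<detail>.*)\]$"
)

def parse_log(text):
    """Turn each recognisable log line into a dict of named fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def unblocked_uploads(events):
    """Upload events the firewall only logged. The log lists blocked events
    unless stated otherwise, so "no action taken" means the request reached
    WordPress and the file has to be looked for on disk, not assumed gone."""
    return [e for e in events
            if e["level"] == "UPLOAD" and "no action taken" in e["desc"].lower()]

def upload_names_to_check(events):
    """Filenames of unblocked uploads that look like PHP (including a stray
    character inside the extension, as in the thread's .ph$p file)."""
    php_like = re.compile(r"\.ph\W?p\b", re.IGNORECASE)
    names = [e["detail"].split(" (")[0] for e in unblocked_uploads(events)]
    return [n for n in names if php_like.search(n)]

def injection_attempts_by_ip(events):
    """Count SQL injection alerts per source IP, to see whether the noise
    comes from one scanner or from many hosts."""
    return Counter(e["ip"] for e in events if e["desc"] == "SQL injection")
```

Any name returned by upload_names_to_check is a file to search for under wp-content/uploads and the plugin directories, not something the firewall can be assumed to have discarded.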

    Plugin Author Bob

    (@prasunsen)

    Thank you!

  • The topic ‘URGENT – plugin compromised ???’ is closed to new replies.