Beware WordPress SQL Attack!
If you run a WordPress blog on your server (or are an admin for one), you need to read this.
I was watching my webserver log scroll by (yes, I do that a lot) and witnessed yet another attempted SQL injection. This time it wasn’t trying to inject anything onto my server like last time; it was trying to pull the admin password hash out of the database. Yikes!
Here is what the request looked like:
GET /stuff/index.php?cat=999 UNION SELECT null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null FROM wp_users where id=1
Several variations of this request came in very quick succession. Can you see what it’s doing?
Basically it is trying to dump your admin password hash to the screen. Whatever query the `cat` parameter feeds gets a UNION bolted onto it, and the second SELECT reads user_pass for user id 1 (the default WordPress admin account) out of wp_users. If successful, the output would look something like:
666:<password-hash-here>:666:
The evil bot/script/whatever would just look for the “666:” markers surrounding the hash and read it out. Then it would probably look up the hash in a rainbow table. If you have a weak password, it would be completely compromised.
Luckily, since I had modified my webserver’s .htaccess file after enduring the last SQL attack, this attack got a very nice “HTTP 403: SCREW YOU!” response from my server! I am re-displaying the section of the .htaccess file for your edification (I also added an entry for “outfile”, which should never appear in a legitimate HTTP request).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Each RewriteCond governs only the RewriteRule directly below it. The conditions are
# plain, case-insensitive (NC) substring matches on the raw query string, so they also
# block legitimate requests whose parameters happen to contain a keyword (a search for
# "reunion", or any URL passed as a parameter). With the F flag the substitution is
# ignored, so "-" stands in for a target. The unconditioned "RewriteRule http:" lines
# forbid any request whose path contains "http:"; a single copy would suffice.
RewriteCond %{QUERY_STRING} union [NC]
RewriteRule .* - [F,NC]
RewriteRule http: - [F,NC]
RewriteCond %{QUERY_STRING} select [NC]
RewriteRule .* - [F,NC]
RewriteRule http: - [F,NC]
RewriteCond %{QUERY_STRING} jatest [NC]
RewriteRule .* - [F,NC]
RewriteRule http: - [F,NC]
RewriteCond %{QUERY_STRING} http [NC]
RewriteRule .* - [F,NC]
RewriteRule http: - [F,NC]
RewriteCond %{QUERY_STRING} outfile [NC]
RewriteRule .* - [F,NC]
RewriteRule http: - [F,NC]
</IfModule>
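As an added example that is not part of the original post, the Python script below parses Apache combined-format log lines, URL-decodes the query string (the log stores the request as sent, with spaces as %20 or +), and flags UNION-based injection attempts such as the request above; it also shows how the plain substring rules in the .htaccess block misfire on an innocent word like “reunion”. The sample log lines, IP addresses and timestamps are constructed, not taken from any real server.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache combined log prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Matched against the URL-decoded query; \b boundaries keep "reunion" from matching.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "wp_users_ref": re.compile(r"\bwp_users\b", re.I),
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
}
# Keywords the .htaccess rules block by plain substring match on the raw query string.
HTACCESS_KEYWORDS = ("union", "select", "jatest", "http", "outfile")

def naive_keyword_match(line):
    """Mimic the .htaccess rules: any keyword as a substring of the raw query."""
    m = LOG_RE.match(line)
    if not m:
        return False
    query = urlsplit(m.group("target")).query.lower()
    return any(k in query for k in HTACCESS_KEYWORDS)

def scan_line(line):
    """Return a finding dict for an injection attempt, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # The log holds the request as sent (spaces as %20 or +), so decode before matching.
    decoded = unquote_plus(parts.query)
    hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
    if not hits:
        return None
    # Name the parameter that carried the payload (parse_qsl decodes each value itself).
    params = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if any(p.search(v) for p in SQLI_PATTERNS.values())]
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path,
            "params": params, "hits": hits, "status": int(m.group("status"))}

def scan_log(text):
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]

# Constructed sample lines; the first carries the request quoted in the post as Apache logs it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:14:02:11 +0000] "GET /stuff/index.php?cat=999%20UNION%20SELECT%20null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null%20FROM%20wp_users%20where%20id=1 HTTP/1.1" 403 215 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2009:14:05:40 +0000] "GET /stuff/index.php?cat=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:14:06:01 +0000] "GET /?s=class+reunion+photos HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""
```

Keyword filtering in .htaccess is a stopgap; the code that feeds `cat` into a query should cast it to an integer or use a prepared statement so that no UNION can be appended in the first place.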
This should also be a good reminder to always use strong passwords.
4 Responses to “Beware WordPress SQL Attack!”
Your .htaccess script works, but in WordPress it does not, especially when I edit a page/post and then save it. After I press the save button, WordPress redirects with “http”, and then the error “page not found” comes up. But the edited page/post is saved successfully.
Ah yes, you are correct. You can selectively comment out those lines (using # at the beginning of the line) while you are working with WordPress so that you don’t block yourself out.
[...] to zombies trying SQL injection attacks against your webserver.
[...] of evidence of attempts on my site, including strange hits on the WordPress XML-RPC library and an attempt to get at my admin password that at least correlated with a possible time that the site was hit. I traced the IP and put a [...]