I just got a DB error and searched the IP it came from and its been reported for SQL Injection. Is there a way to test to see if they were successful?

Thanks.

Anyone have a clue?

What DB error did u get?

I changed the DB table ID but her you go. And thanks for looking at it.

Invalid SQL:
SELECT node.nodeid AS itemid,
(node.nodeleft = 1) AS isroot, node.nodeid, node.contenttypeid, node.contentid, node.url, node.parentnode, node.styleid, node.userid,
node.layoutid, node.publishdate, node.setpublish, node.issection, parent.permissionsfrom as parentpermissions,
node.permissionsfrom, node.publicpreview, node.showtitle, node.showuser, node.showpreviewonly, node.showall,
node.showupdated, node.showviewcount, node.showpublishdate, node.settingsforboth, node.includechildren, node.editshowchildren,
node.shownav, node.hidden, node.nosearch, node.nodeleft,
info.description, info.title, info.html_title, info.viewcount, info.creationdate, info.workflowdate,
info.workflowstatus, info.workflowcheckedout, info.workflowlevelid, info.associatedthreadid,
user.username, sectionorder.displayorder, thread.replycount, parentinfo.title AS parenttitle

FROM A2Ctest_cms_node AS node
INNER JOIN A2Ctest_cms_nodeinfo AS info ON info.nodeid = node.nodeid

LEFT JOIN A2Ctest_user AS user ON user.userid = node.userid
LEFT JOIN A2Ctest_thread AS thread ON thread.threadid = info.associatedthreadid
LEFT JOIN A2Ctest_cms_sectionorder AS sectionorder ON sectionorder.sectionid = 1
AND sectionorder.nodeid = node.nodeid
LEFT JOIN A2Ctest_cms_node AS parent ON parent.nodeid = node.parentnode
LEFT JOIN A2Ctest_cms_nodeinfo AS parentinfo ON parentinfo.nodeid = parent.nodeid
INNER JOIN A2Ctest_cms_node AS rootnode
ON rootnode.nodeid = 1 AND (node.nodeleft >= rootnode.nodeleft AND node.nodeleft <= rootnode.noderight) AND node.nodeleft != rootnode.nodeleft AND node.contenttypeid <> 23 AND node.new != 1 AND ( (( (node.permissionsfrom IN (-1)) OR ( node.permissionsfrom in (1,2,5,11,45,117,118,119,120,121,122,123,124,125,1 26,127,128,129,130,131,132,133,134,135,136,148,149 ,164,165,205,242,243,273,336,337,338,375,377) AND (node.parentnode IN (1,133,134,136,375,242,205,45,117,336,337,338,377) OR node.nodeid = 1) AND
node.setpublish > 0 AND node.publishdate < 1534174163 ))) OR (node.setpublish AND node.publishdate <1534174163 AND node.publicpreview > 0))AND node.hidden = 0 AND ((node.setpublish = '1' AND node.publishdate <= 1534174163 ) OR node.userid = 0)

ORDER BY node.publishdate DESC LIMIT -16, 80;

You can use these to scan for anything suspicious.

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

Did you locate anything in the apache/nginx etc log related to that attempted post in the cms for that time stamp?

Well, using PHPmyadmin I found the below items.

I'm not sure how to do the search you're referring to. And not sure how to check apache/nginx. In laymen's terms, please.

And thanks for the help.

%base64% in _searchcore_text, _pmtext, and _post

%exec% in _autosave, _cache, _cacheevent, _widgetconfig, _widgettype, _cronlog, _datastore, dbtech_dbseo_resolvedurl, iei_img, _language, _phrase, _plugin, _pmtext, _post, _postedithistory, _productcode, _searchcore_text, _searchgroup_text, _style, _template, _templatehistory, _thread, _user

I'm not sure how to do the search you're referring to.I believe (pretty sure) he gave you SQL queries you can run via ACP.

Not sure how to check in the ACP. Step by step if its not to much hassle.

Thanks

ACP>Maintenance>Execute SQL Query

One at a time, paste his queries into the manual query box and click "Continue."

You have to be a Super Admin with query running permissions as defined in includes/config.php or nothing will happen, except it will let you know you don't have permission to run queries.

I tried

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%'

This returned an error number: 1146

Did I get the query wrong?

Sorry I feel like a total noob. You would think after 12 years I would know how to do this.

He posted two, complete queries. Looks like you posted only part of the first one.

The queries are:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

And:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

Try them one at a time.

Tried that also. Im the super admin so thats not it. aLSO TRIED IN THE sql OF PHPMyAdmin. Same result

This is the complete error I get trying either one.

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'REDACTED_forum.plugin' doesn't exist

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'REDACTED_forum.template' doesn't exist

And thanks for the help I really appreciate it.

error desc: Table 'p16t2ugb_forum.plugin' doesn't existI have no idea at all why it's trying to query that table, it's not called for in either query.

Need the guy who posted the queries to chime in, I may be mistaken what exactly it is he posted there. LOOKS like queries, might not be though.

Sorry i haven't been able to help you so far.

Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?No idea. Can't be good though.

snakes was online today, maybe he will chime in.

So like I said I got the plugin query to work and got 42 results. (cant get the template one to work)

Anway

Maybe reinstall the plugins affected with overwriting enabled. That would change the code but not sure about the DB.

Thanks again.
Daniel

Well the 2 queries i gave you just pull the data from those tables, the results you can match to a default/clean install on a dev site for example.

Now if I only had a dev site. :(

Those queries will only show you results that contain the keywords outlined base64 etc

Ok I added my prefix to the query and it worked. I got 3 pages of results just for the Plugin query.

Now what?

You can try searching one at a time

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%';

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%iframe%';

What do you see with just this part of the command?
Any odd plugins that you don't remember adding?
A screenshot would help us, but really if your site was compromised, it's wise to have someone who knows what they're doing on board.