
My site target of sql injection?

Discussion in 'Black Hat SEO' started by M1ndfluX, Feb 3, 2014.

  1. M1ndfluX

    M1ndfluX Senior Member

    Joined:
    Dec 23, 2009
    Messages:
    1,119
    Likes Received:
    868
    Location:
    031010
    Hey guys,


    Did some checking on one of my sites and I noticed that besides the normal URL being indexed in g, it also indexed my domain with a strange string added.

    www.mysite.com/?aff=blahblah...

    Not sure what it is and how it's done, but it's not mine and I am pretty sure it's injected.
    I did a check on the attached string in the url and other sites also have that strange string attached to it.

    What would the consequences be for me as an affiliate, and any way to remove it?


    Thanks in advance.
     
  2. fxphil

    fxphil Senior Member

    Joined:
    Jul 16, 2010
    Messages:
    1,084
    Likes Received:
    504
    What platform is it on? WordPress/Joomla etc?


    Check your htaccess file also for weird entries.
     
    • Thanks x 1
  3. M1ndfluX

    M1ndfluX Senior Member

    Joined:
    Dec 23, 2009
    Messages:
    1,119
    Likes Received:
    868
    Location:
    031010
    Hi fxphil,


    Thanks for helping me out here.

    It's a plain HTML/CSS site with no htaccess file in the root of the specific domain...
     
  4. fxphil

    fxphil Senior Member

    Joined:
    Jul 16, 2010
    Messages:
    1,084
    Likes Received:
    504
    I may have an idea to kind of reverse engineer it.

    Are certain pages being redirected like:


    site.com/homepage

    being routed to site.com/aff link?

    Also are affiliate pages actually up when you click them or are they 404?


    If they are 404 then you can deindex them.

    Next is if they are being redirected then we need to figure out which method is creating this.


    And for 100% certain are you sure it's an SQL injection?
     
    • Thanks x 1
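
The triage fxphil describes above (is the odd URL a 404, a redirect, or a live page?), written out as an added example that is not part of the original thread. The host names, the `aff=placeholder` value and the function names are constructed placeholders.

```python
import http.client
from urllib.parse import urljoin, urlsplit


def fetch(url):
    """GET url without following redirects (http.client never follows them)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
    resp = conn.getresponse()
    result = {"url": url, "status": resp.status,
              "location": resp.getheader("Location"), "body": resp.read()}
    conn.close()
    return result


def classify(canonical, suspect):
    """Compare the odd indexed URL with the known-good page and name the finding."""
    status = suspect["status"]
    if status in (404, 410):
        return "gone"  # nothing is served there: the URL can be deindexed
    if 300 <= status < 400:
        # Resolve relative Location values before comparing hosts.
        target = urljoin(suspect["url"], suspect["location"] or "")
        same_host = urlsplit(target).netloc == urlsplit(suspect["url"]).netloc
        return "redirect-same-host" if same_host else "redirect-off-site"
    if status == 200:
        # Identical bytes mean the server ignored the query string and
        # served the normal static page under a second URL.
        same = canonical["body"] == suspect["body"]
        return "same-content" if same else "content-differs"
    return "other"


# Constructed responses for offline use; replace with fetch(...) results.
PAGE = b"<html><body><iframe src='https://network.example/offer'></iframe></body></html>"
CANONICAL = {"url": "http://www.mysite.example/", "status": 200,
             "location": None, "body": PAGE}


def sample(status, location=None, body=b""):
    """Build a constructed response for the URL with the strange string."""
    return {"url": "http://www.mysite.example/?aff=placeholder",
            "status": status, "location": location, "body": body}
```

Only `redirect-off-site` and `content-differs` point at something on the server being altered; `same-content` means the extra URL exists only because something links to it.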
  5. Execute

    Execute Supreme Member

    Joined:
    Aug 30, 2010
    Messages:
    1,349
    Likes Received:
    5,017
    Location:
    United Kingdom
    Do you or your host have any recent back-ups of your site? Just saying as instead of finding the root cause and trying to fix it, just starting fresh may be a good step to save time.

    If you do then try and update anything on your site that is old, such as plugins/themes as these are usually the vulnerable entry points.
     
  6. fxphil

    fxphil Senior Member

    Joined:
    Jul 16, 2010
    Messages:
    1,084
    Likes Received:
    504
    Exec is right but you need to fix the problem as they got in before and uploading old files will probably mean the hole is open. It could be an easy fix like setting file permissions or it could be complicated and a few backdoors are set up.
     
  7. Raffy

    Raffy Regular Member

    Joined:
    Nov 30, 2012
    Messages:
    212
    Likes Received:
    613
    What CMS are you using and is it up to date? Using a "free" premium WordPress theme is the most common cause of this. Plugins are another frequent cause, either from sloppy code or intentionally through a backdoor.
     
  8. intrepid

    intrepid Regular Member

    Joined:
    Jun 27, 2011
    Messages:
    318
    Likes Received:
    47
    Exploit Scanner plugin is a good tool to check for backdoors if you're using WordPress.

    OSSEC can detect all types of malware so download it and let it scan for backdoors, base64, etc. It's free too.
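
A small web-root check along the lines suggested in this thread (odd `.htaccess` entries, base64-wrapped code), as an added example that is not part of the original posts and is not how Exploit Scanner or OSSEC are implemented. The rule names, file names and sample contents are constructed, and it assumes the site is meant to be plain HTML/CSS.

```python
import os
import re
import tempfile

# Assumption from the thread: a plain HTML/CSS site, so any server-side script is unexpected.
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")
CONTENT_RULES = [
    ("php-eval-base64", re.compile(rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)),
    ("long-base64-blob", re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]
# Rewrite directives keyed on the referer or pointing at an absolute URL need a manual look.
HTACCESS_RE = re.compile(rb"^\s*Rewrite(?:Cond|Rule)\b.*(?:HTTP_REFERER|https?://)", re.I | re.M)
MAX_BYTES = 2_000_000  # read cap per file


def scan_webroot(root):
    """Return sorted (relative_path, rule_name) pairs for a human to review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(SCRIPT_EXT):
                findings.append((rel, "script-on-static-site"))
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES)
            if name == ".htaccess" and HTACCESS_RE.search(data):
                findings.append((rel, "htaccess-rewrite"))
            findings += [(rel, rule) for rule, rx in CONTENT_RULES if rx.search(data)]
    return sorted(findings)


def demo():
    """Scan a constructed web root: a clean page, an odd .htaccess, a dropped script."""
    samples = {
        "index.html": b"<html><body><iframe src='https://network.example/offer'></iframe></body></html>",
        ".htaccess": b"RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n"
                     b"RewriteRule ^(.*)$ http://other.example/ [R=302,L]\n",
        "cache.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Hits are leads for manual review: a legitimate rewrite to the site's own `https://` address will also match the `.htaccess` rule.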
     
  9. rutix

    rutix Junior Member

    Joined:
    Sep 6, 2012
    Messages:
    102
    Likes Received:
    12
    How long have you owned this domain? Maybe it's from the previous owner. Did you try to check the cached version of the page on Google?

    Also, this doesn't have anything to do with SQL injection :)
     
  10. Snajperist

    Snajperist Registered Member

    Joined:
    Apr 9, 2012
    Messages:
    94
    Likes Received:
    23
    I think HTML/CSS sites cannot be the target of SQL injection, since the site isn't connected to a database.
     
    • Thanks x 1
  11. M1ndfluX

    M1ndfluX Senior Member

    Joined:
    Dec 23, 2009
    Messages:
    1,119
    Likes Received:
    868
    Location:
    031010
    Hi fxphil,


    Well actually none of the above ;)

    It's just a plain one-page HTML site, with only an iframe on it from the network.

    Thanks for all the other replies guys, appreciated.

    Never noticed this before, and I am indeed now questioning myself if this is an injection since no database is used for the site.

    To make things even stranger, the URL that was indexed with the strange string now suddenly seems to be deindexed again.
    And for the record, the root domain stays strong in the ranks...
     
    Last edited: Feb 4, 2014
  12. blackboat

    blackboat Newbie

    Joined:
    May 8, 2012
    Messages:
    29
    Likes Received:
    4
    Occupation:
    CEO
    Location:
    BHW
    It can't be SQL injection, since you said your site is pure HTML/CSS.
    You should check the iframe as a first step.
    PM me your site URL, I will try to look at it more closely.
     
  13. fxphil

    fxphil Senior Member

    Joined:
    Jul 16, 2010
    Messages:
    1,084
    Likes Received:
    504
    Yeah, if anything, what I can think of without looking at it is that your iframe code may have significance. You can PM and I will look at it in a little bit here.