Surviving an SQL injection attack

I recently suffered an attack on a modestly sized Joomla website (>500 articles), with the result that I had random hyperlinks appended to the end of every article, each masquerading as a hard-to-notice full-stop character. Tracking down the source of the attack might be difficult, but this article describes the procedure for clearing up the mess.


Backup

  1. Components > Akeeba Backup > Backup Now.
  2. Enter a comment and click Backup Now!
  3. Go to Administer Backup Files to download your backup in case your web server has a failure.

 

Passwords

You should definitely change the following passwords:

  • MySQL user account.
  • Joomla superuser accounts.
  • Web Hosting login account.

 

phpMyAdmin

Next you need to log in to phpMyAdmin and run the following SQL command to see the extent of the damage.

SELECT * FROM `xxxx_content` WHERE introtext LIKE '%>.</a>%';

My malicious hyperlink was presented as a full-stop and, of course, I don't use full-stops for hyperlinks, so this search revealed all the articles affected. Having realised the issue existed, I then exported the table as a .csv file.

 

Libre Office

I used Libre Office to 'Find and Replace' the malicious text.

  1. Open the .csv file.
  2. Add a Header row, to match the field names in the content table.
    1. This is important for when you use phpMyAdmin to Import the .csv file, so that it has the correct number of columns.
  3. Select the introtext (5th) column for editing.
  4. In the toolbar menu, go to Edit > Find & Replace.
  5. For Find enter the following:
<a style="text-decoration:none" href="/.*">.</a>$
  6. Leave Replace with as blank.
  7. Expand Other Options.
  8. Select Current selection only.
  9. Select Regular expressions.
  10. Choose Values, for Search in.
  11. Search direction is Rows.
  12. Click Replace All.
  13. Save your .csv file with its new 'clean' data.
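
The same find-and-replace can be scripted, which also leaves a record of which articles were changed and what was removed from each. This is an added example, not part of the original procedure: it assumes the export carries the header row from step 2 with `id` and `introtext` columns, and it tightens the pattern (escaped full stop, href limited to a single attribute value). The sample rows and the spam.example URL are constructed.

```python
import csv
import io
import re

# Trailing anchor as described in the article: text-decoration:none, link text
# is a single literal full stop, and it sits at the very end of the field.
INJECTED = re.compile(
    r'<a\s+style="text-decoration:\s*none"\s+href="[^"]*">\.</a>\s*\Z',
    re.IGNORECASE,
)

def clean_rows(reader, column="introtext"):
    """Yield (row, removed_link) with the trailing injected anchor stripped."""
    for row in reader:
        match = INJECTED.search(row[column])
        if match:
            row[column] = row[column][:match.start()]
        yield row, (match.group(0) if match else None)

def clean_csv(src, dst, column="introtext"):
    """Copy CSV text from src to dst; return [(id, removed_link), ...]."""
    reader = csv.DictReader(src)
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    removed = []
    for row, link in clean_rows(reader, column):
        writer.writerow(row)
        if link:
            removed.append((row["id"], link))
    return removed

# Constructed sample export (assumed columns; header row added as in step 2).
SAMPLE = (
    '"id","title","introtext"\n'
    '"1","Clean","<p>Nothing to see here.</p>"\n'
    '"2","Hit","<p>Body text</p><a style=""text-decoration:none"" href=""http://spam.example/x"">.</a>"\n'
    '"3","Legit","<p>See <a href=""/about"">about</a>.</p>"\n'
)

def demo():
    out = io.StringIO()
    removed = clean_csv(io.StringIO(SAMPLE), out)
    return removed, out.getvalue()

if __name__ == "__main__":
    removed, cleaned = demo()
    for article_id, link in removed:
        print(f"article {article_id}: removed {link}")
```

Keeping the list of removed links alongside the backup makes it easy to confirm that only the injected anchors were stripped before the table is truncated and re-imported.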

 

Upload .CSV File

Now you can upload the .csv file back into the database table.

  1. Go back in to phpMyAdmin.
  2. Select the xxxx_content table.
  3. In the Operations tab, click Truncate to empty this table.
  4. Select the Import tab.
  5. Browse to your newly created .csv file.
  6. Enter 1 for the Number of rows to skip.
  7. Click Go.

All being well your articles should now be cleaned up.

 

Things to watch out for

This procedure worked for me because the hyperlinks were 'disguised' as a full-stop, and the hyperlink itself used 'text-decoration:none', which I never use. Also, all the hyperlinks had been appended to the end of the article.

 

Thanks for visiting.