Help needed - SQL injection attack in a website with Armadillo installed


(Mark Smith) #1

Hello, I have a client whose website has been subject to an SQL injection attack. The database that’s been attacked is the one for the Armadillo installation.

I have no experience of this and I am not sure how to solve it. I would really appreciate any advice from someone in the know as to what I can do. I am happy to post the details (of suspicious queries) if it helps?

Can I just republish the site and upload or is it more complex than that? And is there anything I can do to stop this happening again?

Many thanks in advance

Mark


(Mark Sealey) #2

Mark,

I would start by contacting your web hosting company and explain to them what’s happened and what policies they have in place to protect your site.

And Jonathan at NimbleHost, who will almost certainly want to know; and may well be able to advise as well.

Depending on what they each say - especially that the host can and will protect your site from such vulnerabilities in the future (SQL injection means that SQL has been used to upload/run/execute malicious code by someone with access to the database and familiarity with PHP etc), I’d have thought you’d be safe just to republish… provided that your data locally is ‘whole’.


(Mark Smith) #3

Thanks Mark, yes I have also let NimbleHost know and I am hoping you are right about the republish.

Am I right in thinking then, that this is malicious queries only and it doesn’t ‘infect’ the actual database?

As a result of this, I have contacted my own host (the site in question is hosted elsewhere) and they are saying that the servers are protected with ModSecurity and have pointed me in the direction of some more reading. I will post again when I have heard from NimbleHost.

Thanks for your reply - much appreciated


(Mark Sealey) #4

Mark,

I am sorry you have this to deal with :-(.

Yes, do wait until you hear from NimbleHost (because they will probably want enough details to amend Armadillo’s code - if it was indeed a vulnerability in Armadillo’s database) - as well as from the host where your site is, the one which includes your Armadillo database itself.

They are likely to know exactly what to do and how to find out what happened.

If the database was exploited once and is simply republished the same, then there is nothing to stop the perpetrators from doing so again, unfortunately.

What’s more if they can pervert the way the database is intended to be used to retrieve data, they may indeed be able to compromise the data repeatedly. So in that sense they can contaminate what’s held in it, wipe it and otherwise make it useless, equally vulnerable and/or able to spread further such malice.

This Wiki page explains how SQL Injection attacks work.


(Mark Smith) #5

Thanks, yeah it is a pain!

I am waiting to hear from NH and will post when I have.


(Mark Smith) #6

A quick update: I have still not heard back from NimbleHost about this so if anyone from there is reading this, I would really appreciate some help. I submitted the support email on 8 May.

Many thanks


(Mathew Mitchell) #7

Does the host for the website offer backups? You should be able to download a non-contaminated version of the database. They also should be able to help with the attack.


(scott williams) #8

Perhaps a ping here to @nimblehost will get Jonathan’s attention…


(Jonathan Head) #9

Apologies for the delay @Mark - looks like we either didn’t get the message, or it was inadvertently archived when we were clearing out spam (which has exponentially increased to our support inbox recently).

SQL injection attacks were forefront on my mind when developing Armadillo, and it is specifically hardened against them. That being said, no software is 100% secure and there will always be attack vectors that were overlooked or unknown to begin with; I will dig into this deeper and will get back to you with more info as I know more.

