Detecting unauthorized queries to a WordPress database - mysql

I suspect that an ex-employee, who had ftp and backend access to our WordPress site, created and installed an API to allow smartphone access to our database. How can I detect queries being made to the database and see what is requesting them?
Thanks

If you want to log all MySQL (just a guess) queries you can go with the solution in this post: Log all queries in mysql
But it should be mentioned that this is not wise for a production site.
Besides, if you really expect that he could have altered the installation with malicious code you should either reinstall a fresh WordPress and transfer all data or at least validate the code files against a fresh WordPress installation to check for altered code.
Basically this is the same as for a potentially penetrated system, restart at a backup point that you trust or with a fresh copy.
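As an added example, not code from the question or its answers, here is one way to do the "validate the code files against a fresh WordPress installation" check the answer recommends: hash every file in a pristine download of the same WordPress version and in the deployed tree, then report what was added, altered or removed. The directory paths are assumptions.

```python
"""Added example (not from the question or its answers): compare the deployed
WordPress tree against a pristine download of the same version to surface
files that were added or altered, such as a rogue API script."""
import hashlib
import os
import sys

# These legitimately differ between installs; review them by hand instead.
EXPECTED_DIFFERENT = {"wp-config.php", ".htaccess"}


def manifest(root):
    """Map relative path -> SHA-256 of every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifests(pristine, deployed):
    """Classify deployed files relative to the pristine manifest."""
    added = sorted(p for p in deployed
                   if p not in pristine and p not in EXPECTED_DIFFERENT)
    modified = sorted(p for p in deployed
                      if p in pristine and deployed[p] != pristine[p]
                      and p not in EXPECTED_DIFFERENT)
    missing = sorted(p for p in pristine if p not in deployed)
    return {"added": added, "modified": modified, "missing": missing}


def suspicious_php(report):
    """PHP files that were added or changed: core WordPress never needs new
    PHP files outside wp-content, so a stray api.php is the first thing to read."""
    return [p for p in report["added"] + report["modified"]
            if p.endswith(".php")]


if __name__ == "__main__":
    # Usage: python wp_diff.py ./wordpress-clean ./public_html (paths assumed)
    pristine_dir, site_dir = sys.argv[1], sys.argv[2]
    report = diff_manifests(manifest(pristine_dir), manifest(site_dir))
    for kind in ("added", "modified", "missing"):
        for path in report[kind]:
            print(f"{kind:9s} {path}")
    print("review first:", suspicious_php(report))
```

Everything under wp-content/plugins and wp-content/themes will show as added unless the pristine copy contains the same plugins and themes; compare those against their own release archives.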

Related

Migrate Joomla 3 Site to new domain

I have built a Joomla site for a client on a development server. It soon needs migrating to the client's Live site, which will mean a URL change as well as a physical server change.
I'm new to Joomla, but having worked a lot on WordPress previously I know it's a piece of cake to migrate one WP site to another, especially with the dozen or so available plugins.
However, this doesn't appear to be so easy on Joomla. I have searched for the best practice to achieve this with Joomla 3 but cannot find what I need.
Does anyone have a suggestion for this?
There are in fact two ways to achieve this and they are quite easy.
1. The first one is the manual way, that is:
   Copy the files of your local Joomla installation and upload them to your server.
   Export your local database and import it on your server.
   Edit the configuration.php file to your new server credentials (db name, db user, db server etc.).
2. The second one is through the Akeeba Backup component. In this case you create a backup and then restore it on the remote server. Detailed info here.
After uploading your remote site you are advised to follow these guidelines to secure your installation.

Duplicating existing cakephp app for development

I need to make a development version of a cakePHP app with its own db so that a developer can work on it without disturbing the current users.
I thought it would be simple, I just copied the entire directory /project to /project_dev and then copied the DB "project_db" to "project_db_dev". Then I went into /project_dev/config/database.php and changed the db to "project_db_dev".
When I went to see what I had done, I saw the app was still connecting to the same db, as if I'd changed nothing. I realized that the original folder name was referenced in /app/webroot/.htaccess so do I need to find/replace all instances of that folder name?
What steps should I follow to duplicate an existing cakePHP app?
You need to setup some kind of development lifecycle.
Generally speaking the developer shouldn't be doing any development on the server. The best way to handle it is locally using a stack of some kind such as LAMP (Linux, Apache, MySQL, PHP); switch out Linux for other OSes. There are multiple cloud solutions for these environments too, such as Koding.com.
Using something like Git for version control the developer can develop locally, then push the code through to the server after it has been thoroughly tested locally or on a dev server of some kind.
Keeping Dev work and Live work away from each other is key.
Could do with a bit more information.
If both databases are hosted on the same server and you have permission to access them both with the same user then all you have to do is change the name of the database in your database.php
If not you will also have to update the IP and any other additional settings port etc.
If you are still having troubles email me simpsond1988#gmail.com

ExpressionEngine : git : local development : remote database

To those of you that are trying to be good little developers and version control their ExpressionEngine sites with git, how do you handle your database?
In my limited experience with multiple developers working on one ExpressionEngine site, we've had to all run off of a single MySQL development database running on a remote web server. For those of you that have tried this, it is PAINFULLY slow. Page loads can easily take 5-10 seconds making development extremely difficult. It would be quicker to work off of a remote development server. I am trying to steer away from working off of a remote MySQL server in order to be able to work from anywhere and not depend on Internet connection speed/quality.
Just wondering how others handle their MySQL databases.
Do all of your developers run off of one central database? Have you dealt with slowness issues like we have?
Do you keep your database under version control? How do you handle export/imports among multiple developers and multiple branches?
With one developer I can import/export/commit the database very easily but as soon as you add another developer to the mix, it gets very VERY muddy. Looking forward to hearing everyone's thoughts on this mammoth topic.
Thanks!
It seems there is a lot of time lost on failing DNS requests, with a remote database.
Start your MySQL server (mysqld) with --skip-name-resolve. (More information on this topic can be found here: http://dev.mysql.com/doc/refman/5.0/en/host-cache.html)
Having a remote database still seems to be the best way for us to work on a project with multiple developers.
I almost always use a central database for development. Depending which host you use, the speed difference may not be huge.
Obviously, if you're not making changes to the database, i.e. only doing template development, keeping the database in sync is not as needed, so you could potentially bring up a local copy of the database. You just have to remember to repeat any database changes, if you do end up making some.
As far as version control, I keep a copy of my base EE install's SQL file in my base repository. Other than that I don't usually keep copies of the database in Git, so I don't do a lot of importing/exporting, etc.
Have you looked at the EE Profiler recently? You'll probably notice in the neighborhood of 20-80 queries on your home page depending on its complexity.
The problem is that, for each query, MySQL must execute a remote request for data, download the response, and then present ExpressionEngine its data. The 20-80 round trips to the database are what's causing your delay and I don't think there is much you can do about it. When using a remote (outside our network) database, I get the same delay as you.
When MySQL is running on your machine or the production server, it doesn't have the added network requests causing latency in its requests for data. This is the difference.
As for fixes, all you can do is move to a database hosted on your internal network. We have a Linux machine that mimics our production environment that we use for staging. Since it's on our network, we can use the local IP address in our database.php file. This is much faster.
The problem that we still have is the issue of channels/fields/entries. When a developer is working on a new section, they'll likely need to create a new channel and fields and/or new entries. When we're ready to push that functionality to production, we have to manually make those changes on the production server as there is no way to reliably export them. I am hopeful of this addon though---we'll see.
In my company (4 developers) we each run our own DB locally. But recently I tested Rackspace Cloud Databases (but there are other cloud DB providers) for a heavy DB that could become difficult to run on a little laptop. It's relatively less expensive than running our own DB server, and it can be set up or deleted in a minute.

MySql Database Hacked, NOT injections

Three weeks ago, I found a list of my website's users and info on Pastebin giving away all privacy. I ran updates and protected against SQL injections. I also added a pre-request to save the SQL in text format in a LOG table whenever user input is required, to be able to analyse any injection if my protection wasn't enough.
Then today the same post was on Pastebin again with recent entries, so I checked the LOG table to find only clean entries. Is there anything else than injections I should worry about? The web seems to give info about injections only!
Could they have had access to the dbpassword in a PHP file on the server and could they have connected from an external server?
Should I change the dbpassword frequently?
Are there any solution non-script wise like hosting security plan or something like that which should be efficient enough?
I am receiving physical threats from hacked users and would really like to close this quickly...
If you're implementing your own protection against user input, you're probably doing it wrong. Most standard database libraries will give you a way of passing in parameters to queries where it will be sanitised properly, and these will have been coded with more things in mind than you're probably aware of. Reinventing the wheel in anything security-related is a bad idea!
Other things to worry about:
Password policy (strong passwords)
Access to your database server (is it firewalled?)
SSH access to your server (again, firewalled?)
Keeping all of your software up-to-date
Just to add to the other answers that you've had so far. If someone is posting the contents of your database online then you need to assume that the server(s) running the application and database have been compromised, as once they've gained initial access, it's likely that they'll have placed rootkits or similar tools onto the server to keep access to it.
As to how they got in there's a number of potential options, depending on the architecture of your solution, and it's impossible to say which is the case without more details. Some of the more likely options would be:
SSH passwords
Administrative web apps (e.g. PHPMyAdmin) with common passwords or vulnerabilities
Access via hosting service (e.g. weak passwords on administrative login panels)
If the site is PHP based Remote File Inclusion issues are a distinct possibility
If you can I'd recommend engaging a forensics or incident response company to help you recover the data and rebuild, but failing that I'd recommend getting a backup from before the compromise and using that to rebuild the server, then ensure that all software is updated and patched and passwords are not the same as the compromised system, before bringing it online.
The best protection for this is to allow connections to the mysql database only from the machine where your application runs.
First of all, make sure network access to the MySQL database is "need to know" - in most cases this is a simple bind-address 127.0.0.1.
Next change the DB password, just because yes, you can (C)
Now think of this: If somebody got your DB passwd from your PHP files, you already are in deep s***t: Nothing stops him or her from just repeating that stunt! You need to audit your application for backdoors (after the fact problem) and how the guys got in there (before the fact problem). Check your apache logs for requests with unusual GET parameters - a filename in there mostly is a dead giveaway.
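An added example, not part of the answer above, of the Apache log check it recommends: the script parses combined-format access log lines and flags GET parameters whose value is a URL or a filesystem path, the pattern behind the remote file inclusion issue mentioned earlier on this page. The log lines are constructed samples and the two regexes are a starting point, not a complete ruleset.

```python
"""Added example (not from the answers): scan Apache combined-format access
log lines for GET parameters carrying a URL or a filesystem path, the
pattern the answer above calls a dead giveaway for file-inclusion attempts."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A page parameter should never carry a URL scheme or walk the filesystem.
URL_IN_VALUE = re.compile(r'^(https?|ftp|php|data)://', re.I)
PATH_IN_VALUE = re.compile(r'(\.\./|^/etc/|^/proc/|\.php$)', re.I)

# Constructed sample log lines; addresses are from RFC 5737 documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "GET /index.php?page=http://203.0.113.9/remote.txt? HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2013:13:56:01 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.30"',
    '192.0.2.1 - - [10/Oct/2013:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict with ip, path, params and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # URL-decode each value so that %2e%2e%2f is seen as ../
    rec["params"] = [(k, unquote(v))
                     for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec

def flag_params(params):
    """Keep only (name, value) pairs whose value looks like a URL or a path."""
    return [(k, v) for k, v in params
            if URL_IN_VALUE.search(v) or PATH_IN_VALUE.search(v)]

def scan(lines):
    """(ip, path, flagged params, status) for every request worth a look."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        bad = flag_params(rec["params"]) if rec else []
        if bad:
            hits.append((rec["ip"], rec["path"], bad, rec["status"]))
    return hits
```

To run it over a real log, pass the file object instead of SAMPLE, e.g. scan(open("/var/log/apache2/access.log")); a status of 200 on a flagged request is the one to investigate first, since it means the include probably succeeded.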
I agree with Razvan. Also if you're running any CMS or prepackaged web pages, make sure they're the latest version. They most likely access as localhost from the web server. Hackers follow the change logs of those and every time a security patch is released, they attack published vulnerabilities on servers running the older version. It's often performed in bulk by crawlers. Odds are they have a database with your server listed as running old versions of things.
First you need to ensure that this "php file" containing the DB password(s) is not within the web root directory, otherwise they could simply access it like: http://mydomain.com/dbpassword.php.
Second, immediately change the passwords used to access your database.
Third, ensure that mysql will only accept connections from 'localhost', vs allowing connections from anywhere; '%'. And if it is a dedicated server, then you should "harden" the box and add an IP rule to IPTables where mysql access is only allowed from the server's IP. These changes would ensure that if they did get your db username/password creds, they can not access the database from a remote computer, instead they would have to exploit your application, or ssh into your server to gain access to your database.
Next, you should disable all user accounts to your site, and force them to update their passwords using a closed loop verification process. This will ensure no ongoing malicious activity is occurring with your users or their accounts.
These are just a few steps to take, there are others such as tracking local users' login activity. It is possible that one of your system's user accounts has been compromised (rooted). The point is, you need to consider all points of access to your system and services therein, if you are unable to do it, it may be time to hire or contract a seasoned sysadmin to help you.
If this is shared web hosting, and another user is logged in with shell access and is able to guess the path to your web root, and the password configuration (PHP or other script) file is world readable, then the user can read it.
This is one of the most common vulnerabilities and is very easy to exploit.
If this is the case:
To correct the issue, you need to move the configuration file out of your web root folder and/or change the permissions on it so that it's not world readable, and then change your database password.
Most likely, the user would not be able to inject anything into your application.
Changing the database server so that it's only accessible locally or to your web server would do no good, since the malicious user would be on the same web server and still be able to access it.
If you did not see any malicious queries, then they are probably accessing your db via the MySQL command line (or PHPMyAdmin or other tool), and not through your application.
Enabling the general query log would allow you to see all queries in plain text in the log, but if this is shared web (and MySQL server) hosting, you probably won't be able to enable this.
This is something you may wish to report to your web host. They may be able to find the attacker and suspend their account or provide you with evidence.

How to access phpMyAdmin on remote server

For my websites I use Dreamhost. Dreamhost requires you to create a hostname (ex: mysql.mclindigital.com) that the database will reside on. For me it's simple, if I want to access phpMyAdmin, I simply navigate to mysql.mclindigital.com, and it enters into phpMyAdmin automatically.
Apparently Dreamhost is in the minority using this method, because most people seem to use "localhost". So, how do I access phpMyAdmin for these websites? Will I need to get their Web Panel login info to browse around for this info?
As an example, I had a past client and I had to go here: http://216.120.237.104:2082/3rdparty/phpMyAdmin/index.php to get into their phpMyAdmin. I never really understood what I was doing, but it just worked. Now I am in the same situation, but this time the client isn't as tech-savvy and is unable to give me the URL I need to go to.
Also, I should point out I am not 100% certain that they have phpMyAdmin installed. I do know they have a database however, because they are running a WordPress blog.
There is nothing magic or special about phpMyAdmin. It is just a bunch of PHP scripts. Some web hosts (such as Dreamhost) may install it as standard, similarly to formmail and a bunch of other tools they may install.
Your problem is most likely that your client doesn't have phpMyAdmin installed, and the easy solution (if you have FTP access) is to go to http://www.phpmyadmin.net/home_page/index.php, download phpMyAdmin, configure it and then just upload it to their FTP server yourself. Then you can access it similarly to any other PHP script.