Bigday_28

Q: Scan for SQL Injection

Hi

My website has been pulled down by the host. They sent me the following message:

"We got information that there is SQL injection on our server, and when we traced the injection it pointed to your domain.
This is the attack type:
SQL generic sql update injection attempt - GET parameter, SQL union select - possible sql injection attempt - GET parameter

That's why we need to disable your website temporarily.
Please scan your local PC and website files and make sure that your local PC and website files are free from viruses.
Once you've scanned your local PC and website files and made sure there is no virus, please update this ticket again,
so we can enable your website again."

Does anyone know what I should use to scan for this?

Thanks

MacBook Air, OS X El Capitan (10.11.6)

Posted on Aug 27, 2016 11:56 PM


  • by John Galt, Level 8 (49,777 points), Mac OS X
    Aug 28, 2016 6:21 AM in response to Bigday_28

    Is Apple hosting your website?

  • by Bigday_28, Level 1 (8 points), Notebooks
    Aug 28, 2016 3:20 PM in response to John Galt
  • by etresoft, Level 7 (29,320 points), Mac OS X
    Aug 28, 2016 5:05 PM in response to Bigday_28

    Hello Bigday_28,

    Can you verify that your website is actually down? Considering the poor grammar, this looks more like a phishing attempt than anything.

  • by Bigday_28, Level 1 (8 points), Notebooks
    Aug 28, 2016 8:14 PM in response to etresoft

    Hi etresoft

    Yes, the site is down; check it out:

    http://www.bushwoodgolfclub.org.au/

    Their support staff are off-shore, so their English is not the best.

    The message to me is communicated by a support portal that I log into to raise a ticket, and all communication with them is done via the portal. Screen shot:

    [Screen shot: Screen Shot 2016-08-29 at 1.12.56 PM.png]

  • by etresoft, Level 7 (29,320 points), Mac OS X (Helpful)
    Aug 30, 2016 3:44 AM in response to Bigday_28

    Hello again Bigday_28,

    That's too bad. Ideally it would be nice to know why they think "SQL injection" is involved. When they say "on our server", which server are they talking about?

    In theory, it is possible for your Mac to get hacked and passwords stolen. Then the hackers could, again in an increasingly hypothetical world, gain access to your site and try some SQL injection attacks against some undetermined server somewhere.

    But your tech support probably doesn't speak English well enough to understand that question or answer it. It would be more likely that there was some kind of hacking incident on your web server and they disabled your server for that reason. But the cause is almost certainly a security breach on their end, not yours.

    I suggest you download Malwarebytes for Mac (https://www.malwarebytes.com/antimalware/mac/), run it, and then update the ticket with what you've done and ask for more details. In the meantime, look for a better web host. I use Dreamhost, but I might soon move to some cloud service like Google or AWS. Depending on your site, if you pick the correct mix of services, a cloud-based web server can cost less than a dollar a month, sometimes a lot less.

  • by Bigday_28, Level 1 (8 points), Notebooks
    Aug 28, 2016 8:51 PM in response to etresoft

    Hi again etresoft

    Yes, it is hard to get through to them what I need sometimes, as they don't understand.

    I've been wanting to change hosts but am scared of what that entails. I joined them initially as they had a great Website Builder functionality, and my HTML and ASP.NET is basic at best. Then they took away the website builder functionality, so I have been updating and learning HTML the hard way. Thank God for Google Docs, so I can upload scores and handicaps to Google Drive and link to them from the website.

    There are all these references to "WebSiteBuilder" in their code on my website pages, so if I transfer hosts I'm afraid the website won't display on another host, so I'm sorta stuck with them.

    Thanks for your help and the Malwarebytes link.

  • by John Galt, Level 8 (49,777 points), Mac OS X
    Aug 29, 2016 1:09 AM in response to Bigday_28

    Thanks. Is it possible that your website is hosting advertisements that could be used to deliver malicious content? If so, the content of those advertisements is generally beyond your control. They can contain literally anything.

    The message they provided is vague at best, and to allege this "SQL injection" threat originated with your Mac is unfounded. I highly suspect the "local PC virus scan" or whatever nonsense they are demanding of you will just waste your time.

    It would be most helpful if you could provide the page source so that it can be examined. I understand you might not be willing to do that.

  • by Bigday_28, Level 1 (8 points), Notebooks
    Aug 29, 2016 2:53 AM in response to John Galt

    There are no adverts on the site.

    I am a rookie with this stuff; "SQL injection" is a foreign term.

    There are multiple pages on my website, and to be honest I rarely update them. All the updating is in Google Drive. The website just displays these pages. If I do update them, it is via FileZilla. Wondering if that may be the cause?

  • by etresoft, Level 7 (29,320 points), Mac OS X
    Aug 29, 2016 7:09 AM in response to Bigday_28

    Hello again Bigday_28,

    A decent web host will give you a temporary domain name to let you move your site over. Once you have it working, then you can move the domain name.

    As for SQL injection, here is a good explanation: https://xkcd.com/327/
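    The xkcd strip etresoft links to shows the idea in cartoon form. The following is an added example, not code from this thread, the poster's site or the host: the same flaw and its fix in working Python using the built-in sqlite3 module. The scores and members tables, the row contents and the hash value are constructed stand-ins (the poster's real site is ASP.NET and is not shown). The first lookup builds the SQL by string concatenation, so a payload of the kind behind a "SQL union select ... GET parameter" alert turns a scores lookup into a dump of another table; the second lookup binds the value with a placeholder and the same payload is just an unknown player name.

```python
import sqlite3


def make_db():
    # Constructed stand-in schema: a scores table the page is meant to query
    # and a members table it should never expose. Not the poster's real site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scores (player TEXT, score INTEGER)")
    conn.execute("CREATE TABLE members (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO scores VALUES (?, ?)", [("alice", 72), ("bob", 85)])
    conn.executemany("INSERT INTO members VALUES (?, ?)", [("admin", "constructed-hash")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, player):
    # The parameter is pasted into the SQL text. A single quote in it closes
    # the string literal and whatever follows is executed as SQL.
    sql = "SELECT player, score FROM scores WHERE player = '" + player + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, player):
    # Placeholder binding: the driver passes the value separately from the
    # SQL text, so it can only ever be compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT player, score FROM scores WHERE player = ?", (player,)
    ).fetchall()


# A value of the shape that triggers a "union select" alert when it arrives
# in a GET parameter, e.g. ?player=x'%20UNION%20SELECT%20...  (constructed)
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM members--"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, payload      :", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("safe, payload            :", lookup_safe(conn, UNION_PAYLOAD))
```

    With the payload, the concatenated query becomes `SELECT player, score FROM scores WHERE player = 'x' UNION SELECT username, password_hash FROM members--'`; the trailing `--` comments out the quote the code appended, so the statement stays valid and returns the members row. The host's other signature name ("sql update injection") is the same trick with an UPDATE statement; Python's sqlite3 driver happens to refuse more than one statement per execute() call, but many other database drivers do not, so the only real fix is the placeholder form.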

  • by John Galt, Level 8 (49,777 points), Mac OS X
    Aug 29, 2016 7:39 AM in response to Bigday_28

    "If I do update them, it is via FileZilla. Wondering if that may be the cause?"

    I use FileZilla also. Assuming yours is a legitimately obtained and unaltered copy, that's not it. It would be an enormously complex challenge for FileZilla to be maliciously altered in such a manner as to create the circumstances you describe, in return for little or no reward. Have you been able to download the page code hosted on the server and compare it to your locally stored versions?

    I'm not convinced there is anything wrong. Assuming there is, though, my first suspicion would be outside interference with your website. Someone in possession of your login credentials could obviously do that. Changing them would eliminate that possibility. The other possibility is a security breach of their server, as etresoft mentioned, though it seems unlikely that you would be the only user affected by such a breach.

    Lacking any specific information of something truly malicious, I suspect your hosting company is just mistaken.
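    One way to do the comparison John Galt asks about (download the files hosted on the server and compare them with the local copies), as an added example that is not from this thread or from the poster's host: hash every file under the local folder and under the downloaded copy with SHA-256 and report what was added on the server, what is missing, and what differs. The two sample trees below are constructed in a temporary directory purely to exercise the code; in practice the two arguments to compare_trees would be the local site folder and the folder FileZilla downloaded from the host. File names and contents are placeholders, not the poster's pages.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(local, server):
    """Report differences between the local copy and the copy fetched from the host."""
    local_h, server_h = hash_tree(local), hash_tree(server)
    common = local_h.keys() & server_h.keys()
    return {
        "added_on_server": sorted(server_h.keys() - local_h.keys()),
        "missing_on_server": sorted(local_h.keys() - server_h.keys()),
        "modified": sorted(p for p in common if local_h[p] != server_h[p]),
        "unchanged": sorted(p for p in common if local_h[p] == server_h[p]),
    }


def write_files(root, files):
    # Helper for building the constructed sample trees.
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


# Constructed sample content. The server copy has one edited page and one
# file the local copy never had; both are exactly what the report should flag.
LOCAL_FILES = {
    "index.html": b"<html><body><h1>Club scores</h1></body></html>\n",
    "scores.asp": b'<% Response.Write("scores") %>\n',
    "css/site.css": b"body { font-family: sans-serif; }\n",
}
SERVER_FILES = {
    "index.html": b"<html><body><h1>Club scores</h1><!-- line not in local copy --></body></html>\n",
    "scores.asp": b'<% Response.Write("scores") %>\n',
    "css/site.css": b"body { font-family: sans-serif; }\n",
    "uploads/tmp.aspx": b"<!-- constructed stand-in for a file that was never uploaded locally -->\n",
}


def demo():
    """Build the two sample trees in a scratch directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        local, server = Path(tmp) / "local", Path(tmp) / "server"
        write_files(local, LOCAL_FILES)
        write_files(server, SERVER_FILES)
        return compare_trees(local, server)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

    Anything listed under added_on_server or modified is what to read line by line; a file that appears on the server but was never uploaded from the local machine cannot be explained by a problem on the Mac, which is the distinction John Galt and etresoft are drawing.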

  • by Bigday_28, Level 1 (8 points), Notebooks
    Aug 31, 2016 6:02 PM in response to Bigday_28

    I asked the hosting support on what page they are seeing this SQL injection, and they replied it is in the web log, but the morons have not given me permission to view any of my files now!

    Haha, and thanks for the explanation of SQL injection, etresoft.
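    The two signature names in the host's original message ("SQL union select - possible sql injection attempt - GET parameter" and "SQL generic sql update injection attempt - GET parameter") and the reply above that the evidence is "in the web log" both point at the web server's access log. The following is an added example, not something from the thread or the host: a small Python scanner that parses combined-format access log lines, URL-decodes each GET parameter separately, and applies two rules shaped like those signature names. The log lines, paths, client addresses and user agents are all constructed. A hit identifies which request targeted which parameter of which page; it does not by itself say whether the query behind that page actually ran it (the HTTP status is at best a weak hint).

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules shaped like the two signature names in the host's message. The UNION
# rule requires SELECT to follow immediately (optionally via ALL) so that
# ordinary text containing both words some distance apart is not flagged.
RULES = {
    "sql union select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "sql update injection": re.compile(r"\bUPDATE\s+\w+\s+SET\b", re.I),
}


def decode_params(query):
    """Split a raw query string into (name, value) pairs, decoding each side once."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def scan_log(text):
    """Return one finding per (GET parameter, rule) match, in log order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # the host's alerts name GET parameters; POST bodies are not logged here
        parts = urlsplit(m["target"])
        for name, value in decode_params(parts.query):
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    hits.append({
                        "line": lineno, "ip": m["ip"], "status": m["status"],
                        "path": parts.path, "param": name, "rule": rule, "value": value,
                    })
    return hits


def by_source(hits):
    """Count findings per client address, to see whether one scanner did it all."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log. Line 4 is a benign query that contains both words
# "union" and "select" and must not be flagged; line 5 is a POST and is skipped.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2016:22:14:01 +1000] "GET /scores.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Aug/2016:22:14:07 +1000] "GET /scores.asp?id=12%27%20UNION%20SELECT%20username,password%20FROM%20members-- HTTP/1.1" 200 6021 "-" "sqlmap/1.0"
198.51.100.23 - - [27/Aug/2016:22:14:09 +1000] "GET /handicap.asp?player=bob%27;UPDATE%20members%20SET%20password=%27x%27-- HTTP/1.1" 500 312 "-" "sqlmap/1.0"
203.0.113.9 - - [27/Aug/2016:22:15:30 +1000] "GET /news.asp?q=union+workers+select+committee HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Aug/2016:22:16:00 +1000] "POST /login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for h in findings:
        print(f"line {h['line']}: {h['ip']} -> {h['path']} param {h['param']!r} [{h['rule']}] status {h['status']}")
    print("per source:", by_source(findings))
```

    Run against the real access log (once the host grants access to it), the output is the list of requests the host's signatures fired on: the page, the parameter, the client address and the date. Those requests are aimed at the site from outside, which is consistent with the thread's view that the matter is a probe of the hosted site rather than anything on the poster's Mac; whether the page behind `/scores.asp` was actually injectable is a separate question that only the page's own code (or the database) can answer.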

  • by FishingAddict, Level 4 (1,586 points), Mac OS X
    Aug 31, 2016 6:32 PM in response to Bigday_28

    The important thing to think about is: do you have any pages on your website that use a database back-end to retrieve data or to authenticate user logins? For example, does your website use a Content Management System (CMS) like WordPress, Joomla, or Drupal, or in any way use a database such as MySQL, SQL Server, Postgres, SQLite, etc.? If you use a CMS, have you kept the CMS updated and the modules updated?

    You will need to contact these guys to get some help with access to your files and also to see if they can provide the actual URL strings where the SQL injection occurred. Something tells me that you will want to find a better host after this is over. Therefore, make sure that you can obtain a full backup of your website.