Site Hack via CollectionVersionBlocksOutputCache DB Table

Hello all,

A site I implemented/manage has unfortunately been hacked and is sending traffic to a sex site URL. Looking through the code and DB, the only evidence I can see of this sex site URL is in the database export, in the "CollectionVersionBlocksOutputCache" database table. Furthermore, it seems that they managed to change the URL in the view.php of a custom block - the original code looking like so:

var contactus_submit_url = '<?php echo $this->controller->getCurrentUrl(); ?>';


This is used to output some inline JS into the HTML for purposes of Ajax - and where getCurrentUrl() is:

function getCurrentUrl() {
    // Resolve the page currently being rendered and build its link
    // through the navigation helper instance returned by Loader::helper().
    $currentPage = Page::getCurrentPage();
    $nh = Loader::helper('navigation');
    return $nh->getLinkToCollection($currentPage, true);
}


While I know it's hard to guess, I'm trying to figure out what access a hacker would need to change or get code into the "CollectionVersionBlocksOutputCache" database table - would they need:

* Editor access? (obviously)
* Direct database access?
* SQL injection access?
* Shell (command line) access?

I have grepped the files and nothing matches with that sex site URL. This hack seems so specific and I'm wondering what ways this could be done and how I can derive more information to determine the entry point.

Thanks in advance for any help, thoughts or advice!

Alex

PS - The SQL shows an entry in "CollectionVersionBlocksOutputCache" like so (with the content omitted for purposes of brevity):

,(1,26,638,'Contact Us Form','...content omitted for purposes of brevity...',1391797128)

alexaalto replied:
...and the mystery thickens. I see that the output from a second custom block used to render the main drop down navigation was also showing this criminal sex site URL. In this case the URL is simply rendered via the controller.php as HTML (no JS involved) where the URL comes from the C5

$nh = Loader::helper('navigation');
$path = $nh->getLinkToCollection($page, true);


The hacker managed to change the cached block to use the sex site URL.

I initially missed this as I logged in as Admin which I think caused the cache to be purged and the block to be recreated - or at least this is my theory. Does this seem correct?

Thing is, I'm not seeing any altered PHP files - I am only finding changed database entries (I believe C5 cache entries).
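Both posts above describe the same problem: the injected URL lives only in cached block output, so grepping the PHP files finds nothing. The following Python script is an added example, not code from the thread or from concrete5; it scans a mysqldump of the CollectionVersionBlocksOutputCache table and reports every cached block whose HTML links to a host outside the site's own allowlist. It assumes the column order (cID, cvID, bID, arHandle, btCachedBlockOutput, btCachedBlockOutputExpires), which matches the tuple shape quoted in the first post, and the sample dump and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a mysqldump line for the table. Assumed column order:
# (cID, cvID, bID, arHandle, btCachedBlockOutput, btCachedBlockOutputExpires).
# Hostnames are placeholders, not real indicators.
SAMPLE_DUMP = r"""INSERT INTO `CollectionVersionBlocksOutputCache` VALUES (1,26,638,'Contact Us Form','<script>var contactus_submit_url = \'http://www.example-site.test/contact-us\';</script>',1391797128),(1,26,640,'Header Nav','<ul><li><a href=\"http://attacker-placeholder.invalid/landing\">Home</a></li></ul>',1391797128),(2,3,12,'Main','<p>no links here</p>',1391797200);"""

# One VALUES tuple per match; the quoted-string parts tolerate mysqldump's
# backslash escaping (\' and \" inside the cached HTML).
TUPLE_RE = re.compile(
    r"\((\d+),(\d+),(\d+),'((?:[^'\\]|\\.)*)','((?:[^'\\]|\\.)*)',(\d+)\)"
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

_SQL_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}


def unescape_sql(s):
    """Undo the backslash escaping mysqldump applies inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: _SQL_ESCAPES.get(m.group(1), m.group(1)), s)


def find_offsite_urls(dump_text, allowed_hosts):
    """Return (cID, cvID, bID, arHandle, url) for every cached block output
    containing an absolute URL whose host is not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in TUPLE_RE.finditer(dump_text):
        cid, cvid, bid, handle, output, _expires = m.groups()
        output = unescape_sql(output)
        for url in URL_RE.findall(output):
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed:
                findings.append((int(cid), int(cvid), int(bid),
                                 unescape_sql(handle), url))
    return findings


if __name__ == "__main__":
    # The site's own hostname is the only one cached output should link to.
    for row in find_offsite_urls(SAMPLE_DUMP, {"www.example-site.test"}):
        print("cID=%d cvID=%d bID=%d area=%r -> %s" % row)
```

The cID/cvID/bID triple identifies which page version and block to inspect, and the expiry timestamp in the same tuple tells you roughly when the poisoned output was cached.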