Site Hack via CollectionVersionBlocksOutputCache DB Table
Hello all,
A site I implemented/manage has unfortunately been hacked, sending traffic to a sex site URL. Looking through the code and DB, the only evidence I can see of this sex site URL is in the database export, in the "CollectionVersionBlocksOutputCache" database table. Furthermore, it seems that they managed to change the URL in the view.php of a custom block - the original code looking like so:
var contactus_submit_url = '<?php echo $this->controller->getCurrentUrl(); ?>';
This is used to output some inline JS into the HTML for purposes of Ajax - and where getCurrentUrl() is:
function getCurrentUrl() {
    // Build an absolute link to the page currently being viewed
    $currentPage = Page::getCurrentPage();
    Loader::helper('navigation');
    return NavigationHelper::getLinkToCollection($currentPage, true);
}
While I know it's hard to guess, I'm trying to figure out what access a hacker would need to change or get code into the "CollectionVersionBlocksOutputCache" database table - would they need:
* Editor access? (obviously)
* Direct database access?
* SQL injection access?
* Shell (command line) access?
I have grepped the files and nothing matches with that sex site URL. This hack seems so specific and I'm wondering what ways this could be done and how I can derive more information to determine the entry point.
Thanks in advance for any help, thoughts or advice!
Alex
PS - The SQL shows an entry in "CollectionVersionBlocksOutputCache" like so (with the content omitted for purposes of brevity):
,(1,26,638,'Contact Us Form','...content omitted for purposes of brevity...',1391797128)
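As an added example (not from the original post or from Concrete5), a small scanner for dump rows of the shape quoted above: it tokenises the INSERT value tuples and reports any cached block output that links to a host other than the site's own, so the affected cID/cvID/bID and area can be found without grepping the whole dump by hand. The column order follows the quoted row; the column names, the reading of the last field as a Unix expiry timestamp, and the sample data are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows in the shape the post quotes:
# (cID, cvID, bID, arHandle, btCachedBlockOutput, expiry). Column names are
# assumed; only the order is taken from the quoted row.
SAMPLE_ROWS = (
    ",(1,26,638,'Contact Us Form',"
    "'<script>var contactus_submit_url = \\'http://evil.example/redir\\';</script>',1391797128),"
    "(1,26,639,'Main','<p>Hello</p><a href=\"https://www.example.org/about\">About</a>',1391797128)"
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def split_sql_tuples(values: str):
    """Yield each parenthesised value tuple as a list of raw fields, honouring
    single-quoted strings with backslash escapes (the MySQL dump style).
    Anything outside a tuple (e.g. 'VALUES', commas, ';') is ignored."""
    fields, buf, in_str, depth, i = [], [], False, 0, 0
    while i < len(values):
        ch = values[i]
        if in_str:
            if ch == "\\":                      # escaped char inside a literal
                buf.append(values[i + 1]); i += 2; continue
            if ch == "'":
                in_str = False
            else:
                buf.append(ch)
        elif ch == "'":
            in_str = True
        elif ch == "(" and depth == 0:
            depth, fields, buf = 1, [], []
        elif ch == "," and depth == 1:
            fields.append("".join(buf)); buf = []
        elif ch == ")" and depth == 1:
            fields.append("".join(buf)); depth = 0
            yield fields
        elif depth == 1:
            buf.append(ch)
        i += 1

def find_foreign_hosts(values: str, own_hosts):
    """Return (cID, cvID, bID, arHandle, expiry_iso, {hosts}) for every cached
    block whose output references a host not in own_hosts."""
    hits = []
    for cid, cvid, bid, area, html, expires in split_sql_tuples(values):
        foreign = {h.lower() for h in URL_RE.findall(html)} - set(own_hosts)
        if foreign:
            when = datetime.fromtimestamp(int(expires), tz=timezone.utc).isoformat()
            hits.append((int(cid), int(cvid), int(bid), area, when, foreign))
    return hits
```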
The hacker managed to change the cached block to use the sex site URL.
I initially missed this as I logged in as Admin which I think caused the cache to be purged and the block to be recreated - or at least this is my theory. Does this seem correct?
Thing is, I'm not seeing any altered PHP files - I am only finding changed database entries (I believe C5 cache entries).