Can't find an appropriate forum to ask this specific question, so I'm asking it here. Got an issue. Recently I've been having odd accesses to the textsize module which didn't make sense, all of which were failing, so as a precaution I disabled this module. Then something interesting happened.

Some IP addresses are still accessing the URL, but obviously now getting Page Not Found. But since I turned off this module, the following has so far happened once, against http://www.mydomain.org.uk/counselling//user/login/, from the same IP address.

PHP - Warning: mb_strlen() expects parameter 1 to be string, array given in drupal_strlen() (line 482 of /content/sites/r/e/mydomain.org.uk/web/counselling/includes/unicode.inc).

PHP - Warning: addcslashes() expects parameter 1 to be string, array given in DatabaseConnection->escapeLike() (line 984 of /content/sites/r/e/mydomain.org.uk/web/counselling/includes/database/database.inc).

PHP - PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'Crap' AND status = 1' at line 1: SELECT * FROM {users} WHERE name = :name_0, :name_1 AND status = 1; Array ( [:name_0] => FcUk [:name_1] => Crap ) in user_login_authenticate_validate() (line 2154 of /content/sites/r/e/mydomain.org.uk/web/counselling/modules/user/user.module).

Does anyone know what's going on? Is this an attempt at unauthorised access if the version of Drupal was the one that had the SQL injection problem?

I'm on Drupal 7.34 and the core and all modules are showing as up-to-date.

Comments

nevets’s picture

I would look for a user with either of the name values (:name_0 and :name_1); if you find such a user, I would block them.

Something is odd about the error. The query makes sense in terms of trying to log in, but this part, WHERE name = :name_0, :name_1, is odd in that it appears to be passed two login names at once, which is where the error is coming from.

myron_s’s picture

Had a look at dr_node and dr_users SQL data tables and they both seem clean.

Since that SQL error has appeared someone is trying to sign-on to the site I manage using the user name Marcferozi. It's not a constant stream of attempts. Just spread out and random. All these attempts are failing originating from different IP addresses. :-)

I do continual auditing. I don't see any strangely named PHP files pre-hack and post-hack, and I guess, as I write this, it will be a good idea to take a back-up.

dadderley’s picture

I manage a bunch of Drupal sites. This name 'Marcferozi' is used a lot in attempted logins.
Just for a laugh, do a Google search for 'Marcferozi'.

mortona2k’s picture

I got the same error message.

The other Andrew Morton

nithinkolekar’s picture

One of my sites built on 7.34 is also behaving strangely, but it is not similar to this issue: [security, bot symptom?] user gets registered although profile2 field set to required but field is empty in user profile

OT: why couldn't we use [#2432841] just like in project issues?

remaye’s picture

I got the same first 2 php warnings in the recent log messages (but not the PDOException):

Warning : mb_strlen() expects parameter 1 to be string, array given dans drupal_strlen() (ligne 478 dans /.../includes/unicode.inc).

Warning : addcslashes() expects parameter 1 to be string, array given dans DatabaseConnection->escapeLike() (ligne 984 dans /.../includes/database/database.inc).

Then the log messages say someone failed to log in with an empty username ("Login attempt failed for .") but was immediately logged in as "drupaldev" (drupaldev321@gmail.com), a user he created with all roles. He activated the "php" module, allowed the php text format for all roles and deleted the home page... apparently nothing else, but I guess anyone could come to the site and execute any php code he wanted...?

I removed the drupaldev user and deactivated the php module and php text format, but I don't know if something wrong could remain active on the site...? Anyway, it seems one can redo the same process at any time.

(I'm in D 7.31. I could of course update to 7.34 but, according to the initial post, it seems the problem is still there...)

Jaypan’s picture

I'm in D 7.31

Then the backdoor is still exposed on your site, and it will keep getting hacked. You need to upgrade as soon as possible, and then remove any backdoors you can find.

See this thread for more info: https://www.drupal.org/drupalsa05FAQ

remaye’s picture

For now I just applied the patch provided here:
https://www.drupal.org/SA-CORE-2014-005
(https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch)

Hope it will do the job...

...and then remove any backdoors you can find

I deleted all unwanted users and removed all permissions to PHP text format.
Don't know if there may be somewhere else to look for backdoors...

Thanks Jaypan !

Jaypan’s picture

Did you look in your menu_router table, as suggested in that thread? That's where I found the backdoor myself.

TWD’s picture

What would a "backdoor" look like in that table?

Jaypan’s picture

remaye’s picture

Did you look in your menu_router table...

No... what am I supposed to find? I have more than 600 entries...

bahkobg’s picture

Hello guys,

I have the same problem. Is there a patch that mitigates this?

TYPE	php
DATE	Sunday, March 8, 2015 - 22:48
USER	Anonymous (not verified)
LOCATION	http://mysite.com/user/login/
REFERRER	
MESSAGE	PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'Crap' AND status = 1' at line 1: SELECT * FROM {users} WHERE name = :name_0, :name_1 AND status = 1; Array ( [:name_0] => FcUk [:name_1] => Crap ) in user_login_authenticate_validate() (line 2154 of /home/obraxg3k/public_html/modules/user/user.module).
SEVERITY	error

poornachandran’s picture

Hi Myron,

There is no problem with the Drupal version you are using. It is up to date. But there was a problem before the release of 7.32. Please check out the announcement about the vulnerability, released on Oct 15th, at this link: http://threatpost.com/assume-every-drupal-7-site-was-compromised-unless-... At that time many Drupal sites were hacked. If you had not updated the site for some time after that, there is a chance that your site might have been already hacked in that period. Even if you update it again, since they already hacked it you can't prevent them.

There are some steps in Drupal to check whether the site has been hacked. Some are: looking for unnecessary files inside your Drupal installation and unnecessary code in your files (for core files you can also check this using the hacked module); checking for any improper entries in the database tables (specifically users and menu); and checking whether any new users have been inserted or existing users' permissions or passwords have been changed. Anyone, please mention if I have missed any.

So if your site is hacked, please check this link https://www.drupal.org/node/2365547 and try to do the needful mentioned in the link. Otherwise no need to worry, my friend.
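
Added example (not part of any post in this thread, and not Drupal's own code): a small Python triage of log messages that separates the two sequences reported above, the warnings ending in a PDOException (the 7.34 sites) and the warnings followed by an empty-name login failure and then a login (the 7.31 site). It assumes each log entry is available as a (client IP, message) pair in time order; the function name, verdict labels and sample entries are made up for the illustration.

```python
import re

# Patterns copied from the log messages quoted in this thread (English and French UI).
ARRAY_WARNING = re.compile(r"expects parameter 1 to be string, array given \S+ "
                           r"(?:drupal_strlen|DatabaseConnection->escapeLike)\(\)")
EXPANDED_NAME = re.compile(r"WHERE name = :name_\w+(?:, :name_\w+)+")
BOUND_VALUE = re.compile(r"\[(:name_\w+)\] => (\S+)")
EMPTY_LOGIN = re.compile(r"Login attempt failed for\s*\.")
SESSION_OPENED = re.compile(r"Session opened for (\S+)\.")

def triage(entries):
    """entries: chronological (client_ip, message) pairs -> {client_ip: finding}."""
    report, stage = {}, {}
    for ip, msg in entries:
        f = report.setdefault(ip, {"verdict": "no-signature", "values": [], "account": None})
        if ARRAY_WARNING.search(msg):
            # An array reached code that expects the login name as a string.
            stage[ip] = 1
            if f["verdict"] == "no-signature":
                f["verdict"] = "array-in-login-name"
        elif "PDOException" in msg and EXPANDED_NAME.search(msg):
            # MySQL rejected the expanded query, so this request failed.
            if f["verdict"] != "suspected-compromise":
                f["verdict"] = "failed-probe"
            f["values"] = [value for _, value in BOUND_VALUE.findall(msg)]
            stage[ip] = 0
        elif stage.get(ip) == 1 and EMPTY_LOGIN.search(msg):
            stage[ip] = 2
        elif stage.get(ip) == 2 and (m := SESSION_OPENED.search(msg)):
            # Warnings, an empty-name failure, then a login: audit this account.
            f["verdict"], f["account"] = "suspected-compromise", m.group(1)
    return report

# Constructed sample built from the messages in this thread; the IPs are
# documentation addresses and "Session opened for" is Drupal's login log line.
W = "Warning: %s() expects parameter 1 to be string, array given %s %s()."
SAMPLE = [
    ("192.0.2.10", W % ("mb_strlen", "in", "drupal_strlen")),
    ("192.0.2.10", W % ("addcslashes", "in", "DatabaseConnection->escapeLike")),
    ("192.0.2.10", "PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 "
                   "SELECT * FROM {users} WHERE name = :name_0, :name_1 AND status = 1; "
                   "Array ( [:name_0] => FcUk [:name_1] => Crap ) in user_login_authenticate_validate()"),
    ("198.51.100.7", W % ("mb_strlen", "dans", "drupal_strlen")),
    ("198.51.100.7", W % ("addcslashes", "dans", "DatabaseConnection->escapeLike")),
    ("198.51.100.7", "Login attempt failed for ."),
    ("198.51.100.7", "Session opened for drupaldev."),
    ("203.0.113.5", "Login attempt failed for Marcferozi."),
]

if __name__ == "__main__":
    for ip, finding in triage(SAMPLE).items():
        print(ip, finding)
```

A "suspected-compromise" verdict only names the account to audit; the clean-up checks listed in the post above still apply.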