Hack attempts? Do we have a problem?

[sharpweb]

Hi, extremely long post warning!

One of the sites I've built with PW had 15 each of these errors 4 days ago:

  Quote

4 days ago 2025-02-20 09:30:20	-	/products/	Fatal Error: Uncaught Error: Class "FieldtypeText" not found in /wire/modules/Fieldtype/FieldtypePageTitle.module:17 Stack trace: 1. /wire/core/ModulesFiles.php(324): include_once() 2. /wire/core/ModulesLoader.php(682): ModulesFiles->includeModuleFile('/home/xxx/pub...', 'FieldtypePageTi...') 3. /wire/core/Modules.php(667): ModulesLoader->includeModule(false, '/home/xxx/pub...') 4. /wire/core/Modules.php(574): Modules->includeModule('FieldtypePageTi...') 5. /wire/core/Fieldtypes.php(194): Modules->getModule('FieldtypePageTi...') 6. /wire/core/Fields.php(203): Fieldtypes->get('FieldtypePageTi...') 7. /wire/core/WireSaveableItems.php(260): Fields->makeItem(Array) 8. /wire/core/Fields.php(255): WireSaveableItems->initItem(Array, Object(FieldsArray)) 9. /wire/core/WireSaveableItems.php(953): Fields->initItem(Array) 10. /wire/core/WireSaveableItems.php(469): WireSaveableItems->getLazy(1) 11. /wire/core/Fieldgroup.php(127): WireSaveableItems->get(1) 12. /wire/core/Fieldgroup.php(380): Fieldgroup->add(1) 13. /wire/core/WireSaveableItemsLookup.php(122): Fieldgroup->addLookupItem(1, Array) 14. /wire/core/WireSaveableItems.php(953): WireSaveableItemsLookup->initItem(Array) 15. /wire/core/WireSaveableItems.php(469): WireSaveableItems->getLazy(1) 16. /wire/core/Template.php(796): WireSaveableItems->get(1) 17. /wire/core/Templates.php(132): Template->setRaw('fieldgroups_id', 1) 18. /wire/core/WireSaveableItems.php(260): Templates->makeItem(Array) 19. /wire/core/WireSaveableItems.php(953): WireSaveableItems->initItem(Array) 20. /wire/core/WireSaveableItems.php(469): WireSaveableItems->getLazy(1) 21. /wire/core/Templates.php(252): WireSaveableItems->get(1) 22. /wire/core/PagesLoader.php(1241): Templates->get(1) 23. /wire/core/Pages.php(217): PagesLoader->getById(Array) 24. /wire/core/ProcessWire.php(625): Pages->init() 25. /wire/core/ProcessWire.php(582): ProcessWire->initVar('pages', Object(Pages)) 26. /wire/core/ProcessWire.php(315): ProcessWire->load(Object(Config)) 27. /home/xxx/public_html/index.php(52): ProcessWire->__construct(Object(Config)) #27 {main} thrown Line 17 of /wire/modules/Fieldtype/FieldtypePageTitle.module
4 days ago 2025-02-20 09:30:20	-	/products/	Error: Exception: SQLSTATE[HY000] [1040] Too many connections In /wire/core/WireDatabasePDO.php line 505

Expand  

I figured it was some sort of DoS attack that was destined to fail, but the FieldtypeText errors were a bit curious, possibly part of the overload of the database.  Then last night I got a bunch of different errors:

  Quote

9 hours ago 2025-02-24 04:03:49	-	/site/assets/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
9 hours ago 2025-02-24 04:03:43	-	/site/modules/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
9 hours ago 2025-02-24 04:00:30	-	/site/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
9 hours ago 2025-02-24 03:52:05	-	/site/templates/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:37:15	-	/covid19-policy/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:29:37	-	/covid19-policy	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:19:43	-	/wire/modules/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:13:51	-	/form-builder/join/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:12:38	-	/wire/templates-admin/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:12:23	-	/wire/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:12:10	-	/article/another-test-article-about-nothing/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:12:00	-	/form-builder/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:11:26	-	/form-builder/contact/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:06:43	-	/article/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:05:14	-	/article/test-article/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:04:57	-	/telehealth	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 03:04:37	-	/telehealth/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 02:56:58	-	/sitemap.xml	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 02:49:28	-	/form-builder/contact/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936
10 hours ago 2025-02-24 02:47:37	-	/form-builder/join/	Error: Exception: SQLSTATE[42000]: Syntax error or access violation: 3057 Incorrect user-level lock name '1'. In /wire/core/WireDatabasePDO.php line 936

Expand  

This seemed a little more serious to me.  It was targeting admin folders.  I checked all the /wire/ and /site/ links and they all throw a 404 as expected.  They also targeted unpublished pages and a couple of published test pages for some reason, but there are some old links on the site to them that shouldn't be there.  

I checked the logs are there  18,000 requests from last night from a single IP (I won't post in case they are snooping the internet for that IP).  I can share the logs if anyone wants to see but needless to say there are a lot of probing URLs like those quoted below.  Notably the last bunch of probes all returned 404 or 500.
 

  Quote

[24/Feb/2025:12:03:06 +0000] "GET /site/assets/ HTTP/1.1" 404 13165 "https://www.google.com/search?hl=en&q=testing" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

[24/Feb/2025:09:20:29 +0000] "GET /about'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||' HTTP/1.1" 404 13165 "https://xxx.ca/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

[24/Feb/2025:09:20:29 +0000] "GET /sports-therapy/v7u3w371mutl.php HTTP/1.1" 404 13165 "https://xxx.ca/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

[24/Feb/2025:09:20:28 +0000] "GET /article/another-test-article-about-nothing/database.sqlite HTTP/1.1" 404 13165 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

etc......
 

Expand  

What I don't understand is why the error "Syntax error or access violation: 3057 Incorrect user-level lock name '1'." shows up 20 times.  Were those successful probes?  Or closer to successful?

Perhaps from their first probe they figured out the site was in PW and then used the second one to attempt to access forbidden areas of the site?

The code is in a GIT repo and I can confirm that no files on the server have been changed, although the /site/assets folder is excluded from the repo.

I can also confirm that there are no tables added to the database (I have a backup from the day before) and the only tables with new rows were ones that make sense (except the one below) like process_changelog (things I did today) and sessions.

The one that stood out was module_sert_keywords (https://github.com/marcostoll/processwire-search-engine-referrer-tracker) which only had a bunch of new rows, but my understanding of the module is that it adds rows when the referrer is Google, so any hack attempt that pretended to come from google would add a record.  There were about 220 new records that look like this:

  Quote

Expand  

So I think the site did it's job and kept the hacker out, but I'm not 100% sure and wanted to share my findings with the PW community.  I'm not a security expert, just a security conscious developer.

Modules are mostly up to date, but 3 have updates available (Tracy, Changelog and Jumplinks) and the core is still at 3.0.229

I'm happy to share any other details that are needed, possibly by DM if they are sensitive.

Thanks for getting to the end!

Chris

Edited February 24 by sharpweb

[wbmnfktr]

  On 2/24/2025 at 10:51 PM, sharpweb said:

The code is in a GIT repo

Expand  

Is that one public? If so... change that!

 

For everything else... I'm absolutely not sure this was or wasn't a hacking attempt but at least it looks like someone was scanning the website and the server/hosting - especially the database - couldn't handle that much traffic/pings/requests. This could have been Google, ChatGPT,  or whatever crawler/bot/spider is active right now.

That FieldtypeText log at the beginning seems to indicate there is something it can't handle for whatever reason. Might be a hook that updates a text field or something. I'd probably use this as starting point for everyting PW-related.

Please check the other /site/assets/logs/ files for more entries, check server log files to see what happened elsewhere on the server and so on.

[sharpweb]

  On 2/25/2025 at 12:37 AM, wbmnfktr said:

Is that one public? If so... change that!

Expand  

Definitely private. 

Thanks for your reply, I'll try to look at the PW logs and server logs in more detail.  Some of that was pasted above, but I could definitely spend more time looking when I have time.

[AndZyk]

Hello @sharpweb,

I am not sure if really somebody tried to attack your website, but if that happens again maybe this commercial module could help. 😉
https://processwire.com/store/pro-dev-tools/wire-request-blocker/

Regards, Andreas

[sharpweb]

  On 2/25/2025 at 1:16 PM, AndZyk said:

I am not sure if really somebody tried to attack your website, but if that happens again maybe this commercial module could help. 😉
https://processwire.com/store/pro-dev-tools/wire-request-blocker/

Expand  

I'm working with my host to see what they can do, but will look into this as well. Thanks!