
Script Injection Hack (23 posts)

  1. hughmiller2001
    Member
    Posted 3 years ago #

    Hi,

    Yesterday all 3 of my blogs were hacked. The hackers injected a plugin onto the server called krakozebra and ran a bit of code called krakozebra.php, which in turn added a base64_decode line to every bit of PHP code on my server.

    As far as I can tell the krakozebra.php file deleted itself (I can see it ran from my logs), but they did leave the empty directory behind with the plugins.

    I've cleaned the PHP code, but I'm at my wit's end trying to work out how they got in in the first place. Does anyone have any suggestions?

    Many thanks

    Hugh
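    The infection described in this post (an eval of a base64-encoded blob prepended to every PHP file) can be found and quarantine-cleaned with a short scanner. The script below is an added example written for this thread; it is not the Sucuri cleanup script mentioned later in the discussion, and the regex is an assumption about the general eval(base64_decode(...)) shape rather than a signature of the actual krakozebra payload, which is not on the page. The sample site, file names and payload it builds are constructed, and every infected file is copied to a backup directory before it is rewritten so the original can still be examined.

```python
"""Find and quarantine-clean injected eval(base64_decode(...)) lines in a WordPress tree.
Added example for this thread; not the Sucuri script and not the real krakozebra payload."""
import base64
import re
import shutil
import tempfile
from pathlib import Path

# Assumed shape of the injection: eval() around base64_decode() of a long literal.
# A generic detector for that construct, not a signature copied from the real hack.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]{40,})['"]\s*\)\s*\)\s*;?"""
)


def find_injections(php_source):
    """Return [(line_number, decoded_preview)] for each suspicious eval line."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in INJECTION_RE.finditer(line):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
                preview = decoded[:60].decode("utf-8", errors="replace")
            except ValueError:
                preview = "<not valid base64>"
            hits.append((lineno, preview))
    return hits


def strip_injections(php_source):
    """Remove only the matched eval(base64_decode(...)) calls; other code is untouched."""
    return INJECTION_RE.sub("", php_source)


def scan_tree(root):
    """Map each infected .php path under root to its list of hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


def clean_tree(root, backup_dir):
    """Copy every infected file into backup_dir (same relative path) before rewriting it
    without the injected calls. Returns the list of rewritten paths."""
    root = Path(root)
    backup_dir = Path(backup_dir)
    rewritten = []
    for path_str in scan_tree(root):
        path = Path(path_str)
        dest = backup_dir / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # keep the 'hacked site backup' for later analysis
        original = path.read_text(encoding="utf-8", errors="replace")
        path.write_text(strip_injections(original), encoding="utf-8")
        rewritten.append(path_str)
    return rewritten


# Constructed sample files. The payload is a harmless echo, long enough to trip the detector.
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'constructed sample payload, harmless';").decode()
INFECTED_PHP = (
    f"<?php eval(base64_decode('{SAMPLE_PAYLOAD}')); ?>\n"
    "<?php\n// constructed infected file\necho 'hello';\n"
)
CLEAN_PHP = "<?php\n// constructed clean file\necho 'hello';\n"


def build_sample_site(root):
    """Write a small constructed tree: two infected files, one clean file, one non-PHP file."""
    root = Path(root)
    files = {
        "index.php": INFECTED_PHP,
        "wp-content/plugins/sample-plugin/sample-plugin.php": INFECTED_PHP,
        "wp-includes/clean.php": CLEAN_PHP,
        "readme.txt": "not PHP, never touched\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    """Build the sample site in a temp dir, scan, clean, rescan; return a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        backup = Path(tmp) / "hacked-site-backup"
        build_sample_site(site)
        before = scan_tree(site)
        rewritten = clean_tree(site, backup)
        after = scan_tree(site)
        return {
            "infected_before": len(before),
            "rewritten": len(rewritten),
            "infected_after": len(after),
            "first_preview": before[str(site / "index.php")][0][1],
            "clean_file_untouched": (site / "wp-includes" / "clean.php").read_text() == CLEAN_PHP,
            "backup_kept": (backup / "index.php").read_text() == INFECTED_PHP,
        }


if __name__ == "__main__":
    print(demo())
```

    Run scan_tree on a copy of the site first and read the decoded previews: a line that decodes to anything other than the site's own code is the one to remove. Cleaning only strips the matched construct, so any other backdoor (a dropped file, a modified plugin) still has to be found by hand, which is why the thread's advice to go through everything afterwards still stands.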

  2. Jamie Durrant
    Member
    Posted 3 years ago #

    This has also happened to one of the WordPress installations that I administer. It was hosted on http://www.123-reg.co.uk/

    After asking for them to restore from a backup, they responded with this :

    As WordPress is open-source software, security vulnerabilities are found as people have access to the raw code. So WordPress brings out updates on a frequent basis that provide security fixes to the holes that have been exploited.

    We recommend that you do the following to keep your wordpress site secure.

    1. Update to the latest WordPress version (3.0.1). (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)

    2. Change all your passwords including ftp and control panel passwords on a frequent basis.

    3. Ensure you deactivate any plugins before update.

    4. Ensure that before installing any plugins you check on the internet if these are secure and people have not been hacked since installing them, as many plugins do a lot of creative things, but have insecure folder permissions making your website open to exploit.

    5. Make regular backups of your site.

    If your site has been hacked then please follow these instructions.

    1. Make a backup of your site (Just in case)

    2. Delete the wordpress site on your webspace

    3. Install the latest version of WordPress. (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)

    For further information please see these useful articles

    How to recover from a malware hack on your CMS?

    http://wiki.mediatemple.net/w/Recovering_from_a_site_compromise

    Tips for cleaning and securing your website

    http://www.stopbadware.org/home/security

    I always run the latest version of WordPress. I'm also at a loss as to how this could have happened.

    jamie

  3. hughmiller2001
    Member
    Posted 3 years ago #

    I also host with 123-reg. They are very good at blaming everyone but themselves. I know it doesn't help with the issue, but their shared hosting, and the responsibility they take for it, is a bit of a joke. My blogs are moving when this is resolved.

  4. Jamie Durrant
    Member
    Posted 3 years ago #

    Yep, they've told me that they do NOT restore backups on an individual basis, so I've had to remove all the malicious code from my php files by hand. *sigh*

  5. hughmiller2001
    Member
    Posted 3 years ago #

    Jamie,

    I don't know if you can PM on here, but I have a script that will clean the infection very quickly. Of course it doesn't solve the issue of how they got in in the first place, but 123-reg aren't helpful on that one either.

    If you'd like the script to do this, PM your email and I'll send it. It was written by sucuri.net and does clean this hack, but of course, you need to check everything works afterwards.

    Hugh

  6. Jamie Durrant
    Member
    Posted 3 years ago #

    Hugh,
    That sounds great as I *think* I've edited all the php, but they do tend to hide in the unlikeliest places.

    I don't think there's PM on here: jamie at jamie durrant dot com.

    Thank you !

  7. hughmiller2001
    Member
    Posted 3 years ago #

    I think it's interesting that 123-reg currently has a support notice posted that this is a WordPress issue and they are waiting for WordPress to publish a patch. If this is the case, could we have some details as to how long this will take?

  8. Phil Gee
    Member
    Posted 3 years ago #

    Hi Jamie and Hugh,
    I'm looking for a clean up for this hack too - any chance you could email it to me? pip stone at hot mail dot com

    Thank you!

  9. Jamie Durrant
    Member
    Posted 3 years ago #

    123-reg have now issued a statement:

    We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.

    If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack (please ignore this email if you haven't installed WordPress on your hosting).

    The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress. WordPress is an open source application, making it vulnerable to such attacks.

    As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:
    1. Run a simple cleanup script
    If your WordPress site has been hacked, you will need to run this simple cleanup solution script (written to defeat this WordPress hack).
    2. Scan your local machine
    Run a full anti-virus scan on the local PC from which you administer your WordPress account.
    3. Change all your user passwords
    Change any user passwords for your WordPress account, your FTP account and MySQL account.
    4. Change your secret keys
    If hackers have stolen your password they may remain logged into your WordPress account until you have changed your secret keys.

    Visit the WordPress key generator to obtain a new random set of keys.

    Then overwrite the secret keys in your wp-config.php file with the new ones. This will disable the hacker's connection.

    5. Take a backup of your WordPress files
    Backup all of your WordPress files to your local PC (label them as 'hacked site backup'). You can then investigate these files later.
    That should do the trick!

    If you have been affected by the WordPress hack, we're sure that the above steps will completely eradicate the problem – allowing your website to function as before.

    We'd like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.

  10. IestynR
    Member
    Posted 3 years ago #

    Same here guys. Is there any way you guys could help me out?

    I'm really new to all this stuff, so I've got no experience whatsoever at going through the scripts, as I've no idea what I'm looking for.

    I too host at 123 as well - is there any way to get hold of that script, Hugh - or could you outline what needs to be done, Jamie? This will be very appreciated.

    - Iestyn

  11. IestynR
    Member
    Posted 3 years ago #

    I've managed to get the script from their site, and everything seems to be working as normal now - is there a way to double check?

    Here's a link to the script.

    http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html

  12. hughmiller2001
    Member
    Posted 3 years ago #

    I think the only way to double check is to go through everything with a fine tooth comb, but that script does solve the immediate issues.

    As I posted above, I had a file run from my wp-content/plugins area called krakozebra.php. They deleted the file but left the directory. It would seem prudent to clean this and change passwords as a minimum.

    Hugh

  13. chrisdoth
    Member
    Posted 3 years ago #

    I too had this problem but again only with sites hosted on 123-reg.

  14. chrisdoth
    Member
    Posted 3 years ago #

    This script will clear out the code from existing infected wordpress files http://bit.ly/9GFNNb

    Like everyone else I am more concerned with how it occurred in the first place. More so as someone has reported a second infection after clearing out the first.

  15. Really? They're saying this?

    We'd like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.

    Idiots. It's partly due to the security of your webhosting. If you read the details of the attack you would know that this affected Joomla, Drupal and any PHP based cms. How? Current thinking is that some shared hosting services are vulnerable due to the permissions used for PHP - It runs as the same user for all accounts.

    Now that said, you should run to your server NOW and check your WordPress File Permissions.

    Also I would be bugging the hell out of 123-reg and DEMANDING they both review PHP security as well as publish their SECURE site permissions for running wordpress on their servers.

    Ugh.

    I'm sorry y'all are having this problem.

    (BTW, if you've been hacked once, CHANGE YOUR PASSWORDS :) Right now. And consider making a separate SQL ID with its own password for WordPress and other SQL/PHP apps, so they don't get your login ID.)
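    The post above says to check WordPress file permissions right away; the audit below is an added example of what such a check looks like, not code from anyone in this thread. It compares a tree against the commonly recommended WordPress baseline (directories 755, files 644, wp-config.php 600) and also flags PHP files sitting under wp-content/uploads, since that directory is meant to hold media, not code. The sample tree it builds is constructed, and the mode checks rely on POSIX permission bits, so it needs a Unix-style filesystem.

```python
"""Audit a WordPress tree against the usual permission baseline. Added example; the
sample tree is constructed and the baseline (755/644/600) is the commonly recommended one."""
import os
import stat
import tempfile
from pathlib import Path

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OR_OTHER_ANY = GROUP_OR_OTHER_WRITE | stat.S_IRGRP | stat.S_IROTH


def audit_permissions(root):
    """Return sorted (relative_path, kind, mode, reason) tuples for every deviation found."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            info = p.lstat()
            if stat.S_ISLNK(info.st_mode):
                continue  # symlinks carry their target's permissions; audit the target instead
            mode = stat.S_IMODE(info.st_mode)
            rel = p.relative_to(root).as_posix()
            if mode & GROUP_OR_OTHER_WRITE:
                findings.append((rel, "dir", f"{mode:04o}", "writable by group/others; baseline 755"))
        for name in filenames:
            p = Path(dirpath) / name
            info = p.lstat()
            if stat.S_ISLNK(info.st_mode):
                continue
            mode = stat.S_IMODE(info.st_mode)
            rel = p.relative_to(root).as_posix()
            if name == "wp-config.php" and mode & GROUP_OR_OTHER_ANY:
                findings.append((rel, "file", f"{mode:04o}", "wp-config.php readable/writable beyond owner; baseline 600"))
            elif mode & GROUP_OR_OTHER_WRITE:
                findings.append((rel, "file", f"{mode:04o}", "writable by group/others; baseline 644"))
            # Code inside the uploads directory is a classic sign of a dropped file.
            if rel.startswith("wp-content/uploads/") and name.endswith(".php"):
                findings.append((rel, "file", f"{mode:04o}", "PHP file inside uploads directory"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed tree with three deliberate deviations and two compliant entries."""
    root = Path(root)
    layout = {
        "wp-config.php": 0o666,                     # secrets readable and writable by everyone
        "index.php": 0o644,                         # compliant
        "wp-includes/ok.php": 0o644,                # compliant
        "wp-content/uploads/dropped.php": 0o644,    # PHP where only media should live
    }
    for rel, mode in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<?php // constructed sample\n", encoding="utf-8")
        target.chmod(mode)
    for rel, mode in {"wp-includes": 0o755, "wp-content": 0o755, "wp-content/uploads": 0o777}.items():
        (root / rel).chmod(mode)  # uploads left world-writable, as often seen on shared hosts


def demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        site.mkdir()
        build_sample_tree(site)
        return audit_permissions(site)


if __name__ == "__main__":
    for rel, kind, mode, reason in demo():
        print(f"{mode} {kind:4} {rel}: {reason}")
```

    On a shared host where PHP runs as one user for every account (the situation the post describes), a world-writable directory is writable by every other customer's scripts as well, which is why the uploads directory in the sample is flagged even though nothing in it is obviously malicious.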

  16. chrisdoth
    Member
    Posted 3 years ago #

  17. andywooles
    Member
    Posted 3 years ago #

    What version of WordPress are you all running? and are you using Contact Form 7?
    My client (also 123 hosted) was running 2.9.2.
    Most of these attacks happen through plugin vulnerabilities.

    I've just installed WordPress Firewall to hopefully block future injection attacks.

    Andy

  18. Jamie Durrant
    Member
    Posted 3 years ago #

    I was running version 3.01 and also Contact Form 7, which I generally use on most of my sites.

    Jamie
    http://www.jamiedurrant.com

  19. hughmiller2001
    Member
    Posted 3 years ago #

    As Jamie,

    I'm also running 3.0.1 and Contact Form 7. I can't believe 123-reg are saying it's all WordPress either. One of my sites has an application called photocart installed. Nothing to do with WordPress, and that had all its PHP done as well.

  20. andywooles
    Member
    Posted 3 years ago #

    One of the challenges with shared hosting is that if they can get enough privileges then potentially all sites on the server can be hit!

  21. chrisdoth
    Member
    Posted 3 years ago #

    Not using Contact Form 7 and have an account that was hacked.

  22. Jamie Durrant
    Member
    Posted 3 years ago #

    Was looking at the logs to see what the hacker was up to, looks like he logged in 12 hours apart, the first time doing something with the theme-editor.php. Most odd.

    amttrade.co.uk 85.234.191.140 - 2010-10-03 17:51:44 POST /wp-login.php - 302 897 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-03 17:51:46 GET /wp-admin/ - 200 43012 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    amttrade.co.uk 85.234.191.140 - 2010-10-04 04:16:53 POST /wp-login.php - 302 897 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-04 04:16:54 GET /wp-admin/ - 200 43012 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 http://www.amttrade.co.uk/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-04 04:17:02 GET /wp-content/plugins/krakozebra.php - 404 23663 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 - 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php - 200 254 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    85.234.191.140 - Geo Information
    IP Address 85.234.191.140
    Host 85.234.191.140
    Location LV, Latvia
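    The log excerpt above shows the whole sequence in a few lines: a successful wp-login.php POST, a visit to the plugin upload page, the upload-plugin POST, then requests for a plugin path that was never installed. The script below is an added example of turning that pattern into a detection over the same space-separated log format; it is not part of this thread. The log lines it contains are constructed to mirror the format posted above, with the host and IP addresses replaced by documentation placeholders (example.com, 203.0.113.5, 198.51.100.7), and the allowlist of installed plugin slugs is an assumption the admin would fill in from their own site.

```python
"""Flag login -> plugin-upload -> unknown-plugin-request sequences in hosting logs.
Added example; sample lines are constructed in the format seen in this thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

PLUGIN_PATH_RE = re.compile(r"^/wp-content/plugins/([^/]+)")


def parse_line(line):
    """Parse one line of the format: host ip - date time method path query status bytes referer agent.
    The user agent has '+' instead of spaces in this format, so a plain split works."""
    parts = line.split()
    if len(parts) < 12:
        return None
    host, ip, _, date, clock, method, path, query, status, _size, _referer, agent = parts[:12]
    return {
        "host": host,
        "ip": ip,
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "method": method,
        "path": path,
        "query": {} if query == "-" else {k: v[0] for k, v in parse_qs(query).items()},
        "status": int(status),
        "agent": agent,
    }


def analyse(lines, known_plugins, window=timedelta(minutes=10)):
    """Return one alert dict per suspicious event, evaluated per client IP in time order."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        last_login = None
        for e in evs:
            stamp = e["time"].isoformat(sep=" ")
            # In these logs a successful login is a 302 from POST /wp-login.php.
            if e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == 302:
                last_login = e["time"]
            if e["path"] == "/wp-admin/theme-editor.php":
                alerts.append({"kind": "theme_editor_access", "ip": ip, "time": stamp})
            if e["path"] == "/wp-admin/update.php" and e["query"].get("action") == "upload-plugin":
                recent = last_login is not None and e["time"] - last_login <= window
                alerts.append({"kind": "plugin_upload", "ip": ip, "time": stamp,
                               "shortly_after_login": recent})
            m = PLUGIN_PATH_RE.match(e["path"])
            if m:
                slug = m.group(1)[:-4] if m.group(1).endswith(".php") else m.group(1)
                if slug not in known_plugins:
                    alerts.append({"kind": "unknown_plugin_request", "ip": ip, "time": stamp,
                                   "slug": slug, "status": e["status"]})
    return alerts


# Constructed sample log, same layout as the thread's excerpt, placeholder host and IPs.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2)"
SAMPLE_LOG = [
    f"example.com 203.0.113.5 - 2010-10-03 17:51:44 POST /wp-login.php - 302 897 - {UA}",
    f"example.com 203.0.113.5 - 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 - {UA}",
    f"example.com 203.0.113.5 - 2010-10-04 04:16:53 POST /wp-login.php - 302 897 - {UA}",
    f"example.com 203.0.113.5 - 2010-10-04 04:16:54 GET /wp-admin/ - 200 43012 - {UA}",
    f"example.com 203.0.113.5 - 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 - {UA}",
    f"example.com 203.0.113.5 - 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 http://example.com/wp-admin/plugin-install.php?tab=upload {UA}",
    f"example.com 203.0.113.5 - 2010-10-04 04:17:02 GET /wp-content/plugins/sample-dropper.php - 404 23663 - {UA}",
    f"example.com 203.0.113.5 - 2010-10-04 04:17:03 GET /wp-content/plugins/sample-dropper/sample-dropper.php - 200 254 - {UA}",
    # Ordinary visitor loading a stylesheet from a plugin that really is installed.
    f"example.com 198.51.100.7 - 2010-10-04 09:00:00 GET /wp-content/plugins/contact-form-7/styles.css - 200 1200 http://example.com/ {UA}",
]
KNOWN_PLUGINS = {"akismet", "contact-form-7"}  # assumed allowlist of what the admin installed


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, KNOWN_PLUGINS):
        print(alert)
```

    The allowlist is what makes the last two hits possible: a request for a plugin slug that was never installed is suspicious regardless of status code, and the 404 followed immediately by a 200 on the nested path shows the uploader probing for where the archive unpacked. The plugin upload itself is a normal admin action, so the alert records whether it followed a login within the window rather than treating it as hostile on its own.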

  23. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    since there is no plugin named krakozebra, get that out of your install!

    seems they installed a plugin for you, how nice.......
