
Script Injection Hack

  • hughmiller2001



    Yesterday all 3 of my blogs were hacked. The hackers injected a plugin onto the server called krakozebra and ran a bit of code called krakozebra.php which in turn added a base64_decode line to every bit of php code on my server

    As far as I can tell the krakozebra.php file deleted itself (I can see it ran from my logs) but they did leave the empty directory behind with the plugins.

    I’ve cleaned the PHP code, but I’m at my wits end trying to work out how they got in in the first place. Does anyone have any suggestions?

    Many Thanks


Viewing 15 replies - 1 through 15 (of 22 total)
  • Jamie Durrant


    This has also happened to one of the wordpress installations that I administer. It was hosted on http://www.123-reg.co.uk/

    After asking for them to restore from a backup, they responded with this:

    As wordpress is opensource software, security vulnerabilities are found as people have access to the raw code. So wordpress bring out updates on a frequent basis that provide security fixes to the holes that have been exploited.

    We recommend that you do the following to keep your wordpress site secure.

    1. Update to the latest WordPress version (3.0.1) – (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)

    2. Change all your passwords including ftp and control panel passwords on a frequent basis.

    3. Ensure you deactivate any plugins before update.

    4. Ensure that before installing any plugins you check on the internet if these are secure and people have not been hacked since installing them, as many plugins do a lot of creative things, but have insecure folder permissions making your website open to exploit.

    5. Make regular backups of your site.

    If your site has been hacked then please follow these instructions.

    1. Make a backup of your site (Just in case)

    2. Delete the wordpress site on your webspace

    3. Install the latest version of WordPress (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)

    For further information please see these useful articles

    How to recover from a malware hack on your CMS?


    Tips for cleaning and securing your website


    I always run the latest version of WordPress. I’m also at a loss as to how this could have happened.




    I also host with 123-reg. They are very good at blaming everyone but themselves. I know it doesn’t help with the issue but their shared hosting, and the responsibility they take for it is a bit of a joke. My blogs are moving when this is resolved

    Jamie Durrant


    Yep, they’ve told me that they do NOT restore backups on an individual basis, so I’ve had to remove all the malicious code from my php files by hand. *sigh*




    I don’t know if you can pm on here, but I have a script that will clean the infection very quickly. Of course it doesn’t solve the issue of how they got in in the first place, but 123 reg aren’t helpful on that one either

    If you’d like the script to do this, PM your email and I’ll send it. It was written by securi.net and does clean this hack, but of course, you need to check everything works afterwards


    Jamie Durrant


    That sounds great as I *think* I’ve edited all the php, but they do tend to hide in the unlikeliest places.

    I don’t think there’s PM on here, jamie at jamie durrant dot com.

    Thank you !



    I think it interesting that 123-reg currently has a support notice posted that this is a word press issue and they are waiting for wordpress to publish a patch. If this is the case could we have some details as to how long this will take?

    Phil Gee


    Hi Jamie and Hugh,
    I’m looking for a clean up for this hack too- any chance you could email it to me pip stone at hot mail dot com

    Thank you!

    Jamie Durrant


    123-reg have now issued a statement:

    We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.

    If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack (please ignore this email if you haven’t installed WordPress on your hosting).

    The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress. WordPress is an open source application, making it vulnerable to such attacks.

    As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:
    1. Run a simple cleanup script
    If your WordPress site has been hacked, you will need to run this
    simple cleanup solution script (written to defeat this WordPress hack).
    2. Scan your local machine
    Run a full anti-virus scan on the local PC from which you administer
    your WordPress account.
    3. Change all your user passwords
    Change any user passwords for WordPress account, your FTP
    account and MySQL account.
    4. Change your secret keys
    If hackers have stolen your password they may remain logged into
    your WordPress account until you have changed your secret keys.

    Visit the WordPress key generator to obtain a new random set of keys.

    Then overwrite the secret keys in your wp-config.php file with the new ones.
    This will disable the hacker’s connection.

    5. Take a backup of your WordPress files
    Backup all of your WordPress files to your local PC (label them as
    ‘hacked site backup’). You can then investigate these files later.
    That should do the trick!

    If you have been affected by the WordPress hack, we’re sure that the above steps will completely eradicate the problem – allowing your website to function as before.

    We’d like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.



    Same here guys. Is there any way you guys could help me out?

    I’m really new to all this stuff, so I’ve got no experience whatsoever at going through the scripts, as I’ve no idea what I’m looking for.

    I too host at 123 as well – is there any way to get a hold of that script Hugh – or could you outline what needs to be done Jamie? This will be very appreciated.

    – Iestyn



    I’ve managed to get the script from their site, and everything seems to be working as normal now – is there a way to double check?

    Here’s a link to the script.




    I think the only way to double check is to go through everything with a fine tooth comb, but that script does solve the immediate issues.

    As I posted above I had a file run from my wp-content/plugins area called krakozebra.php. They deleted the file but left the directory. It would seem prudent to clean this and change passwords as a minimum




    I too had this problem but again only with sites hosted on 123-reg.



    This script will clear out the code from existing infected wordpress files http://bit.ly/9GFNNb

    Like everyone else I am more concerned with how it occurred in the first place. More so as someone has reported a second infection after clearing out the first.

    Moderator Ipstenu (Mika Epstein)


    Really? They’re saying this?

    We’d like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.

    Idiots. It’s partly due to the security of your webhosting. If you read the details of the attack you would know that this affected Joomla, Drupal and any PHP based cms. How? Current thinking is that some shared hosting services are vulnerable due to the permissions used for PHP – It runs as the same user for all accounts.

    Now that said, you should run to your server NOW and check your WordPress File Permissions.

    Also I would be bugging the hell out of 123-reg and DEMANDING they both review PHP security as well as publish their SECURE site permissions for running wordpress on their servers.


    I’m sorry y’all are having this problem.

    (BTW, if you’ve been hacked once, CHANGE YOUR PASSWORDS 🙂 Right now. And consider making a separate sql ID with its own password for WordPress and other SQL/PHP apps, so they don’t get your login ID)
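
One way to do the "double check" and the file-permission review discussed in this thread, as an added example that is not part of any post and is not the cleanup script the posters mention. It lists PHP lines that call base64_decode(), files and directories writable by every account on the server, and empty directories left under plugins/. The names scan_tree and build_sample, the sample tree and the assumption that the injected line contains a base64_decode( call are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: the injected line calls base64_decode(); the thread never shows its exact text.
B64_CALL = re.compile(rb"base64_decode\s*\(", re.IGNORECASE)

def scan_tree(root):
    """Return sorted (relative path, finding) pairs for a WordPress tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # An empty directory directly under plugins/, like the leftover one in the first post.
        in_plugins = os.path.basename(os.path.dirname(dirpath)) == "plugins"
        if in_plugins and not dirnames and not filenames:
            findings.append((os.path.relpath(dirpath, root), "empty plugin directory"))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes say nothing about the target
            if mode & stat.S_IWOTH:  # writable by any account on a shared server
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if B64_CALL.search(line):
                            findings.append((rel, f"base64_decode call at line {lineno}"))
    return sorted(findings)

def build_sample():
    """Create a small constructed tree: one injected file, one leftover directory."""
    root = tempfile.mkdtemp()
    old_umask = os.umask(0o022)  # fixed modes regardless of the caller's umask
    files = {
        "index.php": b'<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n<?php // site code\n',
        "wp-content/plugins/hello/hello.php": b"<?php\n// clean plugin\n",
    }
    for d in ("wp-content/plugins/krakozebra", "wp-content/plugins/hello", "wp-content/uploads"):
        os.makedirs(os.path.join(root, d))
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # deliberately weak
    os.umask(old_umask)
    return root

if __name__ == "__main__":
    print(*scan_tree(build_sample()), sep="\n")
```

Point scan_tree at a downloaded copy of the site rather than the sample tree. WordPress core and many plugins call base64_decode() legitimately, so each hit is a line to review, not proof of infection.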


