Scrpit Injection Hack

  • hughmiller2001

    (@hughmiller2001)


    15 years, 6 months ago

    Hi,

    Yesterday all 3 of my blogs were hacked. The hackers injected a plugin onto the server called krakozebra and ran a bit of code called krakozebra.php which in turn added a base64_decode line to every bit of php code on my server

    As far as I can tell the krakozebra.php file deleted itself ( I can see it ran from my logs) but they did leave the empty directory behind with the plugins.

    I’ve cleaned the PHP code, but I’m at my wits end trying to work out how they got in in the first place. Does anyone have any suggestions?

    May Thanks

    Hugh

Viewing 7 replies - 16 through 22 (of 22 total)
1 2
  • andywooles

    (@andywooles)

    15 years, 6 months ago

    What version of WordPress are you all running? and are you using Contact Form 7?
    My client (also 123 hosted) was running 2.9.2.
    Most of these attacks happen through plugin vulnerabilities.

    I’ve just installed WordPress Firewall to hopefully block future injection attacks.

    Andy

    Jamie Durrant

    (@jamie-durrant)

    15 years, 6 months ago

    I was running version 3.01 and also Contact Form 7, which I generally use on most of my sites.

    Jamie
    http://www.jamiedurrant.com

    Thread Starter hughmiller2001

    (@hughmiller2001)

    15 years, 6 months ago

    As Jamie,

    I’m also running 3.0.1 and Contact form 7. I can’t believe 123-reg are saying its all WordPress either. One of my sites has an application called photocart installed. Nothing to do with wordpress and that had all its PHP done as well

    andywooles

    (@andywooles)

    15 years, 6 months ago

    One of the challenges with shared hosting is that if they can get enough privileges then potentially all sites on the server can be hit!

    chrisdoth

    (@chrisdoth)

    15 years, 6 months ago

    Not using contact form 7 and have account that was hacked.

    Jamie Durrant

    (@jamie-durrant)

    15 years, 6 months ago

    Was looking at the logs to see what the hacker was up to, looks like he logged in 12 hours apart, the first time doing something with the theme-editor.php. Most odd.

    amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:44 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:46 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:53 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:54 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 http://www.amttrade.co.uk/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:02 GET /wp-content/plugins/krakozebra.php – 404 23663 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    http://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php – 200 254 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    85.234.191.140 – Geo Information
    IP Address 85.234.191.140
    Host 85.234.191.140
    Location LV, Latvia

    Rev. Voodoo

    (@rvoodoo)

    15 years, 6 months ago

    since there is no plugin named krakozebra, get that out of your install!

    seems they installed aplugin for you, how nice…….

Viewing 7 replies - 16 through 22 (of 22 total)
1 2

The topic ‘Scrpit Injection Hack’ is closed to new replies.