As of October 4, 2010, we've confirmed reports of websites hosted at www.123-reg.co.uk being hacked with fake-AV malware. The "meqashopperinfo" malware injects a very long block of encoded script into every .php file it can write to, including the files of self-hosted WordPress blogs.
This malware is dangerous and can infect the computers of people who visit your site. If you host at 123-reg, check your .php files immediately for malicious code.
The quickest ways to check are to run a free malware scan at *Sucuri.net, or to log in to the server via SFTP and look at the dates and times of your .php files: if they have all been modified at the same recent date and time, assume the malware rewrote them. A modification time is only a hint, though, since an attacker can reset it; the reliable check is to compare each file against a freshly downloaded copy of WordPress, your theme and your plugins.
The meqashopperinfo script redirects visitors to a fake anti-virus website that tries to trick them into "scanning" their computer for viruses. Once the visitor clicks the link, malware is downloaded onto their computer. Caution: on an unprotected computer this can happen without the visitor's knowledge.
A source code view of this malicious javascript looks like:
Other domains used in this malicious code are http://meqashoppercom[dot]com/js.php and http://meqashopperonline[dot]com/js.php.
The fake AV site that visitors are redirected to is http://www4.in-scale-feed.in.
All of the above domains except www4.in-scale-feed.in were registered to "Hilary Kneber" on 9/21/2010. The same registrant name has appeared in many of this year's attacks on various hosting companies, including our reports of the myblindstudioinfoonline malware on 9/17/2010, the cloudisthebestnow malware on 6/8/2010, and the lostorana malware on May 17 and 20, 2010.
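The checks above (modified .php files, encoded code at the top of a file, a script tag pulling js.php from one of the meqashopper domains) can be automated. The script below is an added example written for this page, not code from the post, from Sucuri or from 123-reg. It walks a directory, flags every .php file that matches one of those indicators, and separately tags files modified within a chosen window, so you can see which recently touched files also carry injected code. The indicator patterns are my own generalisation of what the post and its comments describe (an eval() of a decoded payload, a long base64 string, a remote js.php include, the meqashopper* domains); the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
import time
from typing import Dict, List, Optional

# Indicators modelled on what this post and its comments describe: an eval() of an
# encoded payload and a long base64 string at the top of .php files, and a <script>
# tag at the foot of pages pulling js.php from one of the meqashopper* domains.
# These are assumptions about the injection's shape, not signatures taken from it.
INDICATORS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "remote_js_php_include": re.compile(
        r"<script[^>]*\bsrc\s*=\s*['\"]?https?://[^'\">\s]+/js\.php", re.I),
    "meqashopper_domain": re.compile(r"meqashopper(?:info|com|online)\.com", re.I),
}


def scan_php_source(text: str) -> List[str]:
    """Names of the indicators that fire on one file's contents, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: str, modified_within_hours: Optional[float] = None) -> Dict[str, List[str]]:
    """Walk `root`, scan every .php file and return {relative path: [indicators]}.

    Files touched within `modified_within_hours` get an extra 'recently_modified'
    tag. Treat mtime as a hint only: an attacker can reset it, so a file that looks
    untouched still needs comparing against a pristine copy.
    """
    cutoff = None if modified_within_hours is None else time.time() - modified_within_hours * 3600
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if cutoff is not None and os.stat(path).st_mtime >= cutoff:
                hits.append("recently_modified")
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a tiny fake WordPress tree with two infected files and one clean one."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "default"))
    samples = {
        # injected prefix modelled on the comments ("base64 code at the top"); the payload is filler
        "wp-config.php": '<?php eval(base64_decode("' + "QUFB" * 60 + '")); ?>\n'
                         '<?php\ndefine("DB_NAME", "wp");\n',
        # injected footer modelled on Ian's comment ("script tag at the foot ... js.php")
        "wp-content/themes/default/footer.php":
            '</div>\n<script type="text/javascript" src="http://meqashopperinfo.com/js.php"></script>\n'
            '</body></html>\n',
        "index.php": '<?php\nrequire "wp-blog-header.php";\n',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, hits in scan_tree(root, modified_within_hours=24).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real account, point `scan_tree` at the directory you downloaded over SFTP. Note that with the mtime window enabled the clean index.php is also reported, tagged only as recently modified: that is the point of combining the two checks, since timestamps alone cannot tell a freshly uploaded clean file from an injected one.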
We have reported these malicious domains to Google as unsafe, and are currently working on tracking down the hosting company to get them shut down.
If your WordPress blog has been hacked and you need help fixing it, visit our WordPress Security Services page or contact us.
We need your help…
If your WordPress blog was compromised while hosted at 123-reg, please let us know what kind of code you found in your infected files, or describe the symptoms you saw on your website, by leaving a comment below.
If you know anyone else hosted at www.123-reg.co.uk, please forward them this information so they can check their website. Click the Share Button below.
Securely yours,
Regina Smola
WordPress Security Specialist
Follow on Twitter @WPSecurityLock
Become a Facebook Fan
Update:
October 6, 2010 at 8:38am – In an effort to get a statement for our readers about the current issue at www.123-reg.co.uk, I tried to contact them, but I am unable to "Ask a Question" unless I have an account. (Good thing I didn't want to "Buy something" and speak with them first.)
However, I did find the latest Security Warning at 123-reg:
Security warning for websites using WordPress
Created: 05 October 2010, 11:28
Last Updated: 06 October 2010, 05:30
We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.
If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack.
The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress.
As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:
1. Run a simple cleanup script
If your WordPress site has been hacked, you will need to run this simple cleanup solution script (written to defeat this WordPress hack).
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html
2. Scan your local machine
Run a full anti-virus scan on the local PC from which you administer your WordPress account.
3. Change all your user passwords
Change any user passwords for your WordPress account, your FTP account and MySQL account.
*** Note for users of 123-APPS ***
The database management screen will warn that changing the MySQL password can potentially cause problems with your applications. This can be avoided by manually updating your WordPress configuration by taking these steps:
a) From the manage hosting screen, click File manager.
b) Locate your wordpress installation directory and double click it.
c) Locate the file wp-config.php, highlight it and click the edit link in the left hand menu.
d) Under the MySQL settings, locate your database password; it should look something like this:
/** MySQL database password */
define('DB_PASSWORD', 'Pa55word');
Change the part that says Pa55word to the new password you created.
4. Change your secret keys
If hackers have stolen your password they may remain logged into your WordPress account until you have changed your secret keys.
5. Take a backup of your WordPress files
Backup all of your WordPress files to your local PC (label them as 'hacked site backup'). You can then investigate these files later.
That should do the trick! If you have been affected by the WordPress hack, we're sure that the above steps will completely eradicate the problem – allowing your website to function as before.
We'd like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.
My opinion: This is NOT a WordPress hack. We have confirmed reports that this malware affected every .php file on the account, including accounts that do not run WordPress at all and blogs that were already on the latest stable version, 3.0.1. This is a hacker attack that finds a way in, uploads a script and runs it over the account's files via FTP access, and it is hitting numerous hosting providers.
However, I agree with the "simple steps" they give above, with one exception: the placement of Step 5. If you make the backup after running the cleanup script, you have backed up a clean copy, not a "hacked site" backup; take that copy before you clean if you want something to investigate later. Step 4 is very important. Be sure not to miss this one!
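Steps 3 and 4 of the notice both come down to editing define() lines in wp-config.php, and step 3 is the one people get wrong (Phil, further down, changed the password and got "Error establishing a database connection"). The script below is an added example for this page, not code from 123-reg, Sucuri or WordPress: it rewrites DB_PASSWORD and generates fresh values for all eight authentication keys and salts in the text of a wp-config.php. It assumes the standard `define('NAME', 'value');` layout that WordPress 3.0 ships, and the sample configuration it operates on is constructed, with the placeholder password from the notice.

```python
import re
import secrets
import string

# The eight keys/salts WordPress 3.0 defines in wp-config.php (step 4 of the notice).
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters safe inside a single- or double-quoted PHP string literal: no quotes, no backslash.
PHRASE_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.~"

# Constructed sample of the lines this procedure touches; values are the WordPress
# defaults plus the placeholder password used in 123-reg's notice.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database password */
define('DB_PASSWORD', 'Pa55word');

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""


def _define_pattern(name: str):
    # Matches define( 'NAME' , 'value' ) ; with either quote style and any spacing.
    return re.compile(
        r"define\(\s*(['\"])" + re.escape(name) + r"\1\s*,\s*(['\"])(.*?)\2\s*\)\s*;"
    )


def read_define(config: str, name: str):
    """Current string value of a define(), or None if it is not present."""
    m = _define_pattern(name).search(config)
    return m.group(3) if m else None


def set_define(config: str, name: str, value: str) -> str:
    """Replace the value of one define(); refuses values that would break the PHP literal."""
    if any(ch in value for ch in "'\"\\"):
        raise ValueError("value must not contain quotes or backslashes")
    new, count = _define_pattern(name).subn(
        lambda m: f"define({m.group(1)}{name}{m.group(1)}, {m.group(2)}{value}{m.group(2)});",
        config, count=1)
    if count != 1:
        raise ValueError(f"{name} is not defined in this wp-config.php")
    return new


def random_phrase(length: int = 64) -> str:
    """A fresh key/salt from the OS CSPRNG (the secrets module)."""
    return "".join(secrets.choice(PHRASE_ALPHABET) for _ in range(length))


def rotate_secrets(config: str, new_db_password: str) -> str:
    """Step 3 (DB_PASSWORD) and step 4 (all eight keys/salts) applied to the file text.

    The MySQL password must also be changed on the database server itself; updating
    only this file produces "Error establishing a database connection".
    New keys/salts invalidate every existing login cookie, the attacker's included.
    """
    config = set_define(config, "DB_PASSWORD", new_db_password)
    for key in WP_SECRET_KEYS:
        config = set_define(config, key, random_phrase())
    return config


if __name__ == "__main__":
    print(rotate_secrets(SAMPLE_WP_CONFIG, "N3w.Example.Pass"))
```

To use it on a real site, read wp-config.php into a string, pass it through `rotate_secrets`, write it back, and then set the same new password on the MySQL side. The rewritten lines lose the column alignment of the originals, which PHP does not care about.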
October 6, 2010 at 9:40am – If your site was hacked at 123-reg, can you please provide the server's Apache, Linux, PHP and MySQL versions, the permissions on your public_html directory, and whether that directory is owned by "you"? This will help with forensics. Just leave it in a comment below.
* Denotes our affiliate link. If you make a purchase through this link, we receive a commission.
Daniel Fenn says
It's really sad to see that there are people out there who have nothing better to do than infect people's computers.
My question is, if it's the same guy who infected other websites, why don't they get locked up?
Daniel Fenn
MTA
Michael Schultz says
Hackers are very dynamic, they are able to change every aspect about how they connect to their victims within seconds. When you think you have them pegged, they completely run you over from a different direction. I imagine that the hosts are having the same problem trying to find and block the hacker(s).
Lorraine Yeung says
My website got hacked…. some symptoms included pictures not uploading, pop ups on my iphone. script being displayed….
Urgh… I’m not techy enough to deal with this!!! GRRRR!!!!!
Regina Smola says
Hi Lorraine,
Sorry to hear your site got hacked. Don't panic. It can be fixed. You just have to get the malware removed ASAP so your site doesn't infect your visitors and doesn't get blacklisted by Google. We're here for you. Send me an email so we can help.
Peter Moore says
Hi Regina,
It happened yesterday to a new wordpress site I was setting up for a client (hosted by 123-reg).
I only found out today then about 1 hour ago a friend of mine said his site hosted by 123-reg had also been hit, he deleted everything and started again.
I checked my client's site; all WordPress php files in all directories (wp-admin, wp-content and wp-includes) were showing yesterday's date, so I am guessing they were all infected.
I downloaded and checked a few of the main files such as wp-config.php and they all had a load of base64 code at the top.
I deleted and replaced all the wordpress php, theme and plugin files and changed the password for the database as they had accessed the config file.
The site is now back up. Is there anything else you recommend doing?
Pete
Regina Smola says
Hi Peter,
Thanks for sharing. I’m glad you got it back up.
I would suggest changing the passwords for cpanel, ftp, and admins. Also check the server permissions to make sure they are set to 755 for directories and 644 for files. Sometimes malicious hackers put “mystery” files on servers that can perform more damage. Be sure you check all directories for anything that looks unusual, including any non-WordPress directories like the cgi-bin, etc.
I would also ask the hosting company for a FTP log so you can see if that’s how they got in.
Make sure all computers are virus free that access the site via FTP.
Pete Moore says
Hi Regina,
I have done all you suggested thanks for that.
The only thing I have yet to do is change all files to 644. Could that potentially cause an issue with plugins working, or is it just a matter of try and see?
Thanks
Pete
Regina Smola says
Hi Pete,
You should never set any file permissions higher than 644 for security. All files should work with this setting for WordPress, even plugins. If a plugin doesn’t work don’t use it or it could be because the server that you’re on is not set up correctly for your needs. If you have problems, please contact me right away.
Twelvefootsnowman says
4 of my WordPress sites that are hosted on 123-Reg have had this issue.
All 4 were hit with the meqashopperinfo hack on Monday. I removed the malware, changed FTP details, WP login info, salt and auth keys, checked CHMOD permissions and contacted 123 Reg. They claimed it was my fault for not setting the WP sites up properly! Really? I installed them all with the 123-Reg One Click install system!
Checked the sites again this morning, all 4 have been hacked again. Seems to me that there’s a vulnerability in the 123-Reg FTP system.
Regina Smola says
Wow! That’s not good to have it happen again.
This would tell me that it may be a hosting issue if it happened again.
Check to make sure your computers are clean of viruses and also follow the suggestions I gave to Pete earlier.
Let me know if you need any more help.
Regina Smola says
Yes, that shows all the php files that the malware hit. Were you able to get it cleaned yet?
I hear your frustration about getting replies from customer service. Without replies, and without the security hole being closed, people will change hosting.
Alex says
Fortunately I spotted this site: http://bit.ly/bry3je
Which described the fault and provided a PHP file to upload and sort the issue. I know uploading files from a site you don’t know is a bit suspect but both the security plugins I subsequently installed (exploit scanner and anti virus) confirmed the script had sorted the problem.
It’s also the link/file 123-reg later recommended people use to clean up after the hack.
The root FTP account is uneditable on 123-reg, which is really a no-no.
Regina Smola says
Glad you found the script at Sucuri.net to help get it fixed. They’re good people! We use their web integrity monitoring service with hourly malware scans. We highly recommend it. No webmaster should be without it.
Can you tell me what the server permission is for your public_html directory and who is the owner of that directory? Hopefully it’s you.
Also do you know what versions of Apache, Linux, PHP MySQL are on the server?
hugh miller says
PHP is 5.2.5 or 4.4.8 you can choose
mysql is v5
I’m not sure for Apache & Linux
Hugh
Regina Smola says
Hi Hugh,
Thanks for the info. No one should ever choose any PHP 4 version. It's full of security risks; that's the main reason PHP 5 was released.
The server you're on is very outdated. PHP 5.2.5 was released on November 8, 2007 and there have been 13 new releases containing hundreds of security fixes since then. The current version is PHP 5.3.3.
You can see them here: http://www.php.net/ChangeLog-5.php#5.2.5
To locate your Apache and Linux versions, see if you have an info.php page on your server. This will give detailed information about the applications on your server. If you don't have one, click here for instructions on making one yourself.
A great plugin to check versions and vulnerabilities is ServerBuddy.
Alex says
Looking in the permissions of public_html via filezilla, the permission is xxx which I’m guessing isn’t right? Having said that 123’s web ftp reckons the public don’t have write permission, so goodness knows :/
MySQL client version: 5.0.77
Apache, I think its 1.1 from looking at the server log file but I’m out of my depth here 🙂
Regina Smola says
Hi Alex,
When you right-click on your public_html via FTP can you see what the permissions are other than XXX. Can you try using FileZilla? Right-click and choose “file permission” and it will show you the values and the number.
MySQL 5.0.77 was released in January 2009. There have been 6 releases since then, including ones closing security holes. You can see the notes here. I'm on HostGator and I'm on 5.1.50. Your host should upgrade to the 5.1.x series. That's what they're there for.
Jaana says
The same happened here. Found the krakozebra file as well, did a completely clean install, changed all passwords (the FTP password can now be changed through the control panel), added AskApache and other security measures, and so far so good.
In addition to what’s been said above, the MySQL control panel also says: Your PHP MySQL library version 5.0.77 differs from your MySQL server version 5.1.47. This may cause unpredictable behavior.
PHP version is 5.2.6. So, apparently they still haven’t done anything to update anything…
Regina Smola says
Hi David,
Thanks for sharing. I see they ran a command via SSH. Luckily, they were able to fix it. Many users are not familiar with SSH and it is quite a learning curve.
This malware doesn’t just infect WordPress sites updated or not. It’s a nasty script that attacks any .php files on a server.
Keeping my fingers crossed they don’t get reinfected.
Regina Smola says
I’ve updated this blog post just below my signature regarding 123-reg.
Chris says
The 123-Reg email is very disingenuous placing all blame with WordPress when it is clearly an issue with their hosting.
The attack was made on my 123-reg hosted site on 4th October at 5am and it took them two days to respond to this. I am not very impressed.
This script, http://bit.ly/9GFNNb removes the infection scripts but I’m worried reading that some people have been hacked twice
Regina Smola says
Chris,
Sorry to hear you were a victim too of this malware attack. Unfortunately, the hosting company believes or believed that it was a WordPress issue. But from comments left on this blog and emails submitted to us, it’s clearly not a WordPress issue. This malware injects code on any .php file found on the server. It also seems to come from FTP logins, which has nothing to do with WordPress.
The reason is that EVERY person’s site that was attacked all had infected computers with a virus that steals passwords and the numbers of victims are growing rapidly. Or the hosting servers have security holes somewhere and there are multiple hosting providers all experiencing this same issue. I vote for the later.
Hugh Miller says
All three sites I host with 123-reg were hacked on Monday. Signs and symptoms as described above, and 123-reg themselves can only be described as useless. For all their posturing about it being a WordPress issue, I have a second application called Photocart on my sites which was also hacked.
One thing I did notice... in my wp-content/plugins folder I had a new folder called krakozebra. It was empty; however, looking at my server logs, a file called krakozebra.php had run and then deleted itself from that folder.
Regina Smola says
Hi Hugh,
It's a shame you had your sites hacked. This is not a WordPress issue. I personally believe it's a hole in the server somewhere that hackers are getting into and injecting their venom into any .php file they can find, just like this same malware attack happened on other hosting companies.
Good forensics Hugh!!!! Finding and sharing that directory (krakozebra) helps us all to watch for these things. Plus the fact that you looked at your server logs and saw the krakozebra.php file was run and then deleted itself. Good job! I think I’ll call you Detective Hugh 🙂 It’s people like you that help us all stay a little safer online. Thank you!
Let me know if you need any help.
Pete Moore says
Yeah I had the empty krakozebra plugin directory on my clients site.
Forgot to mention that yesterday.
Pete
Regina Smola says
Hackers love to hide their “trigger” files where we would not notice them right away and unfortunately, some webmasters never look.
Sometimes they hide them in the uploads folder as well. And if you have your images organized in month/year folders they can be even harder to find. After a site's been up a while, there are many folders created.
I’m reading your post over at wordpress.org’s forums. It is unbelievable what Jamie posted about 123-reg’s response about WordPress and security vulnerabilities. I’m going to contact them for a statement and hopefully update this post with it.
Regina Smola says
Amazingly, I cannot “Ask a Question” to 123-reg unless I have a username and password.
However, I am updating this post with their latest Security Warning for you in case you missed it.
Alex says
Additionally I would say 123-reg do not allow you to change the admin FTP password. I have emailed them over this and had no reply.
Regina Smola says
Alex,
Thanks for your comment.
Being able to change my own FTP password is essential to me. I would consider changing hosts or demand a reply. Have you tried contacting them in their forums?
Michael Schultz says
I agree! I have never heard of a host that didn’t allow you to change any password you wanted. That’s highly unusual, typically you can easily contact your host any time via online chat, shooting them a quick call, or using the forums like Regina mentioned.
Alex says
This is what the 123-reg control panel has to say on FTP accounts:
“Your FTP accounts
FTP allows you to easily manage all of your website content. By using FTP you can quickly upload, edit and delete your website files. The [email protected] is your default FTP and you cannot Edit that account.Click on the link below to create and manage your FTP accounts.”
Complete with the visible break tag.
Regina Smola says
So you’re saying you cannot edit the default ftp password? A good security practice is to be proactive in changing all your passwords often.
Update: Peter says that you change the FTP password by clicking on the “Key Icon.” See this comment.
Alex says
the visible break tag is parsed properly by your comments, unlike their webpage 🙂
Peter says
I had the same setting; however, you can change the password of the default FTP account. At this screen, click on the small key icon and you are prompted for the new password.
Regina Smola says
Thanks for the advice Peter. It sounds like many are missing or not seeing the “key icon.” Hopefully, everyone will find it now and get their FTP passwords changed.
One thing I also wanted to mention is to check to see if there are any OTHER FTP accounts that have access to your account. Look in your control panel and make sure they’re okay and change those passwords too.
Regina Smola says
Peter, your site’s down for me. Gives me a DNS error.
Peter says
No I just type all the W’s in www. I was up late yesterday fixing, that is my excuse and I am sticking to it 🙂
Regina Smola says
LOL It’s working now.
Chris says
Just to add I too had the empty krakozebra appear.
Hugh says
From our server log, does this help?:
85.234.191.140 – 2010-10-04 01:06:02 POST /blog/wp-login.php – 302 932 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
85.234.191.140 – 2010-10-04 01:06:05 GET /blog/wp-admin/ – 200 26111 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
85.234.191.140 – 2010-10-04 01:06:09 GET /blog/wp-admin/plugin-install.php tab=upload 200 16130 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
85.234.191.140 – 2010-10-04 01:06:10 POST /blog/wp-admin/update.php action=upload-plugin 200 13081 http://www./blog/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
85.234.191.140 – 2010-10-04 01:06:11 GET /blog/wp-content/plugins/krakozebra.php – 404 9479 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
85.234.191.140 – 2010-10-04 01:06:12 GET /blog/wp-content/plugins/krakozebra/krakozebra.php – 200 254 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
Regina Smola says
Hi Hugh,
Yes that does help! That IP 85.234.191.140 is located in the country of Latvia. This shows us what the hacker did inside your WordPress Dashboard (wp-admin).
wp-login.php < logging into your site
wp-admin < accessing your Dashboard
wp-admin/plugin-install.php < installing a plugin
wp-admin/update.php < used to update WordPress
wp-content/plugins/krakozebra.php < activating the plugin
wp-content/plugins/krakozebra/krakozebra.php < running the plugin
Make sure you access your database and make sure there are not any hidden users. Browse inside your wp_users and see how many users are listed under column user_login. Delete any that you don't know immediately.
This log does not tell us what username he used to access your site, but make sure you change all passwords that have access.
One plugin I would highly recommend you install is the Exploit Scanner. It will tell you if there is any suspicious code inside your files and database.
I was under the assumption that this was only an FTP breach, but this log clearly states that the hacker logged in via Mozilla Firefox. He's using a Windows computer. It's too bad he doesn't get a nasty virus himself!
Peter says
Hi I also was hit by the hack. Have taken all the steps and cleaned up.
my public_html and sub folder for the blog had permissions stated as xxx and all on (so anybody could write to it), so changed it to 755.
All worked but not happy that a hack of this nature would occur and get so little proactive support from the hosting site!
Peter
Regina Smola says
Wow Peter! Are you saying that all your directories and files were set to 777? I hope that's not the default setting on your server. To find out, try uploading any file, even an image, to the server and then check to see what the permission is. If it defaults to 777 then you need to switch hosts, or put your security hat on every time you upload something and never forget to change them. Never use 777 no matter what your host or any plugin says.
Peter says
Its not the default setting, so can only think that it was changed at the same time as the hack.
Regina Smola says
Well, I'm glad to hear it's not the default. I've seen many hacks where everything was changed to 777. Pretty scary stuff.
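The thread keeps coming back to 644 for files and 755 for directories, and Peter found his public_html set to 777 after the hack. The script below is an added example for this page, not code from the post or from 123-reg: it audits a tree against that baseline, lists the world-writable entries (the ones any other account on a shared server could write to), and optionally resets everything to the baseline. It assumes a Linux host where the files are owned by your own account (where the web server owns them, chmod fails or is undone), and it builds a throwaway sample tree so it runs offline.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Baseline recommended throughout the thread: 644 for files, 755 for directories.
FILE_MODE, DIR_MODE = 0o644, 0o755


def audit_permissions(root: str) -> Dict[str, Tuple[int, int]]:
    """Return {relative path: (actual mode, expected mode)} for every entry under
    `root` whose permission bits differ from the baseline. Symlinks are skipped
    because chmod on them would follow the link to wherever it points."""
    findings: Dict[str, Tuple[int, int]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        checks = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in checks:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual != expected:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = (actual, expected)
    return findings


def world_writable(findings: Dict[str, Tuple[int, int]]) -> List[str]:
    """The subset of findings that carry the other-write bit (the 777 case)."""
    return sorted(rel for rel, (actual, _exp) in findings.items() if actual & stat.S_IWOTH)


def fix_permissions(root: str) -> Dict[str, Tuple[int, int]]:
    """Reset every deviating entry to the baseline; returns what was changed."""
    changed = audit_permissions(root)
    for rel, (_actual, expected) in changed.items():
        os.chmod(os.path.join(root, *rel.split("/")), expected)
    return changed


def build_sample_tree() -> str:
    """Constructed sample: a tiny tree with one clean file, a 777 wp-config.php,
    a 777 uploads directory and a 755 file dropped inside it."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in [("index.php", 0o644), ("wp-config.php", 0o777),
                      ("wp-content/uploads/x.php", 0o755)]:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    before = audit_permissions(root)
    for rel, (actual, expected) in sorted(before.items()):
        print(f"{rel}: {actual:o} (expected {expected:o})")
    print("world-writable:", world_writable(before))
    fix_permissions(root)
    print("after fix:", audit_permissions(root))
```

Run the audit first and read the list before fixing anything: a hosting control panel or a plugin may have set a handful of entries deliberately, and those deserve a second look rather than a blind reset.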
Sophia says
Hello,
That's the reason I feel it is better to go with a safe and fast-acting web hosting company. I am lucky to have found http://www.webhost.uk.net; I've hardly had any issues with these guys.
Regina Smola says
Hi Sophia,
I'm glad to hear it. Looks like they have some great reviews and 24/7 chat and ticket system support. Their prices are reasonable too.
When you get a chance, please share with us what versions of PHP, Apache, Linux and MySQL they run, so we can let everyone looking for a host in the UK know whether their servers are updated and secure.
Thanks very much for your comment.
Phil says
A client's site (on 123-reg) was hacked on Tuesday. I ran the script from Sucuri.net and successfully cleaned off the malicious code. I then changed all the passwords; I have even changed the FTP one, which is where, I think, my new problem may have arisen. The site is down with this message: "Error establishing a database connection".
I can access the ftp via filezilla with the new password but cannot understand why the site is not live and visible.
I also can’t understand how 123-reg do not have a live chat or easy way to contact them.
Regina Smola says
Hi Phil,
If your site says “Error establishing a database connection” then you need to check your wp-config.php file and see that the database password is correct. If you changed the database password, then you must also change it inside this file.
And don’t forget to change your Authentication Unique Keys and Salts in the wp-config.php file too. This will disable all the hackers browser cookies.
Hope that helps 🙂
And it’s a shame that they don’t offer better support.
David Pettigrew says
Our WordPress site is hosted with 123 Reg. We received their Security Warning email yesterday and, on checking, found our site had been hacked too. I’ve run the cleanup process described in this blog and changed passwords. Thanks to all for the advice – it’s been a great help.
One thing I did notice was that we have a zero bytes file called .hidden in the wordpressblogsmedia folder. The permission on this file was set to 755. I’ve changed the permission to 644 but wondered if this file should be there. We don’t allow postings on our site. Anybody got thoughts on this?
I will contact 123 Reg and ask for ftp access logs as it really does look like they’re inferring the issue is with WordPress rather than a breach of their security.
Thanks again for your advice and guidance.
Regina Smola says
Hi David,
What was the date and time that file was put on your server? Delete the .hidden file immediately! A file or directory that starts with a dot . is suspicious. And many times these files are hidden from webmasters unless you know how to “see” hidden files with your FTP client and sometimes I’ve seen hosting accounts that did not make them public.
Anytime you wonder if a file is supposed to be there, just download a copy of WordPress and extract it on your computer. Then you can compare what’s on your server vs what’s in the core files of WordPress. You can do the same for plugins too.
I'm not sure why you have a media folder. That must have been one you made yourself. It's not part of the installation of WordPress. Maybe you created it to put images or videos in?
Glad you got your site fixed.
David Pettigrew says
Hi Regina
The .hidden file and the media folder were date stamped March this year. I don’t recall creating the folder and wouldn’t have any reason to do so. I was playing around with Windows Live Writer and some editor plugins about that time so it may be a consequence.
Many thanks again for your time and advice.
Regards
David
Phil says
Thanks for your help Regina. Auth Keys and Salts changed- really appreciate your time.
Regina Smola says
You’re very welcome. Stay Safe! Keeping my fingers crossed that your site will be okay.
Jamie Durrant says
I was looking through my logs also to try and see how they got in;
amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:44 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:46 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
—– Then 12 hours later ————–
amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:53 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:54 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 amttrade.co.uk/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:02 GET /wp-content/plugins/krakozebra.php – 404 23663 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php – 200 254 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
85.234.191.140 – Geo Information
IP Address 85.234.191.140
Host 85.234.191.140
Location LV, Latvia
City Rezekne, 23 –
Organization Sagade Ltd.
ISP SIA IZZI
AS Number AS6851 “SIA” IZZI
Latitude 56°50’00” North
Longitude 27°31’67” East
Distance 1562.42 km (970.84 miles)
* I updated this post to remove the links to the hacker.
Regina Smola says
Thanks for posting your log and tracking down the snake. He's lucky I'm not his mom! I wouldn't care if he was 50 years old, I'd put him over my knee and someone would have to call child services!
Jamie Durrant says
I noticed that the hacker logged in roughly 12 hours before and went into the theme editor, the 404.php page. Goodness knows what that was about!
Regina Smola says
Jamie,
I removed the log from this comment since you previously submitted it and your other comment was pending review.
Yes, it seems he was busy in a lot of areas on your website.
Be sure to install and run the Exploit Scanner just to make sure there isn’t any damage left and it will check your database too. Let’s hope he left that alone.
Be sure you’re making backups frequently of both your site and your database.
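Hugh's and Jamie's log excerpts show the same sequence from the same IP: a POST to wp-login.php answered with a 302 (the redirect WordPress sends after a successful login; a failed attempt re-renders the form with a 200), a visit to plugin-install.php?tab=upload, a POST to update.php?action=upload-plugin, and then a request straight to the new plugin's .php file. Jamie's log adds a theme-editor.php hit 12 hours earlier. The script below is an added example written for this page, not code from the post or its commenters: it parses lines in the layout they posted and reports every dashboard session that uploads and executes a plugin, plus any theme-editor access. The sample log is constructed from their entries with the user-agent shortened; the field layout, the 10-minute session window and the use of 302 as the login marker are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: the entries Hugh and Jamie posted, re-typed with a shortened
# user-agent. Jamie's lines carry the site name as a first column, Hugh's do not.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon)"
SAMPLE_LOG = "\n".join([
    f"85.234.191.140 - 2010-10-04 01:06:02 POST /blog/wp-login.php - 302 932 - {UA}",
    f"85.234.191.140 - 2010-10-04 01:06:05 GET /blog/wp-admin/ - 200 26111 - {UA}",
    f"85.234.191.140 - 2010-10-04 01:06:09 GET /blog/wp-admin/plugin-install.php tab=upload 200 16130 - {UA}",
    f"85.234.191.140 - 2010-10-04 01:06:10 POST /blog/wp-admin/update.php action=upload-plugin 200 13081 "
    f"http://www./blog/wp-admin/plugin-install.php?tab=upload {UA}",
    f"85.234.191.140 - 2010-10-04 01:06:11 GET /blog/wp-content/plugins/krakozebra.php - 404 9479 - {UA}",
    f"85.234.191.140 - 2010-10-04 01:06:12 GET /blog/wp-content/plugins/krakozebra/krakozebra.php - 200 254 - {UA}",
    f"amttrade.co.uk 85.234.191.140 - 2010-10-03 17:51:44 POST /wp-login.php - 302 897 - {UA}",
    f"amttrade.co.uk 85.234.191.140 - 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php "
    f"file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 - {UA}",
    f"amttrade.co.uk 85.234.191.140 - 2010-10-04 04:16:53 POST /wp-login.php - 302 897 - {UA}",
    f"amttrade.co.uk 85.234.191.140 - 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 "
    f"amttrade.co.uk/wp-admin/plugin-install.php?tab=upload {UA}",
    f"amttrade.co.uk 85.234.191.140 - 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php - 200 254 - {UA}",
])

# A request that executes a file inside a plugin directory, e.g. /wp-content/plugins/<slug>/<file>.php
PLUGIN_EXEC = re.compile(r"^/(?:.*/)?wp-content/plugins/([^/]+)/[^/]+\.php$")


@dataclass
class Entry:
    site: str
    ip: str
    when: datetime
    method: str
    path: str
    query: str
    status: int


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line in the layout the commenters posted:
    [site] ip - date time method path query status bytes referer user-agent.
    Spaces inside the user-agent are '+', so whitespace splitting yields 11 or 12 fields;
    '-' (or an en dash) marks an empty field."""
    tok = line.replace("\u2013", "-").split()
    site = ""
    if len(tok) == 12:
        site, tok = tok[0], tok[1:]
    if len(tok) != 11:
        return None
    ip, _, date, clock, method, path, query, status = tok[:8]
    try:
        return Entry(site, ip, datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
                     method, path, "" if query == "-" else query, int(status))
    except ValueError:
        return None


def find_plugin_upload_attacks(lines, window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """One finding per dashboard session (login ... within `window`) that uploads a
    plugin through update.php and then requests a file inside a plugin directory."""
    by_actor: Dict[tuple, List[Entry]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is not None:
            by_actor[(e.site, e.ip)].append(e)

    findings: List[Dict] = []
    for (site, ip), entries in by_actor.items():
        entries.sort(key=lambda x: x.when)
        for i, login in enumerate(entries):
            # 302 on POST wp-login.php: WordPress redirects to the dashboard after a successful login.
            if not (login.method == "POST" and login.path.endswith("/wp-login.php") and login.status == 302):
                continue
            uploaded = False
            for e in entries[i + 1:]:
                if e.when - login.when > window:
                    break
                if e.path.endswith("/wp-admin/update.php") and "action=upload-plugin" in e.query:
                    uploaded = True
                    continue
                m = PLUGIN_EXEC.match(e.path)
                if uploaded and m and e.status == 200:
                    findings.append({"site": site, "ip": ip, "login_at": login.when,
                                     "plugin": m.group(1), "executed": e.path})
                    break
    return findings


def find_theme_editor_hits(lines) -> List[Entry]:
    """Requests to the dashboard theme editor: someone editing theme PHP through the browser."""
    return [e for e in (parse_line(ln) for ln in lines)
            if e is not None and e.path.endswith("/wp-admin/theme-editor.php")]


if __name__ == "__main__":
    for f in find_plugin_upload_attacks(SAMPLE_LOG.splitlines()):
        print(f"{f['site'] or '(site)'} {f['ip']} login {f['login_at']} uploaded plugin "
              f"'{f['plugin']}' and ran {f['executed']}")
    for e in find_theme_editor_hits(SAMPLE_LOG.splitlines()):
        print(f"{e.site} {e.ip} theme editor at {e.when} ({e.status}) {e.query}")
```

Because both logs record valid logins rather than an exploit, the useful follow-up is the one Regina gives above: look in wp_users for accounts you do not recognise, change every password, and regenerate the keys and salts so the stolen session cookies stop working.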
Peter says
I have tried the scanner, however I dont see the page in the Dashboard links after I have installed and activated it. Do you know if it is 3.0.1 compatible? Have you used it before?
Regina Smola says
Hi Peter,
Yes, I use it on my site and mine's updated. Once you activate it, it's listed on the left under "Tools." If you still can't find it, let me know and we'll Skype 🙂
Pete Moore says
Looking at the logs on my client's site and everyone who has shared theirs, they have used 2 IP addresses,
85.234.191.140 (latvia) and 194.28.112.10 (bologne), to run it, so I have denied access in my .htaccess file. Obviously, if they use different IPs next time it will be pointless, but I just thought I would share the code with others.
put the following in the .htaccess file in the root of your blog
# Deny IP Address
order allow,deny
deny from 85.234.191.140
deny from 194.28.112.10
allow from all
Regina Smola says
Excellent tip Pete!
steve says
This happened over at Media Temple as well, started Sunday night for me. I’ve spent the past two days cleaning things up a bit. Not sure if (mt) has put the word out yet, but I have multiple WordPress, and non-Wordpress, sites hosted with them and all of my PHP files were altered with this same type of injection.
Regina Smola says
Hi Steve,
Sorry to hear your websites got hacked, but thanks for letting us know that you found this malware on mediatemple.
I’m glad you finally got them fixed. Be sure to change all your passwords and your secret keys on the WP sites.
Keep us informed of any new developments. We all appreciate you spreading awareness.
Billy33 says
Hi there, I discovered both my WordPress sites hosted by 123-reg were hacked on the 4th. I rang 123-reg, who at that point had no idea it was going on and so weren't that helpful. I am fairly web illiterate and the steps being described on older blogs before 123 issued their fix were a bit much for me, so out of desperation I ended up deleting WordPress and starting again using something else. A real nightmare.
Michael Schultz says
Hey Billy,
I’m really sorry to hear about your troubles! I hope you were able to keep your old posts and pages, if not – we might be able to find a way to restore them for you.
Let us know!
Regina Smola says
Lucas,
Sorry to hear you got hacked. Thanks for sharing the code with us. I have made a copy of it for forensics and edited the code in your comment to not show the whole thing to protect others.
Glad to hear you got it fixed.
lucas says
PS :
Media Temple
the webroot folder has 755
Regina Smola says
Well at least it’s not 777. Thanks for letting us know. Did you check your other site files to make sure their permissions are okay? 644 for files and 755 for directories?
Todd says
My 123-reg hosted WordPress (3.0.1) site fell prey to this hack around the 6th of October… I only noticed after logging in to wp-admin to find that none of the drop-down arrows on the left-hand menu were working, the interface was slow to work with and I couldn’t alter permalinks for new posts. All of my php files had the base-64 decode in them, so I took the recommended clean-up steps, but the WordPress problems remained. Even after doing a clean re-install (deleted all the files, copied a fresh wordpress directory and changed all the secret keys) I am still experiencing exactly the same problems when I log in to wp-admin. Any suggestions?
Regina Smola says
Hi Todd,
Thanks for your comment. Sorry to hear your WordPress got hacked. If you’ve cleaned your site and your wp-admin “Dashboard” still looks as if it’s got problems try cleaning your cache and browser cookies. This should return you back to normal.
Let me know if that helps.
Todd says
Thanks Regina, that seems to have sorted it – a relief to have found someone who knows what they’re talking about! Much appreciated.
James Burton says
Thanks for the clean up file, it did the trick. This is the second time this has happened to my wordpress site hosted on 123-reg.
I’m going to do some more research on keeping my site secure…. probably on your website!
Thanks James
Ian says
I have just started playing with WordPress and seem to have been hit with this malware attack (I am hosted at 123 but they are not interested; it is my issue, it seems).
In many of my php files I have the base64 code in there (not sure how to remove this manually)... and I also have the 'script' tag at the foot of many pages linking off to:
h t t p : / / meqashopperinfo . com / js . php
I ran the file at Sucuri in a number of directories and although it said successful, the code and link are still there and the site is still randomly redirecting. Anyone any ideas on how to get rid of this? Thanks in advance.
Regina Smola says
Hi Ian,
Sorry to hear your site got hacked. I have looked at your source code on your home page and I do not see the script tag. Have you tried cleaning your cookies and cache? That may help.
Also, check the link in your footer next to your copyright, it’s broken.
If you need any more help, please contact me.