As of October 4, 2010, we've confirmed reports of websites hosted at www.123-reg.co.uk being hacked with fake AV malware. The meqashopperinfo malware injects a very long script into every .php file on an infected site, including those of self-hosted WordPress blogs.
This is dangerous malware and can infect site visitors' computers. If you're hosting at 123-reg, please check your .php files immediately for any malicious code.
The safest way to check is to run a free malware scan at *Sucuri.net or log in to the server via SFTP and check the dates/times of your .php files to see if they have all been modified to a recent date/time.
The meqashopperinfo malware redirects visitors to a fake anti-virus website and tries to trick site visitors into checking their computers for viruses. Once the visitor clicks the link, viruses are downloaded onto their computer. Caution: On an unprotected computer, these viruses can infect computers without the visitor's knowledge.
Other domains used in this malicious code are http://meqashoppercom[dot]com/js.php and http://meqashopperonline[dot]com/js.php.
The fake AV site visitors are redirected to is http://www4.in-scale-feed.in.
All of the above domains but one (www4.in-scale.feed.in) were registered to Hilary Kneber on 9/21/2010. This is the same registrant used in many of this year's attacks on various hosting companies, including our reports of the myblindstudioinfoonline malware found on 9/17/2010, cloudisthebestnow malware on 6/8/2010, and lostorana malware on May 17 and 20, 2010.
We have reported these malicious domains to Google as unsafe, and are currently working on tracking down the hosting company to get them shut down.
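The file check described above can be scripted. This is an added example, not code from this post or from 123-reg: it walks a site's directory, lists the .php files modified within a chosen window, and flags files that mention the domain names given above. The function names, the 7-day default and the 90% threshold are assumptions made for illustration.

```python
import os
import sys
import time

# Substrings of the domains named in this post; matched case-insensitively.
INDICATORS = (b"meqashopperinfo", b"meqashoppercom", b"meqashopperonline")


def scan_php_tree(root, since_epoch):
    """Return (recent, flagged, total) for the .php files under root.

    recent:  paths whose mtime is at or after since_epoch
    flagged: paths whose contents mention one of INDICATORS
    total:   number of .php files seen
    """
    recent, flagged, total = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            total += 1
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime >= since_epoch:
                    recent.append(path)
                with open(path, "rb") as fh:
                    body = fh.read().lower()
            except OSError:
                continue  # unreadable file: counted, but cannot be inspected
            if any(ind in body for ind in INDICATORS):
                flagged.append(path)
    return sorted(recent), sorted(flagged), total


def mass_modified(recent, total, threshold=0.9):
    """True when nearly all .php files changed inside the window (assumed 90%)."""
    return total > 0 and len(recent) / total >= threshold


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    recent, flagged, total = scan_php_tree(root, time.time() - days * 86400)
    print(f"{total} .php files, {len(recent)} modified in the last {days:g} days")
    if mass_modified(recent, total):
        print("WARNING: almost every .php file was modified recently")
    for path in flagged:
        print("indicator found:", path)
```

A plain string match only finds references that appear unencoded in the file, and modification times can be reset, so a clean result from this script does not prove the files are clean.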
We need your help…
If your WordPress blog has been compromised while hosting at 123-reg, please let us know what type of code you found on your infected files. Or describe the symptoms you found on your website by leaving a comment below.
If you know anyone else hosted at www.123-reg.co.uk, please forward them this information so they can check their website. Click the Share Button below.
October 6, 2010 at 8:38am – In an effort to get a statement for our readers about the current issue at www.123-reg.co.uk, I am unable to “Ask a Question” unless I have an account. (Good thing I didn't want to “Buy something” and wanted to speak with them first.)
However, I did find the latest Security Warning at 123-reg:
Security warning for websites using WordPress
Created: 05 October 2010, 11:28
Last Updated: 06 October 2010, 05:30
We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.
If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack.
The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress.
As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:
1. Run a simple cleanup script
If your WordPress site has been hacked, you will need to run this simple cleanup solution script (written to defeat this WordPress hack).
2. Scan your local machine
Run a full anti-virus scan on the local PC from which you administer your WordPress account.
3. Change all your user passwords
Change any user passwords for your WordPress account, your FTP account and MySQL account.
*** Note for users of 123-APPS ***
The database management screen will warn that changing the MySQL password can potentially cause problems with your applications. This can be avoided by manually updating your WordPress configuration by taking these steps:
a) From the manage hosting screen, click File manager.
b) Locate your WordPress installation directory and double-click it.
c) Locate the file wp-config.php, highlight it and click the edit link in the left hand menu.
d) Under the MySQL settings, locate your database password; it should look something like this:
/** MySQL database password */
define('DB_PASSWORD', 'Pa55word');
Change the part that says Pa55word to the new password you created.
4. Change your secret keys
If hackers have stolen your password they may remain logged into your WordPress account until you have changed your secret keys.
5. Take a backup of your WordPress files
Backup all of your WordPress files to your local PC (label them as ‘hacked site backup’). You can then investigate these files later.
That should do the trick!
If you have been affected by the WordPress hack, we're sure that the above steps will completely eradicate the problem – allowing your website to function as before.
We'd like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.
My opinion: This is NOT a WordPress hack. We have confirmed reports that this malware has affected all .php files, even those users that are not using WordPress and ones that already have the latest stable version 3.0.1. This is a hacker attack finding vulnerabilities and running scripts via FTP on numerous hosting providers.
However, the “simple steps” they've indicated above I agree with, with the exception of Step 5. If you're making a backup after running the script to clean the files, then you've backed up a clean copy, not a “hacked site” backup. Step #4 is very important. Be sure not to miss this one!
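Step 4, changing the secret keys, means replacing the key and salt constants in wp-config.php so that existing login cookies stop validating. This is an added example, not code from 123-reg or from this post: it rewrites each of those define() lines with a fresh random value. It assumes the existing values contain no escaped quotes, and the function names and the ".new" output file are choices made for illustration.

```python
import re
import secrets
import string
import sys

# The eight key/salt constants WordPress reads from wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# No quotes, backslashes or "$", so values are safe inside a PHP string literal.
ALPHABET = string.ascii_letters + string.digits + "!#%()*+,-./:;=?@[]^_{|}~"

# Matches define('NAME', 'value'); with either quote style (assumed layout).
DEFINE_RE = re.compile(
    r"""(define\(\s*['"](%s)['"]\s*,\s*)(?:'[^']*'|"[^"]*")(\s*\)\s*;)"""
    % "|".join(KEY_NAMES))


def new_secret(length=64):
    """Random value drawn from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, missing): every key/salt define() gets a fresh value;
    missing lists the constants that had no define() line to rewrite."""
    seen = set()

    def swap(match):
        seen.add(match.group(2))
        return f"{match.group(1)}'{new_secret()}'{match.group(3)}"

    new_text = DEFINE_RE.sub(swap, config_text)
    return new_text, [name for name in KEY_NAMES if name not in seen]


if __name__ == "__main__":
    path = sys.argv[1]  # path to a local copy of wp-config.php
    with open(path, encoding="utf-8") as fh:
        text, missing = rotate_keys(fh.read())
    with open(path + ".new", "w", encoding="utf-8") as fh:
        fh.write(text)  # review the .new file before replacing the original
    if missing:
        print("not defined in this file, add them by hand:", ", ".join(missing))
```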
October 6, 2010 at 9:40am – If your site was hacked at 123-reg, can you please provide the server's Apache, Linux, PHP and MySQL version? And what the permission is for your public_html directory and if it's owned by “you.” This will help with forensics. Just leave it in a comment below.
* Denotes our Affiliate Link. If you make a purchase through this link, we receive a commission.