Script Injection Hack
-
Hi,
Yesterday all 3 of my blogs were hacked. The hackers injected a plugin onto the server called krakozebra and ran a bit of code called krakozebra.php, which in turn added a base64_decode line to every bit of PHP code on my server.
As far as I can tell the krakozebra.php file deleted itself (I can see it ran from my logs), but they did leave the empty directory behind with the plugins.
I’ve cleaned the PHP code, but I’m at my wits’ end trying to work out how they got in in the first place. Does anyone have any suggestions?
Many thanks
Hugh
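The infection Hugh describes has a recognisable fingerprint: a line prepended to every PHP file that passes a base64 literal through base64_decode() into eval(), plus an empty directory left behind under wp-content/plugins. The following is an added example, not code from this thread or from Sucuri, showing how a defender can scan a WordPress tree for that signature without executing anything: it reports every matching file and line, decodes the payload only for inspection, and lists plugin directories that contain no files. The directory layout and the payload in build_sample_site() are constructed for the example; the only name taken from the thread is krakozebra.

```python
import base64
import re
import tempfile
from pathlib import Path

# Signature of the injected line this thread describes: eval() wrapped around
# base64_decode() of a literal payload, optionally with gzinflate() in between.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']""",
    re.IGNORECASE,
)


def decode_preview(b64, limit=60):
    """Decode the payload for inspection only; it is never executed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "<undecodable>"
    return raw[:limit].decode("latin-1")


def scan_php_tree(root):
    """Return (relative path, line number, decoded preview) for every injected line under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                match = INJECT_RE.search(line)
                if match:
                    hits.append((path.relative_to(root).as_posix(), lineno,
                                 decode_preview(match.group(1))))
    return hits


def find_empty_plugin_dirs(root):
    """Plugin directories with no files left behind, like the krakozebra directory Hugh describes."""
    plugins = Path(root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(d.name for d in plugins.iterdir() if d.is_dir() and not any(d.iterdir()))


def build_sample_site():
    """Constructed fixture: a tiny WordPress-like tree with one injected file and one empty plugin dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-content" / "plugins" / "krakozebra").mkdir(parents=True)   # empty, as in the thread
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (root / "wp-content" / "themes" / "default").mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'clean file'; ?>\n")
    (root / "wp-content" / "plugins" / "akismet" / "akismet.php").write_text("<?php /* clean plugin */ ?>\n")
    # Harmless constructed payload standing in for the real one; it is written only in base64 form.
    payload = base64.b64encode(b"echo 'constructed sample payload';").decode()
    injected = f'<?php eval(base64_decode("{payload}")); ?>\n'
    (root / "wp-content" / "themes" / "default" / "header.php").write_text(
        injected + "<?php get_header(); ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, lineno, preview in scan_php_tree(site):
        print(f"{rel}:{lineno}: injected payload begins {preview!r}")
    for name in find_empty_plugin_dirs(site):
        print(f"empty plugin directory left behind: wp-content/plugins/{name}")
```

Run it against a copy of the site taken before cleaning (the "hacked site backup" the hosting notice below asks for) rather than the live tree, and keep the hit list: it tells you which files to diff against a fresh WordPress download, and the decoded previews are what to hand to the host when asking how the payload got there.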
-
This has also happened to one of the wordpress installations that I administer. It was hosted on https://www.123-reg.co.uk/
After asking for them to restore from a backup, they responded with this :
As wordpress is opensource software, security vulnerabilities are found as people have access to the raw code. So wordpress bring out updates on a frequent basis that provide security fixes to the holes that have been exploited.
We recommend that you do the following to keep your wordpress site secure.
1. Update to the latest WordPress version (3.0.1) – (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)
2. Change all your passwords including ftp and control panel passwords on a frequent basis.
3. Ensure you deactivate any plugins before update.
4. Ensure that before installing any plugins you check on the internet if these are secure and people have not been hacked since installing them, as many plugins do a lot of creative things, but have insecure folder permissions making your website open to exploit.
5. Make regular backups of your site.
If your site has been hacked then please follow these instructions.
1. Make a backup of your site (Just in case)
2. Delete the wordpress site on your webspace
3. Install the latest version of WordPress (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)
For further information please see these useful articles
How to recover from a malware hack on your CMS?
https://wiki.mediatemple.net/w/Recovering_from_a_site_compromise
Tips for cleaning and securing your website
I always run the latest version of WordPress. I’m also at a loss as to how this could have happened.
jamie
I also host with 123-reg. They are very good at blaming everyone but themselves. I know it doesn’t help with the issue but their shared hosting, and the responsibility they take for it, is a bit of a joke. My blogs are moving when this is resolved.
Yep, they’ve told me that they do NOT restore backups on an individual basis, so I’ve had to remove all the malicious code from my php files by hand. *sigh*
Jamie,
I don’t know if you can PM on here, but I have a script that will clean the infection very quickly. Of course it doesn’t solve the issue of how they got in in the first place, but 123-reg aren’t helpful on that one either.
If you’d like the script to do this, PM your email and I’ll send it. It was written by sucuri.net and does clean this hack, but of course you need to check everything works afterwards.
Hugh
Hugh,
That sounds great as I *think* I’ve edited all the PHP, but they do tend to hide in the unlikeliest places. I don’t think there’s PM on here: jamie at jamie durrant dot com.
Thank you !
I think it interesting that 123-reg currently has a support notice posted that this is a WordPress issue and they are waiting for WordPress to publish a patch. If this is the case could we have some details as to how long this will take?
Hi Jamie and Hugh,
I’m looking for a clean up for this hack too - any chance you could email it to me? pip stone at hot mail dot com. Thank you!
123-reg have now issued a statement:
We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.
If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack (please ignore this email if you haven’t installed WordPress on your hosting).
The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress. WordPress is an open source application, making it vulnerable to such attacks.
As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:
1. Run a simple cleanup script
If your WordPress site has been hacked, you will need to run this simple cleanup solution script (written to defeat this WordPress hack).
2. Scan your local machine
Run a full anti-virus scan on the local PC from which you administer your WordPress account.
3. Change all your user passwords
Change any user passwords for your WordPress account, your FTP account and MySQL account.
4. Change your secret keys
If hackers have stolen your password they may remain logged into your WordPress account until you have changed your secret keys. Visit the WordPress key generator to obtain a new random set of keys. Then overwrite the secret keys in your wp-config.php file with the new ones. This will disable the hacker’s connection.
5. Take a backup of your WordPress files
Backup all of your WordPress files to your local PC (label them as ‘hacked site backup’). You can then investigate these files later.
That should do the trick! If you have been affected by the WordPress hack, we’re sure that the above steps will completely eradicate the problem – allowing your website to function as before.
We’d like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.
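Step 4 of the notice above (rotate the secret keys in wp-config.php so that stolen session cookies stop working) is the step people most often skip because it means hand-editing eight define() lines. The block below is an added example, not code from 123-reg, WordPress or anyone in this thread, that does the rotation programmatically: it generates 64-character random values from a cryptographic source, rewrites every existing key and salt define, and inserts any of the eight that the file is missing before the "That's all, stop editing!" marker. The eight constant names and that marker are the real ones WordPress uses; SAMPLE_CONFIG is a constructed fragment (with NONCE_SALT deliberately absent) and the character set is a choice made here to keep the values safe inside PHP single-quoted strings.

```python
import re
import secrets
import string

# The eight authentication keys and salts WordPress reads from wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Characters that are safe inside a PHP single-quoted string: no quotes, no backslash.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;|~"
# Matches define('NAME', 'value'); with either quote style; values containing quotes are left alone.
DEFINE_RE = re.compile(r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;""")
EDIT_MARKER = "/* That's all, stop editing!"


def generate_key(length=64):
    """Fresh random key from the OS CSPRNG (the secrets module), not random.random()."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def extract_keys(config_text):
    """Map of key/salt name -> current value as found in the config text."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text) if m.group("name") in KEY_NAMES}


def rotate_keys(config_text):
    """Return a copy of the wp-config.php text with every key and salt replaced by a new value."""
    fresh = {name: generate_key() for name in KEY_NAMES}
    replaced = set()

    def substitute(match):
        name = match.group("name")
        if name not in fresh:          # DB_NAME, DB_USER etc. pass through untouched
            return match.group(0)
        replaced.add(name)
        return f"define('{name}', '{fresh[name]}');"

    text = DEFINE_RE.sub(substitute, config_text)
    missing = [n for n in KEY_NAMES if n not in replaced]
    if missing:
        block = "".join(f"define('{n}', '{fresh[n]}');\n" for n in missing)
        if EDIT_MARKER in text:        # defines must precede wp-settings.php being loaded
            text = text.replace(EDIT_MARKER, block + EDIT_MARKER, 1)
        else:
            text += "\n" + block
    return text


# Constructed wp-config.php fragment for the example; NONCE_SALT is deliberately missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""


if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```

To use it on a real install, read wp-config.php, pass the text through rotate_keys(), and write the result back over FTP/SFTP after the passwords in step 3 have been changed; rotating the keys first and the passwords second leaves a window in which an attacker with the old password can simply log in again and obtain new cookies.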
Same here guys. Is there any way you guys could help me out?
I’m really new to all this stuff, so I’ve got no experience whatsoever at going through the scripts, as I’ve no idea what I’m looking for.
I too host at 123-reg as well - is there any way to get a hold of that script Hugh - or could you outline what needs to be done Jamie? This will be very appreciated.
– Iestyn
I’ve managed to get the script from their site, and everything seems to be working as normal now – is there a way to double check?
Here’s a link to the script.
https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html
I think the only way to double check is to go through everything with a fine-tooth comb, but that script does solve the immediate issues.
As I posted above, I had a file run from my wp-content/plugins area called krakozebra.php. They deleted the file but left the directory. It would seem prudent to clean this and change passwords as a minimum.
Hugh
I too had this problem but again only with sites hosted on 123-reg.
This script will clear out the code from existing infected wordpress files https://bit.ly/9GFNNb
Like everyone else I am more concerned with how it occurred in the first place. More so as someone has reported a second infection after clearing out the first.
Really? They’re saying this?
We’d like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.
Idiots. It’s partly due to the security of your web hosting. If you read the details of the attack you would know that this affected Joomla, Drupal and any PHP-based CMS. How? Current thinking is that some shared hosting services are vulnerable due to the permissions used for PHP: it runs as the same user for all accounts.
Now that said, you should run to your server NOW and check your WordPress File Permissions.
Also I would be bugging the hell out of 123-reg and DEMANDING they both review PHP security as well as publish their SECURE site permissions for running wordpress on their servers.
Ugh.
I’m sorry y’all are having this problem.
(BTW, if you’ve been hacked once, CHANGE YOUR PASSWORDS. Right now. And consider making a separate SQL ID with its own password for WordPress and other SQL/PHP apps, so they don’t get your login ID.)
More information being updated here https://www.wpsecuritylock.com/malware-attack-meqashopperinfo-strikes-wordpress-hack-123-reg/
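The advice above to "check your WordPress File Permissions" is easiest to act on with a script that audits the tree against a fixed policy and can then apply it. The block below is an added example, not code from this thread, 123-reg or WordPress: it flags anything world-writable (the mistake that matters most when PHP runs as one user for every account on the box) and a wp-config.php that other users can read, and fix_permissions() plans or applies chmod to 755 for directories, 644 for files and 600 for wp-config.php. Those three target modes are the common recommendation and an assumption of this example, not 123-reg's published values (which the thread says they never supplied); the fixture in build_sample_site() is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Policy assumed by this example (the usual recommendation, not a published 123-reg value).
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o600


def audit_permissions(root):
    """Return (relative path, octal mode, problem) for every entry that violates the policy."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        mode = stat.S_IMODE(path.lstat().st_mode)
        rel = path.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:
            findings.append((rel, oct(mode), "world-writable"))
        if path.name == "wp-config.php" and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, oct(mode), "wp-config.php readable by other users"))
    return findings


def fix_permissions(root, apply=False):
    """Plan (and with apply=True, perform) the chmod calls that bring the tree to the policy."""
    root = Path(root)
    changes = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():          # never chmod through a link someone else may have planted
            continue
        current = stat.S_IMODE(path.lstat().st_mode)
        if path.is_dir():
            target = DIR_MODE
        elif path.name == "wp-config.php":
            target = CONFIG_MODE
        else:
            target = FILE_MODE
        if current != target:
            changes.append((path.relative_to(root).as_posix(), oct(current), oct(target)))
            if apply:
                os.chmod(path, target)
    return changes


def build_sample_site():
    """Constructed fixture with two classic mistakes: a 777 uploads directory and a 644 wp-config.php."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "wp-content").chmod(0o755)
    (root / "index.php").write_text("<?php /* constructed */ ?>\n")
    (root / "index.php").chmod(0o644)
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed'); ?>\n")
    (root / "wp-config.php").chmod(0o644)
    uploads.chmod(0o777)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, mode, problem in audit_permissions(site):
        print(f"{rel} ({mode}): {problem}")
    for rel, old, new in fix_permissions(site, apply=True):
        print(f"chmod {new[2:]} {rel}  (was {old[2:]})")
    print("remaining findings:", audit_permissions(site))
```

Run the audit first and read the plan before passing apply=True: a plugin that genuinely needs a writable cache directory will show up in the list, and it is better to know about it than to break the site. On a host where PHP runs as the same user for every account, tightening these modes limits what a compromised neighbour can write, but it does not fix the shared-user design itself, which is the point the post above is making.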