• Hi,

    Yesterday all 3 of my blogs were hacked. The hackers injected a plugin onto the server called krakozebra and ran a bit of code called krakozebra.php which in turn added a base64_decode line to every bit of PHP code on my server.

    As far as I can tell the krakozebra.php file deleted itself (I can see it ran from my logs), but they did leave the empty directory behind with the plugins.

    I’ve cleaned the PHP code, but I’m at my wit’s end trying to work out how they got in in the first place. Does anyone have any suggestions?

    Many Thanks

    Hugh

Viewing 7 replies - 16 through 22 (of 22 total)
  • What version of WordPress are you all running? and are you using Contact Form 7?
    My client (also 123 hosted) was running 2.9.2.
    Most of these attacks happen through plugin vulnerabilities.

    I’ve just installed WordPress Firewall to hopefully block future injection attacks.

    Andy

    I was running version 3.01 and also Contact Form 7, which I generally use on most of my sites.

    Jamie
    https://www.jamiedurrant.com

    Thread Starter hughmiller2001

    (@hughmiller2001)

    As Jamie,

    I’m also running 3.0.1 and Contact Form 7. I can’t believe 123-reg are saying it’s all WordPress either. One of my sites has an application called photocart installed. Nothing to do with WordPress, and that had all its PHP done as well.

    One of the challenges with shared hosting is that if they can get enough privileges then potentially all sites on the server can be hit!

    Not using Contact Form 7 and have an account that was hacked.

    Was looking at the logs to see what the hacker was up to, looks like he logged in 12 hours apart, the first time doing something with the theme-editor.php. Most odd.

    amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:44 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:46 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:53 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:54 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 https://www.amttrade.co.uk/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:02 GET /wp-content/plugins/krakozebra.php – 404 23663 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php – 200 254 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    85.234.191.140 – Geo Information
    IP Address 85.234.191.140
    Host 85.234.191.140
    Location LV, Latvia
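The sequence in that log (a dashboard plugin upload, then a request straight into the new plugin's path seconds later, plus the earlier theme-editor.php hit) is something you can hunt for across a whole access log rather than by eye. The following is an added Python example, not code from the thread or from WordPress; the log lines in it are constructed in the same field layout as the excerpt above (with example.com and documentation IPs), and that layout is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the field layout of the excerpt above:
# host, client IP, user, date, time, method, path, query, status, bytes, referer, UA.
SAMPLE_LOG = """\
example.com 203.0.113.5 - 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 - Mozilla/4.0
example.com 203.0.113.5 - 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 - Mozilla/4.0
example.com 203.0.113.5 - 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 https://example.com/wp-admin/plugin-install.php?tab=upload Mozilla/4.0
example.com 203.0.113.5 - 2010-10-04 04:17:02 GET /wp-content/plugins/krakozebra.php - 404 23663 - Mozilla/4.0
example.com 203.0.113.5 - 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php - 200 254 - Mozilla/4.0
example.com 198.51.100.7 - 2010-10-04 09:00:00 GET /wp-content/plugins/akismet/akismet.php - 200 254 - Mozilla/5.0
"""
LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ip>\S+) \S+ (?P<date>\S+) (?P<time>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d+) (?P<bytes>\d+) (?P<referer>\S+) (?P<ua>.*)$")

def parse(log_text):
    """One dict per line; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        e["status"] = int(e["status"])
        events.append(e)
    return events

def find_plugin_uploads(events, window_s=300):
    """Flag a dashboard plugin upload (POST update.php?action=upload-plugin) followed within
    window_s seconds, from the same client, by a 200 straight into /wp-content/plugins/."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for up in (u for u in evs if u["path"] == "/wp-admin/update.php" and "action=upload-plugin" in u["query"]):
            for e in evs:
                delta = (e["ts"] - up["ts"]).total_seconds()
                if e["path"].startswith("/wp-content/plugins/") and e["status"] == 200 and 0 <= delta <= window_s:
                    findings.append({"ip": ip, "uploaded_at": up["ts"].isoformat(), "executed": e["path"]})
    return findings

def find_theme_editor_use(events):
    """Every hit on the built-in theme editor; each one deserves a look in an incident."""
    return [{"ip": e["ip"], "at": e["ts"].isoformat(), "query": e["query"]}
            for e in events if e["path"] == "/wp-admin/theme-editor.php"]
```

Run it over the real log after swapping `SAMPLE_LOG` for the file contents; a hit from `find_plugin_uploads` gives you the exact plugin directory to pull and the timestamp to line up against the base64_decode file modification times.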

    Since there is no plugin named krakozebra, get that out of your install!

    Seems they installed a plugin for you, how nice…

  • The topic ‘Scrpit Injection Hack’ is closed to new replies.