Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
    Forum: Hacks
    In reply to: Script Injection Hack

    I was looking at the logs to see what the hacker was up to; it looks like he logged in twice, 12 hours apart, the first time doing something with theme-editor.php. Most odd.

    amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:44 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:46 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=WordPress+Default&dir=theme 500 1507 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:53 POST /wp-login.php – 302 897 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:54 GET /wp-admin/ – 200 43012 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 https://www.amttrade.co.uk/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:02 GET /wp-content/plugins/krakozebra.php – 404 23663 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
    https://www.amttrade.co.uk 85.234.191.140 – 2010-10-04 04:17:03 GET /wp-content/plugins/krakozebra/krakozebra.php – 200 254 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+Maxthon;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

    85.234.191.140 – Geo Information
    IP Address 85.234.191.140
    Host 85.234.191.140
    Location LV, Latvia
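Added example, not Jamie's code and not from the forum: a small Python script that looks for the pattern visible in the log excerpt above (a successful login followed within minutes by theme-editor.php, the plugin upload page, and then a direct request to a PHP file under wp-content/plugins) in lines with the same field order. The sample lines, hostnames, IPs and the plugin name are constructed stand-ins; the assumption that a 302 on POST /wp-login.php marks a successful login matches stock WordPress behaviour (a failed login re-renders the form with 200) but should be checked against your own server.

```python
"""Flag post-login administrative actions in WordPress access logs.

Added example, not code from the forum thread.  The constructed sample
below keeps the field order of the lines quoted in the post (site,
client IP, "-", date, time, method, path, query string, status, bytes,
referer, user agent); hostnames, IPs and the plugin name are stand-ins.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

SAMPLE_LOG = """\
www.example.com 203.0.113.7 - 2010-10-03 17:51:44 POST /wp-login.php - 302 897 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-03 17:51:46 GET /wp-admin/ - 200 43012 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-03 17:51:49 GET /wp-admin/theme-editor.php file=/themes/default/404.php&theme=Default&dir=theme 500 1507 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-04 04:16:53 POST /wp-login.php - 302 897 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-04 04:16:54 GET /wp-admin/ - 200 43012 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-04 04:16:58 GET /wp-admin/plugin-install.php tab=upload 200 19178 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-04 04:17:00 POST /wp-admin/update.php action=upload-plugin 200 16239 https://www.example.com/wp-admin/plugin-install.php?tab=upload Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-04 04:17:02 GET /wp-content/plugins/unknown-plugin.php - 404 23663 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 203.0.113.7 - 2010-10-04 04:17:03 GET /wp-content/plugins/unknown-plugin/unknown-plugin.php - 200 254 - Mozilla/4.0+(compatible;+MSIE+6.0)
www.example.com 198.51.100.9 - 2010-10-04 09:00:00 GET /2010/10/hello-world/ - 200 12000 - Mozilla/5.0+(Windows)
"""

# Admin pages that write files or install code; any hit deserves a look.
SENSITIVE = {
    "/wp-admin/theme-editor.php": "theme file opened in the built-in editor",
    "/wp-admin/plugin-editor.php": "plugin file opened in the built-in editor",
    "/wp-admin/plugin-install.php": "plugin install page",
    "/wp-admin/update.php": "plugin/theme upload or update",
}


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 12:
        return None
    _site, ip, _dash, date, time_, method, path, query, status, _size, _ref = parts[:11]
    return {
        "ip": ip,
        "when": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "method": method,
        "path": path,
        "query": {} if query == "-" else parse_qs(query),
        "status": int(status),
        "ua": " ".join(parts[11:]),
    }


def find_suspicious(log_text, login_window=timedelta(minutes=2)):
    """Return findings per client IP, in time order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["when"])
        last_login = None
        uploaded = False
        for r in recs:
            # Assumption: stock WordPress answers a successful POST to
            # wp-login.php with a 302 redirect; a failed one returns 200.
            if r["method"] == "POST" and r["path"] == "/wp-login.php" and r["status"] == 302:
                last_login = r["when"]
                continue
            note = None
            if r["path"] in SENSITIVE:
                note = SENSITIVE[r["path"]]
                if r["path"] == "/wp-admin/update.php" and r["query"].get("action") == ["upload-plugin"]:
                    uploaded = True
                    note = "plugin archive uploaded"
            elif (uploaded and r["path"].startswith("/wp-content/plugins/")
                  and r["path"].endswith(".php") and r["status"] == 200):
                note = "direct request to a freshly uploaded plugin file (possible web shell)"
            if note is None:
                continue
            findings.append({
                "ip": ip,
                "when": r["when"].isoformat(sep=" "),
                "path": r["path"],
                "note": note,
                "within_login_window": last_login is not None
                and r["when"] - last_login <= login_window,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["when"], f["ip"], f["path"], "-", f["note"])
```

Feed it the real log with a plain "-" in place of the forum's en dashes; the useful output is the sequence per IP, which shows whether an admin action happened seconds after a login from an address that has never logged in before.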

    Forum: Hacks
    In reply to: Script Injection Hack

    I was running version 3.01 and also Contact Form 7, which I generally use on most of my sites.

    Jamie
    https://www.jamiedurrant.com

    Forum: Hacks
    In reply to: Script Injection Hack

    123-reg have now issued a statement:

    We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.

    If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack (please ignore this email if you haven’t installed WordPress on your hosting).

    The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress. WordPress is an open source application, making it vulnerable to such attacks.

    As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:
    1. Run a simple cleanup script
    If your WordPress site has been hacked, you will need to run this simple cleanup solution script (written to defeat this WordPress hack).
    2. Scan your local machine
    Run a full anti-virus scan on the local PC from which you administer your WordPress account.
    3. Change all your user passwords
    Change any user passwords for your WordPress account, your FTP account and your MySQL account.
    4. Change your secret keys
    If hackers have stolen your password they may remain logged into your WordPress account until you have changed your secret keys.

    Visit the WordPress key generator to obtain a new random set of keys.

    Then overwrite the secret keys in your wp-config.php file with the new ones.
    This will disable the hacker’s connection.

    5. Take a backup of your WordPress files
    Back up all of your WordPress files to your local PC (label them as ‘hacked site backup’). You can then investigate these files later.
    That should do the trick!

    If you have been affected by the WordPress hack, we’re sure that the above steps will completely eradicate the problem – allowing your website to function as before.

    We’d like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.
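Added example, not 123-reg's cleanup script and not part of WordPress: step 4 of the statement above (new secret keys in wp-config.php) done with a Python script instead of by hand. It generates the eight values locally with the secrets module rather than fetching them from the WordPress key generator, rewrites the existing define() lines in place, and reports any of the eight names that are absent so you can add them above the require of wp-settings.php. The sample config is a constructed stand-in.

```python
"""Rotate the WordPress secret keys and salts in wp-config.php.

Added example, not 123-reg's script and not part of WordPress.  Values are
generated locally with the secrets module instead of being fetched from
the WordPress key generator; SAMPLE_CONFIG is a constructed stand-in.
"""
import re
import secrets
import shutil
import string

# The eight constants WordPress reads for cookie and nonce hashing.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable characters that never need escaping inside a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

# Matches define('NAME', 'value'); with either quote style and loose spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")

SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""


def new_secret(length=64):
    """Return a random string suitable for one key or salt."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text, generator=new_secret):
    """Rewrite every secret-key define() in config_text.

    Returns (new_text, replaced_names, missing_names).  Missing names are
    reported rather than appended: the defines must come before the
    require of wp-settings.php, so placement is left to the operator.
    """
    replaced = []

    def substitute(match):
        name = match.group("name")
        if name not in KEY_NAMES:
            return match.group(0)          # DB_NAME and friends stay untouched
        replaced.append(name)
        return f"define('{name}', '{generator()}');"

    new_text = DEFINE_RE.sub(substitute, config_text)
    missing = [n for n in KEY_NAMES if n not in replaced]
    return new_text, replaced, missing


def rotate_file(path, backup_path):
    """Copy the old file to backup_path (keep it outside the web root) and rewrite path."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, replaced, missing = rotate_keys(original)
    shutil.copy2(path, backup_path)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return replaced, missing


if __name__ == "__main__":
    text, done, absent = rotate_keys(SAMPLE_CONFIG)
    print(text)
    print("rotated:", done, "missing:", absent)
```

Changing all eight values invalidates every existing login cookie, which is the point of step 4; expect to log in again yourself afterwards.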

    Forum: Hacks
    In reply to: Script Injection Hack

    Hugh,
    That sounds great as I *think* I’ve edited all the php, but they do tend to hide in the unlikeliest places.

    I don’t think there’s PM on here, jamie at jamie durrant dot com.

    Thank you !

    Forum: Hacks
    In reply to: Script Injection Hack

    Yep, they’ve told me that they do NOT restore backups on an individual basis, so I’ve had to remove all the malicious code from my php files by hand. *sigh*

    Forum: Hacks
    In reply to: Script Injection Hack

    This has also happened to one of the WordPress installations that I administer. It was hosted on https://www.123-reg.co.uk/

    After asking them to restore from a backup, they responded with this:

    As WordPress is open source software, security vulnerabilities are found as people have access to the raw code. So WordPress brings out updates on a frequent basis that provide security fixes to the holes that have been exploited.

    We recommend that you do the following to keep your wordpress site secure.

    1. Update to the latest WordPress version (3.0.1). (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)

    2. Change all your passwords including ftp and control panel passwords on a frequent basis.

    3. Ensure you deactivate any plugins before update.

    4. Ensure that before installing any plugins you check on the internet if these are secure and people have not been hacked since installing them, as many plugins do a lot of creative things, but have insecure folder permissions making your website open to exploit.

    5. Make regular backups of your site.

    If your site has been hacked then please follow these instructions.

    1. Make a backup of your site (Just in case)

    2. Delete the wordpress site on your webspace

    3. Install the latest version of WordPress. (If you installed via APS (One Click Install) then we should prompt you if the latest version appears.)

    For further information please see these useful articles:

    How to recover from a malware hack on your CMS?

    https://wiki.mediatemple.net/w/Recovering_from_a_site_compromise

    Tips for cleaning and securing your website

    https://www.stopbadware.org/home/security

    I always run the latest version of WordPress. I’m also at a loss as to how this could have happened.

    jamie
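Added example covering the ‘hacked site backup’ from 123-reg's first statement and the backup, delete and reinstall advice in the reply above; it is not from the thread or from 123-reg. Assuming a clean copy of the same WordPress release (plus clean copies of the plugins you know you installed) is unpacked next to the backup, the script hashes both trees and lists the files the backup changed or added, any PHP under wp-content/uploads, and site-specific files to review by hand. The trees built by build_demo() are constructed stand-ins.

```python
"""Diff a 'hacked site backup' against a clean WordPress download.

Added example, not from the thread or from 123-reg.  It assumes a clean
copy of the same WordPress release is unpacked beside the backup; the
trees built by build_demo() are constructed stand-ins.
"""
import hashlib
import tempfile
from pathlib import Path

# Files that legitimately differ from the stock download; review by hand.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}


def hash_tree(root):
    """Map each file's path (relative, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, suspect_root):
    """Classify every file in the backup relative to the clean tree."""
    clean, suspect = hash_tree(clean_root), hash_tree(suspect_root)
    report = {"modified": [], "added": [], "php_in_uploads": [], "review": []}
    for rel, digest in sorted(suspect.items()):
        if rel in SITE_SPECIFIC:
            report["review"].append(rel)
        elif rel not in clean:
            report["added"].append(rel)
            # The media directory should never hold executable PHP.
            if rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
                report["php_in_uploads"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = sorted(rel for rel in clean if rel not in suspect)
    return report


def _write(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def build_demo():
    """Construct a clean tree and a tampered backup, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp) / "clean", Path(tmp) / "backup"
        for root in (clean, suspect):
            _write(root, "index.php", "<?php require './wp-blog-header.php';\n")
            _write(root, "wp-includes/version.php", "<?php $wp_version = '3.0.1';\n")
            _write(root, "wp-content/plugins/contact-form-7/wp-contact-form-7.php",
                   "<?php // constructed stand-in for a known, clean plugin\n")
        # Tamper with the backup the way the thread describes: edited core
        # PHP, an unknown plugin directory and PHP under uploads.
        _write(suspect, "index.php",
               "<?php /* INJECTED-PLACEHOLDER */ require './wp-blog-header.php';\n")
        _write(suspect, "wp-content/plugins/unknown-plugin/unknown-plugin.php",
               "<?php // never installed by the admin\n")
        _write(suspect, "wp-content/uploads/2010/10/image.php",
               "<?php // PHP where only media belongs\n")
        _write(suspect, "wp-config.php", "<?php define('DB_NAME', 'wordpress');\n")
        return compare_trees(clean, suspect)


if __name__ == "__main__":
    for key, files in build_demo().items():
        print(f"{key}: {files}")
```

Run compare_trees() over the real backup and the matching wordpress.org download; everything in "modified" and "added" is what you would otherwise be hunting for by hand, and "missing" shows whether the attacker deleted anything.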
