Reports of WordPress blogs self-hosted at GoDaddy.com and have been infected with the losotrana[dot]com/js.php on Monday, May 17, 2010 and Thursday, May 20, 2010.
Warning: This is dangerous malware! This scareware injection tries to infect your site visitor's computer. If your visitors do not have an up-to-date anti-virus program running, their computers could get infected.
What You Should Do: If you have an up-to-date version of an anti-virus program running, such as *AVG, please check your website now to see if it redirects you! Note: If you receive a pop-up message to download anything, do NOT click "yes" or "okay."
If you do not have an updated anti-virus program running, do not go to your website to check. Instead, log in to your site via FTP and look at the "Last Modified" column and see if your .php files all have the same date/time (either 5/16, 5/17 or 5/20/2010).
If your website is infected, put it in maintenance mode immediately so that you do not infect your visitors. Click here for instructions on how to put your site in maintenance mode - see Step 2)
Then clean your website completely and upload a fresh copy. Be sure to check for any suspicious .php files that you did not put on your website. There must be a "trigger" file that sets this infection off. Be sure to remove it!
Losotrana Symptoms:
- Viewing your site's source code, you will see the following script injected on your pages:<script src="http://losotrana[dot]com/js.php"></script>
- Your site redirects you to a fake website that executes the threat that tries to download to visitors computers.
- A long string of base64_decode script is found at the top of all .php files.
- This threat has the same IP address as the holasionweb.com injection (188.165.200.96).
- Losotrana.com has the same registrant as the other latest attacks and it shows that they have 203 other domains registered too. You can view the whois here, and I have copied it below for you as well.
HardSoft, Inc.
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us
Here's a screen shot of the threat stopped by AVG on May 17, 2010
Here's a screen shot of the threat stopped by AVG on May 20, 2010
We will continue to provide information as it becomes available. on this post. WPSecurityLock has contacted Go Daddy to report this latest attack. And we are now emailing MediaTemple as well.
UPDATE 5/17/2010 at 9:20am: We're receiving reports from webmasters hosting at MediaTemple that their computers were infected and a virus has stolen their FTP passwords. Please make sure your computers are clean and that you change your FTP passwords immediately.
UPDATE 5/17/2010 at 9:58am: After further investigation, we now know that the sites hacked at MediaTemple are not related to this latest attack. They are an isolated incident and not related to the losotrana[dot].com/js.php script.
So far, the only verified reports of websites attacked with this issue are hosted at GoDaddy only.
UPDATE 5/17/2010 at 10am: We have received correspondence from Go Daddy's Information Security Operations team. They are aware and working on this issue. They will be providing a statement very soon to give you an update.
UPDATE 5/20/2010 at 10am: We are receiving multiple reports that the lostrana[dot]com/js.php script is rearing its ugly head again today! Please keep an eye on your websites. Some are redirecting to http://webguardyourpc-33p[dot]net/.... (see screen shot above)
UPDATE 5/20/2010 at 5:15pm: Go Daddy is reaching out to our community and has provided the latest statment regarding today's attacks:
Compromised Website Update 5/20/10
An attack impacting less than 200 accounts happened this morning.
Go Daddy is working with other top hosting providers and security experts to gather information to stop to the criminals initiating these exploits.
We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.
As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here - http://www.godaddy.com/securityissue.
Thank you,
Todd Redfoot, Chief Information Security Officer
GoDaddy.com
We need your help....
This new losotrana[dot]com/js.php malware was just discovered this morning (May 17, 2010) thanks to reports from our community. Please help spread awareness and come together as a community. Be sure to Tweet this message and also add it to your Facebook. If you have any new information, please leave a comment below so we can all help each other.
Securely yours,
Regina Smola
Follow me on Twitter
Follow WPSecurityLock on Twitter
* Denotes our Affiliate Link. If you a make a purchase through this link, we receive a commission.
About Regina Smola
Get your FREE e-book,
The problem in Godaddy is not resolved. This Sunday morning i have another hacker intrusion in my godaddy account:
Log of wordpress file monitor:
"This email is to alert you of the following changes to the file system of your website
Timestamp: Sun, 23 May 2010 07:21:51 +0200
Added:
jeremias_scene.php"
No change in my files...
Problem continues....
Get off of GoDaddy. You've been through enough.
You guys talk about WordPress but I got hacked on may 20th and I don't run WordPress but I made a few personal PHP tools using Zend Framework... so if WordPress is running on Zend Framework, I would assume any site running Zend Framework on Go Daddy can be hacked... if not, well, I got hacked anyway
I simply re-uploaded all of my source and it's working ok for now.
It's not only WordPress, it's other PHP-based CMS sites as well.
I've had enough.
I left Godaddy for Hostgator and took my 15 WordPress sites with me.
Our site was hack again today (total of 8 times now) The last attack was May 20th like most everyone else. Did anyone else get hit? (hosted on godaddy) Is there anything else I can try? I've followed this blog and all of godaddy suggestions, I've reinstalled, done all of the security measures and I'm at a total loss. ANY help is appreciated!!
Am in the process of uploading clean files once again.
http://www.sportsthenandnow.com
(infected main site and all subdomains which are running separate WP installs)
Second time today that I am finding new instances of injection on my web-site. Just cleaned everything two days ago... Been exploited 5 or 6 times last month as well. Joomla is up to date, chmod is fine, can't get my head around this....