Early this morning, we received reports that WordPress blogs were hacked on Linux shared-hosting at DreamHost, as well as other hosting companies. This is dangerous scareware which tries to install a virus on your visitor's computer.
WordPress, Zencart and other php-based platforms were hit. Our earliest hacked site report is of 5/6/2010 @ 9:17am.
This malware was just detected and is not showing up on website malware scanners yet. We have notified sucuri.net of this latest infection so that they can immediately update their malware detections systems.
In no way am I bashing Network Solutions as a hosting company, but I had to share this video with you showing someone breaking into sites on their servers. This is why you need to take your website security so seriously.
If you are hosting your WordPress blog at DreamHost or on another hosting company, please check your websites now to see if it has been infected.
Warning: Do not try to open your website unless you have an up-to-date anti-virus program, your computer is virus free and you're on a secured network!
Here's some of Zettapetta's behavior:
- Your website is redirected to:http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf........ or
- This redirect page is a blank page. The source code contains the following:
<h1>404 Not Found</h1>The page that you have requested could not be found.
- All of your .php files on your WordPress contain the following malicious code...<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z.....
- Located in the source code near the bottom of all .php files is the following script:<script src=" http://zettapetta[dot]com/js[dot]php"></script> and <script src="http://www[dot]indesignstudioinfo[dot]com/ls[dot]php"> .
- Your antivirus program blocks the installation of the threat: www[dot]firesavez5[dot]com or a www[dot]firesaver6[dot]com installer.
How to fix your hacked WordPress site infected with this malware... <<< Before you try this, please read the update below for a quick fix!!!
- Immediately remove your index.php file from the root of your WordPress.
- Add a temporary index.html file to the root of your website that states your site is down for maintenance. (There's no reason to say your sites infected and scare people that haven't been infected). If you don't know how to make your own, you can use our index maintenance page on your own site. Just unzip the file, upload it to your server and then rename it to index.html.
- Go into your "File Manager" or FTP and find out what date and time your site's been hacked. You can tell by looking at your php files. They will most likely all have the same date and time. (To help spread awareness, please leave a comment below or email us this information so we can help track and spread security awareness to our readers.
- Make sure you have a backup of your website, you will need it handy to reinstall your website.
- Open your wp-content/plugins folder on your server and write down the names of all your plugins you have installed on your site.
- Make sure you have a backup of all your images and media. This is usually located in wp-content/uploads. You will need them to put your site back to normal.
- Delete your entire WordPress site from your server. If you have multiple sites on the same hosting account, you will have to do the same with them too! Don't just clean one. It could regenerate to the sites you've fixed.
- Go to http://wordpress.org and download a fresh copy of the latest version of WordPress.
- Unzip the download and unload it to your website via file manager or FTP. If you have SFTP or FTPES capabilities, please use this method. It encrypts all your files so bad guys can't read them.
- Upload your backed up copy of wp-config.php to the root of your WordPress installation. This is the file that connects to your database so all your posts, pages, settings, etc. work again.
- Upload your images and/or media back on the server. This is usually contained in your backed up copy of "wp-content/uploads," unless you chose to house your media in another folder. It contains all the images that you've added to your posts from within your wp-admin. If you don't have a backup of this directory, then you will have to re-upload all your images back to your posts and pages. Yes, I know... nightmare!
- Upload your backed up copy of your theme inside of wp-content/theme directory.
- Get your list of plugins you wrote down and go to http://wordpress.org and download them fresh to your computer and upload them back up to your website. Note: you may have to reactivate or update your plugin settings, but it sure beats losing everything.
- Try logging into your WordPress wp-admin section to see if everything looks okay.
- Visit your home page and try clicking some links to see if they work. If you notice that you get 404 errors when opening a post or page, then go to your wp-admin and update your permalinks. Here's how... Click on Settings > Permalinks > Save Changes. Whew, that was easy. Now go check to see if your links work.
- Go to your server and make sure you have the correct permissions set. All directories/folders should be a maximum of 755. All files, including your php files, images, html, etc, need to be set at a maximum of 644. Note: Never set any directory, including a recommendation from a plugin, to 777.
- Change all your passwords to strong ones and don't use the same one!
- If you need help fixing your site, we can remove the malware and restore your WordPress for you. Contact us for more details.
Now that you've recovered your website. Be sure that you're using the latest version of WordPress. And if you'd like detailed instructions on how to upgrade your WordPress installation, be sure to click here.
We need your help...
This new http://zettapetta[dot]com/js[dot]php malware was just discovered this morning, thanks to a report from Thomas. Please help spread awareness and come together as a community to have safe websites and browsing. Be sure to Tweet this post and add to your Facebook. If you find any information on this new issue, please leave a comment below so we can all help each other.
UPDATE 5/7/2010 at 12:15pm: David Dede of Sucuri.net has written some information about this attack as well as decoding the script.
Be first to know if anything has changed on your website or you have any malicious malware, get the Web Monitoring Service from Sucuri.net. You can sign-up with our discount affiliate link for only $7.99/month, click here.
UPDATE 5/7/2010 at 4:00pm: If you're site is hosted at Go Daddy and you think it may have been compromised, please contact the Go Daddy Security Team here...
QUICK FIX - UPDATE 5/7/2010 at 5:00 pm: This latest attack seems to be a quick fix, according to David Dede. He has written instructions to fix your hacked WordPress site with the zettapetta. CLICK HERE.
P.S. Thanks David! You Rock!
Go Daddy also responds to this attack - Read our latest post here.
Join us on May 19th for a WordPress Security Teleseminar!
You can still listen our WordPress Security Teleseminar Replay with special guest, Scott from Go Daddy recorded on May 5, 2010. And sign up for our May 19, 2010 at 9pm EST WordPress Security Teleseminar. Participate live from anywhere in the world. Click Here To Register Now!