Cechirecom.com.js.php - WordPress Hacked | Case Study

WordPress blogs hosted on Go Daddy and other hosting companies were hacked by another malicious attack on April 24, 2010 at 6:54am. Here is what was visible in the source code and on the affected sites:

  • Your website redirects to a blank page at http://www2.burnvirusnow34[dot]xorg.pl
  • When opening your website you receive a warning message from your anti-virus program telling you that it blocked a suspicious threat/virus.
  • Injected at the top of all the .php files on your server is a 3,069-character block of code. Here's part of what it looks like: dMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgIC
  • New: Check for any unknown user accounts; some, not all, webmasters are reporting finding one they did not authorize.
  • NEW: Clear your cookies & cache, go to Google.com and search your domain name. Click the link from Google and see if you receive any of the above symptoms. This script may have a special code that only works when visiting your site from Google, even if it seems normal to you from a direct visit.
  • Here's what we know so far...

    1. We've only seen it on Go Daddy's Linux hosting accounts, so far.
    2. If not removed, this malicious script has a cookie that will run again in 20 days.
    3. Most hosting accounts were running PHP Version 4.x (you should be running 5.x).
    4. Permissions were set to 777 and/or 755 on some or all directories and/or files.
    5. Wp-config.php files had weak or no Authentication Unique Keys (secret keys) added.
    6. Weak passwords were used for the database, FTP/Hosting and wp-admin.
    7. The website can be restored to an earlier date to remove the virus.
    8. WordPress database does not seem to be affected.

    What we don't know so far...

    1. How the malicious hackers are gaining access.
    2. The origin of the script.
    3. What the downloaded virus will do to computers (I don't want to install it to find out.)
    4. Go Daddy and Koredomains have been affected.
    5. This malware can affect WordPress and other CMS programs. It doesn't seem to be particular about which php files it infects.

    What's Go Daddy got to say?

    I'd like to quote a comment submitted by Herma Latha at inspriated.com.

    "Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you."

    Until proven otherwise, we agree with Go Daddy's statement. Please read our article, "Who's Responsible for Your WordPress Security?"

    Go Daddy is posting comments on this blog and giving us updates. We will keep you informed here.

    How to fix your hacked WordPress site...

    If you're uncomfortable with restoring your own WordPress site, we'd be happy to fix it for you right away. We have successfully removed this malware and many others on self-hosted WordPress websites. Just send us an email and one of our experienced WordPress Security experts will get in touch with you ASAP.

    Or here's how to remove the cechirecom.com malware hosted at Go Daddy...

    1. Put your site in maintenance mode by removing your index.php file and uploading a temporary index.html file. Make sure you clearly state that your site is undergoing maintenance and will be back up soon. There's no need to make your visitors panic, thinking your site's been hacked, so leave that part out. This will create a temporary home page until you get your site fixed.
    2. Submit a support ticket to Go Daddy and request an FTP log for the last 7 days of your hosting account.

      This will help to see if they gained access to your site through the server, and it will show you the IP address. (Help us find out where it's coming from by emailing us a copy of the IP address from the hack.)
    3. Login to your Go Daddy hosting account.
    4. Click on the "Your Files" button at the top of your Hosting Account home page. This will take you to your "File Manager," where your current server files and snapshots of your website for the last 30 days are kept. You can use this section to change/view your directory/file permissions and modified date/time, and to edit/view your files.
    5. While on your "Current" tab, locate the date and time your site was hacked. (Make a note of this for your records.) You can tell when because your .php files were all changed around the same date and time.
    6. Click on the "History" tab to make sure you have a snapshot of your site before the hack. If you go back a day by clicking the calendar before your hack date, you'll see an orange bullet that says "different." Look at that date and time, it should not be the same as what you just noted (Step 5). If you do have a snapshot, then proceed to Step 8.
    7. Change the dropdown from 25 to 50 so you can view more files. Also make a note if there is more than one page of files. You will be going through each page using the steps below.
    8. Click on your "Current" tab and delete all directories (do these one at a time so you don't bog down the server) and then delete all the files except the following (if you have them):

      _db_backups, php_uploads, stats, index.html (this is your "Site undergoing maintenance page.")

      Please note:
      When you restore your site, any uploads you put on your posts or pages will be lost. You will have to reinstall them. However, the database will remain untouched and you will have all your posts, pages, comments, etc.
    9. Click on the "History" tab and change the calendar to the date before your hack attack. This is a very important step. If you do not change the calendar date, then you'll put the virus back up, because it defaults to the most current snapshot.
    10. Click the "checkbox" next to each directory/folder (one at a time) and then click on the "Restore" icon. Repeat until all your directories have a green bullet that says "Current" next to them. This will put each directory back on the server.
    11. Repeat the same step as above to add all the files back on the server. You can do these in bulk, since they are not very large files. I generally do 10 at a time.
    12. Now check to make sure that EVERY directory and file has a green bullet next to it and it says "Current." That means it's currently on your server now. Make sure you check every page! You might have more than one.
    13. Click on the "Current" tab and delete the index.html file (your temporary home page.)
    14. Visit your site and see if it looks normal again.
    15. Go back into your hosting account and put your mouse over the "Database" tab at the top and click on "MySQL."
    16. Click on the pencil icon next to your site's database and change it to a strong password. Once you change it, it will take up to 20 minutes to take effect.
    17. Go back to your File Manager "Current" tab and edit the wp-config.php file. You need to put in your new STRONG password and also change your Authentication Unique Keys.
    18. Click on "Save" and the wp-config.php file will be updated.
    19. When visiting your site, if you see an error message that it cannot connect to the server, it could be that the database password has not taken effect yet. Give it a few more minutes. If it doesn't resolve, go back to edit your wp-config.php file and make sure the password is correct.
    20. Try clicking on a link to one of your posts or pages. If it gives you a 404 error, login to your wp-admin and go to Settings > Permalinks and click on "Save" to reset it.
    21. Change your Go Daddy hosting account password (this is the same as your FTP), then change your Go Daddy account password and your wp-admin password.
    22. Check ALL your permissions on your server and set them to the correct ones (644 for files and 755 for directories). Read our article, "Ninoplas Base64 WordPress Hacked | Case Study" to find out more about server permissions and more.
    23. Login to your wp-admin and check for any unknown users and delete them.
    24. As a temporary measure, disable registration on your site until there is a resolution to stop the hacker attacks.
    25. After you've restored your WordPress site, have us add our Existing WordPress Security Package to greatly reduce the risk of having your website hacked again!
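    As an added example (not from the original post, and not WPSecurityLock's or Go Daddy's code), here is a Python scanner that applies three checks from the steps above: the eval(base64_decode( prefix the injection leaves at the top of every .php file (the same prefix comment 7 below shows), the clustered modification time step 5 tells you to look for, and the 644/755 permissions step 22 calls for. The signature regex is an assumption based on the fragment shown on this page, and the sample tree the script builds in a temp directory is constructed; point scan_tree() at a real document root to use it.

```python
import os
import re
import stat
import tempfile
from collections import Counter
from datetime import datetime

# Assumed signature: the post and comment 7 show the payload prepended to every
# .php file as "<?php /**/ eval(base64_decode(" (the /**/ is optional here).
INJECT_RE = re.compile(rb'^<\?php\s*(?:/\*\*/)?\s*eval\(base64_decode\(')
# Step 22: 644 for files, 755 for directories; anything group- or
# world-writable (the 777 the post mentions) is flagged as lax.
FILE_MODE, DIR_MODE, WRITABLE_BY_OTHERS = 0o644, 0o755, 0o022

def is_injected(path):
    """True if the file begins with the eval(base64_decode(...)) prefix."""
    with open(path, "rb") as fh:
        return bool(INJECT_RE.match(fh.read(512)))

def scan_tree(root):
    """Report injected .php files, lax permissions, and the minute in which
    most injected files were modified (step 5: they all change at once)."""
    injected, lax, minutes = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            if mode & WRITABLE_BY_OTHERS:
                lax.append((path, oct(mode)))
            is_php_file = name.endswith(".php") and not stat.S_ISDIR(st.st_mode)
            if is_php_file and is_injected(path):
                injected.append(path)
                minutes.append(int(st.st_mtime) // 60 * 60)
    top = Counter(minutes).most_common(1)
    hacked_at = datetime.fromtimestamp(top[0][0]).isoformat() if top else None
    return {"injected": sorted(injected), "lax": sorted(lax), "hacked_at": hacked_at}

# Constructed fixture: the post's 4/24/2010 6:54am time, a harmless base64
# placeholder, two infected files, one clean file and one 777 directory.
SAMPLE_HACK_TIME = datetime(2010, 4, 24, 6, 54)
SAMPLE_PAYLOAD = b'<?php /**/ eval(base64_decode("aWYoZnVuYw==")); ?>\n'

def build_sample_tree():
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    files = {
        "index.php": SAMPLE_PAYLOAD + b"<?php require 'wp-blog-header.php';\n",
        "wp-config.php": SAMPLE_PAYLOAD + b"<?php define('DB_NAME', 'db');\n",
        "wp-content/uploads/readme.php": b"<?php echo 'clean';\n",
    }
    ts = SAMPLE_HACK_TIME.timestamp()
    for rel, body in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, FILE_MODE)
        if body.startswith(SAMPLE_PAYLOAD):
            os.utime(path, (ts, ts))  # infected files share one timestamp
    os.chmod(uploads, 0o777)  # the lax permission the post warns about
    return root
```

Running scan_tree(build_sample_tree()) reports the two infected files, the 777 uploads directory, and 2010-04-24T06:54 as the minute the infection landed.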

    Updates:

    We will update this blog post as information becomes available. So please bookmark this page.

    UPDATE 4/25/10 at 2:00pm: If you're unable to restore your site with the steps listed above and you have SSH access, be sure to read Rudi's post, "Ninoplas or Cechirecom Base64 virus on WordPress and all php files. How to remove via ssh (Go Daddy)!"

    We just received the FTP log from one of the WordPress websites we fixed yesterday that was infected with this malware. There were no suspicious IP addresses accessing it via FTP. We're hoping to shed some more light soon on how the bad hackers are getting in.

    UPDATE 4/26/10 at 8:43am CST: We've been contacted by a security analyst at Go Daddy to help them find a common method of compromise. So they're working hard on this issue. Please continue your comments and emails to us regarding this malware and the Ninoplas base64 attack as well. Your information is appreciated!

    If you're on Go Daddy and have been hacked with this malware, send us your domain name and the date/time you were hacked, so we can give it to Go Daddy's security team. This will help find the access point.

    UPDATE 4/26/2010 at 12:25pm CST: Thanks to all who have sent in their domain names and left comments. Go Daddy's Security Department has just called us and we gave them your information. They're working diligently to find out the access point for this situation.

    Right now, the guess is that the bad hackers have a php file (size 3k) that sends a shell command to inject this noxious code. Then it quickly removes itself. Go Daddy is tracking this down right now!

    Continue to comment and send us information, as Go Daddy is checking this post and we're sending them your information. If you know the exact date and time your site was hacked, please include that along with your domain names via our contact form.

    Go Daddy has also promised to comment here on this blog post and send out an email to its users with information once they know more. So stay tuned.

    UPDATE 4/26/2010 at 1:23pm CST: Scott from Go Daddy's Security Operations Center left a comment that they're on the hunt for a resolution.

    Also, we just found this on the net:

    A nasty little exploit has hit a large number of Go Daddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.

    We've let Go Daddy know about this to see if Google referred traffic has anything to do with it.

    UPDATE 4/26/2010 at 10:18pm CST: Just spoke with Go Daddy's security team. They're working around the clock to find out how sites are being infected. They are making progress. Soon we will know what you can do to protect your websites on this issue. We will give you an update as soon as it's available.

    UPDATE 4/27/2010 at 6:50am CST: Some, not all, webmasters are reporting that they've found an unknown user account. As a precautionary measure, until this issue is resolved, disable registration. To do this, go to your wp-admin, click on Settings > General, and uncheck "Anyone can register."

    If you find any unknown users, please email us the username and IP address so that we can keep reporting to Go Daddy's security department.

    Unfortunately, it's unclear at this time whether your site will be reinfected. Monitor your site frequently to make sure you're safe. If you want to use an automated monitoring service, we have worked out a special discount with an affiliate of ours. David Dede, of Sucuri.net, has agreed to give our clients their Web Integrity Monitoring service for only $7.99/month or $79/year (regularly $9.99 & $89). Use our special affiliate link.

    UPDATE 4/28/2010 at 9:00am CST: Dancho Danchev, a Threat Intelligence Analyst, has provided some great insight on this malware. You can read his article here.

    UPDATE 4/29/2010 at 9:00pm CST: We are hosting a WordPress Security Gathering - Free 90-minute Teleseminar. We hope you can join us. We will be talking about this recent WordPress attack and giving you tips on keeping your site secure. You can participate from anywhere in the world. For more info, click here.

    UPDATE 4/30/2010 at 11:00am CST: I found a forum post at Godaddy discussing this issue and some tech support responses. Nothing recent, but thought I'd share it with you. You can view it here.

    UPDATE 4/30/2010 at 1:15PM CST: We just received new information from Godaddy's Information Security Operations department.

    The exploited sites were running old versions of WordPress or had carried an attack forward from an old version in the upgrade process. We saw no indication that WordPress 2.9.2 itself was successfully attacked. Please see the support article for more information.

    UPDATE 5/1/2010 at 6am: This dangerous malware is back! WordPress, Joomla, Pligg and others have been reinfected! We are currently writing a new press release and this will be published on our website shortly.

    BREAKING NEWS 5/1/2010 at 7am: We have just released more information about another attack that happened today. Please read -

    Breaking News! Dangerous Malware Alert - Self-Hosted Sites On Major Hosting Service Hacked Again!

    UPDATE 5/3/2010 at 7:13pm CST: Go Daddy cares! Here's some info...

    UPDATE 5/5/2010 at 3:00pm CST: We'd like to thank Scott from Go Daddy's IT Security Operations department for speaking at our teleseminar today. The audio replay is now available on the webcast page. If you missed this event, you can still register here and listen to the replay.

    Scott has provided the following helpful links for you:

    How to identify the version of WordPress you're using: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/is-my-wordpress-version-up-to-date/

    Our community thread on best practices for cleaning: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it

    Upgrading WordPress the "best practice" way:
    http://help.godaddy.com/article/6072

    Form to contact our Security Team:
    www.godaddy.com/securityissue

    UPDATE 5/5/2010 at 5:00 pm CST: We have just uploaded a portion of today's WordPress Security Teleseminar with Scott from Go Daddy. You can listen to the audio by pressing the play button below:


    We need your help...

    In order to help spread awareness about this malware attack, click the share button below to link this post to your Twitter, Facebook, email, etc.

    If you have any questions or have any further information about the Cechirecom.com script, please leave a comment below so that we can keep our readers informed.

    Also, send us a screenshot of any popup from your anti-virus program showing what virus it's trying to install so we can let others know what to watch for.

    Securely yours,

    Regina Smola
    Follow me on Twitter
    Follow WPSecurityLock on Twitter

    REGISTER NOW TO LISTEN TO THE AUDIO REPLAY WITH GO DADDY AND WPSECURITYLOCK!
    You can still listen to our WordPress Security Teleseminar Replay with special guest Scott from Go Daddy, recorded on May 5, 2010. Plus, you can still sign up for our May 19, 2010 at 9pm EST teleseminar. You can participate live from anywhere in the world. Click Here To Register Now!

    ==>> Pssst… Did you attend the “How to Create Prospect & Profit Pulling Content in 20 Minutes or Less with Jeff Herring, a Webinar Hosted by Regina Smola?”

    Wow! What an amazing webinar. We were pumping out content during this live event, it was action packed and we produced results! And you can too! Listen to the Replay Right Now!. (Hurry, it's free and only available till the end of the weekend.)

    About Regina Smola

    Regina is a sought-after WordPress Security Expert, Speaker, Author and owner of WPSecurityLock.com. She has helped thousands of WordPress users tighten security on their WordPress sites and fixed hundreds of hacked WordPress blogs. Read More. Follow on Facebook, Google+, Twitter.

    Comments

    1. very early symptoms of pregnancy says:

      You challenged me to try something new, and you have my thanks with a link from my place : )

    2. I hate you Godaddy, This bug affects all my sites, f¬¬k

    3. I was attacked again on Saturday morning. All my blogs were hacked again. This time I was able to roll everything back. It looks like my main blog, benspark.com is the one under attack. I installed a bunch of security plug ins and that seems to be keeping things at bay right now.

    4. Go Daddy cares! Here's some info...

    5. As of last night, Dreamhost has also been hit. On my server, a few wordpress installs and a zencart install. Same script, only this time the js.php was found on zettapetta[dot]com

    6. Russell says:

      Website was hacked with same thing but no WordPress but I do host with GoDaddy shared linux hosting.

      The injection happened around 10:30am to 11:30am US mountain time. I believe though it happened closer to 11 am.

      I am sure about this because SMF just started putting errors in the error logs about headers being already sent, since this script messes up the headers. The "headers already sent" error started around 11:02:48 AM according to the SMF error logs.

      I used a recursive script to clear out all the code, but I can't investigate this any further. The access logs tell a whole different story; there is nothing stating this happened at this time or any evidence of an injection. My guess is it's not in my logs and something may very well be wrong with my server.

    7. 5/8/2010 our site got hacked at 4:34 AM
      Injected
      <?php /**/ eval(base64_decode("aWYoZnVuY...
      and a bunch more stuff in EVERY .php file on the site

    8. My godaddy sites hacked again on 5/12/10. I know godaddy believes this is my fault and not theirs, but I've always run the latest version of WP, all plugins, themes, etc, as well as whatever they provide. I've changed all passwords, etc., and the same thing happened again. Wherever the problem lies, this is a drag.

    9. Here's the culprits that my security software prevented from infecting my system:

      http://www.pctools.com/en/mrc/infections/id/Trojan.Gen/

      http://www.pctools.com/en/mrc/infections/id/Trojan.Generic/

    10. Damn, the virus is back. We had been informed by the GoDaddy team that it had been removed and that the details were not shared to avoid the hacker knowing the technique. Now I wonder if the secret got shared with them, as they have again injected us with the malware even though we had secured the sites with all the precautions shared here.
      The malware caused us serious loss of revenue the last time, and this time I wonder if we should switch the site from the GoDaddy host, as all our sites hosted on other platforms are not experiencing any sort of problem even though we have not updated the security settings the way we did for the sites hosted on the GoDaddy server.
      Please GoDaddy team look into the issue.
      The two sites are
      Our-Cats.com
      TechNama.com

    11. I have had similar problems with my GoDaddy shared hosting (Linux). It has happened to me a few times already. However, since it infects all of the sites I have on the same account (most are WordPress, but some are Joomla based), I cannot restore files using GoDaddy File Manager, because every time I try to restore all at once, it breaks with a time-out error, and I cannot restore one by one (there are tens of thousands of files). Does anybody know if it is possible to do the restore using SSH (I have it enabled) from the Godaddy archive, and how to do it?

    12. What I am looking to do is similar. I am looking to have a static page as well as the blog appear on the main page of my WordPress site. Right now going to the settings section will only allow me to do one or the other. Any feedback would be appreciated.
