Lots of sites reinfected – Now using holasionweb.com

Hi,

You got a broken link there…
"http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html
http://sucuri.net/malware/entry/MW:MROBH:1"

Is one "broken" link…

Thanks this worked!

I made a mistake with godaddy because I did in file manager a file restore to last week without backing up my latest posts in wordpress. I didn't think it would revert the posts back and it didn't at first, but now the posts are gone since the last time I did a restore when this happened already. i reverted back to yesterday now and the post never showed up. Any ideas what happened??

Oops, i've put my email in the wrong input.
Can you modify my email to name please ?

Thx.

Thanks again. My sites seemed to become reinfected. My host, a front for GD have just had another email from me.

I'm close to moving to another provider.

Once again, thank you so much guys. You have been infinitely more helpful than GoDaddy. I am becoming an extremely unhappy customer. PHPBB3 hacked again last night. Your fix worked again this morning.

Infected this morning. Absolutely no wordpress or any other prepackaged app in our folders. Only php and html files.

Happened to every PHP file on my shared GoDaddy hosting both this time and last time. On my hosting I have SMF 1.1.11 and phpMyAdmin (most current version) so this corroborates your earlier post with it being a vulnerability in phpMyAdmin. I of course contacted GoDaddy and they gave me the usual garbage about my responsibility to keep scripts up to date and how to notice malware. Completely useless. However, I just restored everything from a backup I had a few days ago and all is well, for now…

Got hacked with 2 hosts – vBulletin and one with custom php files

My SMF 2 forum on Godaddy has this as well. This is the second issue in two weeks for my

I've made a temporary solution, to fast clean up client-side, the malicious script.

This script need jQuery.

// Execute the script a first time
findMaliciousScript = $("body").find("script").attr('src','http://holasionweb.com/oo.php&#39 ;
$(findMaliciousScript).removeAttr("src");

function launchTimer() {
timer = setInterval(loop, 0);
}
function clearTimer() {
clearInterval(timer);
}
function loop() {
findMaliciousScript = $("body").find("script");
if (findMaliciousScript.attr('src') == 'http://holasionweb.com/oo.php&#39 {
$(findMaliciousScript).removeAttr("src");
findMaliciousScript = '';
}
else {
clearTimer();
}
};

// And loop it, the loop stop when the src is deleted.
launchTimer();

Happened to over 2,000 of my PHP files this morning…. and the Web Fix worked like a charm.

LIFE SAVER! Thank you so much!

I do have an old install of WP on my site too… upgrading as I type. F GoDaddy in the A.

Question, how long did the script run for you guys.

Mine took like 10 seconds and I wonder how it could have cleaned so many php files that quickly

After I cleaned up some of my files, bluehost reactivated my site. I ran the fixer script and everything seems to be working fine now. Will continue cleaning out old plugins and themes.

My WordPress 2.9.2 site hosted at GoDaddy has been the victim of both of the most recent hacks. The listed fix you developed worked like a charm.

When GoDaddy was sent a trouble ticket this morning to let them know about our incredible displeasure at their response to date, this is an exact copy of the key part of their response to me.

GoDaddy's response begins;

Thank you for contacting Online Support.

Our Security Operations Center (SOC) is aware of the attacks and has been working with leading WordPress security experts to identify the root cause of the issue. We provide the shared hosting server to you in a clean, uninfected state, and we have security measures in place and anti-virus software installed to ensure the integrity of our hosting accounts. Please note that our SOC found that these attacks have occurred as a result of security vulnerabilities in older versions of WordPress installations on customer hosting accounts. A member of our Security team recently addressed the issue at a teleseminar. You may find more information, including the audio replay of the teleseminar, at the below link:

http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/

We recommend you update your WordPress installation to 2.9.2 to eliminate the security vulnerabilities existing in prior WordPress versions. There are several steps to upgrading your WordPress® installation.

End copy of their email response to me.

I want to say again, we ARE running the latest WordPress 2.9.2 on our site. Right now. I'm looking at the dashboard.

GoDaddy's response to me is to blame an old WordPress version, when they are currently hosting the latest one for me right now. They didn't even bother checking what version I am using that got hacked before telling me that it is, in effect, my fault or WordPresses fault, but not theirs.

My email to them instructed not to bother with nonsensical reply asking me to update wordpress. This what they sent me:

Dear Sir or Madam,

Thank you for contacting Online Support. While there are no ways to ensure that any site is 100% safe from malicious intended attacks. Not only do we constantly strive to combat these attacks, we ask our customers to be vigilante as well to help in this struggle. Other than the remedies offered previously we have no new information or ways to correct these issues. We appreciate your understanding in this matter.

BC I usually have 2000 SE referees at this time. It's around 800 so far.

I am not sure about a Google penalty because I actually refreshed my site at the exact moment the attack occurred. Unless the penalty is from a previous attack that's only now taken effect

Seriously, I'm sick of Godaddy's bullshit, all of my wordpress installs were fully upgraded and yet we've still been hacked twice. It's obviously a security issue with their server. I'm switching if possible. (Don't know how to move a large database)

Your wordpress-fix.php script removes the code but it also left a single blank line of text at the top of every file giving me "headers already sent" errors all over the place.

A fix coming soon for that?

i have the same problem, wordpress-fix.php script leaves a blank line at the top of every file. Is there a fix?

I updated my Gumblar script to remove this malware, too:

http://www.danielansari.com/wordpress/2010/05/holasionwebcom/

This uses a regular expression that does NOT leave any blank lines at the top.

my ftp hacked too
infected more than 30000 php files on my sites
i got to write php script to clear all my files

this is russian hacker
we need to find partner program of this virus
only then we can stop this shit

WPsecuritylock updates: It is going worldwide and spreading to other hosting companies. DAMNG IT!

We hear your frustration. For full details, see our blog: http://community.godaddy.com/godaddy/whats-up-with-go-daddy-wordpress-php-exploits-and-malware/?isc=smfor1

If you're site's been affected, please fill out the form listed in the article.

Alicia

I filled out the form twice and NOTHING. I had to call only to get clueless reps on the phone who didn't know a damn thing

Yeah, GoDaddy's pretty useless. They obviously don't know what's going on, that's why they keep playing the "it's your fault, it's wordpress' fault" game.

Thanks for the script. Glad someone's trying to help solve this problem. I've been hacked three times in the last month. Cleaned up all my files, up to date on WP, and have complex passwords but I still keep getting hit. GoDaddy's response each time is to send me form responses that don't help me at all.

Peter, I belive the problem is with godaddy themselves, And its a problem they need to fix, everybody should email them and tell them its THERE FAULT.

I dont see how you can prevent a problem as the heirachy for control is out of our hands.

I belive that, As all these sites are hosted on Shared servers, There is a problem somewhere that is allowing user(s) to control the whole server and not just there allocated space on the server, Therefore giving them control of everybodie(s) site(s) instead of just there own.

My Joomla site (1.5.16) was infected. It is hosted on a shared Linux server through GoDaddy.

I used the fix and everything seems to work. This happened before (over the weekend) and I simply uploaded a backup of the website which worked temporarily.

GoDaddy is trying to tell me that I am an isolated incident, but reading the comments here leads me to believe that we're all suffering the same problem and it's not all our fault.

I'm not entirely sure everything is fixed yet because the Sucuri Web-based Integrity Monitoring system says that I am still infected (though it says the last check was 4 hours ago, so I'll wait until that updates before freaking out).

Thanks for posting this fix. I'll be back if there are any future attacks.

@Lisa: I notified this to Godaddy. they answered:

"We're investigating that. If you get an error trying to register for the Community, please refresh the page after it errors out."

Peter

Thanks Peter, I was worried 30 seconds was too short, but I guess it works quickly.

I'm on a linux shared hosting on GoDaddy and have been attacked 3x now including the this last one.

For those of you who have access to your history, please check to see if there are any unusual files that was "deleted" from your root directory on 5/11. I found one on 5/11 at 9:00pm. I still had access to it even when it was deleted and saw that this was the malware code in php. It was named him_vivie.php

Anyway it was deposited then deleted. So you won't find it if you look at your present directory.

My FTP logs does not show any intrusion from FTP during that time. So this has got to be a server issue.

Can anyone please recommend a good SECURE and solid, and relatively inexpensive alternative hosting company?

And how hard is it to switch?

Thanks!!

Godaddy Customers,

You can get infected from your own sites. Everyone needs to be doing at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners you don't normally use, to find threats that got past the AV scanner you were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.

Do it.

What's the difference in price for GoDaddy's dedicated hosting vs. shared hosting? $30 per month instead of $30 per year?

Seems these viruses would be a great way for GoDaddy to get people to switch to dedicated hosting in order to make more money.

…..i'm just sayin……

The sad thing is, they might not lose customers because of this malware issue, but they WILL lose customers because of their "it's not us- it's you" responses/attitude toward it.

I should also qualify my statement above by saying that I've read that it's not just GoDaddy hosted sites that are getting infected. Other hosts are having the same issue too, so everyone considering jumping ship would do best to wait, lest they move the whole thing and it happens all over again.

My (GoDaddy hosted) blog has been hacked twice in the past week, and like many people above, I tried *everything* to fix it. The only thing that worked, ironically comes from GoDaddy themselves, and that's a restore to history in the hosting control panel. I got infected again this morning and I did this, and only this, and it worked like a charm. I only hope it will continue to work for every new time this happens. I better clear my schedule every day to work on this!!

You can read more about the restore to history process on my blog here, which details it for even tech-dunces like me.

http://www.cowbellyblog.com/2010/05/12/the-best-way-to-remove-malware-from-a-wordpress-blog-using-godaddy/

Fuck you GoDaddy!
Second attack in the last 12 days.

Thank you very much $&%&%%&$(/·"!

As far as I can see my site hasn't been infected (luckily) but it is running so so slowly – is that just a knock-on effect of being on Godaddy shared hosting and maybe other users on my server are infected? It's so frustrating.

What version of php is this happening with?

Some of the hosting companies listed above still have older versions of php as the default for many of their customers.

My drupal hosted on godaddy has been infected too. Twice. I cleaned manually the code and I'm waiting.

Thank you, sucuri.net! You've helped us recover very quickly from this crud. It automatically infects IE 8! Terrific. Even older versions of Mozilla are relatively safe.

In our case I think the initial drop file was called "1ndex.php".

Correction to the above; not "1ndex.php", but rather we were affected by a file "she_elijah.php" that was deleted after 9 PM on 5/11/2010, by GoDaddy File Manager time. We're not WordPress. If anyone figures out how these were dropped, PLEASE post it.

Those long URLs linkified, but may get spamblocked…

http://www.tgdaily.com/security-features/49744-go-daddy-counters-php-hack-attacks

http://www.scmagazineus.com/widespread-attacks-continue-against-wordpress-sites/article/169956/

There are a few more in Google News.

Guys, I downloaded my logs — here's the IP address of the machine executing the dropped PHP file on my site.

188.165.200.96

France. Who'd have thought. Going back to 5/10 I do NOT see any other hit from that IP address OR regarding that file! So the file was not dropped via http ?

188.165.200.96 – - [12/May/2010:04:xx:xx -0700] "GET http://www.mysite.example.com/she_elijah.php HTTP/1.1" 200 60 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

I hope this helps!

I have seen a lot of WP cleaners, but nothing for Drupal yet. I have 2 infected drupal sites which are hosted on GoDaddy. I see the < "http://holasionweb.com/oo.php"> malicious script below my footer in both sites. I've searched in all my .php files and the code is not in those files. I will submit a ticket to godaddy, though we'll see what happens. Also, interesting thought is that I have 2 other sites that are drupal sites through GoDaddy, and thery not affected yet. Only thing I have actually updated recently is adding Google Adword Image codes (uses their .js and flash images). Doubt there is a connection, but I am looking at every possible angle.

Just had my GoDaddy hosted WordPress site hacked again as of 2:17pm pst. Please be aware that there is a new wave of attacks going on. I just ran the repair script and all seems ok…. reporting to GoDaddy right now.