And it is still not over. Remember the code we found last week that was hacking all the PHP files at GoDaddy?
It is still happening, but now using the losotrana.com domain (http://losotrana.com/js.php). This is the script that will show up on your site if you get hacked:
Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:
You can clean up using this script:
All the sites so far are hosted at GoDaddy. If you are signed up with us, our system should have already alerted you (or it will do so very soon). Again, this is not YOUR fault! GoDaddy admitted they have a problem, but it looks like they have not been able to fix it yet.
Curiously, the Losotrana.com site is hosted at the same domain as holasionweb.com, which was used in the previous attack:
$ host holasionweb.com
holasionweb.com has address 18.104.22.168
$ host Losotrana.com
Losotrana.com has address 22.214.171.124
Also, all the domains used in the latest attacks were registered by the same person:
Hilary Kneber firstname.lastname@example.org
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
The requests to infect all the files are coming from 126.96.36.199, which is also faking Googlebot's user agent:
188.8.131.52 - - - "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-"
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Update: GoDaddy FTP server seems to be down.
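An added example (not from the original post): one way to check whether log entries carrying a Googlebot user agent, like the one above, really come from Google, using a reverse DNS lookup confirmed by a forward lookup. The sample log lines, IPs and DNS answers are constructed, the function names are hypothetical, and each log entry is assumed to sit on a single line.

```python
import re
import socket
# Client IP is the first field; the user agent is the last quoted field.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")  # Google crawler PTR domains

def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def is_real_googlebot(ip, reverse=system_reverse, forward=system_forward):
    # PTR must be under a Google crawler domain AND resolve back to the same IP.
    host = (reverse(ip) or "").lower().rstrip(".")
    return host.endswith(GOOGLE_SUFFIXES) and ip in forward(host)

def spoofed_googlebot_ips(lines, reverse=system_reverse, forward=system_forward):
    """Return client IPs that send a Googlebot user agent but fail DNS checks."""
    verdicts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and "googlebot" in m.group("ua").lower():
            ip = m.group("ip")
            if ip not in verdicts:  # resolve each address only once
                verdicts[ip] = is_real_googlebot(ip, reverse, forward)
    return {ip for ip, ok in verdicts.items() if not ok}

# Constructed sample data: documentation IP ranges and made-up DNS answers.
GBOT = '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'
SAMPLE_LOG = [
    '192.0.2.10 - - - "GET /index.php HTTP/1.1" 200 512 "-" ' + GBOT,
    '198.51.100.7 - - - "GET /simple_production.php HTTP/1.1" 200 57 "-" ' + GBOT,
    '203.0.113.9 - - - "GET /index.php HTTP/1.1" 200 57 "-" ' + GBOT,
    '198.51.100.20 - - - "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux)"',
]
SAMPLE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
              "198.51.100.7": "host7.example.net", "203.0.113.9": "crawl-1.googlebot.com"}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
            "crawl-1.googlebot.com": ["192.0.2.99"]}  # PTR claim that does not resolve back

if __name__ == "__main__":
    fwd = lambda host: SAMPLE_A.get(host, [])
    print(sorted(spoofed_googlebot_ips(SAMPLE_LOG, SAMPLE_PTR.get, fwd)))
```

Called without the last two arguments, `spoofed_googlebot_ips` uses the system resolver, so it can be pointed at the lines of a real access log.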
As always, if you are having difficulties getting your site cleaned up, send us an email at email@example.com or visit our site: http://sucuri.net. We can get your sites cleaned up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.