Cechirecom.com.js.php – WordPress Hacked | Case Study

WordPress blogs hosted on Go Daddy and other hosting companies were hit by another malicious attack on April 24, 2010 at 6:54am. Here are the symptoms, including what was visible in the source code:

  • Your website redirects to a blank page at http://www2.burnvirusnow34[dot]xorg.pl
  • When opening your website you receive a warning message from your anti-virus program telling you that it blocked a suspicious threat/virus.
  • Injected at the top of all the .php files on your server is a 3,069-character block of code. Here's part of what it looks like: dMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgIC
  • New: Check for any unknown user accounts. Some, not all, webmasters are reporting finding one they did not authorize.
  • NEW: Clear your cookies and cache, go to Google.com and search for your domain name. Click the link from Google and see if you get any of the above symptoms. The script may be written to fire only when a visitor arrives from Google, so your site can look normal when you visit it directly.
  • Here's what we know so far...

    1. We've only seen it on Go Daddy's Linux hosting accounts, so far.
    2. If not removed, this malicious script has a cookie that will run again in 20 days.
    3. Most hosting accounts were running PHP Version 4.x (you should be running 5.x).
    4. Permissions were set to 777 and/or 755 on some or all directories and/or files.
    5. wp-config.php files had weak or missing Authentication Unique Keys (secret keys).
    6. Weak passwords were used for the database, FTP/hosting and wp-admin.
    7. The website can be restored to an earlier snapshot to remove the virus.
    8. The WordPress database does not seem to be affected.

    What we don't know so far...

    1. How the malicious hackers are gaining access.
    2. The origin of the script.
    3. What the downloaded virus will do to visitors' computers (I don't want to install it to find out).
    4. Go Daddy and Koredomains have been affected.
    5. This malware can affect WordPress and other CMS programs. It doesn't seem to be picky about which php file it infects.
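
    As an added example that is not part of the original post, the helpers below do from an SSH session what the symptom list above describes by eye: they list every .php file whose first line carries the injected eval(base64_decode(...)) call, count the hits before and after a clean-up, and strip only that first line after keeping a copy for the hosting company's security team. The one-line-at-the-top shape of the injection, the function names and the sample tree are assumptions; the post only shows a fragment of the base64 payload.

```sh
#!/bin/sh
# Added example, not code from the original post. Triage helpers for the
# injection described above: every .php file gets one line prepended that
# calls eval(base64_decode("...")). That exact shape is an assumption; the
# post only shows a fragment of the base64 payload.

# List every .php file under $1 whose FIRST line carries the injected call.
# Checking only line 1 avoids flagging plugins that legitimately call
# base64_decode() somewhere in their body.
find_injected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q 'eval(base64_decode('; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of injected files under $1 (compare before and after a clean-up).
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# Keep a copy of each infected file for the hosting company's security team,
# then drop only the injected first line. This is narrower than deleting
# every line that mentions base64_decode, which would break legitimate code.
clean_injected() {
    find_injected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.infected.bak"
        tail -n +2 "$f.infected.bak" > "$f"
    done
}

# Constructed sample tree (not real site files) so the helpers can be tried
# offline. The payload fragment is the one quoted in the post, truncated.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/demo"
    payload='R0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpew'
    printf '<?php eval(base64_decode("%s")); ?>\n<?php\n// site index\n' "$payload" > "$d/index.php"
    printf '<?php eval(base64_decode("%s")); ?>\n<?php\n// plugin file\n' "$payload" > "$d/wp-content/plugins/demo/demo.php"
    printf '<?php\n// clean plugin that uses the function legitimately\n$img = base64_decode($data);\n' > "$d/wp-content/plugins/demo/image.php"
    printf '<html>not php</html>\n' > "$d/readme.html"
    printf '%s\n' "$d"
}

# "sh scan.sh demo" exercises the helpers against the constructed tree.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "injected before clean: $(count_injected "$tree")"
    clean_injected "$tree"
    echo "injected after clean:  $(count_injected "$tree")"
    rm -rf "$tree"
fi
```

    On a real account, source the file and call find_injected against the web root. The restore-from-snapshot route described later in this post remains the primary fix; this is for accounts where the History tab does not help, and the count is worth re-running a day later because the post reports reinfections.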

    What's Go Daddy got to say?

    I'd like to quote a comment submitted by Herma Latha at inspriated.com.

    "Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you."

    Until proven otherwise, we agree with Go Daddy's statement. Please read our article, "Who's Responsible for Your WordPress Security?"

    Go Daddy is posting comments on this blog and giving us updates. We will keep you informed here.

    How to fix your hacked WordPress site...

    If you're uncomfortable with restoring your own WordPress site, we'd be happy to fix it for you right away. We have successfully removed this malware and many others from self-hosted WordPress websites. Just send us an email and one of our experienced WordPress security experts will get in touch with you ASAP.

    Or here's how to remove the cechirecom.com malware hosted at Go Daddy...

    1. Put your site in maintenance mode by removing your index.php file (it is one of the infected files anyway; a clean copy comes back with the restore) and uploading a temporary index.html file. Make sure you clearly state that your site is undergoing maintenance and will be back up soon. There's no need to make your visitors panic by telling them the site has been hacked, so leave that part out. This gives you a temporary home page until your site is fixed.
    2. Submit a support ticket to Go Daddy and request the FTP log for your hosting account for the last 7 days.

      This will show whether they got in through FTP and, if so, from which IP address. (Help us find out where the attack is coming from by emailing us a copy of the IP address from the hack.)
    3. Login to your Go Daddy hosting account.
    4. Click on the "Your Files" button at the top of your Hosting Account home page. This will take you to your "File Manager," which holds your current server files and snapshots of your website for the last 30 days. You can use this section to change or view your directory and file permissions and modified date/time, and to edit or view your files.
    5. While on the "Current" tab, work out the date and time your site was hacked and make a note of it for your records. You can tell when it happened because all your .php files were changed at around the same date and time.
    6. Click on the "History" tab to make sure you have a snapshot of your site before the hack. If you go back a day by clicking the calendar before your hack date, you'll see an orange bullet that says "different." Look at that date and time, it should not be the same as what you just noted (Step 5). If you do have a snapshot, then proceed to Step 8.
    7. Change the dropdown from 25 to 50 so you can view more files. Also make a note if there is more than one page of files. You will be going through each page using the steps below.
    8. Click on your "Current" tab and delete all directories (do these one at a time so you don't bog down the server) and then delete all the files except the following (if you have them):

      _db_backups, php_uploads, stats, index.html (this is your "Site undergoing maintenance page.")

      Please note:
      When you restore your site, any uploads you added to posts or pages since that snapshot are not in it and will have to be re-uploaded. The database is not touched, so all your posts, pages, comments, etc. remain.
    9. Click on the "History" tab and change the calendar to the date before your hack. This is a very important step: the History tab defaults to the most recent snapshot, so if you do not change the date you will put the virus straight back.
    10. Click the "checkbox" next to each directory/folder (one at a time) and then click on the "Restore" icon. Repeat until all your directories have a green bullet that says "Current" next to them. This will put each directory back on the server.
    11. Repeat the same step as above to add all the files back on the server. You can do these in bulk, since they are not very large files. I generally do 10 at a time.
    12. Now check to make sure that EVERY directory and file has a green bullet next to it and it says "Current." That means it's currently on your server now. Make sure you check every page! You might have more than one.
    13. Click on the "Current" tab and delete the index.html file (your temporary home page.)
    14. Visit your site and see if it looks normal again.
    15. Go back into your hosting account and put your mouse over the "Database" tab at the top and click on "MySQL."
    16. Click on the pencil icon next to your site's database and change the password to a strong one. Once you change it, it can take up to 20 minutes to take effect.
    17. Go back to your File Manager "Current" tab and edit the wp-config.php file. You need to put in your new STRONG password and also change your Authentication Unique Keys.
    18. Click on "Save" and the wp-config.php file will be updated.
    19. When visiting your site, if you see an error that WordPress cannot connect to the database, it may be that the new database password has not taken effect yet. Give it a few more minutes. If it doesn't resolve, go back and edit your wp-config.php file to make sure the password is correct.
    20. Try clicking on a link to one of your posts or pages. If it gives you a 404 error, login to your wp-admin and go to Settings > Permalinks and click on "Save" to reset it.
    21. Change your Go Daddy hosting account password (this is the same as your FTP), then change your Go Daddy account password and your wp-admin password.
    22. Check ALL the permissions on your server and set them to the correct values (644 for files and 755 for directories). Read our article, "Ninoplas Base64 WordPress Hacked | Case Study," to find out more about server permissions.
    23. Login to your wp-admin and check for any unknown users and delete them.
    24. As a temporary measure, disable registration on your site until there is a resolution to stop these attacks.
    25. After you've restored your WordPress site, have us add our Existing WordPress Security Package to greatly reduce the risk of having your website hacked again!
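
    The secrets and permissions from steps 16, 17 and 22 can be produced and checked from the command line. The script below is an added example, not code from the original post or from Go Daddy: it prints fresh 64-character values for the wp-config.php keys (all eight names current WordPress uses; a 2010-era wp-config.php may define only the first four, so paste over whatever your file actually contains), counts anything still world-writable, and resets the tree to 755 directories and 644 files. The function names and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post. Helpers for steps 16-17
# and 22 above: fresh secrets for wp-config.php and a permissions reset.
# The key names are the ones modern WordPress expects; older wp-config.php
# files may define only the first four (assumption: adjust to your file).

# Print $1 random characters drawn from a set that is safe inside a PHP
# single-quoted string (no quote or backslash). Source: /dev/urandom.
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$1"
}

# Emit define() lines for all eight WordPress keys and salts, each with its
# own 64-character value. Paste the output over the old block in wp-config.php.
# Changing these invalidates every existing login cookie, which is what you
# want after a compromise.
wp_secret_defines() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(random_secret 64)"
    done
}

# Count of files and directories under $1 writable by "other" (the 777-style
# permissions the post warns about). The target is 0.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}

# Reset to the values from step 22: directories 755, files 644.
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed tree with the loose permissions the post describes, so the
# helpers can be tried offline (not real site files).
make_loose_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/wp-config.php"
    : > "$d/wp-content/uploads/photo.jpg"
    chmod 777 "$d/wp-content" "$d/wp-content/uploads"
    chmod 666 "$d/wp-config.php" "$d/wp-content/uploads/photo.jpg"
    printf '%s\n' "$d"
}

# "sh harden.sh demo" prints a key block and shows the permission reset.
if [ "${1:-}" = "demo" ]; then
    wp_secret_defines
    tree=$(make_loose_tree)
    echo "world-writable before: $(count_world_writable "$tree")"
    reset_permissions "$tree"
    echo "world-writable after:  $(count_world_writable "$tree")"
    rm -rf "$tree"
fi
```

    The database password from step 16 can be generated the same way (random_secret 24 is plenty) and pasted into DB_PASSWORD alongside the new keys. Run count_world_writable against the web root before and after reset_permissions; a non-zero count afterwards means something was created while the reset was running and deserves a look.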

    Updates:

    We will update this blog post as information becomes available. So please bookmark this page.

    UPDATE 4/25/10 at 2:00pm: If you're unable to restore your site with the steps listed above and you have SSH access, be sure to read Rudi's post, "Ninoplas or Cechirecom Base64 virus on WordPress and all php files. How to remove via ssh (Go Daddy)!"

    We just received the FTP log from one of the WordPress websites we fixed yesterday that was infected with this malware. It showed no suspicious IP addresses connecting via FTP. We're hoping to shed more light soon on how the bad hackers are getting in.

    UPDATE 4/26/10 at 8:43am CST: We've been contacted by a security analyst at Go Daddy to help them find a common method of compromise, so they're working hard on this issue. Please continue to send your comments and emails regarding this malware and the Ninoplas base64 attack as well. Your information is appreciated!

    If you're on Go Daddy and have been hacked with this malware, send us your domain name and the date/time you were hacked, so we can give it to Go Daddy's security team. This will help find the access point.

    UPDATE 4/26/2010 at 12:25pm CST: Thanks to all who have sent in their domain names and left comments. Go Daddy's Security Department has just called us and we gave them your information. They're working diligently to find out the access point for this situation.

    Right now, the guess is that the bad hackers have a php file (about 3k in size) that sends a shell command to inject this noxious code, then quickly removes itself. Go Daddy is tracking this down right now!

    Continue to comment and send us information, as Go Daddy is checking this post and we're sending them your information. If you know the exact date and time your site was hacked, please include that along with your domain names via our contact form.

    Go Daddy has also promised to comment here on this blog post and send out an email to its users with information once they know more. So stay tuned.

    UPDATE 4/26/2010 at 1:23pm CST: Scott from Go Daddy's Security Operations Center left a comment that they're on the hunt for a resolution.

    Also, we just found this on the net:

    A nasty little exploit has hit a large number of Go Daddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.

    We've let Go Daddy know about this to see if Google referred traffic has anything to do with it.
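
    The Google-referral behaviour described above can be checked without clearing cookies and clicking through a search: curl lets you send the same request with and without a Referer header and compare what comes back. This is an added example, not code from the original post; the function names, the constructed header samples in the comments and the User-Agent string are assumptions. A redirect is classed as external when the Location host is not your own domain, which is what the www2.burnvirusnow34[dot]xorg.pl redirect listed at the top of this post would look like.

```sh
#!/bin/sh
# Added example, not code from the original post. Compares a direct visit
# with a Google-referred visit so a referrer-conditioned redirect shows up
# from the command line. Assumes curl is installed.

# Print the Location header value (if any) from raw response headers on stdin.
location_of() {
    tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# Classify raw response headers on stdin relative to your own host ($1):
# prints "no-redirect", "same-site-redirect" or "external-redirect".
# Dots in the host are escaped so "example.com" does not match "exampleXcom".
classify_redirect() {
    site_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    loc=$(location_of)
    if [ -z "$loc" ]; then
        echo no-redirect
    elif printf '%s\n' "$loc" | grep -qE "//$site_re"'([:/]|$)'; then
        echo same-site-redirect
    else
        echo external-redirect
    fi
}

# Fetch $1 once as a direct visit and once claiming to arrive from a Google
# search, printing one classification per visit. -s quiet, -D - dumps the
# response headers to stdout, -o /dev/null discards the body, -A sets the
# User-Agent (a browser-like one, since conditional scripts may check it),
# -e sets the Referer. A full GET is used rather than -I because a HEAD
# request may not trigger the injected code.
compare_visits() {
    url=$1
    site=$(printf '%s\n' "$url" | sed 's#^[a-z]*://##; s#[/:].*##')
    ua='Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6'
    printf 'direct:       '
    curl -s -D - -o /dev/null -A "$ua" "$url" | classify_redirect "$site"
    printf 'from google:  '
    curl -s -D - -o /dev/null -A "$ua" \
        -e 'http://www.google.com/search?q=site' "$url" | classify_redirect "$site"
}

# Usage: sh refcheck.sh http://www.example.com/   (example.com is a placeholder)
if [ -n "${1:-}" ]; then
    compare_visits "$1"
fi
```

    "direct: no-redirect" next to "from google: external-redirect" is the signature described in the quote above. If both visits read no-redirect on a site you know is infected, save the body instead of discarding it and grep it for the js.php script reference, since some variants inject a script tag rather than a server-side redirect.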

    UPDATE 4/26/2010 at 10:18pm CST: Just spoke with Go Daddy's security team. They're working around the clock to find out how sites are being infected. They are making progress. Soon we will know what you can do to protect your websites on this issue. We will give you an update as soon as it's available.

    UPDATE 4/27/2010 at 6:50am CST: Some, not all, webmasters are reporting that they've found an unknown user account. As a precautionary measure, until this issue is resolved, disable registration. To do this, go to your wp-admin, click on Settings > General and uncheck "Anyone can register."

    If you find any unknown users, please email us the username and IP address so that we can report them to Go Daddy's security department.

    Unfortunately, it's unclear at this time whether your site will be reinfected. Monitor your site frequently to make sure you're safe. If you want to use an automated monitoring service, we have worked out a special discount with an affiliate of ours. David Dede of Sucuri.net has agreed to give our clients their Web Integrity Monitoring service for only $7.99/month or $79/year (regularly $9.99 & $89). Use our special affiliate link.

    UPDATE 4/28/2010 at 9:00am CST: Dancho Danchev, a threat intelligence analyst, has provided some great insight on this malware. You can read his article here.

    UPDATE 4/29/2010 at 9:00pm CST: We are hosting a WordPress Security Gathering - Free 90-minute Teleseminar. We hope you can join us. We will be talking about this recent WordPress attack and giving you tips on keeping your site secure. You can participate from anywhere in the world. For more info, click here.

    UPDATE 4/30/2010 at 11:00am CST: I found a forum post at Godaddy discussing this issue and some tech support responses. Nothing recent, but thought I'd share it with you. You can view it here.

    UPDATE 4/30/2010 at 1:15PM CST: We just received new information from Godaddy's Information Security Operations department.

    The exploited sites were running old versions of WordPress or had carried an attack forward from an old version in the upgrade process. We saw no indication that WordPress 2.9.2 itself was successfully attacked. Please see the support article for more information.

    UPDATE 5/1/2010 at 6am: This dangerous malware is back! WordPress, Joomla, Pligg and others have been reinfected! We are currently writing a new press release and this will be published on our website shortly.

    BREAKING NEWS 5/1/2010 at 7am: We have just released more information about another attack that happened today. Please read -

    Breaking News! Dangerous Malware Alert - Self-Hosted Sites On Major Hosting Service Hacked Again!

    UPDATE 5/3/2010 at 7:13pm CST: Go Daddy cares! Here's some info...

    UPDATE 5/5/2010 at 3:00pm CST: We'd like to thank Scott from Go Daddy's IT Security Operations department for speaking at our teleseminar today. The audio replay is now available on the webcast page. If you missed this event, you can still register here and listen to the replay.

    Scott has provided the following helpful links for you:

    How to identify the version of WordPress you're using: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/is-my-wordpress-version-up-to-date/

    Our community thread on best practices for cleaning: http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it

    Upgrading WordPress the "best practice" way:
    http://help.godaddy.com/article/6072

    Form to contact our Security Team:
    www.godaddy.com/securityissue

    UPDATE 5/5/2010 at 5:00 pm CST: We have just uploaded a portion of today's WordPress Security Teleseminar with Scott from Go Daddy. You can listen to the audio by pressing the play button below:

    http://www.wpsecuritylock.com/audio/2010-05-05-wpsecuritylock-godaddy-cares.mp3

    We need your help...

    In order to help spread awareness about this malware attack, click the share button below to link this post to your Twitter, Facebook, email, etc.

    If you have any questions or have any further information about the Cechirecom.com script, please leave a comment below so that we can keep our readers informed.

    Also, send us a screenshot of any popup from your anti-virus program showing what virus it's trying to install so we can let others know what to watch for.

    Securely yours,

    Regina Smola
    Follow me on Twitter
    Follow WPSecurityLock on Twitter

    REGISTER NOW TO LISTEN TO THE AUDIO REPLAY WITH GO DADDY AND WPSECURITYLOCK!
    You can still listen to our WordPress Security Teleseminar replay with special guest Scott from Go Daddy, recorded on May 5, 2010. Plus, you can still sign up for our May 19, 2010 teleseminar at 9pm EST. You can participate live from anywhere in the world. Click Here To Register Now!

    Comments

    1. Rudi says

      Hi,

      Unfortunately for me, the restore option didn't work; instead I accessed the files through ssh and removed the code from all my files with this command: find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;
      The long story is on my blog :).

      Rudi

        • Rudi says

          I contacted Godaddy one day before finding out that there is a restore option, and the support guy asked me if I had a backup of all the files; he didn't say anything about a restore option. Then I found out that there is one, but it says that it doesn't have access to the folders. This could also be because I opted in that day for ssh, which takes 1 day to activate.

    2. PP says

      Our site was hit with this yesterday and had the potential to create quite a mess. Thanks to Regina and her team, it was cleaned quickly and efficiently. The best part of the process was that we were able to watch the whole procedure as she shared her screen with us online. Once completed we updated passwords (much more complex ones) and our site was back up within 90 minutes!!

      Thanks Regina!!

      • Regina says

        PP, you’re very welcome. I’m happy that we were able to get your site restored so quickly. I know I was a stickler on how STRONG your passwords should be! But glad you made them so complex.

        Thanks for your kind words and trust in us. We look forward to putting our maximum security package on your WordPress.

    3. Gary W Clark says

      Regina,

      I downloaded your “7 Plugins for WordPress Security,” yesterday. I then installed and configured all the plugins. While I was at it, I made my passwords stronger. So far, so good. Thanks a million.

      GW

      • Regina says

        GW,

        Thanks so much for your comment. You’re very welcome!

        I’m glad you were able to get your site fixed. Hopefully the plugins will keep your site more secure. I am VERY happy you used stronger passwords. They don’t call me the Password Sheriff for nothing. LOL

        Did you check your server permissions? And updated the secret keys in the wp-config.php file?

        We just obtained a FTP log for one of the sites we repaired. We saw no unusual IP addresses on it. HMMM Seems they’re not hacking in via FTP. Hopefully, we’ll find out soon.

    4. ris says

      Hi, does this procedure also apply to sites hosted on koredomains? I have a website (not made with WordPress), I'm hosted on koredomains and I have this virus. How can I clean my website? Do I follow this procedure? Can you help? Thanks!

      • Regina says

        Hello ris,

        I’m sorry to hear about your website being hacked. I am unfamiliar with your hosting company. However, you can contact them and ask them if they provide a snapshot (history or backup) of the files on your server. Tell them you want to restore your site to another date. Some companies charge you to have them do it for you. But certainly ask them if it’s available to you already.

        If you’d like us to fix your site, please let us know. Just click the contact link and send us an email.

    5. Andy Campbell says

      Thanks for this information. A site I manage was hit with this as well and it managed to disrupt everything. Seeing your suggestions to lock down the site shows that we were ripe for the taking. I am working on tightening up security based on these suggestions. The GoDaddy Restore feature via the History solved our problem (for now).

      I firmly believe a plugin was to blame – and I think it was a Cache plugin in our case. I saw the redirect and my antivirus blocked the site (thankfully). Upon doing some research I found some threads discussing Cache plugins getting hacked. I went into the site via FTP and deleted the Cache plugin. It did not fully solve the problem but the redirect ended – browser visits showed the blog but also showed the cechirecom.com as “waiting” for connection but it did not finish the redirect. Clearly something was broken in the redirect from the plugin removal. By that point I had also come across your information and decided to do the restore. Thanks again!

      • Regina says

        Hello Andy,

        Thanks so much for the information. Maybe the cache plugin has a vulnerability we all need to know about. Please provide us with the exact name and link so we can compare and see if others are using the same as well.

        I'm glad the restore worked for you. It's too bad that webmasters have to go through this. But there are risks involved in using a shared hosting account. The best we can do is tighten all the areas we have available to us and monitor often. Be sure that you're backing up your database too.

        • Andy Campbell says

          Regina,

          Thanks again – this site was a lifesaver for sure and I will be following your blog from here forward.

          We were using WP-Cache (http://mnm.uib.es/gallir/wp-cache-2/). I did not want to point the finger in my first post but its probably best for others to see if this plugin is a common thread.

    6. Patrick Curl says

      My site was hit, and I must say your tutorial was a life saver. Especially as I'm new to godaddy and not fully familiar with all the bells and whistles; I'm much more used to fixing things via cpanel.

      I almost started out trying to fix everything by hand, and just deleting the base encoded parts.

      Also shared your post on digital point, saw someone else having the same issue, looks like it’s a big one.

      • Regina says

        Hi Patrick,

        Sorry to hear about your site getting hacked. I'm glad you were able to fix your site. Congrats!

        Thanks for sharing our post on digital point. Hackers can spread their mess, but we can spread awareness to keep them out.

    7. Miserere says

      I got hacked Wednesday afternoon (April 21st), then spent 6-7 hours cleaning stuff up and getting the blog back up. My site was redirecting everyone, whether they arrived via a search engine or directly. I installed a bunch of security plugins, but no firewall as I couldn’t get it to install properly. I should point out that some people told me they got a pop-up from their antivirus telling them my site was trying to install something, but all I ever saw on my browser was a redirect to another site and my antivirus warned me against that, but did not mention any software trying to be installed. In any case, the script line at the bottom of every page generated for my blog was redirecting here:

      http://61.4.82.212/js.php

      Then on Friday night I was hacked again; found out when I woke up Saturday morning. I’ve spent the whole weekend reading hacking techniques to try finding traces in my files and database. I found nothing suspicious in my database, and in my WP files all that happened was that every single PHP file was infected with the base64_decode entry at the top, like you mentioned (and like it happened on Wednesday). This time the path in the script added to each page’s source code was:

      http://cechirecom.com/js.php

      I now have a WP firewall properly configured, so I hope between that and GoDaddy getting their act together I won’t be hacked again. My website isn’t my job–it’s meant to be fun, and dealing with F#&*ing hackers is NOT fun. I’ve changed all my passwords, and made them so complicated I can’t even remember them. If I lose that piece of paper stuck to my monitor, I’m going to be in trouble :-)

      Thanks for your post, Regina!

      • says

        Hi Miserere,

        Just thought I would check in with you and see how your site is behaving. I’m glad you have strong passwords now! I wish you the best of luck.

        In case you lost that piece of paper, you should make a copy and put it inside an old year book. It’s something you don’t look at very often and you’ll have a backup. You can also save it in a text file to a flash drive too. Backups are the way to go!

    8. Regina says

      Godaddy has contacted us so that they may help you. Their security analysts are working hard on finding the common method of compromise on their servers. Please continue to provide any information you find on this malware by leaving a comment or sending us an email.

      Continue to spread awareness by linking to this post on Twitter, Facebook, your website, etc.

      • says

        Hi There,

        Mine was one of the blogs that was hacked. I’ve been on the phone with Godaddy since I woke up and every tech support person I’ve talked to hadn’t even heard of this. It’s a little irritating. Anyways, I’ll submit my info via your contact form

        • Regina says

          I gave them your information and they’re checking it. Do you know what time it was hacked. You can post the date and time here as Godaddy is checking your comments on this blog post.

    9. Jerry says

      Regina,

      I went through my sites and it looks as though none of them have been hacked but the sites are running incredibly slow. Do you think this is just because of Godaddy fixing the problem or should I be worried?

      I went through each one of my sites and none of them contained an error message nor did they have the script you mentioned above.

      Look forward to hearing from you.

      • Regina says

        Jerry, I think it's because Godaddy is scouring their servers, working to track and maim the hacker. They just called me and they've found the php file they're using; now they're on the warpath to put them out of commission! If you want me to scan your site to see if I notice anything, please just send me an email. Thanks for your comment.

        • Jerry says

          Thank you Regina,

          I guess I will hold off putting up some new blogs today! If I see anything unusual, I will contact you ASAP. Also looking into your security software, looks as though this may be a must have in the near future.

    10. Regina says

      UPDATE 4/26/2010 – Godaddy has just contacted us and they're working diligently to find out the access point for this situation. Right now, the guess is that the bad hackers have a php file (size 3k) that sends a shell command to inject this noxious code. Then it quickly removes itself.

      Continue to comment and send information, as Godaddy is checking this post and we’re sending them information as they arise. If you know the exact date and time your site was hacked, please include that along with your domain names via our contact form.

      Godaddy has also promised to comment here on this blog post and send out an email to its users with information once they know more. So stay tuned.

    11. Regina says

      I know it sucks. But it’s a risk we all take running a website. Just like locking your doors at night, you have to do all you can to lock your website too. Sometimes they get in to the servers through a loop hole and it infects hundreds and even thousands of sites in minutes. And other times, it could be easily avoided by using very strong passwords, good permissions, and cover every security angle you can.

      Be sure to check this post for some tips on securing your website – http://www.wpsecuritylock.com/whos-responsible-for-your-wordpress-security/

      Thanks for your comment. Good luck with your website. If you need any help, please let me know.

    12. Infected says

      I had two sites infected 10 days ago. Fixed them, replaced all FTP passwords on all sites (I have over 10 sites).
      10 days later 2 other sites got infected.

      All sites are hosted by GoDaddy.

      Here’s the strange thing!

      Two sites using WP, but two other sites running two different publishing systems (not common systems).

      All sites got infected. I believe it’s not my fault, there is something wrong on GoDaddy side (or one of my comps is infected with logger or something like that).

      • says

        My site was infected last saturday. I do not have WP but do have zencart with all its security measures. A post on zencart forum says that I did everything I could to secure the site but the problem may have been with godaddy shared hosting.

        Thank you for posting a how-to get rid of this. I was also trying to manually clean up the files.

        I have been on godaddy file manager and noticed that you can overwrite the file from the former date. The tutorial above is to delete the current file then restore it. Is it not effective and less time consuming to just overwrite the files?

        • Regina says

          PinoyStitch,

          Thanks for your comment and question. No it is not a good idea to just overwrite files from a previous date.

          Reason: If the malicious hacker put a file on your server outside of what you overwrite, then it will still be there.

      • Infected says

        I called GoDaddy, provided the site name, date and exact time when all files were modified.
        I explained that this happens with different publishing systems hosted on different servers.
        Not sure if they going to investigate it.

        My wife is working on fixing those site. Such a pain!

      • Regina says

        Thank you Scott for letting us know. We have faith that you’ll track them down.

        We’ve noticed that this is not isolated to just Godaddy and WordPress, but is seen on other hosting companies and CMS as well, including Pligg, Joomla, etc.

    13. Debabrata says

      Hi Regina,

      First of all I would like to introduce myself. My name is Debabrata and I run two websites along with my partner Nitesh. They are http://www.gamersmint.com and http://www.indianauteur.com. It seems our websites have been infiltrated by this virus/malware too. We have the same script at the bottom of every page in the source code and all our theme’s php files also contain that long line of malicious code that you posted.

      We are on Godaddy’s premium hosting plan. It seems our website was hacked around the 24th of April. This is really tragic and sad as we were gaining rapid popularity. Now, I would like to know what’s the best way to do damage control. We have backed up both our website’s content and are on the verge of following the said steps you wrote. But I would like to mention that we are by no means professional coders, far from it, so we are a bit scared of messing things up. Please let me know if you can guide me in any which way.

      Best Regards
      Debabrata

    14. Infected says

      Both my sites are clean now!!!!

      Here's how my lovely wife cleaned the sites:

      1. Downloaded all folders and files from the FTP server.
      2. Using UltraEdit, did a global search for the malicious code and replaced it with nothing.
      3. Uploaded all the cleaned-up files back to FTP.

      She checked both databases and they are clean.

    15. Arthur says

      I had the exact cechirecom.com hack. Unfortunately I didn't check the date of the hack before I restored the files to an earlier date.

      I have to say it’s a bit galling that when the little guy (me) contacts Godaddy support we are fobbed off with a cut and paste “viruses are your responsibility” email, and yet they’re clearly working on this issue, whether or not it’s their fault. They could at least have said they’re aware of a problem.

      • says

        Thanks Steve,

        Just wanted to let you know that I personally sent in your information to Godaddy. Thanks again for letting us know.

    16. Adam says

      My site was infected with this same malware and Regina helped me to fix it quickly. Now I just want to make sure my site remains secure.

      Thank you for posting this information – it’s been a lifesaver! I’ll be sure to follow this blog from now on.

    17. Sue Nardo says

      I have a client who has had their website hacked, but it was back on Feb 3rd – his account must have been one of their “test cases”. His last WP backup was done on 2/23/10 so he’s essentially backed up the virus. Also, because GoDaddy doesn’t have a back-up for more than 30 days, he doesn’t have any backup before 2/3/2010. What options does he have and can your team help? My thought is he has no choice but to uninstall WP and reinstall and connect the new install to the existing database – so he doesn’t lose his posts. Is that correct?

      • Regina says

        Thanks for your comment Sue. Can you please email me the domain name of your client’s “test case” site so I can have Godaddy take a look? They might be able to search some logs.

        Unfortunately, going back that far on the server would be impossible. The records are only kept for 30 days, as far as I know. The good news is, his database should not be affected. All content (posts, pages, comments, etc.) should still be intact.

        He could remove everything from the server and do a fresh install of WordPress, then manually upload all the plugins he used.

        Then he will have to reupload ALL uploads (images, mp3, etc.) that were put on the site. The database does not hold the media files, just keeps the data telling the post to show them.

        I hope that helps.

    18. Terry Glass says

      I had the same problem. The code is in the plug ins and theme php files. I went through one by one and removed the code. I now have removed the offending script from my source code.

      I initially uninstalled and deleted all files off my hosting account at Go Daddy and did a reinstall using their WordPress install. I got the site up and running and found the offending source code and went through each file deleting it.

      I hope this works, it seems to be for now.

      Terry

      • Regina says

        Terry, thanks for sharing. It’s interesting that you found the offending source code after you did a reinstall. Did you use a backup copy to reinstall? That backup may have been affected.

        Good luck with your site.

    19. Greg says

      I’m incredibly blessed or just plain lucky. I’ve got 4 wp sites on godaddy and none have been hacked. Of course, I have passwords that even I can’t remember.

      • Regina says

        Greg, you rock! That’s what I like to hear, very strong passwords!

        Good luck with your sites. Just keep a close eye on them, especially during this crisis.

        Thanks for your comment.

    20. turbinedog says

      I have a WP site hosted on GoDaddy Linux. It has not been hacked. I was keeping up with the versions to 2.9.1, and I have user registration and comments/outside uploads turned off/locked down. I’ll have to check later on the other version information.

      • Infected says

        For security measures, always upgrade to the latest version of WordPress. Version 2.9.2 is the most recent right now.

        -running latest WP version 2.9.2
        -very strong password for FTP changed 10 days ago
        -latest PHP and MySQL database

        Didn’t help. It was hacked anyway.

        • Regina says

          Until we find out how the hack is happening, all we can do is make sure we take all the necessary security measures that we can. The safer the better.

          • Infected says

            Until we find out how the hack is happening, all we can do is make sure we take all the necessary security measures that we can. The safer the better.

            I think there could be something wrong with security settings on Go Daddy’s side. As I mentioned before I had 4 different sites hacked in the past 2 weeks.

            Two sites running WP blogs, one site running Astanda Directory and one site running XZero Community Classifieds.

            According to GoDaddy all sites are running on different servers.

            All sites were hacked exactly the same way – there was a JavaScript link attached to the very end of the site. I noticed it first on one of the WP sites after the admin interface stopped displaying properly.
            It looks like someone got access to the FTP server, modified all files and folders and put it back. This is just a guess.

    21. Mastermind says

      I just found out how they do it. I’ve checked my clients’ FTPs and found just one directory with 777 rights that was similarly hacked with that base64 a month ago.

    22. Steve says

      Take it seriously. I was hit by the NS attacks; everything you can do to help your host helps. I was hit on the 18th and 23rd. I do nightly SQL backups so survived. This is some pretty serious stuff.

      Here’s the time line.

      April 7: Database injections are identified on our WordPress hosted accounts.
      Actions: websites are scanned and cleaned and steps are commenced to contain the issue.

      April 16: Additional malicious code appears on customers’ website files.
      Actions: operations team continues to run scans that identify code and clean customer websites.

      April 18-24: The criminals dynamically inject code on customers’ websites and change signatures each time. The criminals add viruses and/or malware to customers’ sites.
      Actions: security and network experts work to contain the infections and prevent additional issues.

      April 25-present: Security and network teams confirm that security measures continue to contain the malicious code.

      Ongoing: We continue to monitor and implement additional measures as needed to protect our customers. Customers who have not logged in to their sites for at least three weeks are now reporting infections and are being escalated to technical services. The security team confirmed that these are not new cases of infections.

      • says

        Wow! Thanks Steve for sharing this information. It’s amazing how many websites are still infected and webmasters aren’t even aware.

        Keep us informed on any new information you get.

        Are you still with Network Solutions and how’s your site doing now?

    23. says

      I’ve got 6 WordPress sites which have been hacked – all hosted with GoDaddy. I have 2 WP blogs which have not been hacked – both hosted with GoDaddy also.

      I’ll send you the details of the hacked sites on your contact form.

      After reading the comments here I note the following:
      I already have “anyone can register” unchecked.
      I do not have WP-Cache installed.
      Following a hack attack in December 09 I also disabled comments – at that time GoDaddy “support” were very unhelpful. In the end I did nothing (except search for non-existent problems in my blogs) and within a few days GoDaddy fixed their own problem.
      I consider my passwords to be very strong – using a combination of both upper and lowercase, numbers and non-dictionary words.
      Just checked my GoDaddy a/c – says PHP version is 4.x – I assume this is something I must rely on them to keep up to date.
      I keep the version of WordPress up to date – 2.9.2

      I have read your detailed instructions but your point 1 says to remove the index.php file and upload a temporary one – I don’t know how to do this, so it seems I’m stuck already!

      I have backups emailed to me using the WP-Backup plugin – I’m not sure how to restore from these files. Presumably restoring from a backup file prior to the hack would work instead.

      I would be grateful for your comment on using the backup file instead. In the meantime I will give you full details on your contact form, in addition to emailing GoDaddy.

      Thank you

    24. says

      Any additional word on how these hackers got in? It’s hard to make sure it doesn’t happen again if we don’t know how they did it in the first place. :(

      • Regina says

        Steve,

        We have updated this post this morning. Any new information will be listed in RED with date and time (see above) so you can check back often for new developments.

        Dancho Danchev, a Threat Intelligence Analyst, has provided some great insight on this malware. You can read his article here – http://bit.ly/cOu9IW

        We spoke with GoDaddy yesterday and they’re still investigating, and making great progress. They’ll provide information as soon as they can.

        We’ll keep updates as soon as we have any new information.

        • Rick says

          I was on the phone with GoDaddy yesterday and the tech never mentioned that this was a known issue. In fact, I’ve been on the phone with them almost every day for the past week while my site was hacked.

          It’s irritating that I have to read about this on a blog instead of getting an honest answer from their support team. They are still telling me that this is not a problem on their end and is either my or WordPress’ doing.

          Thank you for sharing this info, and I look forward to an update today.

    25. Regina says

      We are hosting a WordPress Security Gathering – A Free 90-minute Teleseminar. You can participate from anywhere in the world (phone or Internet). Let’s chat about this most recent malware attack. For more information, click here.

    26. says

      I had to talk with GoDaddy tech support for something unrelated today. I mentioned the hackings over the weekend, and the tech support guy seemed surprised. He said he hadn’t heard about it.

      …jeez…

    27. says

      We just got new information from Godaddy’s Information Security Operations department. They’ve done an extensive investigation into resolving this matter. Here’s what they had to say:

      The exploited sites were running old versions of WordPress or had carried an attack forward from an old version in the upgrade process. We saw no indication that WordPress 2.9.2 itself was successfully attacked. Please see the support article for more information.
      http://community.godaddy.com/support/?ci=19370

      We’ve also updated this post with the new information as well.

      • Arthur says

        I’m baffled. I ran 2.9.2, and I upgraded using the automatic upgrade tool within WordPress. Are they saying that’s wrong?! Rather than just covering their own back could they perhaps let their customers know what we’re supposed to be doing? How do you upgrade in the ‘wrong’ way?!

        • says

          Arthur, I’m baffled too. I am getting emails like crazy right now saying sites are reinfected. I have contacted Godaddy’s security department. This hacker is very crafty.

          As soon as I know something further, I will certainly let you know.

          • Arthur says

            Thanks Regina, seems like you’re working very hard on this issue. I’m just worried really. I got hacked once before on an old Movable Type installation and it was completely my fault (didn’t update for a year), so I have been so careful with the wordpress installation. If I don’t know how to protect it properly then it’s just scary.

            As far as I can tell I have not been reinfected – definitely no redirects or anything obvious.

    28. Preet says

      This happened to me, deleted everything and re-installed everything. Running 2.9.2 now and as of this morning a NEW script is now showing – I got hacked again! This time pointing to “http://kdjkfjskdfjlskdjf.com/kp.php”

      I took all the precautions listed here. I am on GoDaddy and everything that was happening with the attack that this thread refers to happened to me. I had it completely cleaned and now a new attack.

      HELP!!!

      My site is wheredoesallmymoneygo.com

      • says

        Hello Preet,

        Thanks for your comment. I have contacted Godaddy’s security team and let them know of this issue. You’re not alone. Several others are having the same problem this morning.

        My suggestion is to repeat the process so you don’t infect anyone’s computer. And as soon as we know ANYTHING, we will let everyone know.

        We are all working hard to find answers! We’ll keep you posted.

          • Steve says

            I’ve been working since April 18 to clean up my platform and things still aren’t quite right on the servers end.

            Your main concern right now should be intrusion monitoring. Clean up your site the best you can, backup nightly, look for suspicious file changes daily. Report any new hacks to your Host ASAP.

            I wish it wasn’t so. But this is the harsh reality we are facing right now.

    29. says

      Well, so much for 2.92 not being affected; we were just done again last night on the recently upgraded version, second time in 2 weeks.

      12.42am, 1st May 2010.

      • Steve says

        It doesn’t matter how hardened our WP installs are. We are totally helpless if a Host is under an assault-attack of this manner.

        Rogue accounts on host servers seem to be the latest security threat.

        • Infected says

          Steve,

          It doesn’t matter how hardened our WP installs are. We are totally helpless if a Host is under an assault-attack of this manner.

          I agree. I don’t think that all these hacks are happening because of my fault.
          I believe that all attacks are coming from GoDaddy side.

    30. Infected says

      Man!!!!
      4 sites hacked again on May 1.
      Replacing hacked from backup.

      GoDaddy, do something!!!!!!!!!!!

    31. Rick says

      I just got hacked again last night!!!! I am livid. I am now out 11 days of work due to this fiasco, and what is GoDaddy going to do for me? This is unacceptable, and the fact that the phone reps are STILL denying a problem is ridiculous.

    32. Michelle says

      My website was infected again! This time I caught some strange file that was uploaded to my site by using the paranoid 911 plugin. The file was called rachael_philippine.php.

      After last week’s attack I changed all passwords including database, hosting, ftp, wordpress admin along with the wordpress security keys. They still managed to get in.

      Godaddy is working on my site to clean it up, BUT until they figure out how it is being breached it’s only a temp fix.

    33. Patrick Curl says

      I’m a social media utilizer – and my sites were hacked as well – second time in a week – we’re trying to get some motion behind godaddy and make them hire some people or do something to make their service more secure. As such I’m starting a Twitter grassroots campaign. I’m in no way affiliated w/ the link – but we all need to tweet this message and retweet it as often as possible today – we’re trying to get #ihategodaddy as a trending topic.

      The tweet: RT @patrickcurl Customers transferring OUT of GoDaddy QUADRUPLE! http://bit.ly/dvwtoT #ihategodaddy pls RT

    34. says

      Awesome info. My site got hacked last night, but GoDaddy’s awesome backup system and this post got it all straight. Thank you so much!

    35. very early symptoms of pregnancy says

      You challenged me to try something new, and you have my thanks with a link from my place : )

    36. BenSpark says

      I was attacked again on Saturday morning. All my blogs were hacked again. This time I was able to roll everything back. It looks like my main blog, benspark.com is the one under attack. I installed a bunch of security plug ins and that seems to be keeping things at bay right now.

    37. Chris says

      As of last night, Dreamhost has also been hit. On my server, a few wordpress installs and a zencart install. Same script, only this time the js.php was found on zettapetta[dot]com

    38. Russell says

      Website was hacked with the same thing, but no WordPress; I do host with GoDaddy shared Linux hosting.

      The injection happened around 10:30am to 11:30am US mountain time. I believe though it happened closer to 11 am.

      I am sure about this because SMF just started putting errors in the error logs about headers being already sent, since this script messes up the headers. The headers already sent error started around 11:02:48 AM according to the SMF error logs.

      I used a recursive script to clear out all the code but I can’t investigate this any further. The access logs tell a whole different story. There is nothing stating this happened at this time or any evidence of an injection. My guess is they’re not in my logs and something may very well be wrong with my server.

    39. Ed says

      5/8/2010 our site got hacked at 4:34 AM
      Injected
      <?php /**/ eval(base64_decode("aWYoZnVuY…
      and a bunch more stuff in EVERY .php file on the site
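
Comments 14 and 39 describe the cleanup (download the site, search every .php file for the injected eval(base64_decode(...)) line, remove it, re-upload) and quote the start of that line. As an added example, not code from the original post or from anyone in the thread, here is a scanner that does that search and strip over a downloaded copy of a site; the exact form of the injected line is an assumption inferred from the quoted fragment, and the sample payload and files are constructed.

```python
"""Find and strip the 'eval(base64_decode(...))' line injected at the top of
every .php file, as described in this thread.  Added example, not code from the
original post: the shape of the injected line is inferred from the quoted
fragment, and the sample files built in demo() are constructed."""
import base64
import os
import re
import tempfile

# Quoted fragment '<?php /**/ eval(base64_decode("aWYoZnVuY...' plus an optional '?>'.
INJECT_RE = re.compile(rb'\A<\?php\s*/\*\*/\s*eval\(base64_decode\((["\'])'
                       rb'([A-Za-z0-9+/=]+)\1\)\);\s*(\?>)?[ \t]*\r?\n?')

def decode_payload(data: bytes):
    """First 60 decoded bytes of the payload (never executed), or None if clean."""
    m = INJECT_RE.match(data)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True)[:60]
    except ValueError:
        return b"<payload is not valid base64>"

def strip_injection(data: bytes) -> bytes:
    """Drop the injected statement.  With a closing '?>' the file's own '<?php'
    follows; without one the original code ran inside the injected block, so
    an opening tag is restored."""
    m = INJECT_RE.match(data)
    if m is None:
        return data
    rest = data[m.end():]
    return rest if m.group(3) else b"<?php\n" + rest

def scan_tree(root: str, fix: bool = False) -> dict:
    """{path: payload prefix} for infected .php files under root; fix=True
    strips the injection in place (run on a copy of the downloaded site)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            decoded = decode_payload(data)
            if decoded is not None:
                hits[path] = decoded
                if fix:
                    with open(path, "wb") as fh:
                        fh.write(strip_injection(data))
    return hits

def demo() -> tuple:
    """Constructed one-file site: clean it, rescan, confirm the original bytes."""
    payload = base64.b64encode(b"echo 'constructed sample payload';").decode()
    injected = f'<?php /**/ eval(base64_decode("{payload}")); ?>'.encode()
    clean = b"<?php\n// theme header\nget_header();\n"
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "x")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "wb") as fh:
        fh.write(injected + clean)  # infected file, deep in the tree
    before = scan_tree(root, fix=True)
    after = scan_tree(root)
    restored = open(os.path.join(theme, "header.php"), "rb").read()
    return sorted(os.path.basename(p) for p in before), len(after), restored == clean
```

Run it against a downloaded copy of the site first with fix=False to see which files carry the line and what the decoded payload begins with, then with fix=True on the copy before re-uploading.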

    40. says

      My godaddy sites hacked again on 5/12/10. I know godaddy believes this is my fault and not theirs, but I’ve always run the latest version of WP, all plugins, themes, etc, as well as whatever they provide. I’ve changed all passwords, etc., and the same thing happened again. Wherever the problem lies, this is a drag.

    41. says

      Damn, the virus is back. We had been informed by the GoDaddy team that it had been removed and that the details were not shared to avoid the hacker knowing the technique. Now I wonder if the secret got shared with them, as they have again injected us with the malware even though we had secured the sites with all the cautions shared here.
      The malware caused us serious loss of revenues the last time, and this time I wonder if we would be switching the site from the GoDaddy host, as all our sites hosted on other platforms are not experiencing any sort of problems even though we have not updated the security settings the way we did for sites hosted on the GoDaddy server.
      Please GoDaddy team look into the issue.
      The two sites are
      Our-Cats.com
      TechNama.com

    42. Adnan says

      I have had similar problems with my GoDaddy shared hosting (Linux). It has happened to me a few times already. However, since it infects all of the sites I have on the same account (most are WordPress, but some are Joomla based), I cannot restore files using the GoDaddy File Manager, because every time I try to restore all at once it breaks with a timeout error, and I cannot restore one by one (there are dozens of thousands of files). Does anybody know if it is possible to restore using SSH (I have it enabled) from the GoDaddy archive, and how to do it?

    43. says

      What I am looking to do is similar. I am looking to have a static page as well as the blog appear on the main page of my wordpress site. Right now going to the settings section will only allow me to do one or the other. Any feedback would be appreciated.