On September 17, 2010, numerous websites hosted at GoDaddy, including WordPress blogs, were hacked with myblindstudioinfoonline[dot]com malware.
Affected websites had a long block of malicious PHP injected at the top of their .php files. The block is obfuscated and typically contains a call such as base64_decode that unpacks the real payload at runtime.
When a page is served, this injected code emits a hidden script tag on the page: <script src="http://myblindstudioinfoonline[dot]com/ll.php"></script>, which redirects visitors to another website.
The redirect site is a fake AV (anti-virus) scam, also known as “scareware.” This scareware tries to trick the visitor into thinking their computer is infected and offers a “download” solution. Unfortunately, this solution is a VIRUS!
On the morning of September 18, 2010, we reached out to GoDaddy for you. They informed us that their Security Team was already working diligently to identify the cause and resolve this issue. By 2:43pm CST, Go Daddy released their first statement advising all customers who believe they have a problem to change their FTP passwords and fill out their security submission form.
On September 19, 2010 at 9 pm CST, we received a new statement from Go Daddy that they've cleaned and restored all affected websites:
The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.
Go Daddy's Security Team worked quickly to clean and restore all affected sites. The exploit was caused by malicious files uploaded via FTP to customer websites.
As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://help.godaddy.com/article/6.
As always, Go Daddy's Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy's 24/7 Customer Support.
Thank you,
Todd Redfoot
Go Daddy Chief Information Security Officer
Go Daddy has advised that they will continue to closely monitor the environment.
At this time, it's still unclear whether other websites hosted elsewhere have been affected. If you know someone hosted elsewhere that experienced this malware, please leave a comment below.
Whois myblindstudioinfoonline[dot]com?
The domain name myblindstudioinfoonline[dot]com is registered to Hilary Kneber. That registrant is not an unfamiliar name: it's the same registrant behind the mass attacks across numerous major hosting companies in May, 2010. Hilary Kneber is listed as the registrant of 407 other domain names, and I don't think we've seen the last of them yet.
Stay proactive! Monitor your website 24/7 with Sucuri Web Integrity Monitoring. It's what we use and recommend to all webmasters. Use our discounted affiliate link and save: https://wpsecuritylock.com/sucuri.
Warning: If you've had an FTP breach, please do the following immediately!
- Change all of your FTP passwords (Check to see if you have more than one FTP account).
- Change your database passwords (If hackers got into your FTP, did they look at your wp-config.php file?).
- Change your Authentication Unique Keys and Salts (Again, wp-config.php).
- Change your WordPress user passwords (Change any "administrator" account passwords as a safety measure).
- Check your permissions on your server. Make sure your directories (folders) are set to 755 and your files are set to 644 (Sometimes hackers like to change CHMOD permissions while they're in there).
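The injection described at the top of this post and the permissions step in the checklist above, as an added example that is not part of the original post: a POSIX shell script that lists .php files whose first lines contain the markers the post describes (a base64_decode call or the myblindstudioinfoonline domain) and then resets directories to 755 and files to 644. The pattern, the five-line window, the function names and the sample files are my assumptions, not anything GoDaddy or the post supplied.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX find, head, grep
# and chmod. The injection markers and the "first 5 lines" window are
# assumptions based on the post's description (malicious PHP at the top of
# each .php file, usually wrapped in base64_decode).
INJECT_RE='base64_decode|myblindstudioinfoonline'

# scan_php_injections DIR
# Print the path of every .php file under DIR whose first 5 lines match
# INJECT_RE. Legitimate WordPress core files start with a docblock, so a
# base64_decode call that early is a strong (not perfect) indicator.
scan_php_injections() {
    find "$1" -type f -name '*.php' -exec sh -c '
        re=$1; shift
        for f do
            if head -n 5 "$f" | grep -qE "$re"; then
                printf "%s\n" "$f"
            fi
        done' sh "$INJECT_RE" {} +
}

# count_php_injections DIR
# Number of flagged files, as a bare integer (handy for scripting and cron).
count_php_injections() {
    scan_php_injections "$1" | wc -l | tr -d ' '
}

# fix_permissions DIR
# Reset every directory to 755 and every file to 644, the values the
# checklist recommends. Review the scan output and clean the flagged files
# before (or instead of) trusting this alone; permissions do not remove code.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: sh scan.sh /path/to/web/root
if [ -n "${1:-}" ]; then
    echo "Flagged files under $1:"
    scan_php_injections "$1"
fi
```

Run the scan first, compare each flagged file against a known-good copy from your backup or a fresh WordPress download, then apply fix_permissions once the files are clean. The pattern is intentionally narrow; a file the attacker obfuscated differently will not be flagged, so this is a quick triage tool rather than a replacement for a full scan.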
For more info about myblindstudioinfoonline malware, read our previous post.
Was your WordPress site hacked but fixed and still looks funny?
Many times, WordPress users ask me why their wp-admin “Dashboard” still looks strange after it's been fixed. The answer is you need to clean your browser cookies and cache.
Updates:
09-20-2010 – We'd like to send a big thank you to Rich Dougan for pointing out a typo in this post, "we hacked" instead of "were hacked". We have now updated that paragraph. We're here to slap hackers and help protect your websites. You rock, Rich!
We'd love your feedback
If you found this post helpful or have any questions or feedback, leave your comment below.
Securely yours,
Regina Smola
WordPress Security Specialist
Follow on Twitter @WPSecurityLock
Become a Facebook Fan
P.S. Help spread awareness by telling others, share this article on Twitter and Facebook.
Rich Dougan says
Thanks for this update. These early warning signals help. When I hear of these types of attacks I do a quick scan of all the installs I support regardless of host.
Regina Smola says
You’re welcome, Rich.
I’m glad to hear you’re proactive in monitoring and protecting your websites.
Hacked Again says
Sure. :/ They fix symptoms, not the problem.
Last night two of my sites were hacked again, but….
I noticed that only when I tried to login and received an error (one line with error code) but the front end looked fine. Looked at the source and found a long white area right at the beginning of the code. Didn’t find any links at the end of the site.
Technically, the site was hacked but the hack either didn't work properly (as it did multiple times before) or they just didn't have time to finish it. Not sure.
I upgraded to WP3.0.1 two days ago (after last hack). Maybe new WP is more resistant to this type of hack?
By the way, I tried all these WP password changes, DB password changes before and it didn’t work.
I think it’s either GoDaddy (most likely) or WP problem (less likely). Our sites will be hacked until they fix the problem.
Regina Smola says
Thanks for your comment. Are you saying that your site was cleaned and restored by GoDaddy and it was hacked again last night? If so, is it the same code or different?
Regina Smola says
Also, this would not be a WordPress issue.
Hacked Again says
Nope, I cannot afford to wait for GoDaddy. That's too expensive to lose all these hours. 🙂
I restored all files from my backup and after that updated to WP3.0.1
I don’t know. As I said, most FTP files were modified BUT the front end of the site looked absolutely normal, without any junk in the source.
Also, I found two occurrences of each key file on the FTP server.
For example, one of them wp-config.php and another one wp-config.INFECTED.PHP (or something like that).
I found that my site is hacked again only when I got an error message trying to log in.
Same problem with both hacked sites, normal front end but all ftp sites modified with duplicated INFECTED files.
I think you are right.
Regina Smola says
I believe that all the files that have INFECTED.PHP are the files that GoDaddy cleaned for you. They left those copies on the server. You might want to check with them on that.
Glad you got your site upgraded and all is well.
If you find that your Dashboard looks funny, you need to clean your cookies and clear your cache so it will return to normal on your display.
Hope that helps. Thanks again for letting me know.
Hacked Again says
That’s a good idea. I didn’t think about it.
But… does it mean GoDaddy cleaned my files AFTER I already fixed both sites myself?
I fixed both sites about two days ago, but INFECTED.PHP files appeared last night. Weird!
If they cleaned my sites, I prefer them not to do it in the future because after the “cleaning” my login page stopped working.
Regina Smola says
I did confirm that they added the INFECTED.PHP files in the clean up process.
I just posted a new post about those that got hacked and a new statement from Go Daddy here:
https://wpsecuritylock.com/go-daddy-fixing-hacked-websites-for-customers/
They will be removing those INFECTED.PHP files shortly.
Hacked Again says
Thanks, I guess tonight I’ll change all FTP passwords AGAIN.
Regina Smola says
Did you change your FTP password after the attack on Friday and then were hacked again?
According to Go Daddy's Security Team, anyone that did not change their FTP password was hacked again. But those who did change them were not reinfected.
Hacked Again says
No, I didn’t change my password after the attack on Friday.
But I changed my ftp passwords a few times during the previous “hack session”, a few months ago and it didn’t help.
How can you confirm that changing the password works?
I hope, really hope, they are right.
I’ll be changing ftp and database passwords tonight. Also, I’ll be updating all sites to WP3.0.1
Regina Smola says
I can’t confirm that changing your password will work for this hacker attack. I just know that Go Daddy told me it was an FTP breach and advised all customers to change their FTP passwords.
What worries me is that it’s the same registrar as the previous attacks on many major hosting companies back in May, 2010, including Go Daddy. Either the hackers used the same name to throw people off or they are the same group of malicious rats!
Updating your WordPress to 3.0.1 and changing your passwords is an excellent idea.
Hopefully this is the last of this nightmare and I’m keeping my fingers crossed. But we all need to be on high alert!
My suggestion is to also get your site on 24/7 monitoring with hourly malware scans. Here's my discounted affiliate link – https://wpsecuritylock.com/sucuri. It's only $7.99/month and worth its weight in gold. I use it for all my websites.
Hacked Again says
Well…
Last night I pulled a new hard drive, installed into my laptop and reinstalled Windows from scratch.
I guess it should rule out any viruses/spyware. 🙂
I plan to use this laptop ONLY for monitoring and editing my sites. Nothing else will be installed besides NOD32 antivirus and FileZilla FTP client. I’m not going to use it for any web browsing.
After that I changed all FTP passwords and Authentication Unique Keys. Upgraded all WP blogs to v3.0.1
Tonight I'm changing database and WP user passwords. Also, I'll go through file permissions.
We'll see how it works after that. If my sites are hacked even after that, most likely it's GoDaddy's fault.
I'm starting to think that they have an angry insider causing all these problems but this is just a guess.
I never had problems with my WP blogs before even though I was running way outdated versions with the same passwords for YEARS!!!! All this nightmare started a few months ago.
Regina Smola says
Wow! You are really taking your website security seriously. I’m very glad to hear it.
Keep up the good work in staying proactive.
Matthew Miller says
Hi. Some of our websites were affected on September 18. I restored them using GoDaddy’s Restore feature, but they were infected AGAIN yesterday (September 26). The attack was very similar, with Javascript being injected into every PHP file.
I changed FTP passwords after it happened, so I’m confused…
Regina Smola says
Hi Matthew,
Sorry to hear you got hacked again. I’ve been trying to reach you via email. Can you please contact me so we can discuss your latest attack on your websites. I need to do some more forensics.
Thanks,
Regina