We have confirmed reports that numerous websites hosted at GoDaddy, including WordPress blogs, have been hacked with myblindstudioinfoonline[dot]com malware.
Our first confirmed report of an infected site hosted at Go Daddy was on September 17, 2010 at 5:27pm, the time at which all the .php files were changed.
At this time, it is unclear as to whether any other hosting provider has been affected.
This is dangerous malware and can infect your computer!
This malicious script gets injected into .php files and redirects website visitors to a fake AV page. The fake AV page attempts to make the user think their computer is infected and offers to fix it by downloading a program.
Symptoms of myblindstudioinfoonline[dot]com malware
- When visiting an infected website, it redirects you to another website with a message that says your computer is infected and tries to download a fix. WARNING: Do not attempt to visit any website links without protecting your computer first with a good, up-to-date antivirus program like AVG and MalwareBytes and a firewall.
- The .php files located on the server have the same “last modified” date and approximately the same time.
- Located at the top of each changed .php file is a very long block of code that may contain something like base64_decode.
- When viewing the source code from an Internet browser, the following script is found towards the bottom of the file just before the closing </body> tag: <script src="myblindstudioinfoonline[dot]com/ll[dot]php"></script>
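The two file-level symptoms above (a very long base64_decode line at the top of changed .php files, and many files sharing one modification time) can be checked with a short script. This is an added example, not part of the original article; the thresholds, function names and the sample webroot it builds are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Thresholds are assumptions for this example, not values from the article.
HEAD_BYTES = 4096      # the injected code sits at the top of the file
LONG_LINE = 500        # "very long code": a single line longer than this
BUCKET_SECONDS = 300   # mtimes in the same 5-minute window count as "same time"
DECODER = re.compile(rb"base64_decode\s*\(")

def scan_webroot(root):
    """Return (suspicious_files, largest_mtime_cluster) for .php files under root."""
    suspicious, buckets = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            # Flag a long line that calls base64_decode; a short legitimate call is not enough.
            if any(len(line) > LONG_LINE and DECODER.search(line) for line in head.splitlines()):
                suspicious.append(path)
            bucket = int(os.path.getmtime(path)) // BUCKET_SECONDS
            buckets.setdefault(bucket, []).append(path)
    cluster = max(buckets.values(), key=len, default=[])
    return sorted(suspicious), sorted(cluster)

def build_sample(root, when=1284762000):
    """Write a constructed webroot: two tampered files and two clean ones."""
    blob = b"QUFB" * 300  # harmless placeholder that decodes to a run of "A"
    injected = b'<?php base64_decode("' + blob + b'"); ?>\n<?php echo "page"; ?>\n'
    files = {
        "index.php": (injected, when),
        "wp-config.php": (injected, when + 20),
        "old.php": (b'<?php echo "untouched"; ?>\n', when - 30 * 86400),
        "util.php": (b'<?php $x = base64_decode($row["avatar"]); ?>\n', when - 60 * 86400),
    }
    for name, (body, mtime) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample(webroot)
        flagged, cluster = scan_webroot(webroot)
        print([os.path.basename(p) for p in flagged], [os.path.basename(p) for p in cluster])
```

Files that land in both lists are the ones to compare against a clean backup first. Fixed time windows can split a batch that straddles a window boundary, so treat the cluster as a hint rather than proof.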
Blacklisted by Firefox and Google
Luckily, Firefox and Google have blacklisted http://myblindstudioinfoonline[dot]com.
You can view Google's report here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=www.myblindstudioinfoonline.com
According to Google's Safe Browsing report, this website has not resulted in malicious software being downloaded or installed without a user's consent.
Even though Google's report shows that no malicious software has been unwillingly downloaded, I am not convinced that is true. An unprotected computer can get infected by downloading this malicious software.
What else we know so far
According to Sucuri.net, other domains being used in this attack are:
- http://www3. security-power31 .co.cc (spaces in url left intentionally)
- http://www4 .megaav-soft74. co.cc (spaces in url left intentionally)
This domain is registered to Hillary Kneber, the same registrant name as in the previous attacks made on many major hosting companies in May 2010.
How to fix your hacked WordPress website:
- Remain calm! It can be fixed!
- Run a virus scan on your computer to make sure it is not infected.
- Remove your website from the server and restore it with a clean copy.
If you're unsure how to do this, we're here to help you! Contact us.
If you'd like us to fix your website for you, see our WordPress Hacking, Virus, and Malware Removal and Website Restoration package.
How to monitor your website for malware
Monitoring your website for malicious activity is essential for any webmaster. If your site gets hacked and the hack goes undetected, you risk infecting your visitors' computers and damaging your reputation.
You can put your website on autopilot for malware scans with Web Integrity Monitoring by Sucuri. It detects any unauthorized changes to your website, DNS, whois or SSL certificates. They scan your website (even hourly) for malware, viruses, spam and security issues.
We highly recommend this service and use it ourselves. No webmaster should be without it! Use our discounted affiliate link below and save.
Go to: https://wpsecuritylock.com/sucuri (Only $7.99/month or $79.99/year)
We will update this section as new information comes in.
09-18-2010 at 11:31 am CST – We contacted GoDaddy and they are aware of this situation. They are currently working on it and will give us an update soon.
09-18-2010 at 2:43pm CST – Go Daddy released this statement to us to share with you.
An exploit affected PHP files on approximately 150 Go Daddy accounts Friday afternoon. Go Daddy's Security Team worked quickly to clean and restore these websites, however, we have detected additional customer sites that may currently be experiencing difficulties due to this same attack.
Go Daddy's Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.
Meantime, our team is working swiftly to restore all affected websites and appreciates customer feedback. Go Daddy will continue to monitor as long as it takes to ensure our customer accounts are clean.
If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.
Go Daddy Chief Information Security Officer
09-20-2010 at 10 am CST – I just posted a new statement from Go Daddy and more information about the myblindstudioinfoonline malware and some WordPress security tips – read it here.
We need your help
If your website's been infected and you're not hosting at GoDaddy, let us know. If you find any new domain redirects being used in this attack, share it with others. Let's work together as a community to protect each other. Share your comments below.
P.S. Help spread awareness by telling others and sharing this article on Twitter and Facebook.