Mass Shared Host Website Hack

Reports began to appear on the Internet two days ago that suggested that a new mass hack was underway. It was first assumed that the hack was only targeting WordPress blogs but it soon became known that other scripts were also affected by it.

The common denominator of the hack is that all affected websites are hosted on so-called shared hosting servers, which host many websites belonging to different customers on the same machine. Affected web hosting companies are Go Daddy, Bluehost, Media temple, Dreamhost and Network Solutions. It is likely that others are affected as well.

It is not yet clear how the hack was carried out. The current theories are either weak passwords or permissive file access rights that allowed the attacker to gain access.

We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.

How do you know if your website is affected?

All of those sites had these JavaScript files added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

The script references come from a long base64-encoded string that was added to the footer.php file (or, in some cases, to all of the PHP files).

The website WP Security Lock posted detection instructions as well.

Here's some of Zettapetta's behavior:

Your website is redirected to: http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf........ or
http://www1.firesavez6.com/?p=p52dcWpkbG6HjsbIo...

This redirect page is a blank page. The source code contains the following:

404 Not Found

The page that you have requested could not be found.

All of your .php files on your WordPress contain the following malicious code. Located in the source code near the bottom of all .php files is the following script: http://zettapetta.com/js.php and http://www.indesignstudioinfo.com/

Your antivirus program blocks the installation of the threat: www.firesavez5.com or a www.firesaver6.com installer.

Sucuri.net has posted instructions on how to remove the malicious code from WordPress.

Via SSH:

If you have SSH access to your server, run the following commands from your web root:

# 1. Strip the injected line from every .php file. The search pattern for the
#    injected base64 line belongs between the first two '#' delimiters of the
#    sed expression; it is not reproduced here.
$ find ./ -name "*.php" -type f | \
xargs sed -i 's###g' 2>&1
# 2. Delete the empty lines the removal leaves at the top of each file, so that
#    PHP does not send output before its opening tag.
$ find ./ -name "*.php" -type f | \
xargs sed -i '/./,$!d' 2>&1

Via web:

If you don't have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.
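The SSH commands above are hard to check before running them against a live site, and the search pattern they rely on is not shown. As an added example that is not from the article, from Sucuri or from WP Security Lock, the POSIX shell functions below cover both the detection question ("how do you know if your website is affected?") and the cleanup: they list the PHP files that contain a marker string, strip matching lines while keeping a .bak copy, and then delete the blank lines left at the top of each file (the job of the second sed command). The marker, the constructed sample files and the function names are all assumptions made for this example; the eval(base64_decode( call is assumed as the signature of the injected base64 line, it is not something the page states.

```shell
#!/bin/sh
# Added example, not code from the article or from Sucuri. Locate PHP files that
# carry an injected line, remove that line, and drop the blank lines the removal
# leaves at the top of each file. MARKER is an assumed detection pattern.
MARKER='eval(base64_decode('

# Print the path of every .php file under $1 that contains the marker.
# Portable: uses find + grep -l instead of GNU-only grep -r --include.
find_injected() {
    find "$1" -name '*.php' -type f -exec grep -l -F "$MARKER" {} + 2>/dev/null || true
}

# Clean a single file: keep a backup, remove lines containing the marker, then
# delete every line before the first non-empty line (same effect as sed '/./,$!d').
# Output is written via redirection, so it works with BSD and GNU sed alike.
clean_file() {
    f="$1"
    cp "$f" "$f.bak"
    grep -v -F "$MARKER" "$f.bak" | sed '/./,$!d' > "$f"
}

# Clean every injected file under $1 and print the number of files cleaned.
# Paths are split on whitespace here, so this assumes file names without spaces.
clean_tree() {
    n=0
    for f in $(find_injected "$1"); do
        clean_file "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Build a constructed sample site in a temporary directory: one file with an
# injected first line (the payload "aGVsbG8=" is just "hello"), one clean file.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s\n' \
        '<?php /**/ eval(base64_decode("aGVsbG8="));' \
        '' \
        '<?php echo "footer"; ?>' > "$d/footer.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$d/index.php"
    echo "$d"
}

# Stand-alone run: show what is flagged before anything is modified.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample)
    echo "flagged before cleanup:"; find_injected "$site"
    echo "files cleaned: $(clean_tree "$site")"
    echo "flagged after cleanup: $(find_injected "$site" | wc -l | tr -d ' ')"
fi
```

Run `find_injected` on its own first and read the list before calling `clean_tree`; the .bak copies let you diff a cleaned file against the original and should be deleted from the web root once you are satisfied, since a backup that still contains the injected line is itself a file the attacker's script can be reloaded from.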

Has your blog or website been affected by the hack? Let us know how you resolved the issue in the comments.


Responses to Mass Shared Host Website Hack

  1. wow... May 9, 2010 at 6:55 pm #

    And what about ghacks? Two times out of three that I tried to read this article from my RSS reader, I got forwarded to another page that tries to scam you into believing you have a virus and tries to get you to install some crapware.

    • Anonymous May 9, 2010 at 6:58 pm #

      TRUE. My Trend WTP reports that you have a trojan problem.

    • Martin May 9, 2010 at 7:06 pm #

      Anyone else experiencing this?

      • wow... May 9, 2010 at 7:42 pm #

        Looks like it stopped now. It happened twice to me on 3 visits but stopped after that.

      • Martin May 9, 2010 at 7:44 pm #

        Can you do me a favor and make a screenshot of the issue if it happens again and save the source code of the page? Need to investigate the issue.

  2. stef May 9, 2010 at 8:08 pm #

    sure thing!
    One thing I know: it automatically forwarded me to one of a few URLs, one of which doesn't seem to work anymore.

    http://www4.suitcase52td.net/?p=p52dcWpkbmmHnc3KbmNToKV1iqHWnG2cXpO...

    ^^^^ that one works still

    http://www1.firesavez7.com/?p=p52dcWpkbmmHjsbIo216h3de0KCfYWCcU9LXoKitaVzHysd2lJN%2Fel6orKWeY5WWZWRkZ2VonJOIo6T....

    Never mind, the 2nd one works again; sometimes it 404's, sometimes it doesn't.
    I cut it like in your article to make sure nobody clicks on it...

    one is similar to the one in your article oddly enough :-/

    • Martin May 9, 2010 at 10:16 pm #

      Thanks Stef and everyone, should be sorted out by now.

  3. rvdmast May 9, 2010 at 8:21 pm #

    Yup, I got redirected too to some scam page when I clicked the article link to this article.
    Happened only the first time though... can't seem to reproduce it... yet.

  4. rvdmast May 9, 2010 at 8:34 pm #

    Sorry, I didn't make a screenshot, I was rather in a hurry to kill Firefox with Task Manager before it would do damage, and I'm certainly not going there again. I could tell you the URL it redirected me to, though I don't think it'd be wise to post it here. I'll just use your contact form to send a message.

    • Martin May 9, 2010 at 10:15 pm #

      Ok, I now know what happened. My blog was not hacked (thank god). The text that I copied from one of the sites (the second quote) contained script references to the two JavaScript files, which would get loaded if a user opened the blog article. I have edited the script reference and it should now display as safe again.

      • Alec_Burgess May 10, 2010 at 12:27 am #

        So if I understand correctly, you accidentally hacked your own site?

      • Martin May 10, 2010 at 8:22 am #

        Well, it was never hacked. Just the script tags that load the JavaScript files were embedded in the quote from the other site.

  5. WayneW May 10, 2010 at 1:30 am #

    Happened to me earlier today accessing this page. Avast stopped it cold.
    Sorry, didn't note the redirect.

  6. alexander May 10, 2010 at 7:42 am #

    I've been redirected the first time that I visited this article!!

    My NOD32 did NOT stop the threat and I saw a quick fake AV scan for a few seconds.

    I don't see strange processes or threats, but I'm worried after that.
    Am I infected??? What am I supposed to do???

    Thanks in advance.

    • stef May 10, 2010 at 12:34 pm #

      The site you fall on would have tried to make you download some executable file. If you didn't download and install that executable, you're fine.

  7. heidi May 10, 2010 at 5:16 pm #

    This happened to me today when visiting a site. Can't even remember what the site was. I was directed to the www1.firesavez7.com site where they were attempting to force a download. Not thinking, I did download it, but McAfee refused to allow it to be installed. (Thank goodness.) I assume this means my system is still okay? I'm currently running a full scan on my computer and files.

    what a mess!!!

    i did a screen print but not sure how to post it here. :)

  8. marcella May 10, 2010 at 10:27 pm #

    Just tried to open a site hosted by WordPress and was redirected to the www1.firesavez7.com site.

  9. Darrell May 11, 2010 at 12:13 am #

    When I tried visiting a WordPress site my Firefox browser went away and I had a Firefox dialog box that said I should scan my computer or something. The only option was to hit OK. So I used Task Manager to kill Firefox. Opening Firefox again just loaded the page again because of the way I had killed the session. So I blocked the firesavez7 domain in my hosts file and was able to get into Firefox again to delete the website session it was attempting to restore.

  10. darrell May 11, 2010 at 2:39 am #

    Would blocking unwanted characters (commas, apostrophes, and the such), and blocking POST requests that don't have the referrer of your domain help against your site being the entry point for these attacks?

    http://www.hackerfactor.com/blog/index.php?/archives/342-Better-Than-Nothing-Security,-Part-IV.html

  11. RA May 12, 2010 at 6:16 pm #

    Yep, my website has it. It is on GoDaddy and they don't think it has anything to do with their server. I have been talking to the support team and they are basically saying that since I have a website, I put it there.

    what the......

    I am about to name them on my website if they dont try to fix this issue. Furthermore, my husband has taken the virus out of my site by going line by line by line ....

    and it came back 3 days later. Obviously this is a server issue,
    and secondly, I have Joomla, and the most up to date version.

    this virus is getting on my nerves! lol...

  12. netdragon May 12, 2010 at 6:23 pm #

    I looked at your script and it looks pretty good however there is one issue - it doesn't remove newlines that are left at the top of the file that php complains about. Or am I missing something? (I haven't tested, just inspected)

    Over the weekend, I used notepad++'s regexp abilities to remove the lines (and also the newlines left behind). I then tarred it up to the server and wrote a shell script in ssh to unpack it.

    Since this stupid thing comes back every few days until the hosting services find the cause, I can then untar the tar file each time to eliminate it again.

  13. AUX May 27, 2010 at 10:57 pm #

    This issue is still in full swing.
