Mass Shared Host Website Hack
Reports began to appear on the Internet two days ago suggesting that a new mass hack was underway. It was first assumed that the hack was only targeting WordPress blogs, but it soon became known that other scripts were affected as well.
The common denominator of the hack was that all affected websites were hosted on so-called shared hosting servers. These servers host multiple websites belonging to different users. Affected web hosting companies are Go Daddy, Bluehost, Media Temple, Dreamhost and Network Solutions. It is likely that others are affected as well.
It is not clear yet how the hack was carried out. Current theories point to either weak passwords or overly permissive file access rights that let the attacker gain access.
We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.
How do you know if your website is affected?
The malicious code came from a long base64-encoded string added to their footer.php file (or to all the PHP files in some cases).
The website WP Security Lock posted detection instructions as well.
Here's some of Zettapetta's behavior:
Your website is redirected to: http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf........ or
This redirect page is a blank page. The source code contains the following:
404 Not Found
The page that you have requested could not be found.
All of the .php files on your WordPress site contain the following malicious code. Located in the source code near the bottom of all .php files is the following script: http://zettapetta.com/js.php and http://www.indesignstudioinfo.com/
Your antivirus program blocks the installation of the threat: www.firesavez5.com or a www.firesaver6.com installer.
Sucuri.net has posted instructions on how to remove the malicious code from WordPress.
If you have SSH access to your server, run the following commands on your web root:
$ find ./ -name "*.php" -type f | \
xargs sed -i 's###g' 2>&1
$ find ./ -name "*.php" -type f | \
xargs sed -i '/./,$!d' 2>&1
If you don't have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.
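The two commands above strip the injected block and the blank lines it leaves behind, but they give no report of what was found or where. The following Python script is an added example, not Sucuri's wordpress-fix.php and not code from the article, that does the same job in a reviewable way: it walks a web root, flags every .php file containing an eval(base64_decode("...")) block, decodes the payload for triage without ever executing it, and, when asked, removes the block, keeps a .bak copy of the original and strips the leading blank lines that the second sed command above removes. The eval(base64_decode(...)) shape is an assumption, since the article does not reproduce the injected block; adjust INJECT_RE to what you actually find in an infected file. The sample files the script builds are constructed, carry a harmless payload, and are not the real malware.

```python
import base64
import os
import re
import tempfile

# Shape of the injection the article describes: one PHP block that evals a long
# base64-encoded string. The page does not reproduce the exact block, so this
# pattern (an assumption) matches the eval(base64_decode("...")) construct in
# general; tighten it to what you actually see in an infected file.
INJECT_RE = re.compile(
    rb'<\?php\s*(?:/\*.*?\*/\s*)?'          # optional leading /**/ comment
    rb'eval\s*\(\s*base64_decode\s*\(\s*'
    rb'["\']([A-Za-z0-9+/=]+)["\']'         # the encoded payload (captured)
    rb'\s*\)\s*\)\s*;?\s*\?>',
    re.DOTALL,
)
# Blank lines at the very top of a file: what the page's sed '/./,$!d' removes.
LEADING_BLANK_RE = re.compile(rb'\A(?:[ \t]*\r?\n)+')


def decode_preview(payload, limit=80):
    """Decode the base64 payload for triage only; it is never executed."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return "<not valid base64>"
    text = raw.decode("utf-8", errors="replace")
    return text[:limit] + ("..." if len(text) > limit else "")


def scan_php_file(path):
    """Return one record per injected block found in a single PHP file."""
    with open(path, "rb") as fh:
        content = fh.read()
    return [{"path": path, "offset": m.start(), "preview": decode_preview(m.group(1))}
            for m in INJECT_RE.finditer(content)]


def scan_tree(root):
    """Walk a web root; return {path: findings} for every .php file that matches."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                found = scan_php_file(path)
                if found:
                    hits[path] = found
    return hits


def clean_php_file(path, dry_run=False):
    """Remove injected blocks plus the blank lines they leave at the top of the file.

    Returns (blocks_removed, leading_blank_run_stripped); the second value is 0 or 1.
    With dry_run=True nothing is written; otherwise the original is kept as <path>.bak."""
    with open(path, "rb") as fh:
        original = fh.read()
    cleaned, removed = INJECT_RE.subn(b"", original)
    stripped = 0
    if removed:
        # A block removed from the top of the file leaves a leading newline, which
        # makes PHP send output before any header() call ("headers already sent").
        cleaned, stripped = LEADING_BLANK_RE.subn(b"", cleaned)
        if not dry_run:
            os.replace(path, path + ".bak")   # keep the evidence for later analysis
            with open(path, "wb") as fh:
                fh.write(cleaned)
    return removed, stripped


def build_sample_tree(root):
    """Write a constructed set of PHP files (not real malware) into root."""
    payload = base64.b64encode(b'echo "constructed sample payload";').decode()
    block = '<?php /**/ eval(base64_decode("%s"));?>' % payload
    files = {
        "index.php": "<?php\necho 'clean file';\n",
        # block appended after the theme's closing markup, as in the footer.php case
        "footer.php": "<?php\n// theme footer\n?>\n</body></html>\n" + block,
        # block at the very top, which leaves a blank first line once removed
        "header.php": block + "\n\n<?php\ndefine('DB_NAME', 'example');\n",
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(text.encode("utf-8"))


def run_demo():
    """Build the sample tree in a temp dir, scan it, clean it, and return the results."""
    root = tempfile.mkdtemp(prefix="phpscan-")
    build_sample_tree(root)
    results = {}
    for path, found in sorted(scan_tree(root).items()):
        name = os.path.basename(path)
        results[name] = {"preview": found[0]["preview"], "cleaned": clean_php_file(path)}
        with open(path, "rb") as fh:
            results[name]["head"] = fh.read()[:6]
    results["hits_after"] = len(scan_tree(root))
    return results


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(name, info)
```

Run it as-is to see the demo on the constructed sample tree; against a real site, call scan_tree("/path/to/webroot") first, review the decoded previews, and run clean_php_file(path, dry_run=True) before cleaning for real. As the comments on this page report, the injection returns within days if only the symptom is removed, so the cleanup has to be paired with fixing the entry point the article names as suspect: passwords and file permissions.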
Has your blog or website been affected by the hack? Let us know how you resolved the issue in the comments.
And what about ghacks? Two times out of three when I tried to read this article from my RSS reader, I got forwarded to another page that tries to scam you into believing you have a virus and tries to get you to install some crapware.
TRUE. My Trend WTP reports that you have a trojan problem.
Anyone else experiencing this?
Looks like it stopped now. It happened twice to me on 3 visits but stopped after that.
Can you do me a favor and make a screenshot of the issue if it happens again and save the source code of the page? Need to investigate the issue.
One thing I know: it automatically forwarded me to one of a few URLs, one of which doesn’t seem to work anymore
^^^^ that one works still
Never mind, the 2nd one works again; sometimes it 404s, sometimes it doesn’t
I cut it like in your article to make sure nobody clicks on it…
One is similar to the one in your article, oddly enough :-/
Thanks Stef and everyone, should be sorted out by now.
Yup, I got redirected too, to some scam page, when I clicked the article link to this article.
Happened only the first time though… can’t seem to reproduce it… yet
Sorry, didn’t make a screenshot; I was rather in a hurry to kill Firefox with Task Manager before it could do damage, and I’m certainly not going there again. I could tell you the URL it redirected me to, though I don’t think it’d be wise to post it here. I’ll just use your contact form to send a message.
So if I understand correctly, you accidentally hacked your own site?
Happened to me earlier today accessing this page. Avast stopped it cold.
Sorry, didn’t note the redirect.
I was redirected the first time I visited this article!!
My NOD32 did NOT stop the threat and I saw a quick fake AV scan for a few seconds.
I don’t see strange processes or threats but I’m worried after that.
Am I infected??? What am I supposed to do???
Thanks in advance.
The site you fall on would have tried to make you download some executable file. If you didn’t download and install that executable, you’re fine.
This happened to me today when visiting a site. Can’t even remember what the site was. I was directed to the www1.firesavez7.com site where they were attempting to force a download. Not thinking, I did download it, but McAfee refused to allow it to be installed. (Thank goodness.) I assume this means my system is still okay? I’m currently running a full scan on my computer and files.
What a mess!!!
I did a screen print but not sure how to post it here. :)
Just tried to open a site hosted by WordPress and was redirected to the www1.firesavez7.com site
When I tried visiting a WordPress site my Firefox browser went away and I had a Firefox dialog box that said I should scan my computer or something. The only option was to hit OK. So I used Task Manager to kill Firefox. Opening Firefox again just loaded the page again because of the way I had killed the session. So I blocked the firesavez7 domain in my hosts file and was able to get into Firefox again to delete the website session it was attempting to restore.
Would blocking unwanted characters (commas, apostrophes, and the such), and blocking POST requests that don’t have the referrer of your domain help against your site being the entry point for these attacks?
Yep, my website has it. It is on GoDaddy and they don’t think it has anything to do with their server. I have been talking to the support team and they are basically saying that since I have a website, I put it there.
I am about to name them on my website if they don’t try to fix this issue. Furthermore, my husband has taken the virus out of my site by going line by line by line ….
and it came back 3 days later. Obviously this is a server issue
And secondly, I have Joomla, and the most up-to-date version.
This virus is getting on my nerves! lol…
I looked at your script and it looks pretty good; however, there is one issue: it doesn’t remove newlines that are left at the top of the file that PHP complains about. Or am I missing something? (I haven’t tested, just inspected)
Over the weekend, I used notepad++’s regexp abilities to remove the lines (and also the newlines left behind). I then tarred it up to the server and wrote a shell script in ssh to unpack it.
Since this stupid thing comes back every few days until the hosting services find the cause, I can then untar the tar file each time to eliminate it again.
This issue is still in full swing.