Mass Shared Host Website Hack

Martin Brinkmann
May 9, 2010
Updated • Mar 25, 2021
Security

Reports began to appear on the Internet two days ago that suggested that a new mass hack was underway. It was first assumed that the hack was only targeting WordPress blogs but it soon became known that other scripts were also affected by it.

The common denominator of the hack was that all affected websites were hosted on so-called shared hosting servers, which host multiple websites belonging to different customers. Affected web hosting companies include Go Daddy, Bluehost, Media Temple, Dreamhost and Network Solutions, and it is likely that others are affected as well.

It is not yet clear how the hack was carried out. The current theories are either weak passwords or file access rights that allowed the attacker to gain access.

We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.

How do you know if your website is affected?

All those sites had this JavaScript added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

These came from a long base64-encoded string added to their footer.php file (or, in some cases, to all of the PHP files).

The website WP Security Lock posted detection instructions as well.

Here's some of Zettapetta's behavior:
Your website is redirected to: http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf........ or
http://www1.firesavez6.com/?p=p52dcWpkbG6HjsbIo...
This redirect page is a blank page. The source code contains the following:

404 Not Found

The page that you have requested could not be found.
All of your .php files on your WordPress contain the following malicious code... Located in the source code near the bottom of all .php files is the following script: http://zettapetta.com/js.php and http://www.indesignstudioinfo.com/
Your antivirus program blocks the installation of the threat: www.firesavez5.com or a www.firesaver6.com installer.

Sucuri.net has posted instructions on how to remove the malicious code from WordPress.

Via SSH:

If you have SSH access to your server, run the following commands on your web root:

$ find ./ -name "*.php" -type f | \
xargs sed -i 's###g' 2>&1
$ find ./ -name "*.php" -type f | \
xargs sed -i '/./,$!d' 2>&1

Via web:

If you don't have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.
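As an added example (not code from this page, Sucuri or WP Security Lock) that serves both the "how do you know if your website is affected" question above and the cleanup steps just described: a Python scanner that flags PHP files carrying a script tag for either of the two hosts named in the reports, or a long base64 blob passed to eval(base64_decode()), and a clean() step that mirrors the two sed commands, including the removal of leading empty lines. The eval(base64_decode()) shape is an assumption, since the page does not show the injected PHP itself, and the sample footer is constructed.

```python
import base64
import binascii
import re
from pathlib import Path

# Hosts named in the reports on this page; the injected tag loads a script from one of them.
KNOWN_HOSTS = ("zettapetta.com", "www.indesignstudioinfo.com")
SCRIPT_TAG = re.compile(r'<script[^>]*src=["\']https?://(?:%s)/[^"\']*["\'][^>]*>\s*</script>'
                        % "|".join(map(re.escape, KNOWN_HOSTS)), re.IGNORECASE)
# eval(base64_decode("<long blob>")), either as a self-contained <?php ... ?> block
# (removed whole) or as a bare statement. The page does not show the injected PHP,
# so this shape is an assumption about how the base64 blob gets executed.
STMT = r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]{100,})["\']\s*\)\s*\)\s*;?'
EVAL_B64 = re.compile(r'<\?php\s*%s\s*\?>|%s' % (STMT, STMT), re.DOTALL)

def find_indicators(text):
    """Return (kind, evidence) pairs for every indicator found in one file's text."""
    hits = [("script_tag", m.group(0)) for m in SCRIPT_TAG.finditer(text)]
    for m in EVAL_B64.finditer(text):
        blob = m.group(1) or m.group(2)
        try:  # decode a prefix so the report shows what the blob would run
            evidence = base64.b64decode(blob + "=" * (-len(blob) % 4))[:60].decode("latin-1")
        except binascii.Error:
            evidence = "<undecodable base64>"
        hits.append(("eval_base64", evidence))
    return hits

def clean(text):
    """Drop the indicators, then any leading empty lines (the sed '/./,$!d' step),
    which PHP would otherwise output before the site can send its headers."""
    lines = EVAL_B64.sub("", SCRIPT_TAG.sub("", text)).splitlines(keepends=True)
    while lines and lines[0].strip("\r\n") == "":
        lines.pop(0)
    return "".join(lines)

def scan_tree(root, fix=False):
    """Map each infected *.php file under root to its hits; rewrite it in place when fix is set."""
    report = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="latin-1")  # lossless byte round trip
        if hits := find_indicators(text):
            report[str(path)] = hits
            if fix:
                path.write_text(clean(text), encoding="latin-1")
    return report

# Constructed sample of an infected footer.php (not a real capture), used by the check below.
BLOB = base64.b64encode(b'echo \'<script src="http://zettapetta.com/js.php"></script>\';' * 2).decode()
SAMPLE = ('\n\n<?php wp_footer(); ?>\n<?php eval(base64_decode("%s")); ?>\n'
          '<script src="http://zettapetta.com/js.php"></script>\n</body></html>\n' % BLOB)
```

Call scan_tree("/path/to/webroot") to report and scan_tree("/path/to/webroot", fix=True) to rewrite infected files in place; take a full backup first, and expect the files to be reinfected until the host closes the entry point.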

Has your blog or website been affected by the hack? Let us know how you resolved the issue in the comments.


Comments

  1. AUX said on May 27, 2010 at 10:57 pm

    This issue is still in full swing.

  2. netdragon said on May 12, 2010 at 6:23 pm

    I looked at your script and it looks pretty good; however, there is one issue: it doesn’t remove newlines that are left at the top of the file that PHP complains about. Or am I missing something? (I haven’t tested, just inspected.)

    Over the weekend, I used notepad++’s regexp abilities to remove the lines (and also the newlines left behind). I then tarred it up to the server and wrote a shell script in ssh to unpack it.

    Since this stupid thing comes back every few days until the hosting services find the cause, I can then untar the tar file each time to eliminate it again.

  3. RA said on May 12, 2010 at 6:16 pm

    Yep, my website has it. It is on GoDaddy and they don’t think it has anything to do with their server. I have been talking to the support team and they are basically saying that since I have a website, I put it there.

    What the……

    I am about to name them on my website if they don’t try to fix this issue. Furthermore, my husband has taken the virus out of my site by going line by line by line ….

    and it came back 3 days later. Obviously this is a server issue,
    and secondly, I have Joomla, and the most up to date version.

    This virus is getting on my nerves! lol…

  4. darrell said on May 11, 2010 at 2:39 am

    Would blocking unwanted characters (commas, apostrophes, and such), and blocking POST requests that don’t have the referrer of your domain, help against your site being the entry point for these attacks?

    http://www.hackerfactor.com/blog/index.php?/archives/342-Better-Than-Nothing-Security,-Part-IV.html

  5. Darrell said on May 11, 2010 at 12:13 am

    When I tried visiting a WordPress site my Firefox browser went away and I had a Firefox dialog box that said I should scan my computer or something. The only option was to hit OK. So I used Task Manager to kill Firefox. Opening Firefox again just loaded the page again because of the way I had killed the session. So I blocked the firesavez7 domain in my hosts file and was able to get into Firefox again to delete the website session it was attempting to restore.

  6. marcella said on May 10, 2010 at 10:27 pm

    Just tried to open a site hosted by WordPress and was redirected to the www1.firesavez7.com site.

  7. heidi said on May 10, 2010 at 5:16 pm

    This happened to me today when visiting a site. Can’t even remember what the site was. I was directed to the www1.firesavez7.com site where they were attempting to force a download. Not thinking, I did download it but McAfee refused to allow it to be installed. (Thank goodness.) I assume this means my system is still okay? I’m currently running a full scan on my computer and files.

    What a mess!!!

    I did a screen print but not sure how to post it here. :)

  8. alexander said on May 10, 2010 at 7:42 am

    I was redirected the first time that I visited this article!!

    My NOD32 did not stop the threat and I saw a quick fake AV scan for a few seconds.

    I don’t see strange processes or threats but I’m worried after that.
    Am I infected??? What am I supposed to do???

    Thanks in advance.

    1. stef said on May 10, 2010 at 12:34 pm

      The site you fall on would have tried to make you download some executable file. If you didn’t download and install that executable, you’re fine.

  9. WayneW said on May 10, 2010 at 1:30 am

    Happened to me earlier today accessing this page. Avast stopped it cold.
    Sorry, didn’t note the redirect.

  10. rvdmast said on May 9, 2010 at 8:34 pm

    Sorry, didn’t make a screenshot, I was rather in a hurry to kill Firefox with Task Manager before it would do damage, and I’m certainly not going there again. I could tell you the URL it redirected me to, though I don’t think it’d be wise to post it here. I’ll just use your contact form to send a message.

    1. Martin said on May 9, 2010 at 10:15 pm

      OK, I now know what happened. My blog was not hacked (thank God). The text that I copied from one of the sites (the second quote) contained script references to the two JavaScript files, which would get loaded if a user opened the blog article. I have edited the script reference and it should now display as safe again.

      1. Alec_Burgess said on May 10, 2010 at 12:27 am

        So if I understand correctly, you accidentally hacked your own site?

      2. Martin said on May 10, 2010 at 8:22 am

        Well, it was never hacked. Just the script tags that load the JavaScripts were embedded in the quote from the other site.

  11. rvdmast said on May 9, 2010 at 8:21 pm

    Yup, I got redirected too, to some scam page, when I clicked the article link to this article.
    Happened only the first time though… can’t seem to reproduce it… yet.

  12. stef said on May 9, 2010 at 8:08 pm

    Sure thing!
    One thing I know: it automatically forwarded me to one of a few URLs, one of which doesn’t seem to work anymore.

    http://www4.suitcase52td.net/?p=p52dcWpkbmmHnc3KbmNToKV1iqHWnG2cXpO

    ^^^^ that one still works

    http://www1.firesavez7.com/?p=p52dcWpkbmmHjsbIo216h3de0KCfYWCcU9LXoKitaVzHysd2lJN%2Fel6orKWeY5WWZWRkZ2VonJOIo6T….

    Never mind, the 2nd one works again; sometimes it 404’s, sometimes it doesn’t.
    I cut it like in your article to make sure nobody clicks on it…

    One is similar to the one in your article, oddly enough :-/

    1. Martin said on May 9, 2010 at 10:16 pm

      Thanks Stef and everyone, should be sorted out by now.

  13. wow... said on May 9, 2010 at 6:55 pm

    And what about ghacks? Two out of three times I tried to read this article from my RSS reader, I got forwarded to another page that tries to scam you into believing you have a virus and tries to get you to install some crapware.

    1. Martin said on May 9, 2010 at 7:06 pm

      Anyone else experiencing this?

      1. wow... said on May 9, 2010 at 7:42 pm

        Looks like it stopped now. It happened twice to me on 3 visits but stopped after that.

      2. Martin said on May 9, 2010 at 7:44 pm

        Can you do me a favor and make a screenshot of the issue if it happens again and save the source code of the page? Need to investigate the issue.

    2. Anonymous said on May 9, 2010 at 6:58 pm

      TRUE. My Trend WTP reports that you have a trojan problem.
