Which is created by this code added to the top of all or many of your .php files.
Many WordPress, Drupal, and Joomla sites, as well as other CMS and PHP-driven sites, could be affected by this, so watch out. Luckily it is not a huge deal to disinfect your files, thanks to the people at http://blog.sucuri.net/2010/09/godaddy-sites-hacked-myblindstudioinfoonline-com-and-hilary-kneber.html for the info posted earlier today and http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/ for the easy-to-follow instructions. In case you want the details right now, here is the meat of it.
The script will not only work for GoDaddy + WordPress, but for any PHP-based site (I used it this morning to cure a Drupal site) on any host.
Here are the right steps to follow:
- Make sure you back up your site, just to be safe. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like Filezilla works fine.
- Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer.
(Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.php)
- FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php etc.):
- If you only want to clean a subdirectory (and its underlying tree), put the file in that subdirectory, but remember that the command in the next line will have to reflect that.
- Then execute the code with the command:
if you put it in a sub directory)
- The code will first scan for the malware code in your files, in both the directory it is put, and all underlying directories.
If you get the message:
0 Infected Files in ./
…then your site is clean.
If any malware is found, the script will list the infected files and prompt you to fix them:
Click on “Fix Files”, then click OK on the prompt to proceed:
- The script will scan through all files again, and clean the malware. It will list all files that were cleaned.
- Delete the “fixfiles.php” file from your site after execution.
- If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users, even though you cleaned your .php code.
All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on GoDaddy), which the hosting companies have been unable to identify and/or close.
Until such time, scan your sites every day, and cure the problem immediately before your visitors get infected.
October 31, 2010 UPDATE – Shared hosting on GoDaddy has again been hit by hackers. This time the offending first line in all your .php files begins with -php /**/ $_8b7b=”\x63\x72\x65\x61\x74\x65′
Here is a link to a modified blog-cleaner.php that will take care of this exploit exactly as the last one did.
FTP the file to the root of your compromised website and load it at http://yourblog/blog-cleaner-new.php
Thanks to Dougie Fresh from http://pics4twitts.com for noticing the problem and thanks to the people above for the original solution.
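
For the daily scan recommended above, here is a read-only checker you can run against the local backup copy of the site. It is an added example, not the fixfiles.php or blog-cleaner script the post links to. The pattern is an assumption generalised from the one fragment quoted in the October 31 update (it reads the garbled "-php" as the opening PHP tag), and the sample files are constructed.

```python
import os
import re
import sys
import tempfile

# Assumption: generalises the single fragment quoted in the update above
# (opening tag, empty comment, "$_" + hex-named variable, run of \xNN escapes).
SIGNATURE = re.compile(
    rb'^\s*<\?php\s*/\*\*/\s*\$_[0-9a-f]+\s*=\s*["\'](?:\\x[0-9a-fA-F]{2}){4,}')

def first_line(path, limit=65536):
    """Read at most `limit` bytes of line one; injected lines can be very long."""
    with open(path, "rb") as fh:
        return fh.readline(limit)

def scan(root):
    """Return sorted paths of .php files under `root` whose first line matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if SIGNATURE.match(first_line(path)):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample site: one matching file, two clean ones."""
    os.makedirs(os.path.join(root, "wp-content"))
    samples = {
        "index.php": b'<?php /**/ $_8b7b="\\x63\\x72\\x65\\x61\\x74\\x65"; ?>\n<?php echo 1;\n',
        "wp-login.php": b'<?php\n/** Login page. */\n',
        os.path.join("wp-content", "theme.php"): b'<?php /* theme */ $title = "Blog";\n',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)
        target = sys.argv[1] if len(sys.argv) > 1 else demo
        found = scan(target)
        print("\n".join(found))
        print(f"{len(found)} Infected Files in {target}")
```

Pass the backup directory as the first argument to scan it instead of the constructed sample; the script only reads files and changes nothing.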