According to various reports, in the past few days a number of websites created using WordPress have been hacked. While the attack initially appeared to be limited to web sites hosted by American ISP DreamHost, it has since become apparent that blogs hosted at GoDaddy, Bluehost and Media Temple have also been affected. Unconfirmed reports by WPSecurityLock suggest that other PHP-based management systems, such as the Zen Cart eCommerce solution, have also been targeted.
The hacked web pages appear to have been infected with scripts, which not only install malware on users’ systems, but also prevent browsers like Firefox and Google Chrome, which use Google’s Safe Browsing API, from issuing an alert when users try to access the page.
When Google’s search bot encounters such a specially crafted page, the page responds by simply returning harmless code. This camouflage strategy takes advantage of the browser switch normally used by developers to return browser-specific code to suit functional variations in different browsers, such as Internet Explorer and Firefox.
Update 1: It seems that WordPress users have started posting about this on their forum:
I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to http://zettapetta.com/js.php
Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.
Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.
Update 2: Users from webhostingtalk are also reporting the same:
Some hacker inserted the following code into my footer.php
and AVG tells me that it is a threat. Thanks AVG.
AVG tells me the threat: (removed URL) I found that code and deleted it from my file. But I don’t know how the hacker inserted it into my php file?
Update 3: GoDaddy responds about the WordPress exploit.
Temporary Suggestions:
If you have this issue in one of your blogs, these are some temporary suggestions from WPSecurityLock:
How to fix your hacked WordPress site infected with this malware
- Immediately remove your index.php file from the root of your WordPress.
- Add a temporary index.html file to the root of your website that states your site is down for maintenance. (There’s no reason to say your site’s infected and scare people that haven’t been infected). If you don’t know how to make your own, you can use our index maintenance page on your own site. Just unzip the file, upload it to your server and then rename it to index.html.
- Go into your “File Manager” or FTP and find out what date and time your site’s been hacked. You can tell by looking at your php files. They will most likely all have the same date and time. (To help spread awareness, please leave a comment below or email us this information so we can help track and spread security awareness to our readers.)
- Make sure you have a backup of your website, you will need it handy to reinstall your website.
- Open your wp-content/plugins folder on your server and write down the names of all your plugins you have installed on your site.
- Make sure you have a backup of all your images and media. This is usually located in wp-content/uploads. You will need them to put your site back to normal.
- Delete your entire WordPress site from your server. If you have multiple sites on the same hosting account, you will have to do the same with them too! Don’t just clean one. It could regenerate to the sites you’ve fixed.
- Go to http://wordpress.org and download a fresh copy of the latest version of WordPress.
- Unzip the download and upload it to your website via file manager or FTP. If you have SFTP or FTPES capabilities, please use this method. It encrypts all your files so bad guys can’t read them.
- Upload your backed up copy of wp-config.php to the root of your WordPress installation. This is the file that connects to your database so all your posts, pages, settings, etc. work again.
- Upload your images and/or media back on the server. This is usually contained in your backed up copy of “wp-content/uploads,” unless you chose to house your media in another folder. It contains all the images that you’ve added to your posts from within your wp-admin. If you don’t have a backup of this directory, then you will have to re-upload all your images back to your posts and pages. Yes, I know… nightmare!
- Upload your backed up copy of your theme inside of the wp-content/themes directory.
- Get your list of plugins you wrote down and go to http://wordpress.org and download them fresh to your computer and upload them back up to your website. Note: you may have to reactivate or update your plugin settings, but it sure beats losing everything.
- Try logging into your WordPress wp-admin section to see if everything looks okay.
- Visit your home page and try clicking some links to see if they work. If you notice that you get 404 errors when opening a post or page, then go to your wp-admin and update your permalinks. Here’s how… Click on Settings > Permalinks > Save Changes. Whew, that was easy. Now go check to see if your links work.
- Go to your server and make sure you have the correct permissions set. All directories/folders should be a maximum of 755. All files, including your php files, images, html, etc, need to be set at a maximum of 644. Note: Never set any directory, including a recommendation from a plugin, to 777.
- Change all your passwords to strong ones and don’t use the same one!
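
As an added example (not part of the original post or of WPSecurityLock's instructions), this Python script automates three checks from the reports and steps above: PHP files whose first line carries an eval call, directories above 755 or files above 644, and the modification time the flagged files share. The regular expression, function names and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile
from collections import Counter
# Assumption: injection is an eval( call on a PHP file's first line, as in the forum report.
FIRST_LINE_EVAL = re.compile(rb"<\?php\s*(/\*.*?\*/)?\s*eval\s*\(", re.I)

def audit_tree(root):
    """Return (suspect PHP files, permission violations, commonest mtime minute of suspects)."""
    suspects, bad_perms, minutes = [], [], Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            is_dir = stat.S_ISDIR(st.st_mode)
            if not (is_dir or stat.S_ISREG(st.st_mode)):
                continue  # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~(0o755 if is_dir else 0o644):  # any bit beyond the maximum
                bad_perms.append((os.path.relpath(path, root), oct(mode)))
            if is_dir or not name.lower().endswith(".php"):
                continue
            with open(path, "rb") as fh:
                first_line = fh.readline(65536)
            if FIRST_LINE_EVAL.search(first_line):
                suspects.append(os.path.relpath(path, root))
                minutes[int(st.st_mtime) // 60] += 1
    changed_at = minutes.most_common(1)[0][0] * 60 if minutes else None
    return sorted(suspects), sorted(bad_perms), changed_at

def demo():
    """Audit a constructed sample tree (two injected files, one 777 directory)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # the setting the list warns against
    samples = {  # constructed file contents; the base64 decodes to "constructed"
        "index.php": b'<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n<?php // blog\n',
        "footer.php": b'<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n',
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'example');\n",
    }
    for name, body in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
        if b"eval" in body:
            os.utime(path, (1273500000, 1273500000))  # constructed timestamp
    return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run `audit_tree()` against a downloaded copy of the site rather than on the live server; a first-line match is a heuristic and does not prove a file is clean when it is absent.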
Clean Your WordPress
Thanks to Sucuri, who uploaded a small file to clean your infected WordPress site. Download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.




6 Comments
I think my seldom used blog, hosted on Netsol, has been a victim of this. It has the suspect block of code at the top of every source file.
I’ve recently been told the same exploit code is also appearing on ZenCart sites on at least GoDaddy; the commonality being PHP here.
My blogs were not hacked but now that you post this, it starts to explain why I have had issues reaching some WordPress websites and weird errors that came up today.
Well that explains a lot. One of my sites was infected with malware, though it’s hosted on 000webhost. Such a hassle…
It’s not just WordPress, I had a few basic sites hosted on Godaddy with php files that were infected (not using any 3rd party softwares like Joomla or WordPress), from various clients. The only common points were: php files and Godaddy.
I contacted their support to notify them of their vulnerability after I cleaned the sites, but they still cling to their “upgrade your 3rd party software” solution even though I didn’t even use any in those instances.
The exploit uses cookies so it doesn’t show up twice to the same user (or search engines) so some may think it is fixed when it is not.
holy crap! just this simple? darn..all my sites were hacked, well, its being placed in one shared hosting account particularly hostmonster. and what i did to fix the issue? totally wipe out all my blog posts and files..