Original post from http://blogcastfm.com
Sid here. I want to warn you guys about a massive exploit that has hit a large number of Godaddy Hosted WordPress Blogs this weekend
This hack appears to redirect visitors upon arrival from Google and attempts to install malware on their computers. When I was visiting the site directly, whether logged in or as an Admin, even if I could see the malicious script in my view-source window I did not have any issues and it did not redirect me. This means your site could be hacked and infected and you may be unaware.
I noticed a couple key giveaways:
- In view source, you will see <script src=”http://cechirecom.com/js.php”> located just above the </body> tag on all .php files. If you view source and see this, that’s cause for alarm
- When logged in, you’ll have a screwed up WordPress dashboard. Basically it looks like it is messing up the loading of some CSS in the WordPress Admin area, causing everything to look like the image below:
(Click for larger view)
When arriving from Google, a hacked website will redirect to http://www2.burnvirusnow34.xorg.pl/
The good news is this attack appears to be based only on your actual files – not your database. That’s relatively easy to clean up. In GoDaddy you should be able to revert to an old version of your files (Go to April 23rd or before and you should be fine)
The bad news is we don’t know at this point how the hackers are gaining access.
So far, here’s what I’ve found out about Godaddy’s stance, from another blog that’s also covering this issue:
“Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you.”
Please forward this post to your friends, and help us get the word out. It looks like this has compromised a large number of blogs, and especially since it happened over the weekend, there’s a good chance many bloggers haven’t noticed it.
For more information on fixing the issue, please see this post : Cechriecom.com.js.php – WordPress Hacked on Godaddy
This is not your normal BlogcastFM blog post, but since we were hacked this weekend and unaware of the issue for a couple days, I felt we had to say something since our audience is bloggers – and help educate you guys in case you have the same problem. We’ll resume with our normal interviews tomorrow.