Check Your Website: New Round of Hacks Going Around

September 17, 2010

WordPress

For those of you who purchased my ebook on securing WordPress, you probably have signed up for my exclusive security newsletter.

I just sent out an email to all my subscribers but really felt everyone needs to know this information because there’s been another round of hacks targeting web hosts, WP Blog Host included.

So here’s my newsletter’s content. I hope you find it insightful.

—————————–

You know how much I HATE those freaking malicious hackers. Well, guess what? They did it again and there’s not much we can do to stop them.

Just finished reading a warning on Sucuri.net which mentioned that GoDaddy (and I’m sure possibly other web hosts) got hit with another round of hacks today.

Here’s the article

If your site is hosted on GoDaddy, please make sure you have an updated (and good) Anti-Virus program installed on your computer before visiting your site.

Here’s the Anti-Virus program I use. It works really well and always warns me and blocks virus sites when I go to them.

To check if your site has been hacked without actually visiting your website, do the following:

1. Log into your web hosting control panel
2. Find any file with the extension .php – for example, index.php
3. View that file’s source code in your web hosting’s file editor. If you don’t have a file editor, download the file to your computer and open it up with a text editor.
4. If at the very top of your file you have a huge block of code which obviously shouldn’t be there, then you’ve been hacked.

What does that code look like?

Something like this at the very top (with a long, ongoing string of random characters, represented here by the dots):

eval(base64_decode("aWYoZnVuY ………
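The manual check above can be automated against a downloaded copy of the site, so the live pages are never opened in a browser. The following Python scanner is an added example, not part of the original newsletter and not Sucuri's clean-up script; the 4 KiB "top of file" window, the 200-character threshold and the sample files are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Header described in the post: eval(base64_decode("....  Whitespace, quote style
# and letter case are tolerated (PHP function names are case-insensitive).
INJECT_RE = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]*)""", re.IGNORECASE)
TOP_WINDOW = 4096  # assumption: "very top of the file" means the first 4 KiB
MIN_BLOB = 200     # assumption: a long encoded string is high confidence

def scan_file(path):
    """Return a finding if the file starts with the injected block, else None.
    The payload is only measured, never decoded or executed."""
    data = Path(path).read_bytes()
    m = INJECT_RE.search(data)
    if m is None or m.start() > TOP_WINDOW:
        return None
    blob_len = len(m.group(1))
    return {"file": str(path), "offset": m.start(), "blob_len": blob_len,
            "confidence": "high" if blob_len >= MIN_BLOB else "review"}

def scan_tree(root):
    """Scan every .php file under root (a local copy, not the live site)."""
    hits = (scan_file(p) for p in sorted(Path(root).rglob("*.php")))
    return [h for h in hits if h]

def build_sample_tree(root):
    """Constructed sample data: one injected file, one clean file, one non-PHP file."""
    root = Path(root)
    (root / "wp-content").mkdir(parents=True, exist_ok=True)
    fake_blob = b"QUJD" * 100  # harmless filler: base64 of "ABC" repeated
    (root / "index.php").write_bytes(
        b'<?php eval(base64_decode("' + fake_blob + b'")); ?>\n<?php echo "site";\n')
    (root / "wp-content" / "clean.php").write_bytes(b"<?php\necho 'hello';\n")
    (root / "notes.txt").write_text('eval(base64_decode("not a php file"))')

def demo():
    """Scan the constructed tree; file paths are shortened to names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [dict(h, file=Path(h["file"]).name) for h in scan_tree(tmp)]

if __name__ == "__main__":
    findings = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in findings:
        print(f)
```

Run it with the path to a local backup of the site as the only argument; with no argument it scans the constructed sample tree.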

How To Fix Your Site Easily If You’ve Been Hacked With This

Sucuri.net has an awesome script which will quickly and easily remove this hack for you, all automated.

Get their clean-up script here.

Follow the instructions on the website, which basically tell you to:
1. Download the file
2. Rename it to wordpress-fix.php
3. Upload it to the root folder of your website
4. Run the script by visiting http://yourblog.com/wordpress-fix.php
5. When it’s finished, check your .php files and see if the hacked code is gone
6. When it’s finished, delete the file from your server.

Please note that this hack came through at the server level, which is above anything we can do to prevent our sites from getting hacked.

The good news is if you have the WordPress File Monitor plugin installed, at least you’ll be notified of the changes.

If you run into any issues, my door is always open, but it is getting late and I may not get back to you until tomorrow.





About John Hoff

John is the lead instructor inside the Blog Training Classroom Video Course. He's been blogging since 2007, authored a WordPress Security ebook, and was recently featured at Niche Profit Classroom as an affiliate rising star.


8 Responses to “Check Your Website: New Round of Hacks Going Around”

  1. Aaron Says:

    I’ve posted this elsewhere, but the cause is below. Your post has the fix :)

    Cause: The most likely method they used was a fairly common network sniffer in which they sniffed WP login details when you submitted the admin form, or sniffed your FTP connection if you connect via FTP and not SFTP to modify files. I’d suggest anyone having these types of “modified files” on their hosts to first consider that they have malware on their system that is sniffing their network traffic. It might sound far-fetched, but I’ve had to fix this for several clients recently and it all came back to this type of malware running on their PC or a PC on their network. Hope it helps :)


  2. John Hoff Says:

    Hi Aaron. Definitely good tips but I believe this was a different kind of hack.

    I use both a secured FTP connection and run my blog through SSL and yet this blog itself had the hack on it.

    The problem is that there is someone or some people who are targeting web hosts (not websites) and are finding some kind of entry point / access into servers and installing a virus script into people’s accounts.

    Then the file runs, installs the hack, and then deletes itself when finished.

    The problem with this kind of hack is that website owners are helpless in defending against it because the intrusion comes from the server level. Make sure we have good backups and can restore things easily.


  3. Todd Redfoot Says:

    An exploit affected PHP files on approximately 150 Go Daddy accounts Friday afternoon. Go Daddy’s Security Team worked quickly to clean and restore these websites, however, we have detected additional customer sites that may currently be experiencing difficulties due to this same attack.

    Go Daddy’s Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.

    Meantime, our team is working swiftly to restore all affected websites and appreciates customer feedback. Go Daddy will continue to monitor as long as it takes to ensure our customer accounts are clean.

    If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer


  4. John Hoff Says:

    Thank you, Todd.


  5. Todd Redfoot Says:

    UPDATE:

    The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.

    Go Daddy’s Security Team worked quickly to clean and restore all affected sites. The exploit was caused by malicious files uploaded via FTP to customer websites.

    As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://gdhelp.godaddy.com/article/6

    As always, Go Daddy’s Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy’s 24/7 Customer Support.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer


  6. Todd Redfoot Says:

    The link in my previous comment to the help documentation (explaining how to change your FTP password) was incorrect.

    Please find the correct link to the article here:
    http://help.godaddy.com/article/6

    Thank you.


  7. John Hoff Says:

    Todd, would you say that what happened then is an intruder cracked into someone’s FTP connection and uploaded a file to the server which in turn affected everyone’s websites who were on that shared server?

    Thanks.


  8. Paisley the Facebook Games Girl Says:

    Sweet, that’s precisely what I was looking for! You just saved me a lot of work.

