GoDaddy Targeted Once Again – WordPress Hacked
GoDaddy is perhaps the favorite target of hackers these days because of their size and their delightful tendency not to keep their security correctly enforced.
Beginning approximately December 21st, 2010, WordPress sites on GoDaddy (and GoDaddy resellers) were again attacked and compromised.
Rather than the usual code injection attacks that are all too common but generally not hard to clean up, this attack inserted data into the database.
Signs & Symptoms
For infected sites, the homepage looks unaffected, but opening any post causes the visitor to be redirected to one of the many notorious “Fake Antivirus” sites (that are themselves viruses).
You can find out if your site is infected by going to your dashboard, opening any of your posts in HTML view, and scrolling to the bottom. If you see this, you’re affected:
<script src="http://acrossuniverseitbenet (dot) com/ js.php?kk=10"></script>
(Please don’t go opening that link)
I’ve been monitoring the attack and helping with cleanups since December 22nd.
Because this is not a typical code injection attack, it does not call for the usual overlay upgrade that we use to clear that type.
If your site is currently infected, your first step is to notify GoDaddy of the infection so that they can run their own script against your site when they get to you in line.
However, most of us want our sites up faster than a host that is trying to clean up thousands can accommodate, so here are your next steps:
You have to remove these malicious entries from each and every post of an infected site.
While it’s long and tedious, the average blogger can do this themselves, re-saving each post after they remove the infected script.
For those comfortable with it however, there is a much faster way to clean up these sites.
Step 1: Put your blog into maintenance mode so your visitors and search engines don’t get to the redirected page. There are a dozen maintenance mode plugins in the search; most are about as good as the next for this, so just find a highly ranked one that supports WP 3.0. Do this step even if you do not have time to clean up the site immediately.
Step 2: Now we need to access your site’s database. This can either be done from the hosting access to the database or using a plugin called WP-phpMyAdmin.
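Step 3: If using the plugin, go into Tools -> phpMyAdmin. Click on SQL in the top menu of the plugin interface. Run this SQL command (the domain is written here as “(dot)” so it is not a live link; replace “(dot)” with “.” before running, and use plain straight quotes exactly as shown):
UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src="http://acrossuniverseitbenet(dot)com/js.php?kk=10"></script>', '');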
Step 4: Re-check a few posts to be sure they are clear of the script code. Assuming they look good (and they should) then you are safe to deactivate the maintenance mode plugin.
Step 5: Consider whether hosting with GoDaddy and continuing to deal with WordPress related malware and setting issues remains a viable solution for your site. I highly prefer, recommend and affiliate for HostGator hosting.
Please do not skip the step of contacting GoDaddy, as they still need to do a check from their level to ensure they solve HOW they left you vulnerable.
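A safer way to run Steps 3 and 4 is to back up the table, preview the affected rows, clean them, and then verify the result from the same SQL tab. The statements below are an added example, not part of the original instructions; they assume the default wp_ table prefix used above, and wp_posts_backup is a hypothetical name for the backup copy.

```sql
-- The domain is written defanged, as in the post: replace "(dot)" with "."
-- in every statement before running.

-- 1. Keep a restorable copy of the table before changing anything.
CREATE TABLE wp_posts_backup LIKE wp_posts;
INSERT INTO wp_posts_backup SELECT * FROM wp_posts;

-- 2. Preview which rows carry the injected tag. wp_posts also stores pages
--    and revisions, so expect more rows than you have published posts.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE LOCATE('<script src="http://acrossuniverseitbenet(dot)com/js.php?kk=10"></script>',
             post_content) > 0;

-- 3. Remove the tag, touching only the rows that contain it.
UPDATE wp_posts
SET post_content = REPLACE(post_content,
    '<script src="http://acrossuniverseitbenet(dot)com/js.php?kk=10"></script>', '')
WHERE LOCATE('<script src="http://acrossuniverseitbenet(dot)com/js.php?kk=10"></script>',
             post_content) > 0;

-- 4. Confirm nothing is left. Matching on the domain name alone also catches
--    copies of the tag with different quoting or parameters. Must return 0.
SELECT COUNT(*) AS still_infected
FROM wp_posts
WHERE LOCATE('acrossuniverseitbenet', post_content) > 0;

-- 5. List every remaining script tag that has a src attribute, so anything
--    you did not put there yourself can be reviewed by hand.
SELECT ID, post_title, RIGHT(post_content, 200) AS tail
FROM wp_posts
WHERE post_content REGEXP '<script[^>]*src=';
```

Once the site has been checked and is clean, the backup table can be dropped so that a copy of the infected content does not stay in the database.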
Special thanks to Sucuri for sounding the original alarm and to HowToMakeMyBlog for the plugin suggestion that makes this easy for the average user to fix themselves.
I know that Christmas is not a day you want to deal with this type of headache (is there ever really a day?) but please be sure to give your site a quick check to ensure you do not leave it sitting infected all weekend as the SEO and credibility impacts would be painful.
There is some additional discussion and questions about this attack going on in my Facebook thread where I announced this issue on Thursday. Please give it a read if you’re looking for a quick answer, but I do not suggest replying there as I will not get notifications that you have commented and will not be able to follow up with you there.
Have a Happy, Prosperous and SAFE Holidays!
PS: As usual, if you need help, let me know!