WordPress Malware Issue On Thousands of GoDaddy Hosted Sites!

by Cliff Ravenscraft on September 17, 2010

in Blog

As many of you know, I've been working on a massive redesign of my blog for the past week. In fact, I've spent pretty much all day today on some final touches.

This afternoon, I noticed a strange warning pop up when I went in to preview a change that I made. My browser gave me a warning that said there was malware on my site. Being that I'm on a Mac, I was not too concerned about this. However, knowing that thousands of people visit my site every day with Windows-based computers, I became very concerned.

I began to get reports from other folks saying they were getting similar issues. I had not been able to reproduce the errors on my computer, but when I loaded gspn.tv from my iPad, I got the following:

You can see, from the image on the right, when my site is loaded, there is some code that causes your browser to forward to another site that has this malware on it. When forwarded to this other site, it pretends to be a part of the Windows operating system, running a virus-scanning program. Obviously that can't be right on the iPad.

I immediately turned to my friends online and found out that it's not just my site, but thousands of WordPress sites hosted on GoDaddy.com. In fact, when I found that out, I checked several other sites that I host and found that at least five of my different WordPress sites all have this same issue.

It was Mike Hirst @hirstmusic that pointed me to THIS NEWS STORY about the GoDaddy Attack. Thank you Mike!

And it was @BloggerTip on Twitter who pointed me to this potential fix. Thank you Blogger Tip! (Man I wish brands like this had a name in their Bio section on Twitter)

It is currently 8:43pm ET and I am just now doing a backup of my gspn.tv website before I go trying to fix this.

I'll update THIS POST as I progress.

Update: 9:11pm ET 9/17/2010
So I believe that gspn.tv is now completely free from this Malware threat. However, I still have several other sites to clean. Here are some things that I will share that hopefully will help others dealing with this issue or that may help me, in the future, if this were to happen again.

I was able to easily identify whether or not my site had been hacked by looking at the source code of the html. At the very bottom, just before the tag, I saw a script that pointed to “myblindstudioinfoonline.com/11(dot)php” as shown in this image:

After the FTP backup of my site was complete, I opened up each of the .php files in my root directory and found that every single file had a line of code inserted at the very top, as shown in this image:

Now, I had downloaded the script file that I found on THIS SITE. However, I didn't want to test it out on my gspn.tv site to see if it worked, so I manually deleted that line of code out of 24 .php files and re-uploaded those to my site. I had looked in the wp-admin, wp-content, and wp-includes to check and see if any .php files had been corrupted there. I did not see any such code, so I have left those alone.

After uploading all the cleaned .php files to my root directory, which overwrote all the infected files, I noticed that my site no longer has the malicious script just before the tag. I believe that we're all free and clear now.

Now I just have to clean all my other WordPress installations on GoDaddy.com.

Update: 9:58pm ET 9/17/2010
Well, I got brave and used that fixfiles.php script that I found on this site. I installed it in my /ravenscraft sub-directory and ran it. It actually found that all the .php files in that folder had been infected, but it also searched and found infected .php files in several of the plugins in the /wp-plugins folder and a lot of the .php files in the wp-themes folder as well.

Now, if you can follow along here: I also have a WordPress installation in a sub-directory of the /ravenscraft sub-directory called /oldblog. When I ran this script in /ravenscraft, it also fixed all the files in /ravenscraft/oldblog as well.

Now that I knew the script worked, and knowing it actually found that tainted code in so many of the other wp-content sub folders, I figured I'd go ahead and run this script in the gspn.tv root directory. It didn't work! The reason is that there were WAY TOO MANY directories and sub-directories for it to search and the browser kept timing out before it could return a response.

So I went in and ran the script on each of the sub-directories of gspn.tv, including the wp-admin, wp-content, wp-includes, /plugins, /themes, etc, etc. I just wanted to make sure. For some reason, my main WordPress install didn't get any corrupted files in the gspn.tv wp-content folders. However, other WordPress installations did get them in the other folders.
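The two checks described above, a line injected at the very top of every .php file and a cleanup that has to cover nested installs like /ravenscraft/oldblog without a browser timing out, as an added example. This is not the fixfiles.php script from the post or code from the linked site; it is a command-line Python scanner, and since the post never shows the injected line itself, the signature regex and the sample files it matches are constructed placeholders.

```python
import os
import re
import tempfile

# Constructed stand-in for the injected first line: it matches only the marker
# used in the sample tree below, not any real payload from the post.
INJECTED_RE = re.compile(rb'^<\?php\s*/\*injected-sample\*/.*?\?>[ \t]*\r?\n')

def scan(root, pattern=INJECTED_RE):
    """Walk the whole tree (nested installs included) and return .php files
    whose first line matches the injected-line pattern, as forward-slash paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:       # bytes: never re-encode PHP source
                first = fh.readline()
            if pattern.match(first):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def clean(root, pattern=INJECTED_RE, dry_run=True):
    """Strip the injected first line from every hit. dry_run=True only reports,
    which is the safe default once the FTP backup from the post is in hand."""
    changed = []
    for rel in scan(root, pattern):
        path = os.path.join(root, rel)
        with open(path, "rb") as fh:
            data = fh.read()
        fixed = pattern.sub(b"", data, count=1)   # anchored: only the first line goes
        if fixed != data:
            if not dry_run:
                with open(path, "wb") as fh:
                    fh.write(fixed)
            changed.append(rel)
    return changed

def build_sample_tree():
    """Constructed fixture: a root install with a nested /oldblog and a theme file."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    injected = b'<?php /*injected-sample*/ echo "<script src=\'//example.invalid/x.js\'></script>"; ?>\n'
    files = {
        "index.php": injected + b"<?php require 'wp-blog-header.php';\n",
        "wp-config.php": b"<?php define('DB_NAME', 'wp');\n",        # clean file
        "oldblog/index.php": injected + b"<?php echo 'old blog';\n",
        "wp-content/themes/t/header.php": injected + b"<html>\n",
        "readme.html": injected,                                   # not .php: ignored
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root
```

Run `clean(root)` first to review the list, then `clean(root, dry_run=False)` to actually strip the line; a real run needs the regex replaced with the line found in your own files.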

One last note is that I had two installations that didn't get infected at all. They were just as out there as the other WordPress installations. However, I believe the difference there was that they didn't have any content or many links from other sites that would cause these “test sites” to show up in search engine results. Hmmm.

Oh well. I'm exhausted now. At least I can sleep well tonight knowing that our community can browse all our sites without getting tricked into installing Malware.

I'm so thankful that http://PodcastAnswerMan.com & http://VirtualAssistantPodcast.com were not affected. Both of those sites run on my BlueHost Hosting account. I HIGHLY RECOMMEND BLUEHOST! I'd switch gspn.tv and all my other sites over if it weren't so much work. If this happens again, I may go through the trouble anyway!
