Reports began to appear on the Internet two days ago suggesting that a new mass hack was underway. It was first assumed that the hack only targeted WordPress blogs, but it soon became known that other scripts were affected as well.
The common denominator of the hack was that all affected websites were hosted on so-called shared hosting servers. These servers host multiple websites by different users. Affected web hosting companies are Go Daddy, Bluehost, Media Temple, Dreamhost and Network Solutions. It is likely that others are affected as well. We were not affected by this attack.
It is not clear yet how the hack was carried out. Current suggestions are either weak passwords or file access rights that allow the attacker to gain access.
We are seeing multiple reports today of Wordpress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.
How do you know if your website is affected?
All those sites had this javascript added to their pages:
http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php
It came from a long base64-encoded string added to their footer.php file (or to all the PHP files in some cases).
The website WP Security Lock posted detection instructions as well.
Here’s some of Zettapetta’s behavior:
Your website is redirected to: http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf…….. or
http://www1.firesavez6.com/?p=p52dcWpkbG6HjsbIo…
This redirect page is a blank page. The source code contains the following:
404 Not Found
The page that you have requested could not be found.
All of your .php files on your Wordpress contain the following malicious code… Located in the source code near the bottom of all .php files is the following script: http://zettapetta.com/js.php and http://www.indesignstudioinfo.com/
Your antivirus program blocks the installation of the threat: www.firesavez5.com or a www.firesaver6.com installer.
Sucuri.net has posted instructions on how to remove the malicious code from Wordpress.
Via SSH:
If you have SSH access to your server, run the following commands on your web root:
$ find ./ -name "*.php" -type f | \
xargs sed -i 's###g' 2>&1
$ find ./ -name "*.php" -type f | \
xargs sed -i '/./,$!d' 2>&1
Via web:
If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.
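The detection hint above (a long base64-encoded string in the PHP files, a script tag in the rendered page) and Sucuri's two sed commands (strip the injected block, then delete the blank lines it leaves behind) can be illustrated together. The following Python scanner is an added example written for this post; it is not Sucuri's script and not the commands quoted above. The injection regex is an assumed generic shape of a one-line eval(base64_decode(...)) block, since the exact expression in the first sed command was lost from the page, and the web root, payload and file contents in demo() are constructed for the demonstration.

```python
"""Find and clean eval(base64_decode(...)) injections in PHP files (added example)."""
import base64
import os
import re
import shutil
import tempfile

# Assumed injection shape: a single PHP tag that evals a base64-encoded payload.
# This is a generic regex, NOT Sucuri's exact expression; tune it to the real payload.
INJECTION_RE = re.compile(
    r'<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*(["\'])'
    r'[A-Za-z0-9+/=]+\1\s*\)\s*\)\s*;\s*\?>'
)

# Hostnames the post associates with the injected script and the redirect.
INDICATOR_HOSTS = ("zettapetta.com", "indesignstudioinfo.com",
                   "firesavez5.com", "firesavez6.com")


def find_injections(text):
    """Return the injected PHP blocks found in a file's source."""
    return [m.group(0) for m in INJECTION_RE.finditer(text)]


def find_indicator_hosts(html):
    """Return indicator hostnames referenced by rendered HTML (what the browser sees)."""
    return [h for h in INDICATOR_HOSTS if h in html]


def clean_text(text):
    """Strip injected blocks, then drop leading blank lines (what the two sed commands do)."""
    cleaned = INJECTION_RE.sub("", text)
    lines = cleaned.split("\n")
    while lines and lines[0].strip() == "":
        lines.pop(0)  # sed '/./,$!d' keeps the file from the first non-blank line on
    return "\n".join(lines)


def clean_tree(root, backup_dir):
    """Walk root, back up and clean every .php file carrying an injection; return cleaned paths."""
    cleaned = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if not find_injections(text):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            backup = os.path.join(backup_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(backup), exist_ok=True)
            shutil.copy2(path, backup)  # keep the infected original for later analysis
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(clean_text(text))
            cleaned.append(rel)
    return sorted(cleaned)


# Constructed payload: a script tag pointing at one of the hosts named in the post,
# standing in for the much longer string the real injection carried.
SAMPLE_PAYLOAD = base64.b64encode(
    b'<script src="http://zettapetta.com/js.php"></script>').decode()
INFECTED_HEADER = '<?php /**/eval(base64_decode("%s"));?>\n' % SAMPLE_PAYLOAD
CLEAN_FOOTER = '<?php\n// constructed theme footer\necho "</body></html>";\n'


def demo():
    """Build a constructed web root in a temp dir, clean it, and report what happened."""
    root = tempfile.mkdtemp(prefix="webroot-")
    backup = tempfile.mkdtemp(prefix="backup-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(INFECTED_HEADER + CLEAN_FOOTER)  # injected block prepended
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// constructed clean file\n")
    cleaned = clean_tree(root, backup)
    with open(os.path.join(theme, "footer.php"), encoding="utf-8") as fh:
        footer_now = fh.read()
    shutil.rmtree(root)
    shutil.rmtree(backup)
    return {
        "cleaned": cleaned,
        "footer_restored": footer_now == CLEAN_FOOTER,
        # grepping the PHP source for the hostnames finds nothing: they are inside the base64
        "hosts_in_source": find_indicator_hosts(INFECTED_HEADER),
        "hosts_in_decoded": find_indicator_hosts(base64.b64decode(SAMPLE_PAYLOAD).decode()),
    }


if __name__ == "__main__":
    print(demo())
```

On a real site, run clean_tree("/path/to/webroot", "/path/to/backup") after adjusting INJECTION_RE to the payload actually present; the backup directory keeps every infected original, which is worth having before the files are overwritten. The hosts_in_source result shows why a plain grep for zettapetta.com over the PHP files misses the infection: the hostname only appears once the base64 string is decoded, which is why the page source of the rendered site, not the PHP, is where the script URL shows up.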
Has your blog or website been affected by the hack? Let us know how you resolved the issue in the comments.