Support » How-To and Troubleshooting » 2.9.2 site hacked

2.9.2 site hacked

  • I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to http://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files has been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.


Viewing 15 replies - 91 through 105 (of 187 total)
  • you guys – Sucuri – are doing an awesome job of tracking this
    the whole process has been enlightening


    Thanks very much for your excellent and speedy response! Beers all round. In my email to them I linked directly to your site. Which I done already. Also telling them to

    1. Read the email – they seem to read the first sentence or work on keywords. I don’t know.

    2. Pass it on to their security team.

    3. Don’t tell me to update and change my pwls. Which I did extensively the last time.

    4. Pass it on to all the companies that are fronts for GD hosting.

    I just want to see the email response now.

    I’m having the same problem. It happened 4 days ago too. I changed all the passwords for everything – WP users, FTP users, Hosting account, etc, double checked the database for breeches and then did a clean WP install. It was just hacked again using the same code this morning.

    Very “relieved” to hear I’m not the only one having this problem, and that it’s an issue at GoDaddy and not something stupid I did.

    The response of Godaddy:

    Thank you for contacting the Hosting Security Team.

    We have checked and confirmed that your hosting account had php files which contained a javascript malware injection. We have since removed the contaminated code as a courtesy. Please note, that this is not a permanent solution because it does not remove the vulnerability that allowed the malicious code to be inserted.

    To address the specific vulnerability, please ensure that you fully upgrade all installations of web based software such as WordPress or Joomla to the most recent version.

    More information can be located at:



    We appreciate your cooperation in this matter.

    Please contact us if you have any further issues.


    Incredible!!! I can’t believe this reponse…

    I have written another e-mail to godaddy support: I put all the links in internet that think the problem is in Godaddy hosting… I hope they do something…

    It’s a customer support keyword response. I’ll expect mine shortly.

    calvin13: They removed it as a courtesy? How nice of them… LOL

    I got this yet again. This must have been the 5th time overall, twice in a week!! last week i did a clean install, deleted everything and started from scratch. I changed the passwords yet GoDaddy continues to play the users and wordpress.

    Anyone know how to restore your blog postings after you did a file manager restore on GoDaddy? I did a restore from last week thinking it would clean JUST the files, and now my blog postings are missing from may 3rd to the 11th. and i did twice to go back to restore my files thru GD on May 10th and May 11th. And nothing. Shouldn’t this be something Go Daddy should do? Any help would be appreciated!

    I don`t know what they removed because i did it this morning with your script…

    An the first time i delete all my files and upload a backup…

    Thank you dd@sucuri.net for your help. Looks like your script removed the malware. The login page looks fine in Google Chrome but not normal in Firefox yet. Also going through all the files in my hosting account at GoDaddy I saw that all were showing “current” in the History of Linux snapshots.
    Thank you once again for this great and easy fix. Have to figure out the Firefox issue now.

    I’m on dreamhost, and I’m doing live chat, I don’t know if my site is hacked or not?

    dd@sucuri.net are you still in contact with Neil Warner, GoDaddy’s CSO?


    Please wait for a site operator to respond.
    You are now chatting with 'oscar'
    oscar: hi, how can I help you today?
    you: Yes, wondering about the hacking of dreamhost sites?
    you: http://wordpress.org/support/topic/396524?replies=97
    you: http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/
    you: Checking to see if everything is alright on your end and my website?
    oscar: hmm. Let me see
    you: Breaking News: WordPress Hacked with Zettapetta on DreamHost
    oscar: hmm. Seems to be an issue with 2.9.2. Really this isn't a hack on our servers but rather wordpress. It's a really bad title for the blog as it has nothing to do with us specifically. You're not using version 2.9.2 either
    you: Version 2.9.2
    you: that's what im using
    you: states it bottom right hand side of the site
    you: well dashboard
    oscar: did you do a manual upgrade? your web panel is showing that you are not using 2.9.2 but your version.php does show that
    you: Really? i actually have a plugin that it will let me know when im @ my dashboard there will be a number above the plugin tab stating something is new and i can update it or not
    oscar: Yeah if you look at your web panel it shows "upgrade to 2.9.2"
    you: So, it's an automatic upgrade when I do it. I wouldn't know how to do it manually and i'd probably fuck myself up anyways doing it
    oscar: lol
    you: Really? but my dashboard on wordpress says "Version 2.9.2" but on my dreamhost account server thing it doesn't say Version 2.9.2 says something esle?
    oscar: It's ok since the current version you are using it 2.9.2 in any case.
    oscar: no, it's just in our web panel
    oscar: but your wordpress is showing the right versin
    you: okay? And there's no virus or anything like that of those links i sent you?
    you: cause Im reading the forums now lots of people are infected and that's why I came running here to ask you guys what's up with it, and if shit is on the way to being fixed and whatnot
    oscar: well this one is hard to tell since no one on those links seems to know what the actual root cause is (there is a lot of the host's this and that). However, I didn't see anything from our admin team or our abuse team on this one. Your site seems ok and the fix that most suggested there would seem to leave it open to getting hacked again so I would assume that WP will patch this up in the next update. I'm going to check with our abuse team and we will make a post here: http://www.dreamhoststatus.com/
    oscar: so check back there in a few hours for a general update on this one
    you: Thanks dude.. Cause I just just got wind of this, i check wordpress.org few times a week for updates and to troll the forums for whatever, and noticed that, and said shit! I don't know anything about coding, script kiddies what have you, so I just wanted to make you aware I guess if you haven't heard thats all, and wanted to see what you people were doing about it and whatnot. Thanks

    My response from support:

    Thank you for contacting Online Support. We are aware of the WordPress security issue. The easiest way to fix this issue is by forcing an upgrade on WordPress. Go to tools->upgrade and choose to upgrade to 2.9.2 even if you are on the latest version already.

    Do the same for all the plugins you have in there. It will override the malware entry.

    After that, you just have to look for those base64 evals on your themes file, making the job much much easier.

    This post also gives some tips on how to analyze/ fix malware on web sites:

    A few days ago, some customers’ websites were affected by a new, lighter wave of malware attacks.

    We are reaching out to those whose sites were compromised, and remind customers to be vigilant about updating all software in their hosting account.

    Though we understand this issue is frustrating, we believe the situation is moving in the right direction. We have identified — and are attempting to work with — the key service providers the attackers are using, are are collaborating with the authorities to ensure the individuals will be prosecuted.

    How to Upgrade WordPress and Remove Security Vulnerabilities

    Our Help Center has content on upgrading your WordPress installation here.

    It is important to understand that malware attacks can affect many items on your hosting account. The information in our Help Center specifically shows you how to update WordPress, but any plug-ins, custom PHP scripts, or applications you’ve installed (active or not) can be affected.

    Best Practices to Prevent Malicious Attacks from Affect Your Website

    * If you don’t know what files in your account do and they don’t connect to an application you’re using, consider removing it until you can verify its purpose.
    * Upgrade or remove old blogs you no longer update, inactive test blogs, and other applications you may have installed on your hosting account.
    * Use different and strong password for WP Admin, FTP, and your WordPress MySQL database.
    * If your site has been targetted by malware attacks, reset your passwords.

    If there is anything else that we may assist you with, please feel free to contact us via email or for a speedy response, you may call our support line at (480) 624-2500. We are available 24/7 for your convenience.


    Well it’s late where I am..I’ll see what they say in the morning.

    so without knowing absolutely anything the Dreamhost tech accused wordpress – before he even knew if you were hacked or not
    interesting ostrich head in the sand approach

    so far, wordpress has been proven to have NO security problems by many outside verifiable sources

    Go Daddy wanted me to pay them 150 bucks to backup database files. Yeah, have me pay 150 bucks for something they are reason why the files are gone to begin with! So pi$$ed right now.

Viewing 15 replies - 91 through 105 (of 187 total)
  • The topic ‘2.9.2 site hacked’ is closed to new replies.
Skip to toolbar