Godaddy hacked again. Another way to cure your site.
If you host your blog on Godaddy, you would do well to check your site regularly for any malware, and here is how.
The hack is the same as the previous 4 hacks, affecting thousands of sites: a one-line piece of malware code is inserted in every single .php file on your site, starting with:
<?php /**/ eval(base64_decode("goobledegoob"))
I described before how to cure it, but here is another, slightly more sophisticated way which first lists the infected files, prompts to continue, deletes the oneliner malware in all of your .php files, and lists the cured files. It is inspired by a script written by Andy Stratton in this post.
Running the script, even for a large site, will only take half a minute.
The script will not only work for Godaddy + WordPress, but for any .PHP based site (I used it this morning to cure a Drupal site) on any host.
The script is also a quick way to find out if your site is actually infected. Just run it as described below. If there are no infected files, it will say so and won’t prompt to cure anything.
Here are the right steps to follow:
- Make sure you back up your site first, just to be safe. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like Filezilla works fine.
- ….Lemme double check: you made a backup, right? If you did not, or you do not know how to make one, don’t proceed, and get some help.
- Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer.
(Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.php)
- FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php etc.).
If you only want to clean a subdirectory (and its underlying tree), put the file in that subdirectory, but remember that the command in the next line will also have to reflect that.
- Then execute the code with the command:
if you put the script in a sub directory
- The code will first scan for the malware code in your files, both in the directory where the script is placed and in all underlying directories.
If you get the message:
0 Infected Files in ./
…then your site is clean.
If any malware is found, the script will list the infected files and prompt you to fix them:
Click on “Fix Files”, then click OK on the prompt to proceed:
The script will scan through all files again, and clean the malware. It will list all files that were cleaned.
- Delete the “fixfiles.php” file from your site after execution.
- If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users, even though you cleaned your .php code.
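The scan-then-fix flow from the steps above, as an added Python example meant to be run against the local backup copy from the first step. It is not the fixfiles.php script from this post; the `--fix` switch is this example's own, and the exact ending of the injected statement (`);` followed by `?>`) is an assumption, so files that do not match it are reported for manual review rather than rewritten.

```python
import re
import sys
from pathlib import Path

# Loose signature for detection, taken from the line quoted in the post.
SIGNATURE = re.compile(rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("')
# Full injected statement for removal. Assumption: it ends with ");" and a
# closing "?>" tag, so deleting it leaves the original file content intact.
INJECTED = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]*"\)\);\s*\?>')


def scan(root):
    """Return sorted paths of .php files under root that carry the signature."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".php":
            if SIGNATURE.search(path.read_bytes()):
                hits.append(path)
    return sorted(hits)


def clean(path):
    """Strip the injected statement; return True if the file is now clean."""
    fixed = INJECTED.sub(b"", path.read_bytes())
    if SIGNATURE.search(fixed):
        return False  # unexpected variant: leave untouched for manual review
    path.write_bytes(fixed)
    return True


def main(argv):
    fix = "--fix" in argv[1:]
    dirs = [a for a in argv[1:] if a != "--fix"]
    root = dirs[0] if dirs else "."
    infected = scan(root)
    print(f"{len(infected)} Infected Files in {root}")
    for path in infected:
        if fix:
            print("cleaned" if clean(path) else "REVIEW ", path)
        else:
            print("  ", path)


if __name__ == "__main__":
    main(sys.argv)
```

Run it without `--fix` first to get the list of infected files, then again with `--fix` once the list looks right.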
All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on Godaddy) in combination with PHP vulnerabilities, which the hosting companies have been unable to identify and/or close.
Until such time, scan your sites regularly, and cure the problem immediately before your visitors get infected.
Picture courtesy Owning Pink