Jun 29 2010
Bluehost Malware Attack and Denial by BlueHost

So for the past couple of hours I have been dealing with the “friendly” support staff at BlueHost, one of the largest hosting companies in the US.

Apparently this past weekend many of their servers had been hacked.

You can read some user accounts here:

Also, for some reason this site is being blocked by filters at the BlueHost support locations.

https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html

So here’s the text from the site:

If your site got hacked on the last mass infection of WordPress sites out there, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.

Log in via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

If you have SSH access to your server, run the following commands on your web root:

$ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1
$ find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1

Via web:

If you don’t have SSH access, download this file to your desktop:
https://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: https://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleaned up after you run it (or you are getting extra empty lines on the top of your files), it means that the script didn’t finish running properly. Try running it again. If it doesn’t help, upload it to some sub directories (like wp-admin, wp-content and wp-includes) and run directly from there. For example:
https://yoursite.com/wp-admin/wordpress-fix.php , https://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!

Here’s what the script returned:

Site clean up by https://sucuri.net
This script will clean the malware from this attack: https://sucuri.net/malware/entry/MW:MROBH:1

If you need help, contact dd@sucuri.net or visit us at https://sucuri.net/index.php?page=nbi

Malware removed.
Empty lines removed.

Completed.
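
A read-only check to run before and after the cleanup steps quoted above (an added example, not part of the original post or of Sucuri's script): it lists cgi-bin/php.ini, leftover ".nts" files, and PHP files that still begin with empty lines. The function name, the output labels and the sample web root are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: read-only audit, nothing is modified or deleted.
# Output: one finding per line as TYPE<TAB>PATH.
audit_webroot() (
    root="${1:-.}"

    # cgi-bin/php.ini is the file the quoted post says to remove; without it
    # the ".nts" files are not executed.
    find "$root" -type f -path '*/cgi-bin/php.ini' | while IFS= read -r f; do
        printf 'PHP_INI\t%s\n' "$f"
    done

    # Leftover ".nts" files, which the post says can be removed later.
    find "$root" -type f -name '*.nts' | while IFS= read -r f; do
        printf 'NTS_FILE\t%s\n' "$f"
    done

    # Non-empty PHP files whose first line is empty: the "extra empty lines on
    # the top of your files" symptom, i.e. what sed '/./,$!d' would strip.
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        if [ -s "$f" ] && [ -z "$(head -n 1 "$f")" ]; then
            printf 'LEADING_BLANK\t%s\n' "$f"
        fi
    done
)

# Constructed sample web root (assumption: layout invented for this demo).
demo=$(mktemp -d)
mkdir -p "$demo/cgi-bin" "$demo/wp-admin"
: > "$demo/cgi-bin/php.ini"
: > "$demo/cgi-bin/x.nts"
printf '\n\n<?php echo "hi"; ?>\n' > "$demo/wp-admin/page.php"
printf '<?php echo "ok"; ?>\n' > "$demo/index.php"
audit_webroot "$demo"
rm -rf "$demo"
```

Run it as `audit_webroot /path/to/webroot`; an empty result after cleanup means none of the three leftovers remain.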

