So for the past couple of hours I have been dealing with the “friendly” support staff at BlueHost, one of the largest hosting companies in the US.
Apparently this past weekend many of their servers had been hacked.
You can read some user accounts here:
Also, for some reason this site is being blocked by filters at the BlueHost support locations.
So here’s the text from the site:
If your site got hacked on the last mass infection of WordPress sites out there, we have a simple solution to clean it up.
For Network Solutions users:
If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.
Login via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.
You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.
If you have SSH access to your server, run the following commands on your web root:
$ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1$ find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1
If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.
That’s it and you should be clean again.
UPDATE: If your site is not getting cleanup after you run it (or you are getting extra empty lines on the top of your files), it means that the script didn’t finish to run properly. Try running it again. It it doesn’t help, upload it to some sub directories (like wp-admin, wp-content and wp-includes) and run directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!
Here’s what the script returned:
If you need help, contact firstname.lastname@example.org or visit us at http://sucuri.net/index.php?page=nbi
Empty lines removed.