Malware issue and SimplePie

[sarina28]

I have a php website using SimplePie for WordPress feeds. This is my first php site. After 2 weeks of running the SimplePie code, I starting getting a "fake http scan 5" page popping up during loading. The first time it happened, I ran a scan on my local copy, and it was clean. I contacted GoDaddy, and they did not see any issues on their end. I deleted the remote copy, and re-uploaded my local copy. It was fine for 4 days, and it's happening again. The only thing I can see is it is happening when the rss feed is loading. I'm going to replace the rss feed with just a text link to the blog, and see what happens. I posted this on SimplePie user form as well. Has anyone ran into this problem. Any input would be greatly appreciated.

[sarina28]

I also noticed that my pages were taking forever to load, so I looked at all of my code starting with the include files. I noticed that all of them had malicious code added inside of php tags. They took up about 20 lines. I removed it from all the pages, and the pages load fine. I do not know if it is related to the rss feed. This has never happened to me, so it's all new to me. I put alot of time into this site, and this stuff really sucks. I use Core FTP LE and Dreamweaver to upload my files. I'm wondering if it that is not secure enough. The site is hosted on GoDaddy, and they have there own ftp. Should I be uploading my files through their program?

 

Again thanks for your help.

[falkencreative]

My two cents... it sounds like this doesn't have anything to do with SimplePie, but rather that your host got hacked and malicious code added to the files on the server. What you are using should be secure enough -- just keep backups and definitely change your FTP password if you haven't already.

[sarina28]

My two cents... it sounds like this doesn't have anything to do with SimplePie, but rather that your host got hacked and malicious code added to the files on the server. What you are using should be secure enough -- just keep backups and definitely change your FTP password if you haven't already.

 

 

Thanks for your input. When I first noticed the problem, I did change my passwords. I think I will reload all my pages, but without SimplePies RSS. It took 4 days for the fake http scan to re-appear again, so I'll give it a week.

[sarina28]

I did find malicious code in all of my include files. The code was about 20 lines of code within php tags, and was in red. I deleted all of it, and I re-inserted the SimplePie code. No problems so far, and the site is loading faster. I also changed all my passwords. I hope this takes care of it. I never had this problem before but, I guess it is bound to happen sometime. I have learned alot building my first php site.

[sarina28]

After changing all my passwords, I still ran into same issues. I'm at a loss. I checked my remote files this morning, and noticed the malicious script was in all my inlcude files. After deleting all of it for the third time, I noticed the same code is now attached to all my php files. Dreamweaver called it server scripts. Is there a way to prevent this code from attaching itself when the pages are being called?

 

I'm not sure how much of the code I can paste here without causing any issues, but the code starts with this:

 

eval(base64_decode....

 

There is about 20 lines of code after that.

[sarina28]

After much headache, I found it was not me after all. I just found out from GoDaddy, that there has been a Malware attack. Here is in short what they wrote. Hope this helps others that may have been affected.

 

After more attacks, further evidence suggested the target was not WordPress.

 

This is a complex attack with many components. Here is a high-level overview of how they occur:

 

1. The attacker is coordinating attacks against three different hosting providers for this to work.

* At Hosting Provider ‘A’ – A malicious file is placed on hosting accounts at this provider. No two files have the same name.

* At Hosting Provider ‘B’ – A file is uploaded listing the infected domain names and unique file names from provider ‘A.’

* At Hosting Provider ‘C’ – A malicious “scareware” site is placed on compromised accounts

2. After the attackers put their files in place, they use Hosting Provider ‘B’ to trigger the malicious files on Hosting Provider ‘A.’ When triggered, the malicious file:

* Scans the hosting account for any php file

* Injects malicious content, installing malware that directs to Hosting Provider ‘C’

* Removes any trace of itself from ‘Hosting Provider B’

3. The attack is complete when an infected website receives a visitor. The visitor, if not adequately protected, will have malware installed on their machine.

4. The malware will alert the infected computer to purchase fake anti-virus software, located at Hosting Provider ‘C.’

[virtual]

Ooh I'll have to go check my sites. What are they doing to prevent this as obviously you can't keep cleaning out your files and changing passwords all the time?

[sarina28]

Ooh I'll have to go check my sites. What are they doing to prevent this as obviously you can't keep cleaning out your files and changing passwords all the time?

 

 

They said they were jointly taking care of the problem with other host providers. About 300 php sites were affected. In the meantime, they will scan and clean any effected sites for free. You have to email them, and they will do it with a press of a button. I asked them if I could buy one of those buttons. They said they're not for sale. lol

 

If it were possible, I would create a virus that would set those loser's fingers on fire everytime they would touch a keyboard.