holasionweb Aka Zettapetta v2 – And The Saga Of Mass Infection For PHP Based Systems Continues At GoDaddy’s Shared Hosting [Code Name MW:MROBH:1]

After the previous episode of the mass Zettapetta malware infection on PHP-based websites, the malware has now changed platform and points to holasionweb.com.

holasionweb.com – The New Platform Triggering The Infections


Once again, Sucuri Security Labs and WPSecurityLock Team are working on this conundrum.

How Does This Malware Work?

It appears that the first part of the attack changes all of your PHP files, injecting its own malicious encrypted code into them. The second part comes when you browse your pages: the malicious code is triggered and loads the attack from another source residing on a remote server. This malware has been tagged with the code name MW:MROBH:1 by Sucuri Labs:

Name: MW:MROBH:1
Description: Code used to insert a malicious javascript on many
wordpress sites. Loading the malware from:
http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php
http://holasionweb.com/oo.php

Generally infecting the footer.php (or all PHP files in some cases).

No It’s Not WordPress At Fault!

Sucuri Labs insisted that these infections do not stem from the WordPress package:

All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus, not all of them were using WordPress. I don’t want to see the “users were not updated” excuse again, please.

Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, very annoying since all the PHP files get modified.

How To Know You Have This Infection?

1) In your HTML source code, you will find ‘holasionweb.com’ somewhere in the header section

2) You are suddenly redirected to a page with the URL: www.1.realsafe-23.net/

3) The WPSecurityLock Team also alerted that infected sites get redirected to a fake AV alert page
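To check the PHP files on disk rather than the rendered page, the following added example (not code from Sucuri or from the original post) walks a web root and flags every .php file that references one of the three domains listed in the MW:MROBH:1 description. The base64 pass is an assumption about how the injected code is hidden, and the function names and sample files are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Domains taken from the MW:MROBH:1 description quoted on this page.
INDICATORS = (b"indesignstudioinfo.com", b"zettapetta.com", b"holasionweb.com")
# Assumption: the obfuscated payload may sit in a quoted base64 string literal.
B64_LITERAL = re.compile(rb"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")

def find_indicators(data: bytes) -> set:
    """Return indicator domains seen in plain text or inside base64 literals."""
    lowered = data.lower()
    hits = {d.decode() for d in INDICATORS if d in lowered}
    for match in B64_LITERAL.finditer(data):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).lower()
        except ValueError:  # not valid base64 after all
            continue
        hits |= {d.decode() + " (base64)" for d in INDICATORS if d in decoded}
    return hits

def scan_webroot(root) -> dict:
    """Map each flagged .php file (relative path) to the indicators found."""
    root = Path(root)
    flagged = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_indicators(path.read_bytes())
        if hits:
            flagged[path.relative_to(root).as_posix()] = hits
    return flagged

def demo() -> dict:
    """Scan a throwaway web root filled with constructed sample files."""
    blob = base64.b64encode(b"constructed sample: http://zettapetta.com/js.php")
    samples = {
        "index.php": b"<?php echo 'clean page'; ?>",
        "theme/footer.php": b'<script src="http://holasionweb.com/oo.php"></script>',
        "lib/util.php": b'<?php $x = base64_decode("' + blob + b'"); ?>',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp) / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_webroot(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, sorted(hits))
```

Point `scan_webroot()` at a copy of the site's document root; a clean result only means these three domains were not found, not that the files are unmodified.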

Solution If You Are Infected

  • Sucuri Security Labs – Simple cleanup solution for the latest WordPress hack

No Clue Yet About Those Attacks

Let me remind you that it has been more than 2 weeks now that these infections have been targeting PHP-based websites, and the primary hosts targeted are GoDaddy’s servers. Until now, no security team has been able to find the cause of this problem.

If you have any clue or idea, I would like to hear from you.



