![Home](data:image/svg+xml;utf8,%3Csvg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"%3E%3Cpath fill="rgb(0,166,128)" d="M280.37 148.26L96 300.11V464a16 16 0 0 0 16 16l112.06-.29a16 16 0 0 0 15.92-16V368a16 16 0 0 1 16-16h64a16 16 0 0 1 16 16v95.64a16 16 0 0 0 16 16.05L464 480a16 16 0 0 0 16-16V300L295.67 148.26a12.19 12.19 0 0 0-15.3 0zM571.6 251.47L488 182.56V44.05a12 12 0 0 0-12-12h-56a12 12 0 0 0-12 12v72.61L318.47 43a48 48 0 0 0-61 0L4.34 251.47a12 12 0 0 0-1.6 16.9l25.5 31A12 12 0 0 0 45.15 301l235.22-193.74a12.19 12.19 0 0 1 15.3 0L530.9 301a12 12 0 0 0 16.9-1.6l25.5-31a12 12 0 0 0-1.7-16.93z"/%3E%3C/svg%3E)
After the previous episode of Mass Zettapetta malware infection on PHP based websites, this time the malware changes platform to point to holasionweb.com
holasionweb.com – The New Platform Triggering The Infections
After the previous episode of Mass Zettapetta malware infection on PHP based websites, this time the malware changes platform to point to holasionweb.com
Once again, Sucuri Security Labs and WPSecurityLock Team are working on this conundrum.
How Does This Malware Work?
It appears that the first part of the attack is to change all of your PHP files and injecting its own malicious crypted code. The second part comes when you browse your pages; the malicious code is triggered causing it to load the attack from another source residing on a remote server. This malware has been tagged with code name MW:MROBH:1 by Sucuri Labs:
Name: MW:MROBH:1
Description: Code used to insert a malicious javascript on many
wordpress sites. Loading the malware from:
http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php
http://holasionweb.com/oo.phpGenerally infecting the footer.php (or all PHP files in some cases).
No It’s Not WordPress At Fault!
Sucuri Labs insisted that those infections do not stem from WordPress Package:
All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus. not all of them were using WordPress. I don’t want to see the “users were not updated” excuse again, please.
Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, very annoying since all the PHP files get modified.
How To Know You Have This Infection?
1) In your html source code, you will find ‘holasionweb.com‘ somewhere in the header section
2) You are suddenly redirected to a page with the url: www.1.realsafe-23.net/
3) The WPSecurityLock Team also alerted that infected sites get redirected to a fake AV alert page
Solution If You Are Infected
- Sucuri Security Labs – Simple cleanup solution for the latest WordPress hack
No Clue Yet About Those Attacks
Let me remind you that it’s been like more than 2 weeks now these infections are being targeted at PHP based websites and the primary house targeted are GoDaddy’s servers. Till now no Security Team has been able to find the cause of this problem.
If you have any clue or idea, would like to hear from you..