holasionweb.com – The New Platform Triggering The Infections
After the previous episode of the mass Zettapetta malware infection on PHP-based websites, this time the malware changes platform and points to holasionweb.com.
How Does This Malware Work?
It appears that the first part of the attack modifies all of your PHP files, injecting its own malicious crypted code. The second part comes when you browse your pages: the malicious code is triggered, causing it to load the attack from another source residing on a remote server. This malware has been tagged with the code name MW:MROBH:1 by Sucuri Labs:
wordpress sites. Loading the malware from:
Generally infecting the footer.php (or all PHP files in some cases).
No, It’s Not WordPress At Fault!
Sucuri Labs insisted that these infections do not stem from the WordPress package:
All the sites we checked so far were updated (WordPress 2.9.2) and using good permissions. Plus, not all of them were using WordPress. I don’t want to see the “users were not updated” excuse again, please.
Notice that this is not related to one specific platform. Most of the sites we checked were using WordPress, but some were on Joomla or using other web applications. Plus, very annoying since all the PHP files get modified.
How To Know You Have This Infection?
1) In your HTML source code, you will find ‘holasionweb.com’ somewhere in the header section.
2) You are suddenly redirected to a page with the URL: www.1.realsafe-23.net/
3) The WPSecurityLock team also alerted that infected sites get redirected to a fake AV alert page.
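The two signs above (the domain in the page’s header, and the injected code sitting in footer.php or in every PHP file) can be checked without waiting for a redirect. The script below is an added example, not code from the original post or from Sucuri: it scans a web root for PHP files referencing the indicator domains named in this post and checks a fetched page’s <head> for them. The file names and the script tag in the demo are constructed; the real injected code is obfuscated and will not look like this.

```python
import os
import re
import tempfile

# Indicators taken from the post: the domain the injected code loads from
# and the redirect destination victims reported.
INDICATORS = ("holasionweb.com", "1.realsafe-23.net")

def html_head_indicators(html, indicators=INDICATORS):
    """Return the indicators found inside the <head> of a page, where the
    post says the reference to holasionweb.com shows up."""
    m = re.search(r"<head\b.*?</head>", html, re.IGNORECASE | re.DOTALL)
    head = m.group(0) if m else html  # no <head>? fall back to the whole page
    return [i for i in indicators if i.lower() in head.lower()]

def scan_php_tree(root, indicators=INDICATORS):
    """Walk a web root and report every .php file that references an indicator,
    since the infection touches footer.php or every PHP file on the site."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    for ind in indicators:
                        if ind in line:
                            hits.append((os.path.relpath(path, root), lineno, ind))
    return hits

def demo():
    """Build a constructed mini web root (not real infected files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "t")
        os.makedirs(theme)
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")  # clean file, must not be reported
        with open(os.path.join(theme, "footer.php"), "w") as f:
            # constructed stand-in for the injected tag; the real code is crypted
            f.write("<?php /* theme footer */ ?>\n"
                    "<script src=\"http://holasionweb.com/\"></script>\n")
        return scan_php_tree(root)

if __name__ == "__main__":
    for path, lineno, ind in demo():
        print(f"{path}:{lineno}: {ind}")
```

Point scan_php_tree at the real web root (and run it again after cleanup) to confirm no PHP file still carries the reference.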
Solution If You Are Infected
- Sucuri Security Labs – Simple cleanup solution for the latest WordPress hack
No Clue Yet About Those Attacks
Let me remind you that it has now been more than 2 weeks since these infections started targeting PHP-based websites, and the primary host targeted is GoDaddy’s servers. So far, no security team has been able to find the cause of this problem.
If you have any clue or idea, I would like to hear from you.