I am very much with incrediBILL on WordPress; I kind of see it as driving a family sedan in a battle zone.

To prevent potential headaches and risks, I had been cracking my brain trying to find a flexible but secure method of managing content that's self-hosted, and came to the conclusion that if you want a blog then perhaps it's best to use desktop publishing applications. No scripts or databases used; updates are made straight through sftp. Sure you might lose some functionality/flexibility, but depending on your needs this could be the most secure solution possible since your blog will ONLY consist of pure html files.

I think my seldom used blog, hosted on Netsol, has been a victim of this. It has the suspect block of code at the top of very source file.

But I haven't gotten any alerts from AVG, or FF. The blog is the latest version, but I just updated it the other day and don't know when this hack happened.

I also don't know what to look for on my computer to see if it has been infected/affected.

And how do I get rid of this thing if it's on my machine.

No scripts or databases used; updates are made straight through sftp. Sure you might lose some functionality/flexibility, but depending on your needs this could be the most secure solution possible since your blog will ONLY consist of pure html files.

They have had this for years, it's called BLOGGER.

It will post directly to an FTP site.

But I haven't gotten any alerts from AVG, or FF.

You might not because this is so new AVG won't know anything about it and FF won't alert you because as the report says, the safe surf API is being defeated with cloaking.

The real irony here is that the malware appears to have gotten smarter than WordPress.

I've recently been told the same exploit code is also appearing on ZenCart sites on at least GoDaddy; the commonality being PHP here.

So how do we deal with this thing?

I've recently been told the same exploit code is also appearing on ZenCart sites on at least GoDaddy; the commonality being PHP here.

I thought it was suspected but not proven yet?

Always, the first impulse is to blame WordPress. And, I'm not saying it's blameless. But the article does mention that it doesn't appear the "hole" originated with WordPress. Sites on certain hosts are infected. So far my WP sites are OK. I'm on a VPS.

Also, there are reports that sites other than those on the WP platform are being infected. At the risk of violating the WebmasterWorld TOS, this site purports to have a cleanup:

[blog.sucuri.net...]

this is a Godaddy, not WP issue, without a shadow of a doubt.

this is the 4th time in 3 weeks, the same sets of servers and hosting packages, and far from only WP, many different types of websites are done every time, meanwhile other WP sites on the same hosting but different packages or servers still have old outdated WP versions & plugins and are untouched.

I think a Godaddy machine/s are seriously compromised, the hacker has a back door or something and can rehack all the same sites at will.

they are utterly hopeless.

No scripts or databases used; updates are made straight through sftp. Sure you might lose some functionality/flexibility, but depending on your needs this could be the most secure solution possible since your blog will ONLY consist of pure html files.

very interested, names please!

besides googles blogger, which no longer posts to your own FTP site :-( I guees google didn't like you having your own content.

J_RaD I think your mistaken a little on blogger. True you can't ftp now but the content is on your site or subdomain. It is the same as ftp but now real time I like it much better myself and for the most part it is more secure.
All the archives are still on my site as well as all the content the only part not on my site content is comments as it was before.

Without going too far off topic - Blogger appears to have stopped supporting FTP publish just this month!

We will no longer support FTP publishing in Blogger after May 1, 2010

[google.com...]

Oh well.

Still, the best option for WordPress IMO, if you must use it, is to use WordPress.com to host it themselves.

I still think the big news in this story is that the hackers are now cloaking malicious content to avoid the automated tools attempting to find the malware.

If the hackers are successful and thwart Google's Safe Browsing, McAfee's Site Advisor, and other similar attempts to sanitize the web, we're most likely to see a sudden surge in infected machines.

Not good.

It's not just Wordpress, I had a few basic sites hosted on Godaddy with php files that were infected (not using any 3rd party softwares like Joomla or Wordpress), from various clients. The only common points were: php files and Godaddy.

I contacted their support to notify them of their vulnerability after I cleaned the sites, but they still cling to their "upgrade your 3rd party software" solution even though I didn't even use any in those instances.

The exploit uses cookies so it doesn't show up twice to the same user (or search engines) so some may think it is fixed when it is not.

very interested, names please!

Don't mean to hijack this thread, but AFAIK there's only one desktop blog publishing application that doesn't require a third-party blogging service (ie creates and upload html files by itself) and it's a freeware called thingamablog. I think most other desktop blog publishing software like Windows Live Writer require you to have an account with Windows Live Spaces, Blogger, Wordpress.com etc.

The advantage of this is that there's no danger of losing the software to manage your blog, which is what happened with blogger.

Koan, yes theyre just utterly useless aren't they?

despite overwhelming evidence of multiple different types of sites affected, and the only common denominator being them, they're still trying to get away with blaming WP.

lame.

I think a title change to this thread should be considered, especially as Word Press's reputation is getting a trashing with this being a front page thread.

Word Press's reputation is getting a trashing

That ship has already sailed with their repeated hackings over the years.

Even if WordPress isn't at fault, it's been at fault so many times you can't blame the hosts for pointing fingers at it.

While it may or may not be WordPress allowing the infection to occur, it's still WordPress blogs being infected with cloaking malware therefore the title is accurate.

what is the best way to tell if a site has been affected?

You just need to make sure that you remove the footprint that WordPress leaves. I think that'd cut it down dramatically. I dunno how complex this viruses are, but judging from past experiences, they simply find new victims by searching "powered by wordpress".

what is the best way to tell if a site has been affected?

Checking your indexed pages in the search engine like Google is a good start. When my blog was hacked a year ago the hacker injected p-o-r-n links and keywords so all my traffic went down the drain. Check your stats. If there are some weird things happening then I might suspect that it was hacked.