First off, apologies to those who came to my site to find it down earlier today. Second off, bigger apologies to those who came to my site in the last few hours before it was down and had it try to give you a virus. I mean, I’m a prankster sometimes, but even I wouldn’t go that far. =P
Regardless of whether you experienced any of this, you should keep reading because this problem is affecting a lot of web sites and computers. Apparently what happened is a version of what is written about here.
Here are the holasionweb symptoms:
1. Infected sites get redirected to a fake AV (scareware).
2. Some home pages are not showing the virus, but when clicking on a post or page, you will see the redirect [see the link for pictures].
3. Redirects to a blank page at www.1.realsafe-23.net
4. Source code reveals [something having to do with holasionweb.com] in the header section of the infected pages.
Public Service Announcement: When your computer tells you to click OK to start any sort of “cleaning” process because it’s supposedly discovered something that shouldn’t be on your machine, be VERY careful to confirm that it’s not a program within your web browser trying to get you to accept a virus. (There are certain mean things that the program can’t do without permission from you, so it’s trying to trick you into giving it permission.) You can close the alert window by clicking the X in the corner, rather than the “OK” button that the program wants you to click, and then close the browser window. Alternatively, you could hit Control-Alt-Delete and force the browser to close. Hell, even holding down the power button until the damn computer shuts itself off would be a better option than clicking OK. (If you choose one of these last two options, be wary when the browser asks you if you would like it to restore the tabs from the last session, since that could likely just get you back where you started.) Then you can scan the computer for viruses; just make sure that your virus software is updated to catch these new guys.
If you run a web site…well, my condolences. This issue seems to have started with sites hosted on GoDaddy servers and has since spread from there. The first thing I would do is look at the FTP directory of your site and see if there are any files that have been mysteriously updated recently. (For me it was the .htaccess file and all of the PHP files.) If the .htaccess file has been modified, try to compare it to a backup version that you have to see what has been changed. If you have a backup of the whole site, I would just replace the infected files with the backup. If you don’t, you need to find the script that is causing all of this and remove it from ALL of the files that have it. The script will either have the URL http://holasionweb.com/oo.php in it or will be some long encoded string that obviously isn’t supposed to be there. You can go through each file individually to do this, you can write some Perl code to scrub the files, or you can download a free program called TextCrawler that can find and replace across documents.
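The check described above can be scripted against a local copy of the site. This is an added example, not code from the original post: it only reports files and changes nothing, and the function names, the extension list and the 200-character threshold for an "encoded thing" are assumptions made for illustration.

```python
import os
import re
import tempfile
import time

MARKER = "holasionweb.com"  # domain named in this post
# Assumption: an unbroken run of 200+ base64-style characters is suspicious.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")
EXTENSIONS = (".php", ".html", ".htm", ".js", ".htaccess")

def scan_file(path, cutoff):
    """Return the reasons this file deserves a manual look (may be empty)."""
    reasons = []
    if os.path.getmtime(path) >= cutoff:
        reasons.append("recently modified")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if MARKER in text:
        reasons.append("contains " + MARKER)
    if ENCODED_RUN.search(text):
        reasons.append("long encoded run")
    return reasons

def scan_site(root, days=7, now=None):
    """Walk a local copy of the site; map relative path -> list of reasons."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                reasons = scan_file(path, cutoff)
                if reasons:
                    findings[os.path.relpath(path, root)] = reasons
    return findings

if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": "<?php echo 'hello'; ?>",
            "post.php": "<script src='http://holasionweb.com/oo.php'></script>",
            "lib.php": "<?php $x = '" + "QUJD" * 60 + "'; ?>",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        for path, reasons in sorted(scan_site(root).items()):
            print(path, "->", ", ".join(reasons))
```

Anything it lists still needs to be compared against a backup by hand, since a legitimate file can be recently edited or contain a long encoded string.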
Lastly, don’t believe your hosting company when they tell you this is your fault because you don’t have the most updated version of whatever package you’re using; it’s happening to plenty of people with updated software and thus needs to be addressed at the provider level. To be on the safe side, I would change your FTP and database passwords and Google your site to make sure that it’s not flagged as evil. (This will happen if the malicious code sits there for too long, and you will need to contact Google to have the warning taken off if it’s there.)
Now you know what I’ve been up to all day…and all it took to fix the problem was 2 degrees in Computer Science. =P