Huge props to Estelle Weyl for alerting me to the fact that one of my websites (Don’t panic! Not this one!), alexisgo.com, was compromised by sweepstakesandcontestsnow.

It looks like a number of people running WordPress on Dreamhost fell victim to this.

There is a great write-up of the issue here: http://www.travelswithakazoo.com/2011/09/how-embarassing/ and here: http://sucuri.net/new-malware-sweepstakesandcontestsnow-com.html

To summarize, what seems to have happened is these lovely folks inserted a base64-encoded string at the top of every PHP file in your root directory. This string evaluates to some code that adds the following line (which I’ve modified) of JavaScript to every HTML file in your root directory:

[code]
script src="http://do not go to sweepstakesandcontestsnow.com/nl.php?nnn=1"
[/code]

So, what about this site? It looks like I was saved by some of the custom tweaks I made to this particular WordPress install, as it appears that the malicious script tried to do the same to this site, but, well, failed (the script tried the wrong directory).

I haven’t heard back from Dreamhost on how this all went down, but I have since changed all my logins and thoroughly chastised myself. If you have visited alexisgo.com in the last 10 days, especially if you were running IE, you will want to do a full system scan. I deeply apologize for this.

If you use Dreamhost and run WordPress, you should check out your sites while running NoScript in Firefox, and make sure you don’t have cause to feel as embarrassed as I do right now. Here is the cleanup for the effects of this should your site have been a target: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html
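
To check a site root for both traces described above (the base64 blob at the top of PHP files and the injected script line), here is a small scanner. It is an added example, not code from this post or from the linked write-ups. It assumes the injected PHP passes its payload to `base64_decode("...")`, which the post does not spell out; the function names and the sample files are constructed for illustration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

DOMAIN = b"sweepstakesandcontestsnow.com"  # indicator named in the post
# Assumption: the injected PHP line passes its payload to base64_decode("...").
B64_CALL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{40,})['\"]")
SCRIPT_TAG = re.compile(rb"<script[^>]+src\s*=\s*['\"]?[^'\">]*" + re.escape(DOMAIN), re.I)
HEAD_BYTES = 4096  # "top of the file": only the first 4 KiB is checked for the blob

def scan_file(path):
    """Return a list of findings for one file (empty list means clean)."""
    data, findings = path.read_bytes(), []
    ext = path.suffix.lower()
    if ext == ".php":
        m = B64_CALL.search(data[:HEAD_BYTES])
        if m:
            try:
                decoded = base64.b64decode(m.group(1))
            except binascii.Error:
                decoded = b""  # not valid base64; the call is still reported
            hit = "decodes to the domain" if DOMAIN in decoded else "content unknown"
            findings.append(f"base64 blob at top of file ({hit})")
    if ext in (".php", ".html", ".htm") and SCRIPT_TAG.search(data):
        findings.append("script tag loading from the domain")
    return findings

def scan_root(root):
    """Scan only the files directly in `root`, matching the post's description."""
    results = {}
    for p in sorted(Path(root).iterdir()):
        if p.is_file() and (found := scan_file(p)):
            results[p.name] = found
    return results

def demo():
    """Write constructed sample files to a temp directory and scan them."""
    blob = base64.b64encode(b"/* constructed stand-in payload: " + DOMAIN + b" */")
    samples = {
        "index.php": b'<?php eval(base64_decode("' + blob + b'")); ?>\n<?php echo "hi"; ?>\n',
        "clean.php": b'<?php echo base64_decode("aGk="); ?>\n',
        "about.html": b'<html><script src="http://' + DOMAIN + b'/nl.php?nnn=1"></script></html>\n',
        "ok.html": b'<html><script src="/js/site.js"></script></html>\n',
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            (Path(d) / name).write_bytes(body)
        return scan_root(d)

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", "; ".join(found))
```

To scan a real install, call `scan_root()` on the WordPress directory; a PHP file reported as "content unknown" still deserves a manual look, since legitimate code rarely starts with a long base64 literal.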