Godaddy hacked again. Another way to cure your site.

May 17, 2010


Godaddy got hacked again this morning (This is what Godaddy has to say about it). Update: and again on May 20.
If you host your blog on Godaddy, you would do well to check your site regularly for any malware, and here is how.

The hack is the same as the previous 4 hacks and affects thousands of sites: a one-line piece of malware is inserted in every single .php file on your site, starting with:

<?php /**/ eval(base64_decode("goobledegoob"))

I described before how to cure it, but here is another, slightly more sophisticated way which first lists the infected files, prompts to continue, deletes the oneliner malware in all of your .php files, and lists the cured files. It is inspired by a script written by Andy Stratton in this post.

The script works not only for Godaddy + WordPress, but for any PHP-based site (I used it this morning to cure a Drupal site) on any host.

Here are the right steps to follow:

  1. Back up your site first, just to be safe. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like Filezilla works fine.
  2. Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer.
    (Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.php)
  3. FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php etc..):


    GoDaddy Root Directory

    If you only want to clean a subdirectory (and the tree beneath it), put the file in that subdirectory, but remember that the URL in the next step then has to reflect that.

  4. Then execute the script by opening this URL in your browser:

    http://yoursite.com/fixfiles.php

    or, if you put it in a subdirectory:

    http://yoursite.com/subdir/fixfiles.php

  5. The script will first scan for the malware code in your files, in the directory it was put in and in all directories beneath it.
    If you get the message:

    0 Infected Files in ./

    …then your site is clean.
    If any malware is found, the script will list the infected files and prompt you to fix them:

    malware found - fix the files

    Click on “Fix Files”, then click OK on the prompt to proceed:

    Prompt to fix malware
    The script will scan through all files again, and clean the malware. It will list all files that were cleaned.

    Malware scan finished

  6. Delete the “fixfiles.php” file from your site after execution.
  7. If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE; otherwise the malware will continue to be served to your users, even though you cleaned your .php code.
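The scan-then-fix procedure of the steps above, written out as an added Python example; this is not the post's fixfiles.php script, but a stand-alone equivalent a site owner can run over the local backup copy made in step 1 (or over the site itself where shell access exists). Like the post's script it lists the infected .php files, strips the one-liner only when asked to (--fix), and walks every directory beneath the starting point; additionally it decodes the base64 payload for inspection without ever executing it, and it reports a directory it cannot open instead of aborting (the situation behind the opendir warning in the comments). The exact closing of the injected line (`));?>`) is assumed, since the post only shows how the line starts, and the sample payload and site tree in `demo()` are constructed for the example.

```python
"""Scan a tree of .php files for the prepended eval(base64_decode(...)) one-liner.

Usage:  python phpscan.py /path/to/site-backup [--fix]
        python phpscan.py            (no argument: runs the constructed demo)
"""
import base64
import os
import re
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Signature of the injected line described in the post. The post only shows the
# start of the line; the closing '));?>' is an assumption made here so that the
# whole one-liner, and nothing else, is removed.
SIGNATURE = re.compile(
    rb'^<\?php\s*/\*\*/\s*eval\(base64_decode\("(?P<b64>[A-Za-z0-9+/=]*)"\)\)\s*;?\s*\?>[ \t]*\r?\n?'
)

# Constructed sample data (not real malware): a harmless payload standing in for
# the "goobledegoob" blob, prepended to an ordinary PHP file.
SAMPLE_PAYLOAD = b'echo "constructed sample, not real malware";'
SAMPLE_INJECTION = (b'<?php /**/ eval(base64_decode("'
                    + base64.b64encode(SAMPLE_PAYLOAD) + b'"));?>')
SAMPLE_ORIGINAL = b'<?php\n/** Front to the WordPress application. */\necho "hello";\n'


def find_signature(source: bytes) -> Optional[re.Match]:
    """Return the match if the file starts with the injected one-liner, else None."""
    return SIGNATURE.match(source)


def decoded_payload(source: bytes) -> Optional[bytes]:
    """Decode (never execute) the base64 blob so it can be inspected safely."""
    match = find_signature(source)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group("b64"), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None


def scan_tree(root: str, fix: bool = False) -> Tuple[List[str], List[str]]:
    """Walk root recursively and return (infected_files, unreadable_paths).

    With fix=True the one-liner is stripped in place, keeping the original code
    that follows it. Directories that cannot be opened are collected rather than
    aborting the scan, so one bad subdirectory does not hide the rest of the tree.
    """
    infected: List[str] = []
    unreadable: List[str] = []

    def on_error(err: OSError) -> None:
        unreadable.append(err.filename)

    for dirpath, _dirnames, filenames in os.walk(root, onerror=on_error):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue  # the injection only targets .php files
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    source = fh.read()
            except OSError:
                unreadable.append(path)
                continue
            match = find_signature(source)
            if match is None:
                continue
            infected.append(path)
            if fix:
                with open(path, "wb") as fh:
                    fh.write(source[match.end():])  # everything after the one-liner
    return infected, unreadable


def demo() -> Dict[str, object]:
    """Build a constructed site tree in a temp dir, then scan, fix and rescan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "plugins"))
        files = {
            "index.php": SAMPLE_INJECTION + SAMPLE_ORIGINAL,
            os.path.join("wp-content", "plugins", "hello.php"): SAMPLE_INJECTION + b"<?php echo 1;\n",
            "wp-config-sample.php": SAMPLE_ORIGINAL,  # clean file, must be left alone
            "readme.txt": SAMPLE_INJECTION,            # not .php, must be ignored
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        before, _ = scan_tree(root)
        scan_tree(root, fix=True)
        after, _ = scan_tree(root)
        with open(os.path.join(root, "index.php"), "rb") as fh:
            restored = fh.read()
    return {"infected_before": len(before), "infected_after": len(after),
            "index_restored": restored == SAMPLE_ORIGINAL}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
        sys.exit(0)
    do_fix = "--fix" in sys.argv[2:]
    found, failed = scan_tree(sys.argv[1], fix=do_fix)
    for path in found:
        print(("Cleaned: " if do_fix else "Infected: ") + path)
    for path in failed:
        print("Could not open: " + path)
    print(f"{len(found)} Infected Files in {sys.argv[1]}")
```

The scan is run twice on purpose, once to list and once to fix, mirroring the post's "list, prompt, then clean" flow; anything reported under "Could not open" is a directory the scan did not see, so it should be checked separately rather than taken as clean.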

All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on Godaddy), which the hosting companies have been unable to identify and/or close.

Until such time, scan your sites every day, and cure the problem immediately before your visitors get infected.

Picture courtesy Owning Pink

{ 13 comments… read them below or add one }

Clive at BlogBriefing.com May 17, 2010 at 19:44

Many thanks for this.

Thankfully I’ve only ever used GoDaddy as a Domain registrar service, and not used their hosting (although I recognize the fact that it’s not just them being infected but that they are a principal target) but this ‘fix’ will be very useful for my readers who have not been so fortunate in their hosting provider decisions.

Hostgator seem to be doing something right though, as their clients have not so far been affected – but maybe they have yet to be targeted!

I contacted my hosting provider in Europe who assures me that they are monitoring the situation closely and learning any security lessons that they find might need addressing.

Peter May 17, 2010 at 20:04

Hi Clive,

Thanks.. I looked at Hostgator.. Indeed they seem to have been saved from the latest hacks. What was not clear, though, was if their packages include the installation services as Godaddy has where Drupal, Wordpress etc.. can be installed by a click of a button.
I am pretty savvy manipulating Drupal and WP, but am absolutely ignorant at system level, so “auto install” would be a must for me.

Another question: have you ever tried their auto-migrate services where they take an existing site and domain and migrate it to their hosting service for free?

thanks,

Peter

Peter May 17, 2010 at 22:47

Sorry, leaving an answer to one of my questions: It seems hostgator uses Fantastico to install 3rd party applications…

So that leaves the question if anyone ever tried their migration services?

Peter

Jon Marks May 18, 2010 at 23:06

Thanks! I used your script to temporarily bring my site back to life. I’m also sick to death of GoDaddy. Slow, unstable and now this. If you fancy a GoDaddy rant …

http://jonontech.com/2010/05/18/godaddy-godaddy-you-bastards-im-through/

Peter May 19, 2010 at 01:40

Glad it helped, Jon!
I am looking for a Godaddy alternative myself… Not too happy about it either…

Peter

Ted May 21, 2010 at 23:14

Thanks for your time and script too. I ran it on two of my gd hosted sites and they were both ok. Would have taken a lot longer to do it manually.

JaykGrey May 22, 2010 at 06:02

“(Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.txt)”

Do you mean “fixfiles.php”?

Peter May 22, 2010 at 12:43

Sorry, my mistake… Correct: save it as “fixfiles.php”

Peter

John Soares May 27, 2010 at 19:06

I hope I’ll avoid the attacks now that I’ve left Godaddy and moved all of my Wordpress sites to Hostgator.

My fingers are crossed…

Peter May 27, 2010 at 19:09

John,

I am seriously contemplating moving too… Did they do the migration for you, or did you move everything yourself?

Peter

Chris Merriman June 8, 2010 at 08:29

Hostgator (basically the same as bluehost) are normally helpful with their live chat tech support. A request to enable shell access (required a scan of photo ID) was sorted within an hour.

However, all my sites were attacked in the same way as listed above, (around May 19th I think) so I don’t think that their security is necessarily better than godaddy’s, using this attack as evidence.

Finally, I’d recommend using their simplescripts service over fantastico, as WP upgrades are made available more quickly, and is a little more flexible.

Aaron June 8, 2010 at 22:36

I ran this test and got this script, am i in the green or is my site infected?

Warning: opendir(./\_db_backups\) [function.opendir]: failed to open dir: No such file or directory in D:\Hosting\4769296\html\fixfiles.php on line 35
0 Infected Files in ./

Peter June 9, 2010 at 07:13

Hi Aaron:

  • Looks like the script could not open the directory “_db_backups” (which is typically where the hosting company puts the backups of your SQL database). Would it be possible the directory was deleted while the script ran? Does that directory exist; can you see it with FTP? I guess re-running the script gives the same error message, does it? Can it be opened (on my site, the directory has the file protection value 705)?
    Apart from this error opening that particular subdirectory, it looks like indeed your site is not infected.
  • If you want to double-check, You can always put the script in a subdirectory, eg \wp_content and run it from there as http://yoursite.com/wp_content/fixfiles.php… Know that then, ONLY that subdirectory (and other directories beneath it) will be checked/cured, and not the whole site.

P.


{ 1 trackback }