
GoDaddy sites hacked again

Posted on Sep 18th, 2010 by


After the massive hacks that injected malware into shared-hosted sites at several providers back in April and May, it seems the attackers are back at work.

Many sites hosted by GoDaddy are being hacked at the moment I am writing this post. Two of mine were affected an hour ago.

Update: Hit again this morning (Sept 21).
Here is a record of the September virus spree, as I saw on my sites (all CET – Central European Time):

  • Friday Sept 17, 2010 – 23:30 CET
  • Tuesday Sept 21, 2010 – 08:30 CET

The scenario is the same as a few months ago: malware is injected into the .php files on the hosted sites, and visitors to a site are redirected to a third website, which injects a virus into the visitor's computer.

At this moment, it seems other hosting providers were or are being attacked too, so monitor your blogs. Check regularly over the next few days whether your site is infected. If it is, run the script from this post, and your site will be cured in a minute.
You can also use the same script to verify whether your site was infected. If you get the message

0 Infected Files in ./

… then your site is clean. If you get a list of infected files, click “Fix Files”, and within a few seconds, your site will be cleaned up. If you use a cache-plugin, don’t forget to clear your cache!
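The kind of check described above, sketched as an added example; it is not the script from the linked post and not code from this page. The page does not show the injected code, so the signature used here (a PHP block that evals a base64-decoded string) is an assumption, as are all function names and the constructed sample files.

```python
import base64
import re
import tempfile
from pathlib import Path

# ASSUMED signature (the page does not show the injected code): a complete
# PHP block that evals a base64-decoded string literal.
INJECTION = re.compile(
    rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*[\"'][A-Za-z0-9+/=\s]*[\"']"
    rb"\s*\)\s*\)\s*;\s*\?>"
)

def strip_injection(data: bytes) -> bytes:
    """Return the content with every matching injected block removed."""
    return INJECTION.sub(b"", data)

def scan(root: str) -> list:
    """Return sorted paths of .php files under root matching the signature."""
    return sorted(
        str(p) for p in Path(root).rglob("*.php")
        if p.is_file() and INJECTION.search(p.read_bytes())
    )

def report(root: str) -> str:
    """Summary line in the same form as the message quoted in the post."""
    return f"{len(scan(root))} Infected Files in {root}"

def fix(root: str) -> int:
    """Rewrite each flagged file without the injected block; return the count."""
    hits = scan(root)
    for path in hits:
        Path(path).write_bytes(strip_injection(Path(path).read_bytes()))
    return len(hits)

def build_sample() -> str:
    """Constructed sample site: one clean file, one carrying a harmless blob."""
    root = Path(tempfile.mkdtemp())
    page = b"<?php echo 'hello'; ?>\n"
    blob = base64.b64encode(b"echo 1;")  # constructed, harmless payload
    bad = b'<?php eval(base64_decode("' + blob + b'")); ?>' + page
    (root / "clean.php").write_bytes(page)
    (root / "index.php").write_bytes(bad)
    return str(root)

if __name__ == "__main__":
    site = build_sample()
    print(report(site))
    print("fixed:", fix(site))
    print(report(site))
```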

Note that if your site was infected and you loaded the site yourself, your computer might be infected too. Many antivirus programmes (McAfee, Norton, ...) will NOT catch the infection. Download the free malware scanner from Malwarebytes to verify and cure the infection.

Best of luck to you.

Picture courtesy thenewnewinternet




33 Comments to “GoDaddy sites hacked again”

  1. Todd Redfoot says:

    Go Daddy’s Security team quickly identified the source of this afternoon’s PHP exploit and expects to have the approximately 150 affected sites restored shortly. We are continuing to monitor for any related activity and appreciate customer feedback.

    As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

    • Peter says:

      Thank you Todd. I would encourage anyone who got hacked to at least let you know through the form. (as I was one of the first ones, I let your support know via Twitter too).

      It is true that GoDaddy support was quick to acknowledge the problem (at least on Twitter), contrary to the April/May hacks which took weeks before the problem was recognized as a hack.

      On the other hand, it is very discouraging to see this type of hack re-occurring. Certainly after the days-long downtime shared hosts on GoDaddy had this week…

      Anyways, I am starting to move my sites off to another host one by one as I just don’t have the time to monitor for problems and cure them.

      Peter

    • Peter says:

      By the way, Todd:

      1/ by the amount of tweets floating around from people complaining they were hacked, I would doubt only 150 sites were affected…

      2/ When I reported the hack, GoDaddy support emailed me back saying one of my sites was clean, and on the other, they still found malicious code which they cured.
      I doubt that, first of all because I cleaned all files on that site, and secondly, when I list all PHP files, the date/time stamp of the last modification is the same on all: the time I cured the site.
      I asked for them to confirm they still found malicious code (as typically they only hack a site once per day). But still waiting for the answer…

      Peter

  2. Avi says:

    Hi,
    Thanks a lot.
    Thanks a lot.
    Thanks a lot.
    It saves my blog.
    Thanks

  3. [...] hosting providers — including mine — were hacked yesterday, and this attack continues through today. Cyclelicious, along with probably hundreds of other blogs and websites, are victim to this [...]

  4. blkcatgal says:

    Todd, I think my website was hacked too. Contacted GoDaddy 3 times today and each time I was told they were not aware of any issues. Finally, last call, they did agree to run a scan on my site and claim nothing was found. I still feel less than secure about the whole thing.

  5. Todd Redfoot says:

    UPDATE:

    An exploit affected PHP files on approximately 150 Go Daddy accounts Friday afternoon. Go Daddy’s Security Team worked quickly to clean and restore these websites, however, we have detected additional customer sites that may currently be experiencing difficulties due to this same attack.

    Go Daddy’s Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.

    Meantime, our team is working swiftly to restore all affected websites and appreciates customer feedback. Go Daddy will continue to monitor as long as it takes to ensure our customer accounts are clean.

    If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

  6. [...] Thanks blog tips for this trick. [...]

  7. Cyclelicious Hacked! « Bike Monkey Magazine says:

    [...] hosting providers — including mine — were hacked yesterday, and this attack continues through today. Cyclelicious, along with probably hundreds of other blogs and websites, are victim to this [...]

  8. Sachin says:

    Hey I got it on the hub pages…
    It explains all what you need in a very easy manner… :)
    Save yourself…

    http://hubpages.com/hub/Godaddy-Malware-Issue-Fixed

  9. Joe says:

    I sometimes wonder if we are sane. To put up with this crap.

    • Peter says:

      @Joe

      Sometimes I wonder too.. That was the mood I was in, when I wrote an earlier post “Is blogging still fun”.

      • Joe says:

        I’m with Network Solutions. We’ve been cut off since yesterday from the outside so we can not upgrade what have you. I suspect this has something to do with this current Kamikaze attack underway on Go Daddy, so they have shut off and sealed any potential “holes” just to be on the safe side. Still frustrating as hell. I need to do some upgrading. As in like TODAY.

        Just the fact the Hilary Kneber group is still pulling off this crap is disturbing. We need to run them down and put them in jail and slam the door and toss away the key.

        • Peter says:

          @Joe

          I think this is the ultimate measure any hosting provider (or any type of whatever service provider) can take: close shop on the fear of a possible intrusion.
          I guess that shows how ‘sure’ they are of themselves, and their security system.

          Luckily it is not that bad on Godaddy. Especially this weekend, where I am revamping a site for one of the NGOs I work for.

          I would pay money to hear the security inside story of the Hilary Kneber group (that scam has been going on for years already)…

          I have to say though, that the malware infection on Godaddy was not as widespread as the one in April/May. But I might change that thought, if there is another attack in the next days.

          Anyways, I am moving off the sites one by one to Hostgator VPS hosting. I needed to try something else. Even if it was only to get better performance for one of my sites which completely outgrew Godaddy’s hosting.

          Best of luck to us all. :-)

  10. My site was hacked in May and I moved it from GoDaddy to TigerTech and so far I’m really happy with the move. At the time my site was hacked, I noticed my Trend security system warning would come up when I visited many other sites, indicating they too were hacked. I would contact the site owner and tell them. It’s interesting that there is a rash of hacks again. I’m also glad to see it openly discussed because it seems to be a fact of life for us.

  11. Todd Redfoot says:

    The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.

    Go Daddy’s Security Team worked quickly to clean and restore all affected sites. The exploit was caused by malicious files uploaded via FTP to customer websites.

    As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://gdhelp.godaddy.com/article/6

    As always, Go Daddy’s Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy’s 24/7 Customer Support.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

    • Peter says:

      Dear Todd,

      Thanks for the update.

      How do you explain that hundreds of websites get infected via FTP, all in the same period? How does that large amount of FTP passwords get out there?

      Peter

  12. Todd Redfoot says:

    The link to the help documentation explaining how to change your FTP password was incorrect.

    Please find the article at the following link:
    http://help.godaddy.com/article/6

    Thank you.

  13. Peter J says:

    I was considering moving over to GoDaddy but after stumbling across this post I don’t think I could. I know it’s cheap hosting but you get what you pay for, which is a host riddled with security flaws.
    I wish there was a way of securing WordPress more so the hacks wouldn’t happen. :|

  14. Doug Worrall says:

    It happened to me, was no big deal to repair, and Go Daddy keeps a back-up of all your database.

  15. Leslie Holbrook says:

    It’s baaa-aaack…Kneber / Waledac. GoDaddy support beyond poor. Claiming all is clean on the sites…just change your passwords, and sorry about all that rogue PHP in your database…

  16. [...] my hosting company attacked and [...]
