Last week attacks – Some comments and updates

Last week was a busy one.

First, thousands of GoDaddy sites got hacked with that kdjkfjskdfjlskdjf.com malware.

A few days later, hundreds of Network Solutions sites got hacked by using the php.ini/cgi-bin malware (including the US Treasury site).

The next day, thousands more sites at different providers (GoDaddy, DreamHost, HostGator, etc.) got hacked with the MW:MROBH:1 malware.

So, what was going on?

Network Solutions attack

The problem at Network Solutions was caused by an internal application used on their hosting platform that allowed the exploit to happen. They fixed it already, so the problem should not reoccur. The number of infected sites was around 500.

GoDaddy

GoDaddy blamed the users (saying they were using old WordPress versions) and didn’t provide us with information regarding what happened. We know that WordPress wasn’t the problem (we saw sites using the latest version getting hacked), so no one knows what happened. Probably thousands of sites got hacked.

DreamHost

DreamHost contacted us and explained that on their platform the issue was caused by a “specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.” Around 500 sites got hacked. Their statement:

We’ve seen a dozen or so examples of this passed to us via support and have researched it ourselves. It seems to be related to a specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.

A scan across all our server files for known shells was done across customer HTTP servers and they were deleted. 550 account owners were contacted with notification of the finding of this backdoor shell file and the changing of their related FTP passwords. They were also provided directions for removing some of the common derivative hacks that have been associated with it, including a link to your web site and further directions to make use of SFTP exclusively due to FTP’s inherent security constraints. The great majority of these shells were added (as indicated by file date) in late November and December.

How are they getting in?

The Network Solutions issue was explained and fixed. At DreamHost, it was a PHP shell. But what about the others? How were the attackers able to inject content on all these sites?

Skyphire (and others), in our comments, mentioned that the infected files had a phpMyAdmin cookie check added, which would indicate a bug (maybe a 0-day) in phpMyAdmin. That would be a possible cause, since all those shared hosts are using phpMyAdmin. This is the cookie snippet that was added:

getCookie("pma_visited_theme1");

We can’t prove it, but we will keep an eye on it to find out exactly what is going on. Have more info? Let us know.
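For site owners who want to check their own files for the indicator above, here is an added example of a read-only scan over a web root. It is not Sucuri’s cleanup tool or code from the post: it looks for `<script>` blocks that reference the `pma_visited_theme1` cookie, records each hit’s line number and modification time, and buckets hits by month, the same file-date view DreamHost used to see when the shells had been added. The regular expression around the cookie name, the list of scanned extensions and the sample pages are this example’s own assumptions.

```python
# Added example (not Sucuri's tooling): indicator scan for the phpMyAdmin cookie
# snippet quoted above, plus a file-date grouping of the hits.
import os
import re
import tempfile
from datetime import datetime, timezone

# The cookie name comes from the post; the surrounding pattern is an assumption.
COOKIE_INDICATOR = re.compile(rb'getCookie\(\s*["\']pma_visited_theme1["\']\s*\)')
SCRIPT_BLOCK = re.compile(rb'<script\b[^>]*>.*?</script>', re.IGNORECASE | re.DOTALL)
SCAN_EXTS = {".php", ".html", ".htm", ".js", ".inc"}  # assumed set of text-bearing files


def find_hits(data: bytes):
    """Return 1-based line numbers of <script> blocks that reference the indicator cookie."""
    hits = []
    for block in SCRIPT_BLOCK.finditer(data):
        if COOKIE_INDICATOR.search(block.group(0)):
            hits.append(data.count(b"\n", 0, block.start()) + 1)
    return hits


def scan_tree(root: str):
    """Walk a web root without modifying anything.

    Returns {relative_path: {"lines": [...], "mtime": ISO-8601 UTC string}}.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue  # binaries such as images are skipped
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                lines = find_hits(fh.read())
            if lines:
                mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                findings[os.path.relpath(full, root)] = {
                    "lines": lines,
                    "mtime": mtime.isoformat(timespec="seconds"),
                }
    return findings


def group_by_month(findings):
    """Count hits per modification month (YYYY-MM), to see when files were touched."""
    buckets = {}
    for info in findings.values():
        month = info["mtime"][:7]
        buckets[month] = buckets.get(month, 0) + 1
    return buckets


# Constructed sample site: one clean page and one page carrying the indicator.
CLEAN_PAGE = b"<html><body><p>hello</p>\n<script>var ok = 1;</script></body></html>\n"
INFECTED_PAGE = (
    b"<?php echo 'index'; ?>\n"
    b"<html><body>\n"
    b"<script>function getCookie(n){return document.cookie.indexOf(n)>=0;}\n"
    b"if(!getCookie(\"pma_visited_theme1\")){ /* constructed placeholder */ }</script>\n"
    b"</body></html>\n"
)


def build_sample_site() -> str:
    """Create a throwaway directory tree that stands in for a customer's web root."""
    root = tempfile.mkdtemp(prefix="sample-webroot-")
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "about.html"), "wb") as fh:
        fh.write(CLEAN_PAGE)
    with open(os.path.join(root, "wp-content", "index.php"), "wb") as fh:
        fh.write(INFECTED_PAGE)
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG not scanned")
    return root


def demo():
    """Scan the constructed site and return the findings (also printed for the reader)."""
    findings = scan_tree(build_sample_site())
    for path, info in sorted(findings.items()):
        print(f"{path}: indicator at line(s) {info['lines']}, modified {info['mtime']}")
    for month, count in sorted(group_by_month(findings).items()):
        print(f"{month}: {count} file(s)")
    return findings


if __name__ == "__main__":
    demo()
```

Point `scan_tree()` at a real web root instead of the constructed one; it never writes to the files, so it is safe to run before deciding what to clean, and the month buckets give a quick view of whether the modified files cluster around one date, as they did at DreamHost.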

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if any of them ever gets infected with malware, hacked, or blacklisted.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Anonymous

    Been a tough 5 weeks. Appreciate all your coverage and help.

  • http://bourgy.com Bourgy.com

    Any guesses on the GoDaddy exploit?

  • http://bourgy.com Bourgy.com

    Just been hijacked again

  • http://www.blogger.com/profile/04538310097855103213 tintin

    Hey Great post. Really a very nice piece of information.
    Thanks for sharing this

    Regards
    Web development solution

  • Anonymous

    GoDaddy is full of shit. They blamed WordPress in our case too. Do you think it might have been through our OpenX install? Thank you for your cleaner. That did the trick for us for now.

  • Anonymous

    This is one of the best posts I've seen in a month of this crap, and believe me I've read a lot of them… This morning my site got hacked for the 3rd time, and I'm REALLY TRULY ABSOLUTELY POSITIVE it's nothing I am or am not doing, do you hear that GoDaddy?? (and yes I've been running WP 2.9.2 since February, but as the good detective here points out, WP is NOT the issue – it's something with PHP).

    One thing for sure I discovered today: GoDaddy FAILS this test on PHP (this was also posted elsewhere on this excellent site):

    http://www.neowin.net/forum/topic/897610-godaddy-got-hacked-yesterday/page__view__findpost__p__592577078

    http://core.trac.wordpress.org/ticket/11122

    GoDaddy had better come clean with the details about what's truly going on (they did not reveal significant details during their WPSecurityLock conf. call), or they will find customers leaving by the THOUSANDS, and SOON.

  • Anonymous

    People want answers! Without them we will not feel comfortable…

    Thank you Sucuri.net for helping provide them.

  • http://www.blogger.com/profile/04995577706898013568 lukeprog

    I think my website got hacked by way of a virus getting on my machine and stealing my FTP password. My XP machine got a virus and within a few hours somebody said my website was showing them a virus. I'm on MediaTemple.