Reply from GoDaddy regarding the latest attacks

GoDaddy just sent us an update. I am glad they are now acknowledging that they have a problem and are looking to fix it. They didn’t give more details to avoid revealing too much and helping the attackers.

No more blaming the users! I am happy with this response, and hopefully they will find out what is going on and fix it.

“Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.

Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when publicly revealing too much, such as specific code from the attack, helps the criminals causing the issue.

We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is leading an ongoing effort, working with industry security experts and other top hosting providers.

As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special form: http://www.GoDaddy.com/securityissue.

Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/support

- Todd Redfoot, Go Daddy Chief Information Security Officer”

Transparency is important, and hopefully when they find out what happened they will do a full case study so we can all learn from that (or am I dreaming too much?).

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://bourgy.com Bourgy

    Wonder what will be the effect if it's really their fault?

    I mean, people have lost a fair bit of money, cumulatively.
    They should offer affected sites free hosting for the rest of the year, or a free hosting upgrade indefinitely.

  • Anonymous

    Here is something that Godaddy should know about, but I couldn't submit it to them via their website because it doesn't allow any code:

    I found a VERY suspicious looking file (I deleted it) on my website named gdform.php. Here is the code it contained (it also had the base 64 encoded code identical to all the other php files at the top)

    \n");
    fputs($fp,"$val\n");
    fputs($fp,"\n");
    if ($key == "redirect") { $landing_page = $val;}
    }
    fclose($fp);
    if ($landing_page != ""){
    header("Location: http://".$_SERVER["HTTP_HOST"]."/$landing_page");
    } else {
    header("Location: http://".$_SERVER["HTTP_HOST"]."/");
    }

    ?>

  • http://bourgy.com Bourgy

    That's just your GoDaddy email form

  • Anonymous

    …lol

  • http://www.blogger.com/profile/07967171952551962859 Dan Thornton

    Interestingly while my three sites are exploited, my urls are redirected to Posterous until everything is fixed, and I'm not making any revenue – Godaddy have chosen today to email me to claim I'm over my data limit on one site…

    Weirdly I've never even come close to the data limit until now, and it's not the highest trafficked of my sites – I'll be checking in more detail when I can get into my Godaddy account, but has anyone else seen any hugely increased data usage alongside the PHP exploit?

  • http://www.blogger.com/profile/07967171952551962859 Dan Thornton

    Just checked, and my daily disk space usage has gone from around an average of about 250MB per day, to 15,000 and 27,000+MB per day…

    It has to be directly linked to the exploit – started at exactly the same time, and the first time it happened, disk space usage went up a fair bit, but I was able to fix the sites almost immediately.

  • http://bourgy.com Bourgy

    I saw traffic loss, Dan.

  • http://www.blogger.com/profile/07967171952551962859 Dan Thornton

    I've checked Google Analytics and had no extra traffic. Indeed until I could start cleaning up the sites I was redirecting everything to Posterous.

    And yet a tiny amount of people turning up has led to a huge amount of disk usage. The actual financial amount is quite small but I'm annoyed I'm getting hit with charges when a problem with my hosting service is responsible.

  • http://www.1winedude.com 1WineDude

    Finally!

  • Anonymous

    "After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress."

    Staggering really, if they had been reading this site they would have known that weeks ago…

    You really have to wonder.

  • Anonymous

    You would think Godaddy would have been paying attention and learning something while NS was dealing with a month long crisis of this nature recently.

  • Anonymous

    "Transparency??" Who do they think they're fooling? They've been about as transparent as m-u-d…

    And I think they're being totally asinine about sharing the information, keeping it from the people who need it the most! The hackers already KNOW exactly what they're doing, you're not keeping anything from them. It's the site owners who don't!

  • http://www.1winedude.com 1WineDude

    Found the following deleted file from 5/11/2010 in my GoDaddy account, root folder:

    joana_blondie

    contains the php eval(base64_decode…) crapolla.

  • Anonymous

    They are STILL lying and ignoring customers.

    I entered a ticket at their super-secret link in the Redfoot memo you kindly provided. I got back BOILERPLATE that failed to answer ANY of my questions. It's signed by "Jacqueline S., Hosting Support". It didn't remotely address a SINGLE one of our 5 questions, and it FALSELY claimed "We have since removed the contaminated code as a courtesy." That is a LIE. They did NOTHING for 2 days. WE disinfected ourselves yesterday, thanks to the info and script at sucuri.net. GoDaddy is irresponsible and their "Chief Information Security Officer" is a liar.

  • Anonymous

    I had this problem since JANUARY – try convincing Godaddy back then!
    It's now mid MAY and there are few answers.
    Sure it can be fixed but there is only guess work as to how this happens.
    Will we get the truth at the end of the day?

  • Anonymous

    Oh the irony of it . .

    http://bit.ly/cAQnqk

  • Anonymous

    I am remembering the days when I switched from Host X, to GoDaddy shared hosting:
    The reason was:
    SECURITY leaks like this one.
    GoDaddy, you are going to lose.
    I cannot afford to lose my traffic because you are investing most of your time overselling your services.

  • http://bourgy.com Bourgy

    Anonymous, this first happened to me in Oct '09

  • Anonymous

    The problem is not solved:

    This morning I found this file in the root of my Godaddy hosting:

    lune_johnette.php

    The hacker put this file…

    I deleted it and I think I haven't any changes in my files…

  • http://www.blogger.com/profile/08850640338059899859 ReadJunk

    New virus popped up on my site this morning. 3rd time in 10 days!!

  • Anonymous

    Same here… my site was hacked again @ 3.15 AM…. :(

  • http://sincemydivorce.com Mandy

    If GoDaddy wants to be transparent, how come they haven't bothered to proactively contact customers and tell them what action they're taking?

    They might care about Haiti but do they care about their customers?

  • Anonymous

    Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like javascript and CSS optimizer then remove it. It's an RFI attack. Hope you will all be happy with this. The attacker first distributes a free program (open source) which works fine, but he puts a security hole in it for later use. He wins our trust and then attacks.