Attacks on GoDaddy sites –

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.

Just a quick update to this blog post: More Attacks –

We posted a few days ago that attackers were using to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using

The following domains/IP addresses are being used to spread the attack:

All the sites we’ve seen so far have the following code added to all PHP files:


Which is basically just the eval(base64_decode encoded. What is interesting is that this site is hosted at, which was used on previous attacks by the “Hilary Kneber” group, so we think they are all related:

Clean Up Action

The following script should clean up any infected site:

Updated 10/31/10 14:25 Pacific.

If you don’t have SSH access, download this file to your desktop: GoDaddy Fix 10/31/10

Once you have the file downloaded, rename gdd-fix_php.txt to gdd-fix_php.php

Upload fix file to your site via FTP/sFTP, then open in your browser (Example:

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

For old exploits please check out our Simple Cleanup Solution

If you need help cleaning up your site, contact us at or at

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.