GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission

UPDATE: I just got off the phone with Neil Warner, GoDaddy’s CSO (Chief Security Officer) and he explained the situation to me. Check it out: GoDaddy Security update

I have been a GoDaddy user for a while and never had problems with them. In fact, unlike some people, I had great support and service from them.

However, one recent situation is making me change my mind about them…

I have my domains and a bunch of VPS (virtual private servers) with GoDaddy and one of those servers is/was hosting the Sucuri’s official site.

I am a bit paranoid about security and on all my servers I switch the SSHD port to a different one and restrict it to only a few IP addresses. On the official SSH port (tcp 22), I install a honeypot to detect ssh scans and which passwords/users they use (you can see some of my analysis in this post: Honeypot analysis – Looking at SSH scans).

Anyway, early this year I started posting information about web-based malware and a few days after I did that, I saw on my honeypot logs:

Jan 8 06:55:28 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:55:30 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:56:38 d1 sshd[28528]: User root from nat-64-202-160-65.ip.secureserver.net not allowed because listed in DenyUsers
Jan 8 06:56:38 d1 sshd[28528]: Failed none for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:53 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:55 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2

And checking my honeypot logs, I saw:

Jan 8 06:55:28 d1 sshd[27670]: hh: user: [mygodaddyuser]|pass: [MYGODADDYPASS]
Jan 8 06:55:30 d1 sshd[27670]: hh: user: [mygodaddyuser]|pass: [MYGODADDYPREVIOUSPASS]
Jan 8 06:56:53 d1 sshd[28528]: hh: user: root|pass: [MYGODADDYPASS]

I was shocked! My first thought was that someone had stolen my GoDaddy password (that I use to login to their web page) and even my previous password! (I had changed my password a few weeks before that).

I quickly ran and started a panic mode incident response, changed passwords and started to look at how I got hacked and what was going on, when I decided to look at the IP address that tried to access my box:

$ whois 64.202.160.65
[Querying whois.arin.net]
[whois.arin.net]

OrgName: GoDaddy.com, Inc.
OrgID: GODAD
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US

NetRange: 64.202.160.0 - 64.202.191.255
CIDR: 64.202.160.0/19
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-64-202-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
Comment:
RegDate: 2002-10-22
Updated: 2007-06-14

Hum.. It came from GoDaddy’s own network. I was about to send an email to abuse@godaddy.com, when I got this email:

It has come to our attention that the [your site name] may be infected by malware. We would like to investigate this matter further, however the login credentials we have on file for your server do not allow us access to the server. In order for us to proceed to investigate the possible infection, we require that you provide the proper login credentials to access your server with administrative rights within 48 hours or by January 10th @ 2 pm MST (GMT -0700) by using our “Password Sync” option, or your server will be suspended. To update the logon information, please follow these steps:

Log into your account.
Click on the ‘My Account’ link.
Click on the ‘Dedicated/Virtual Dedicated Servers’ link.
Select the server you need to update the log on information for.
Click on the ‘Open Manager’ link.
Click on the Support: Sync Passwords button.
Enter the current SSH and root information and save the information.

WTF!WTF!WTF! Yes, I cursed them for a while! Why?

  1. They tried to SSH to my “private” server without my authorization!
  2. They wanted my ROOT password and SSH access!
  3. They HAD MY MAIN GODADDY PASSWORD (AND PREVIOUS ONE) in CLEAR-TEXT!
  4. They almost gave me a heart attack

I don’t know if anyone finds that horrifying, but I do! I would understand storing the initial password for the server in clear-text or something like that. But the main password from my GoDaddy account? Giving their admins access to them so they can SSH to my box? Keeping my old password in clear-text too? SSHing to my box without asking me first? Wow….

The end of the story… After I calmed down, I contacted them and explained about my web-based malware security research and told them that I would not give anyone SSH access. If they really required that, I would switch providers. They did some investigation, apologized and let me stay… How nice they are…
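The check described above (a honeypot capture that matches one of your own credentials, tied back to its source address) can be automated. The following is an added example, not code from the original post: it parses the two log formats shown, joins them on the sshd PID, and compares captured passwords against a salted-hash watchlist so the watchlist itself holds nothing in clear text. The sample log, user name, passwords, salt and function names are constructed for illustration; the CIDR is the one from the whois output.

```python
import hashlib
import ipaddress
import re

# Constructed sample in the two log formats shown in the post; the user name and
# passwords are placeholders, and 203.0.113.9 is a documentation address.
SAMPLE_LOG = """\
Jan 8 06:55:28 d1 sshd[27670]: Failed password for exampleuser from 64.202.160.65 port 49271 ssh2
Jan 8 06:55:28 d1 sshd[27670]: hh: user: exampleuser|pass: current-portal-pass
Jan 8 06:55:30 d1 sshd[27670]: hh: user: exampleuser|pass: previous-portal-pass
Jan 8 06:56:53 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:53 d1 sshd[28528]: hh: user: root|pass: current-portal-pass
Jan 8 07:10:02 d1 sshd[29001]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Jan 8 07:10:02 d1 sshd[29001]: hh: user: admin|pass: 123456
"""

FAIL_RE = re.compile(r"sshd\[(\d+)\]: Failed \w+ for (?:invalid user )?\S+ from (\S+) port")
HH_RE = re.compile(r"sshd\[(\d+)\]: hh: user: ([^|]*)\|pass: (.*)$")
SALT = b"constructed-salt"  # assumption: a per-host secret salt in real use
PROVIDER_NET = ipaddress.ip_network("64.202.160.0/19")  # CIDR from the whois output

def fingerprint(password):
    """Salted, stretched hash so the watchlist never holds a password in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()

def find_exposed(log_text, watchlist, provider_net=PROVIDER_NET):
    """Return (user, label, source_ip, from_provider) for honeypot captures
    whose password matches one of your own credentials."""
    lines = log_text.splitlines()
    # Pass 1: sshd PID -> source IP (assumes PIDs are not reused within the log window).
    src_by_pid = {m.group(1): m.group(2) for m in map(FAIL_RE.search, lines) if m}
    hits = []
    for m in filter(None, map(HH_RE.search, lines)):  # Pass 2: honeypot captures
        pid, user, password = m.groups()
        label = watchlist.get(fingerprint(password))
        if label is None:
            continue  # ordinary scanner guess, not one of your credentials
        src = src_by_pid.get(pid, "unknown")
        try:
            from_provider = ipaddress.ip_address(src) in provider_net
        except ValueError:
            from_provider = False
        hits.append((user, label, src, from_provider))
    return hits

if __name__ == "__main__":
    own = {fingerprint("current-portal-pass"): "current", fingerprint("previous-portal-pass"): "previous"}
    for hit in find_exposed(SAMPLE_LOG, own):
        print(hit)
```

A hit on a "previous" label is the stronger signal: it means whoever made the attempt holds a credential history, not just one leaked password.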