Exploit on WordPress Returns – Go Daddy Responds!

Go Daddy continues to work around-the-clock to investigate the latest website attacks and to keep your website safe. They have added new help guides and tutorials for webmasters and are reaching out to their customers through emails and telephone calls.

In addition, on May 5, 2010 Scott Gerlach, the Manager of Information Security Operations at Go Daddy, joined us at our WordPress Security Teleseminar. He shared with us what Go Daddy Communications is doing to protect its customers, how they are reaching out to the community, and tips on how to keep your websites safe. You can still listen to the audio replay here.

UPDATE: On May 9, 2010, Go Daddy released the following statement to WPSecurityLock.com to keep you informed.

WordPress Exploit Update 5/9/2010

This afternoon some customers’ websites were affected by a new, lighter wave of malware attacks.

Go Daddy is reaching out to those whose sites were compromised, and reminds customers to be vigilant about updating all software in their hosting account (see below for additional help).

Though we understand this issue is frustrating, Go Daddy believes the situation is moving in the right direction. We have identified — and are attempting to work with — the key service providers the attackers are using, and are collaborating with the authorities to ensure the individuals will be prosecuted.

- Todd Redfoot
Chief Information Security Officer

On May 7, 2010, Go Daddy released this statement to WPSecurityLock.com to share with you.

WordPress Exploit Returns

As you know, a new wave of attacks aimed at compromising websites running outdated versions of online applications, such as WordPress, recently hit across numerous Internet hosting providers. The bottom line resolution is to be sure you have the most up-to-date versions of your applications within your entire hosting account.

Go Daddy has launched an extensive investigation into this security issue with other hosting providers and the appropriate authorities. We can help you determine if your site is affected, and are also interested in learning more about your experiences with this exploit. *To diagnose your site and/or provide info, please visit www.godaddy.com/securityissue.

Customers who were once impacted, but have cleaned and updated all of their sites to the latest version, are no longer having issues.

For a step-by-step guide to update WordPress, please visit http://help.godaddy.com/article/6072.

- Todd Redfoot
Chief Information Security Officer

If you have hosting at GoDaddy.com, be sure to click here to learn how to upgrade your WordPress installation. And if you think your website has been compromised, please submit your information to their Security Team as soon as possible.

* Is your hosting under a reseller account with Go Daddy? If so, you can send an email to safeguard@secureserver.net and have them diagnose your site and/or provide information.

Help other webmasters by tweeting this post and linking to it on Facebook.

If you find out any new information about the most recent exploits, please be sure to leave us a comment below.

Securely yours,

Regina Smola

P.S. I’d like to personally thank Go Daddy for keeping us informed, as well as all the wonderful comments and emails we’ve received from the community to help us all keep our websites safe.

Comments

  1. Rick says

    Not to sound like a broken record here, but that doesn’t account for all of us who WERE up to date with our WordPress, etc. updates – as well as employing hardening practices.

    The YouTube video you posted here:

    https://wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/

    is very disturbing. I hope GoDaddy and all of the hosting companies are paying attention. These people are smart and will expose your vulnerabilities. You need to step up your customers’ protection.

    I for one am sick of reading these posts (although I thank WPSecurityLock for writing them) and seeing all of the comments about website owners getting hacked.

    I’d like to go to bed at night and feel good about waking up and logging into my sites again.

  2. Philip M. Hofer (Frumph) says

    And Godaddy passes the buck yet once again.

    Most all of the sites were of the latest 2.9.2 release and even some of them were not WordPress at all, just PHP sites.

  3. says

    Go Daddy is reaching out to all of us with a new statement. I have updated this post (see above) with new information from Todd Redfoot.

  4. Kristi says

    I love how they keep saying it is a problem with outdated versions when all three times I have had my site hacked has been after updating to the latest version. Ironically, sites I have hosted under separate hosting accounts and client sites hosted elsewhere were not hacked and were definitely not updated to the latest version.

  5. Skyphire says

    If you look at the source: view-source:http:// zettapetta [dot] com [dot] js.php (in Firefox) you will see that it looks for a PhpMyAdmin Cookie. That PhpMyAdmin software is likely vulnerable, based upon the Cookie name used in various PhpMyAdmin themes. Good luck.

  6. user says

    A new mass Godaddy attack is possibly imminent. I found an unknown php file containing the known eval(base64… code among my files. No other php files were changed. They may be testing the waters and checking if their exploit works before launching it.

    Godaddy should check if there are other Linux hosting accounts to which a single new file was uploaded recently. Let the security team know this if you can.

  7. Michelle says

    I’m running the latest version and I have been hacked AGAIN for the third time! This is unbelievable! I spent hours making sure there was no trace of anything left behind from the last hack by deleting EVERYTHING and giving my site a fresh install. I have no subdomains or any other versions running except 2.9.2. IT’S NOT WORDPRESS and it’s definitely GoDaddy!

  8. Bubba Gump says

    further proof godaddy sux. all they are is a registrar. their automated installs for CMS is handy, but the install itself is way too insecure. you’d spend just as much time installing the CMS by hand and fixing all the security flaws than you would using the automated install and having to hunt down all the garbage that was left insecure.

    these hosting companies that put 1000 virtual websites on one box and falsely advertising outrageous bandwidth and storage space that they’ll never allot to you should be taken through the wringer either by hackers or the consumer protection agency. It’s a hosting company not a greasy fingered insurance company. No need to use actuaries to earn a living in the hosting world.

  9. Hrmmm says

    Anyone remember the wp-config.php hack that was turning WP sites into malware sites?

    I don’t quite understand how it was done… even if your permissions on wp-config.php are wide open, how could you read it? It just opens a blank page.
