The aftermath of the ongoing hacks directed at major hosting services continues to cause pain for those trying to clean up and restore their sites.
Once again, we at WPSecurityLock.com want to stress that these attacks are not limited to any one platform or any one hosting company. We have had reports for not only WordPress installations, but Joomla, Pligg and “Simple Machines Forum” as well.
On Monday, May 3, 2010, Go Daddy reached out to us to join them on a conference call. Go Daddy security and communications team members participated with our WPSecurityLock team. Be assured that they, as well as the blogging community, are frustrated but persistent in working through these problems.
We at WPSecurityLock want to emphasize that all parties must work together against the common enemy – the malicious hackers. WordPress, Go Daddy, Network Solutions and users with weak passwords are NOT the enemy. The attackers should be the focus, not the attacked.
The following is a statement from Go Daddy Communications:
Go Daddy Cares! Here's some info…
We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, ‘What is Go Daddy doing to help?'
As the world's #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control — because the customer decides whether to update the software they run. (If you think about it, it's like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.
This is why we are working to proactively communicate and educate Internet users about this situation.
Here are a few of the initiatives we have going right now.
As a service to our customers and all Internet users:
- Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).
- Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we've alerted them even before they realize they are impacted).
- Go Daddy is also taking the leadership role with educational communication — posting Help Articles to our Community & Customer Service pages to provide “1,2,3 Info” on how to properly update software. We'll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.
Phil Stuart
Go Daddy Communications
We at WPSecurityLock are committed to educating our readers and getting the word out that security is no longer optional. Please take your blog and site security seriously and take the steps needed to lock down your blog. Go Daddy is making some strong efforts to keep out the attackers. We hope that GoDaddy.com reaching out to us and directly to their customers becomes a refreshing trend in customer service.
The customers out there are scared, mad and tired of restoring and rebuilding. Your voices are being heard! The tide of comments from you, our readers, has got their attention. Have you heard from Go Daddy? Have they reached out to you?
UPDATE 5/4/2010 at 3:15pm CST: Here's an updated statement from Go Daddy…
All info with Help articles can be found on our Community Page
Phil Stuart
Go Daddy Communications
UPDATE 5/5/2010 at 3:00pm: We'd like to thank Scott from Go Daddy's IT Security Operations department for speaking at our teleseminar today. The audio replay is now available on the webcast page.
Scott has provided the following helpful links for you:
Upgrading WordPress the “best practice” way:
http://help.godaddy.com/article/6072
Form to contact our Security Team:
www.godaddy.com/securityissue
UPDATE 5/5/2010 at 5:00 pm: We have just uploaded a portion of today's WordPress Security Teleseminar with Scott from Go Daddy. You can listen to the audio by pressing the play button below:
Get Secure! Stay Secure!
Allen Dresser
for WPSecurityLock
http://InternetTechGuy.com
Regina Smola
Owner
http://WPSecurityLock.com
You can still listen to our WordPress Security Teleseminar Replay with special guest Scott from Go Daddy, recorded on May 5, 2010.
gavacho says
They are still blaming the site owners themselves: “let them know how to protect their sites”. If they have figured out the true cause of this, they are not sharing it with anyone. I guess we sit back and wait for the next attack!
Go Daddy says
We’re definitely taking steps to let customers know how to protect their site. Older versions of WordPress and other PHP applications can allow exploits that may result in site vulnerabilities. What we’ve found as the common denominator for affected sites is older versions of hosted PHP applications allowing the exploit.
Make sure to upgrade old blogs you no longer update, a test blog you may have set up, and/or other domain names that are hosted on the same plan that could have an application installed. It’s actually pretty easy to correct, but it requires several steps to confirm that it’s been removed. Here’s how: http://fwd4.me/MFK
Alicia
ct web design says
It seems that most of these attacks involve things easily identified and swept away. For example Base64 attacks. If all .php files are edited and that’s the change, DENY IT. It’s not legitimate.
Common sense solutions, and I’ll go with a hosting company that’s willing to implement them, especially since GD is raising their hosting prices July 1, 2010; Keep a look out people!
Asad Kay says
I have all the upgraded software.
I have uploaded my site several times after being hacked. I have notified GoDaddy several times but they don’t have any proper solution for my website.
It’s so absurd to see that somebody can actually go onto GoDaddy servers and update my pages and add some PHP code that launches malware every time I visit my site.
It happens after a week or so again when I upload my complete website again.
It’s amazing GoDaddy hasn’t found a solution for it already!
Going to leave GoDaddy says
Sounds to me like GoDaddy is still pointing the finger elsewhere. If this is a weakness in a particular CMS, or a matter of weak passwords, why aren’t sites on other hosting platforms being hit?
Regina says
We have reports from early this morning that Network Solutions was hit again and there are some other hosting companies hit as well.
Hema Latha says
That’s terrifying me again.
Regina says
It is very scary. But we just need to do what we can to protect our websites and ALWAYS have a backup. The bad hackers may attack, but we can recover and get stronger!
Regina says
As an example, even the U.S. Treasury Department’s website was hacked on Sunday, May 2, 2010 (hosted at Network Solutions).
Read this article "Hacked US Treasury websites serve visitors malware."
Mark says
This is the second time I was hacked in six months. There are still no answers as to where the problem is.
I’ve been seriously wondering if it’s time to change hosts.
Brad says
I was very lucky to decide to move my blog to wordpress.com a week ago. I was hacked once on Godaddy…was tedious removing all the iframes.
Go Daddy says
It’s unfortunate you feel this way, because we have provided an answer. Take a look at it here: http://fwd4.me/MFK
Alicia
Go Daddy says
Our help page has been updated. Hopefully you’ll find it more useful.
We appreciate all of your feedback. I’ll have our security team review it.
Thanks,
Alicia
Hema Latha says
Hi Regina,
This morning I got a call from Richard @ Godaddy.
He was really helpful in explaining the issue.
He asked me to regularly update to the latest WP version and explained the possibilities of vulnerability.
(I informed him that I’m already using the latest version)
Richard informed that they are very much concerned about the security.
Happy about Godaddy Support !
JohnR says
GoDaddy can spare me the blather about making sure to use the latest version… I am religious about ALWAYS using the latest version.
I can’t believe they continue to spoon the same useless vagueries. Where are the actual concrete DETAILS about what’s happened, and how??
Trying to dumb things down is no way to reassure customers, and they should know better.
Rick says
I have not received any phone calls from GoDaddy. I have been hacked twice in the last two weeks, and yes I am currently migrating to a new host.
I’ve been snowed by GoDaddy on several occasions in the last two weeks while they tried to pin the attack on my lack of security.
Interesting as I already practice their secure measures, and then some.
I always update to the latest WP.
I always keep my plugins updated.
My config file is hardened.
I use .htaccess to prevent anyone but me from getting access to wp-admin.
I moderate all comments.
I do not allow registrations.
Renamed the admin account.
I have ridiculously difficult passwords that are changed multiple times a year.
I have hardened file permissions.
I do not store passwords in my browser.
I run strong anti-virus and malware programs on my local machine.
I work in a secure network.
and more…
I still got hacked at GoDaddy.
Yes, I realize that Network Solutions has had great difficulty these last several weeks, however the Saturday morning attacks were on GoDaddy sites.
Will there be more hosts hit? You bet. These criminals have discovered serious vulnerabilities in many popular hosting companies, and these companies must step up their effort to protect their customers.
You can’t advertise that “anyone can have a website by tonight” and expect these people to know how to do half of what I’ve done to harden my security – and I still got hacked.
Miserere says
That’s basically my story right now. My next step up as regards to security is to take my blog down off the web, host it on my own computer and disconnect it from the internet. My blog will then be safe, secure, and have an audience of 1.
Nobody’s paid me for the tens of hours I’ve dedicated to my 3 hacks in 2 weeks (my blog doesn’t even make enough money to pay for hosting at the moment), so I would like to feel as if my hosting company (GoDaddy) cared a little.
I’m just waiting to get hacked again on Saturday morning, which will be problematic for me as I’ll be out of town.
Steve says
Not much we can do if criminals and cyber terrorists are attacking our largest service providers from command and control servers from Russia, China, and other places.
I doubt this is some kid sitting in his mother’s basement doing this stuff after school.
Allen says
Rick – great comments. I hope you hear from Go Daddy, your case and security measures should be of interest to them.
JohnR says
Rick, thank you for sharing that. I feel better, being much in the same boat. And I will also be looking at new hosting platforms.
This is a public relations nightmare for GoDaddy, and they are botching it badly IMO. Either they don’t actually know what’s been happening, or they aren’t saying. Perception is reality.
Clearly there are some folks who don’t update or pay attention to their sites, but clearly there are many others who do, and are very careful. If GoDaddy doesn’t start providing some real answers soon, some concrete examples covering all the vectors on how this got in and got back in, I will not feel comfortable and I am gone.
Regina says
I miss Project Honeypot! Their site’s been down for weeks! I not only use the Bad Behavior plugin with it, but frequent their site to check IPs.
Allen says
Rick and Doug – thank you so much for your exhaustive lists! You guys are great examples of security conscious folks that take it seriously! Thanks for commenting and look forward to hearing from you again.
Pat & Lorna Shanks says
We had been hacked a few times at one site a few years ago and then moved to another hosting company.
Problem has been resolved!!!
Here is a point of view from Matt Mullenweg
http://wordpress.org/development/2010/04/file-permissions/
Makes you wonder, is it one blog/customer that’s being hacked or a whole company(s).
Remember when you point 1 finger forward there are always 3 fingers pointing back!
Thanks,
~ Pat & Lorna
http://TheCoolestCouple.com
BufordCreek says
Much like a lot of people, our sites have been hacked twice in 2 weeks, hosted on go-daddy, and causing us to spend massive amounts of time cleaning and hardening. What frustrates me is to read this article, then call go-daddy support to ask for the links to these “1,2,3 Info” articles and have them say – “we’re not responsible for this. we don’t write the WP code or the plugins, so there’s nothing we can do for you, sorry” What happened to them “reaching out to those affected?” We haven’t gotten a call, email or anything! Just the run-around by the support desk when I call to see what they recommend so I can make sure I’ve taken all the precautions. Not looking forward to it, but something tells me this Saturday will be spent much like the last two! Thanks for nothing godaddy.
Go Daddy says
The reality is, we don’t write the code or the plugins. We do, however, provide steps to fix the matter here: http://fwd4.me/MFK
We’ve been getting in touch with customers affected by this issue, but we may have missed you or don’t have a valid contact number on file. If you need to discuss this with someone, please get in touch with our 24/7 support team at http://fwd4.me/MBI
Alicia
Go Daddy says
Disappointing to hear. I’d really like to learn more about your experience. Is it okay if I get in touch with you?
Alicia
Steve Mullen says
Five of my WP sites have been hacked in both of the recent attacks on GoDaddy. Unfortunately, three of those sites are ones I manage for clients, and those clients are NOT happy. Frankly, I’m a little offended by GoDaddy’s statement that it’s a user security problem. Obviously there are people out there running old versions of WP. However, those of us running updated versions of WP were ALSO hacked, therefore their statements make no sense and do nothing but insult their more savvy customers.
My client has already told me that if this happens again, they’re going to ask me to move their sites elsewhere. Fortunately they’re not angry with me, but it isn’t making me look terribly good.
GoDaddy seems to know little or nothing about crisis communications. Blaming the customers yet again is only the latest problem. They seem to be making every mistake in the book.
JohnR says
Agree 110%. I sure hope someone from GoDaddy is reading. If they are, then they’re being awfully quiet. If they’re not, then they’re missing the boat.
Regina says
Godaddy is hearing your voices and they do care. They do visit this blog post and they’re also tweeting it – @GoDaddy Great info from @WPSecurityLock on the efforts to fix the PHP exploit: http://fwd4.me/MYk ^N
Go Daddy says
JohnR,
Regina is right, we do hear you and have responded. Please see our response at http://fwd4.me/MFK
Alicia
JohnR says
Thank you for your response – that page has been updated substantially from when I last checked it two days ago, when it was not very helpful. Now I see actual specific details that could be of assistance.
I still object to the “running outdated software” bit because when I called GoDaddy Support the first time this happened, the rep was under the impression I was still running WordPress 2.8! That’s because that was the version I had originally installed using GD Hosting Connection…
But I, like probably many others, never went or go back to Hosting Connection to update, but instead do it with one click direct through the WP Admin page. So I wonder how in touch GoDaddy truly is on what versions are being run, because that rep insisted I needed to update to 2.9.2, which I have already been running for months!
Go Daddy says
You’re welcome. What we’ve also found to be a cause is outdated software versions on other domains hosted on the same plan.
Though it is possible to check via the source code, not all of our staff is trained to understand the source code of every app that’s available. Once a customer updates via the WordPress admin, our Hosting Connection tool can no longer be aware of the current version.
Alicia
Steve says
Blaming the customer or end user has always been the first line of defense. At least we haven’t been put through the standard humiliation of a customer care rep saying . . “okay you see that thing in front of you? That’s called a mouse. Now I want you to put your hand on the mouse, oh, is your computer turned on.? Look down and you’ll see a button on your . .
Etc., etc.
Regina says
Go Daddy’s IT Security Department will be speaking at our Free WordPress Security Teleseminar on Wednesday, May 5, 2010 at 2pm EST. Space is limited, be sure to register now: https://wpsecuritylock.com/events/wordpress-security-gathering/
Pat & Lorna Shanks says
Now if you had Matt Mullenweg or someone from WordPress.org along with GoDaddy on the Webinar. There might be some resolution to this challenge.
Then that would be a Webinar to attend.
Just our $0.02.
~ Pat & Lorna
http://TheCoolestCouple.com
Regina says
Hi Pat & Lorna,
Thanks for your comment. I sent an invitation to Matt Mullenweg. Hopefully he’ll show up.
mrga says
Hi,
This is maybe not the cause of the injection, but it is a general upload security issue.
I commented on one blog about how you can check if you have this issue:
http://www.neowin.net/forum/topic/897610-godaddy-got-hacked-yesterday/page__st__30__gopid__592582492&#entry592582492
1. GoDaddy has a security hole executing multi-extension files, for example:
somthing.php.jpg
This is a known security issue:
http://core.trac.wor…rg/ticket/11122
To fix that on GoDaddy, try adding this in .htaccess:
RemoveHandler application/x-httpd-php .php
SetHandler x-httpd-php5
SetHandler x-httpd-php5-source
I tested it on my site and it seems to work.
2. The injections affected two of my sites with a custom CMS; one site does not have upload at all (no WordPress, no Joomla), just PHP that I wrote myself.
3. I found a hacking tool (you can see a screenshot in the forum) on my account with all the nice stuff for injection things. I think they pass deep
4. Setting all PHP files to unwritable seems to stop the injection (on the first attack I just changed this file and this file was without injection)
I think that the injections come from inside the server, because GoDaddy hosting will easily find it if it starts from outside.
Hope this can help
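The three things raised in the comments above (multi-extension uploads such as a `.php.jpg` file, base64-wrapped code injected into PHP files, and PHP files left writable) can be checked in one pass over a web root. This is an added example, not code from the original post, its commenters or Go Daddy; the function names, the signature regex and the constructed sample tree are assumptions made for illustration.

```python
import base64
import os
import re
import stat

# "php" somewhere before the final extension, e.g. avatar.php.jpg
MULTI_EXT = re.compile(r"\.(php\d?|phtml)\.[A-Za-z0-9]+$", re.IGNORECASE)
# Files the server normally hands to the PHP interpreter
PHP_FILE = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)
# Simple signature (assumed): eval/assert directly wrapping base64_decode,
# optionally through gzinflate. A triage aid, not a complete detector.
INJECTED = re.compile(
    rb"\b(eval|assert)\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(",
    re.IGNORECASE,
)
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def scan_webroot(root):
    """Return (relative_path, reason) tuples for files that need review."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            multi = bool(MULTI_EXT.search(name))
            is_php = bool(PHP_FILE.search(name))
            if multi:
                findings.append((rel, "multi-extension"))
            if not (multi or is_php):
                continue  # images, CSS and so on are not inspected
            with open(path, "rb") as fh:
                if INJECTED.search(fh.read()):
                    findings.append((rel, "base64-eval"))
            # Any write bit set means the file can be rewritten in place
            if is_php and os.stat(path).st_mode & WRITE_BITS:
                findings.append((rel, "writable"))
    return findings


def build_sample(root):
    """Create a small constructed web root (not real site data)."""
    payload = base64.b64encode(b"echo 'constructed sample';").decode()
    tree = {
        "index.php": (b"<?php echo 'hello'; ?>\n", 0o444),
        "wp-config.php": (
            ('<?php eval(base64_decode("%s")); ?>\n' % payload).encode(),
            0o644,
        ),
        "uploads/avatar.php.jpg": (b"<?php echo 1; ?>\n", 0o444),
        "uploads/photo.jpg": (b"\xff\xd8\xff\xe0 not really a jpeg", 0o644),
    }
    for rel, (content, mode) in tree.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_webroot(tmp):
            print(f"{reason:16} {rel}")
```

A hit is a lead for manual review rather than proof of compromise, since some legitimate code is also base64 encoded, as a later comment on this page points out.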
Deana Goldasich says
GoDaddy continues to blame everyone else. They actually told me at one point that they are not the best solution for GoDaddy? Really? The number one registrar and host says that? I’m most disappointed in GoDaddy’s lack of proactive communication with customers and with active tickets. I used to be a strong supporter of GoDaddy, but they have taken a serious dive in quality within the past year.
Steve says
Well they hit the U.S. Treasury also. (NS)
Seems to me the criminals have pretty much launched all out guerrilla style cyber attacks on NS and GD and there’s little we can do at this point other than take cover till the shooting stops.
Seriously, what’s the bottom line here?
Rick says
This is just ridiculous. There are some great comments above, and I hope everyone is paying close attention.
How many of us have to speak up and say “We WERE running the latest version of WordPress when we were attacked.”
Also, it WASN’T just WordPress users who were attacked.
Yes, we get it, Network Solutions has had major issues in the past several weeks, and they have admitted that it was not WordPress.
This last round of attacks – on Saturday morning (5-1-2010) – widespread GoDaddy attacks in the exact same time period. This was NOT a coincidence.
I know website owners who are sitting pretty right now even though they know nothing about website security – and they’re not on GoDaddy.
To point us to a discussion thread that tells us again that it’s our fault and not yours is unacceptable.
GoDaddy, for the safety of your customers AND all the innocent visitors who go to their sites, tighten up your internal vulnerabilities.
gavacho says
Something you should check – An important file on our website mysteriously disappeared. It caused our product demo to fail and spit out a ton of error messages – how much money and reputation has this cost us? 🙁 This particular file contained base 64 encoded code that looked similar to the exploit code. I strongly suspect that GoDaddy deleted it in a well-intentioned effort to undo the damage wreaked by the hackers. If your site has any “Good” base 64 encoded code, you’d better check this.
P.S. At this point I’m convinced that the GoDaddy girls do more than just look sexy. I think they are also responsible for GoDaddy security and customer service!
Regina says
Hi Gavacho,
Thanks for your comment. I have sent information to Go Daddy about your files disappearing. Hopefully you’ll be hearing from them soon. If I get any new information, I will be sure to share it as well.
Go Daddy says
gavacho,
We do not remove files unless we have the customer’s permission. You can also get in touch with support so they can review this with you. Contact info can be found here: http://fwd4.me/MBI
Alicia
BenL says
So has anyone had better luck moving from Go Daddy to another host? Which ones? Is anyone doing it right?
Regina says
Doug, thanks for being on the call today. I appreciate all your information about the C64 attack and everything you shared. The replay is available now if you want to re-listen on the same page.
I will be emailing everyone that was on the call the special links that Go Daddy provided for us today, as well as putting them on this post.
Steve says
Nope. I have no clue where to find secure shared hosting at this point.
Go Daddy says
We don’t want to see you go. If there’s anything we can do to help you with your current account, please let us know.
Alicia
Regina says
I would personally like to thank Scott, from Go Daddy, for speaking with us today at the teleseminar. And thanks so much for providing the helpful links to share with our audience.
Steve says
You need to scan your computers. Checking your own websites will give you trojans if you have been hacked. I’ve discovered 8 new ones. All related to this stuff. These are NEW.
twitters.class
mailvue.class
skypeqd.class
ifology.class
uutecwv.class
hirwfee.class
hiydcxed.class
hieeyfac.class
They were downloaded in sets of four. One set on the first day I was hacked. And the second set the second day I was hacked a week later. Either I downloaded these with backups I made of my site or they downloaded and got past my firewall as I was checking out and clicking through the pages on my sites. They are sleeper viruses that hibernate then wake up about one week later.
Steve says
They also appear to be able to avoid detection while they are asleep. I’ve submitted all this stuff to Symantec.
Rick says
Yes, I also picked up a nasty trojan when I pressed the override button on my anti-virus software the first time I was hacked. I figured it was a false positive because I knew my site was safe…. I now know better.
I brought in a security guy to completely clean the virus – it was deep. Then after sleeping on it, I decided to completely wipe clean and reformat my hard drive and reinstall Windows so I could be POSITIVE I didn’t have any virus left over.
(I’m still re-adding my old programs.)
Still no phone call from GoDaddy.
I’ve got one site migrated to a new host and will be working on the rest this week.
@Steve – could you explain how you found the sleeping viruses? That’s really disturbing to think about.
Steve says
@Rick, could you explain how you found the sleeping viruses?
Rick,
Running daily full system anti virus scans. It’s that simple. My security suite only caught these things on the days that they “woke up”. You can see the pattern below.
I was hacked first on the 18th.
uutecwv.class
hirwfee.class
hiydcxed.class
hieeyfac.class
On computer as of 4/18
Last used 4/23 (Caught by scan)
I was cleaned up and then hit again on the 23rd.
twitters.class
mailvue.class
skypeqd.class
ifology.class
On computer as of 4/23
Last used 5/5 (caught by scan)
The bottom line? Check out this article.
http://www.m86security.com/i/Web-Exploits–There-s-an-App-for-That,news.1311~.asp
Rick says
Thanks! Since the hacks I do run daily scans on both of my local machines, and it looks like this will be a best practice for me.
By the way, anyone else add a fraud alert to their credit bureaus?
It’s something I think GoDaddy should have mentioned. Those of us who were infected by our own sites after they were attacked – we have no idea the intent of the viruses, etc. You can call any of the three credit bureaus (i.e. Experian) and do a 90 fraud alert over the phone.
They are bound to alert the other two bureaus.
This won’t stop you from using your credit cards and such, but it will alert businesses so they must prove your identity before offering you new credit.
It’s a simple layer of protection (nothing is perfect) for the next three months while we all find out the extent of the damage.
Steve says
I’m with NS and just trying to help out GD users here. Wouldn’t surprise me if these attacks at NS and GD are being launched by the same group of criminals.
The coincidence and timing of this whole debacle is suspect.
Steve says
I don’t work for NS but use them. Just to clarify.
Go Daddy says
Rick,
I’d be happy to have someone get in touch with you. Please let me know.
Alicia
WLSB says
Hi All…
We got hit by this and were able to recover fairly easily.
Just to add our stats, we were running a pre 2.9.2 WordPress (have now upgraded) hosted on Godaddy.
We had no additional unauthorized user accounts (registration is not available on our site)
We had no unauthorized ftp access during the period that the files were changed.
No idea how this got into our files.
Arthur says
Finally had an email from Godaddy today telling me to upgrade WordPress (I’m on the latest version already). It’s interesting that Godaddy can’t tell you’re on the latest version if you don’t upgrade through their Hosting Connection, as this might explain why they’re so convinced it’s us ‘remedial’ webmasters who are to blame.
I’m looking to move host, if for no other reason than Godaddy’s response to my support ticket when I first got hacked – a lovely long cut and paste impersonal reply saying ‘it’s your fault’ and not saying anything else at all.
Rick says
After the first attack, I had this run around with a GoDaddy rep when I called in. I was already up to date and he was in the hosting connection swearing I wasn’t.
I think you make a great point there, Arthur.
Aderemi Ojikutu says
Thanks Regina for this ‘salvation’.
PinoyStitch says
Malware strikes again! It redirects to holasinweb.com. This is the 3rd attack on GoDaddy. The last attack did not affect my zen cart. I had all the security measures in place. From that time I added another directory with the latest version 1.3.9b and it was password protected (directory). Everything was infected.
From looking at the files, this was the activity that happened.
5/11/10 @ 9:22pm a file called him_vivie.php was deposited and deleted from the root of my directory.*
5/12/10 @ 2.08am it infected all the files
*this means if you looked at your directory present time, you won’t find any suspicious php file since it was already deleted.
This could not have been an FTP compromise, I have changed my ftp to a very strong password and as I said, even the directories for admin and the other 1.3.9b has been password protected just to view.
Is GoDaddy going to maintain this is another case of website not updated?
Sam says
All our wordpress sites at godaddy have been hacked too.
date 26 may10
There is definitely some loophole in their hosting, otherwise all customers hosting WordPress wouldn’t have had such a problem between 24-30 May 10