Early on September 21, 2010, some websites hosted at Go Daddy were hacked again with malware.
I just received a courtesy call from Go Daddy’s Security Team so I could give you an update. They will also be releasing a statement to me soon and I will post it here shortly.
On September 17, 2010, several websites were infected with the myblindstudioinfoonline malware through an FTP breach.
Go Daddy worked diligently to clean and restore each website affected. They also advised all customers to change their FTP passwords. In a statement on 9/18/2010 they said:
Go Daddy's Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.
So far, no website whose owner changed the FTP password has been reinfected.
Unfortunately, not all webmasters changed their passwords, and those websites were hacked again.
Go Daddy has cleaned and restored all affected websites. However, during the restore process a space was added to some .php files. This caused a “headers already sent” error. Go Daddy is aware of this glitch, is currently working to fix all sites with this error, and should have them restored shortly.
If your website was affected, you may also notice some files with the .INFECTED.PHP extension. These files were created as a backup during Go Daddy's restore process and they will be removing those shortly.
Important! If you've had an FTP breach, please do the following immediately!
- Change all of your FTP passwords (Check to see if you have more than one FTP account).
- Change your database passwords (If hackers got into your FTP, did they look at your wp-config.php file?).
- Change your Authentication Unique Keys and Salts (Again, wp-config.php).
- Change your WordPress username passwords (Change any “administrator” account passwords for safety measures).
- Check your permissions on your server. Make sure your directories (folders) are set to 755 and your files are set to 644 (Sometimes hackers like to change CHMOD permissions while they're in there).
- Update your virus definitions on your anti-virus program and run a full system scan.
- Make sure your firewall is on.
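The permission check from the list above can be scripted together with two leftovers of the restore process described earlier: the .INFECTED.PHP backups and stray output before the opening PHP tag. This is an added example, not code from Go Daddy or the original post; the function names and the sample tree are constructed, and it assumes shell access to the document root and that the added space sits before the opening tag.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress document root after an FTP-breach cleanup.
# Function names and the sample tree are constructed for illustration.

# Directories that are not 755 and files that are not 644.
bad_perms() {
  find "$1" -type d ! -perm 755 -print
  find "$1" -type f ! -perm 644 -print
}

# Backup copies left behind by the host's restore process.
leftover_backups() {
  find "$1" -type f -iname '*.infected.php' -print
}

# .php files whose first byte is whitespace or a UTF-8 BOM (assumed cause:
# any output before "<?php" triggers "headers already sent").
leading_output() {
  find "$1" -type f -iname '*.php' ! -iname '*.infected.php' -print |
  while IFS= read -r f; do
    b=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    case "$b" in 20|09|0a|0d|ef) printf '%s\n' "$f" ;; esac
  done
}

# Constructed sample tree with one finding of each kind.
make_sample() {
  d=$(mktemp -d) && mkdir "$d/wp-content" && chmod 755 "$d" "$d/wp-content"
  printf '<?php echo "ok";\n'  > "$d/index.php"
  printf ' <?php // config\n'  > "$d/wp-config.php"
  printf '<?php // backup\n'   > "$d/wp-content/footer.INFECTED.PHP"
  printf '<?php // writable\n' > "$d/wp-content/upload.php"
  chmod 644 "$d"/*.php "$d/wp-content/footer.INFECTED.PHP"
  chmod 666 "$d/wp-content/upload.php"
  printf '%s\n' "$d"
}

audit() {
  echo "== wrong permissions ==";      bad_perms "$1"
  echo "== leftover .INFECTED.PHP =="; leftover_backups "$1"
  echo "== output before <?php ==";    leading_output "$1"
}

# Usage: bash audit.sh /path/to/docroot   (no argument: audit the sample tree)
root=${1:-}
[ -d "$root" ] || root=$(make_sample)
audit "$root"
```

Any file listed under the first heading should be reset to 755 (directories) or 644 (files) only after confirming its contents are the ones you expect.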
Update – 09/21/2010 at 3:15 pm CST:
Statement from Go Daddy
Friday, we told you about a recent malware attack affecting a small group of Go Daddy customers. Our Security Team recommended all those who believed they were affected to change their FTP passwords.
This morning, another event targeted the same hosting accounts as last Friday.
- The good news? Those who changed their passwords were NOT affected.
- The bad news? Those accounts affected by the previous wave of attacks, whose FTP passwords were not changed, were once again compromised.
If you were impacted in any way, Go Daddy “has your back.” Our Security Team cleaned the affected sites almost immediately and very few, if any sites, should be seeing errors.
If you think your site has been affected, please change your FTP password immediately — It takes just seconds. Here's how to change your FTP password.
Thank you,
Todd Redfoot
Go Daddy Chief Information Security Officer
Update – 09/22/2010 at 12:45 pm CST:
We just got confirmation from Go Daddy's Security Team that this incident was found on shared hosting accounts only. Virtual Dedicated Servers, Dedicated Servers or Mac Powered Cloud Servers were not affected.
Securely yours,
Regina Smola
WordPress Security Specialist
P.S. Help spread awareness by telling others, share this article on Twitter and Facebook.
Alex Sysoef says
Honestly, am surprised GoDaddy still has any hosting clients – as many hacks as there were in last few months against them, my sites would be off in a flash.
Not to bust on their hosting but just a note…
Regina Smola says
Hi Alex,
Thanks for your comment and stopping by the website too 🙂
We need to do a teleseminar together soon. Would be fun to put our expertise together on one call.
Dawn DaLuise says
Hello Regina:
I believe my website hosted by go daddy was compromised. I sell skin care products on this site as well as promote my company. The pages which have been changed are my pages for “contact” and also the page for “products”. On the products page – the “add to cart” and “check out” icons have been moved so as to obscure the product information. On the contact page – emails can’t be sent when a customer clicks the email contact icon. Instead of my email address being in the header, it is preceded by a http: which will not allow for sending to my address. Also, everyone’s being asked for a security code/password when they attempt to send emails. Sometimes, but not always – the information for contacting my publicist also seems to shift around on this page.
Interestingly enough, I had a cyber stalker once and I knew who this person was, by name. When I google or Yahoo search this person’s name; MY WEBSITE APPEARS! I suspect this is the person who broke into or “hacked” my website since there is a “connection” somehow between this person and my website when I type her name into a search engine. How does this get fixed and how can my site then be made hacker proof, if possible? I apologize that I’m not more computer savvy but if someone doesn’t correct this problem for me (i.e. go daddy) then I’m at a disadvantage because I’m not computer techno literate enough to know how to fix this myself. Help!
Angie Newton says
Dawn,
Regina’s team would be happy to help you. You can see the services offered at https://wpsecuritylock.com/services/
It does sound like your site/email was compromised but without seeing inside, we can’t really give you an answer.
Angie
Allen says
Alex – It is “interesting” how Go Daddy! keeps getting hit. I wonder if it is disgruntled employees? I agree with Regina that you guys ought to get together on a call and keep educating the WordPress users out there to lock it down!
Yev says
Do we know if it’s shared hosting being exploited or does this include VDS and DS?
Best regards
Yev
Regina Smola says
Yev,
Thanks for your question. I will contact them and find out for you. I’ll let you know shortly.
Regina Smola says
Yev, no response from GoDaddy yet. I believe it’s only on shared hosting. But when I get an answer, I’ll let you know.
Regina Smola says
Yev, I just got confirmation back from Go Daddy.
This hacker attack was only on shared hosting. No VDS or DS accounts were affected.
Yev says
Hi Regina
Thank you so much for confirming this. I believe this to be a very important part of information. At least we understand that it’s specifically godaddy and other hosting providers who use shared hosting in a similar way who have this problem. (ie: networksolutions)
At least there is a solution of upgrading to a VDS or a DS and taking security into your own hands.
I know how inexpensive shared hosting is with godaddy (~2.99 per month) but we really get what we pay for.
Thanks again for all your hard work in keeping up with this topic.
Warmest regards
Yev
Kimberly Yow says
Regina I am so glad I found your site about 6 months ago and subscribed to your Hack Alerts! You are always on top of it and provide useful “how to fix” info too! Thanks much, Kimberly
Regina Smola says
Aw, thanks so much Kim. I’m glad I can help.
Kathy Pop says
I hope all those folks that were attacked AGAIN learned a lesson this time around. And I hope they realize that they could eventually be marked by the red box of Google death if they keep allowing their sites to be compromised and gain a reputation as a site NOT to visit.
Thank you for staying on top of things.
Kathy Pop
Regina Smola says
Thanks Kathy.
I have seen some websites that were attacked over the weekend blacklisted on Google. It’s a nightmare to get Google to lift the ban, but it’s even worse when our visitors get their computers infected and don’t trust the websites anymore.
Daniel Fenn says
Can someone please explain why GoDaddy is such a huge target? They are going to lose so many clients from this.
Regina Smola says
Daniel,
All hosting providers and ANY website is a target. Malicious hackers spend their time trying to outsmart all of us. Go Daddy just seemed to be their target of choice this week. Hopefully, next week they’ll grow a conscience and stop messing with websites.
The best we can do is be proactive and protect our websites. We all need to lock our websites just like we lock our doors at night.
blkcatgal says
Fortunately, I changed my FTP password after the incident the other day, so my site was not affected. But all these problems with GoDaddy are leaving me less than secure. And why is GoDaddy such a target??
Paula Guse says
Glad to hear you changed your FTP Saturday and that you have remained unaffected. Please keep passing the word, everyone should be checking their sites and watching closely. Pass on our updates link so folks stay informed.
Stacey says
Regina, I appreciate your diplomatic response in regards to why GoDaddy is such a huge target. I know that using them doesn’t seem like the wisest choice to many, but I am still there, and will be there for at least a bit longer. The idea is to be vigilant, and I know that at least in my case, I was very naive in leaving old, unused versions of WordPress on my server, not changing my FTP for nearly TWO (!) years, and generally just adopting a “it won’t happen to me” attitude. I can’t necessarily blame GoDaddy for that! I feel more educated now and will do what *I* can to keep from being hacked again. Now, if despite my very best efforts my site continues to be hacked via GoDaddy, then I’ll reconsider my approach. But for now, I’ll pay attention to sites like yours and what I can be doing to protect myself.
Regina Smola says
Stacey,
Thanks so much for your comment! I’m so glad to hear you’re taking your website security seriously. We need more webmasters like you!!
Here are my 10 tips for Secure WordPress Hosting.
A great WordPress plugin that helps you see some server vulnerabilities is ServerBuddy.
Giuliastro says
Our website hosted by GoDaddy has been hacked for the second time in 2 days. We upgraded WordPress to 3.01 (latest version) and disabled all plugins, but that didn’t work, as today we had the same malware attack. The problem is GoDaddy, until they find a solution to this and take care of their router and servers to prevent this attack websites will have to manually clean their files (or use a script to do it) every day for a long time. Shame GoDaddy, we have had so many problems with them.
Regina Smola says
Giuliastro,
I feel your frustration. I too have been a victim of hacker attacks over the years. And after years of research to not let it happen again, this site was evolved. My passion is to help webmasters protect their websites and kick hackers to the curb.
I’m glad you upgraded your WordPress. Did Go Daddy get your site fixed and is it working again?
If you need help, I’m here for you. Send me an email.
Giuliastro says
Thank you Regina. The fix is pretty simple, we just need to launch a script that cleans all php files. But that’s obviously a temporary fix not a permanent solution.
Yev says
Hi Giuliastro
Quick question. Are you on shared hosting or on a VDS?
Yev
Giuliastro says
Linux Shared Hosting
Dee says
Since signing up with GoDaddy almost a year ago, we have been hacked 4 times. After a security breach with my previous host (the first security issue we had ever experienced – coincidentally after my husband got ‘direct’ with a McPhee salesperson who wouldn’t quit calling us and trying to sell us their security software), I thought that it would be a good idea to go there, thinking it would be safe as it is more expensive and the largest hosting company. Boy was I wrong.
After 3 days inside of a ‘malware’ attack, I am at a loss as to how to fix our site. GoDaddy tell me that the site is clean and they have pretty much wiped their hands of it. I spoke with tech support the first time and the gentleman informed me “this is much worse than I thought and I’m going to escalate it”. Then, after I finally heard back from 2nd level support, they wiped their hands of it and offered absolutely no assistance. I still don’t know what the first tech guy meant by it being “much worse than I thought”.
I tried upgrading WordPress, changing all passwords, downloading all my files to my desktop and scanning my entire computer. No known infections.
I have a separate web security company signed up to monitor and fix my site – they also tell me the site is clean. Out of desperation I have completely uninstalled and deleted WordPress and am using the GoDaddy blogging tool (costs me extra) and deleted .htaccess files (it appears this was tampered with by someone, but I don’t know when – there was a new htaccess file sitting on my domain and the old .htaccess was renamed to bak.htaccess.) I asked GoDaddy if I should just delete both (wiping out all of my Site Redirections in turn), and he said he was confident that would resolve the problem. Well, thus far it didn’t…
I signed up for GoDaddy security 2 days ago (apparently a new product). I have been on the phone to GoDaddy 5 separate times since being hacked this time around and I’m still on Google’s black list after everything I’ve done. The initial vibe I get every time I get on the phone with them is that I must have done something wrong. This is in light of the fact that GoDaddy is a huge target for hackers. You would think they would be a little more humble…
At this point I am at a loss as to what to do. This might be amusing to some people, but my online business is my family’s only income right now – my husband was laid off from his job back in March. I work very hard at this job – 10-12 hour days, as well as raising 2 young children so that we can generate our own income instead of wait for corporations to start hiring. Right now I have no-one visiting my site and I’m watching as the possibility of my house being foreclosed upon grows bigger because I haven’t had any income for days since the site was blacklisted. Do hackers think about the families they are affecting by their actions? But I digress…
Can anyone make a suggestion as to an alternative, SECURE and HELPFUL hosting company, and other than everything I’m doing, is there something simple I’m missing about keeping my site secure?
Regina Smola says
Wow, it sounds like you’ve been through the wringer. Please click the “Contact” link above and send me your URL for your website so I can check it and see what we can do to fix your website.
Stay strong! It’s fixable.