Early on September 21, 2010, some websites hosted at Go Daddy were hacked again with malware.
I just received a courtesy call from Go Daddy’s Security Team so I could give you an update. They will also be releasing a statement to me soon and I will post it here shortly.
On September 17, 2010, several websites were infected with the myblindstudioinfoonline malware through an FTP breach.
Go Daddy worked diligently to clean and restore each website affected. They also advised all customers to change their FTP passwords. In a statement on 9/18/2010 they said:
Go Daddy's Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.
So far, none of the websites whose FTP passwords were changed have been reinfected.
Unfortunately, not all webmasters changed their passwords, and those websites were hacked again.
Go Daddy has cleaned and restored all affected websites. However, during the restore process a space was added to some .php files. This caused a “headers already sent” error. Go Daddy is aware of this glitch, is currently working to fix all sites with this error, and should have them restored shortly.
If your website was affected, you may also notice some files with the .INFECTED.PHP extension. These files were created as a backup during Go Daddy's restore process and they will be removing those shortly.
Important! If you've had an FTP breach, please do the following immediately!
- Change all of your FTP passwords (Check to see if you have more than one FTP account).
- Change your database passwords (If hackers got into your FTP, did they look at your wp-config.php file?).
- Change your Authentication Unique Keys and Salts (Again, wp-config.php).
- Change your WordPress username passwords (Change any “administrator” account passwords for safety measures).
- Check your permissions on your server. Make sure your directories (folders) are set to 755 and your files are set to 644 (Sometimes hackers like to change CHMOD permissions while they're in there).
- Update your virus definitions on your anti-virus program and run a full system scan.
- Make sure your firewall is on.
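The file-level checks above can be scripted. The following is an added example, not code from Go Daddy or the original post: it walks a site directory and reports directories that are not 755, files that are not 644, leftover .INFECTED.PHP backups, and .php files with stray whitespace that would trigger “headers already sent”. The function names `audit_site` and `stray_whitespace` are hypothetical, and the script assumes the stray space sits before the opening PHP tag or after the final closing tag, which the post does not specify.

```python
import os
import stat
import sys

# Assumption: the stray space sits before "<?php" or after the final "?>".
def stray_whitespace(data):
    """True if whitespace precedes the opening tag or follows the last closing tag."""
    stripped = data.lstrip()
    if stripped != data and stripped.startswith(b"<?"):
        return True
    if b"?>" in data:
        tail = data.rsplit(b"?>", 1)[1]
        # PHP swallows one newline directly after "?>"; anything more is output.
        return tail not in (b"", b"\n", b"\r\n") and not tail.strip()
    return False

def audit_site(root):
    """Report permission drift, leftover backups and whitespace-damaged PHP files."""
    found = {"bad_dir_mode": [], "bad_file_mode": [],
             "infected_backup": [], "stray_whitespace": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and stat.S_IMODE(os.lstat(path).st_mode) != 0o755:
                found["bad_dir_mode"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular files
            if stat.S_IMODE(st.st_mode) != 0o644:
                found["bad_file_mode"].append(path)
            lower = name.lower()
            if lower.endswith(".infected.php"):
                found["infected_backup"].append(path)
            elif lower.endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        damaged = stray_whitespace(fh.read())
                except OSError:
                    continue  # unreadable files are skipped by the content check
                if damaged:
                    found["stray_whitespace"].append(path)
    return found

if __name__ == "__main__":
    for kind, paths in audit_site(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for p in sorted(paths):
            print(f"{kind}\t{p}")
```

Run it with the site root as the only argument; each output line is a finding category followed by the path.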
Update – 09/21/2010 at 3:15 pm CST:
Statement from Go Daddy
Friday, we told you about a recent malware attack affecting a small group of Go Daddy customers. Our Security Team recommended all those who believed they were affected to change their FTP passwords.
This morning, another event targeted the same hosting accounts as last Friday.
- The good news? Those who changed their passwords were NOT affected.
- The bad news? Those accounts affected by the previous wave of attacks, whose FTP passwords were not changed, were once again compromised.
If you were impacted in any way, Go Daddy “has your back.” Our Security Team cleaned the affected sites almost immediately and very few, if any sites, should be seeing errors.
If you think your site has been affected, please change your FTP password immediately — It takes just seconds. Here's how to change your FTP password.
Go Daddy Chief Information Security Officer
Update – 09/22/2010 at 12:45 pm CST:
We just got confirmation from Go Daddy's Security Team that this incident was found on shared hosting accounts only. Virtual Dedicated Servers, Dedicated Servers or Mac Powered Cloud Servers were not affected.