Sign in to follow this  
Followers 0
TonyLock

GoDaddy Got Hacked Yesterday

73 posts in this topic

Just caught GoDaddy spying on me, just as I had suspected.

This screenshot is of my profile as of 12:23 AM PDT. Look who is spying on me and on this thread at 10:27 PM rather than fix the security holes in their servers:

post-15711-12728715472814.png

GoDaddy specifically made their Neowin account to comment on this thread and to address me directly. Clearly they are worried and don't have a clue what is going. Funny actually.

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised, you could have provided that here or sent him a pm. instead you came up with another anonymous godaddy friend without wordpress. it could very well be they have unused wordpress files on the server or that wjatever the do use is based on wordpress

1 person likes this

Share this post


Link to post
Share on other sites

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised, you could have provided that here or sent him a pm. instead you came up with another anonymous godaddy friend without wordpress. it could very well be they have unused wordpress files on the server or that wjatever the do use is based on wordpress

Clearly, you have never called GoDaddy tech support before. They know the sites have have been told on the phone. I have no need to mention them here.

Anyway, GoDaddy don't need to know about any more domains, considering all the net chatter about this enter issue.

All they need to do is lock does their accounts so one account cannot write to another. PERIOD! PROBLEM SOLVED!

Share this post


Link to post
Share on other sites

Seriously, you sound like you're on some kind of crusade against GoDaddy, throwing out claim after claim, without a single shed of proof.

and no, net chatter isn't proof.

2 people like this

Share this post


Link to post
Share on other sites

Seriously, you sound like you're on some kind of crusade against GoDaddy, throwing out claim after claim, without a single shed of proof.

and no, net chatter isn't proof.

+1

Plus I just spied on you...

Share this post


Link to post
Share on other sites

+1

Plus I just spied on you...

OH NOEZ!!!!! :p

Share this post


Link to post
Share on other sites

Dunno, the GoDaddy representative's being fairly reasonable whereas you're over-exaggerating and seem a bit paranoid. They're "spying on you"? Seriously?

Share this post


Link to post
Share on other sites

Apology? How old are you son? Apology for speaking the truth? Only on Neowin!

Thereal issue is responsibility.

///cut////

I hope GoDaddy accept responsibility for it's failing and accepts whatit needs to do to set things right by it's customers.

But if there are back handers going out (as evident by theapologist for the GoDaddy's apologist) then I highly doubt it.

GoFigure GoDaddy!

I think you what we call in UK a 'Bigoted' person. Note to ALL I never called him a 'Bigot'.

Share this post


Link to post
Share on other sites

lol

1 person likes this

Share this post


Link to post
Share on other sites

Hi,

I searched few days and I got some conclusion hope help somebody.

1. Goddady have a executing multi-extension files security hole example:

somthing.php.jpg

This is a known security issue:

http://core.trac.wordpress.org/ticket/11122

to fix that on GoDaddy try add this in .htaccess

RemoveHandler application/x-httpd-php .php

<FilesMatch "\.(php|php5|php4|php3|phtml|phpt)$">

SetHandler x-httpd-php5

</FilesMatch>

<FilesMatch "\.phps$">

SetHandler x-httpd-php5-source

</FilesMatch>

I tested on my site and seams that work.

2. The injections affected two my sites with custom cms, one site do not have upload at all (no wordpress, no joomla).

3. I find some hacking tool on my account with all nice staff for injection things.. I think they passes deep

4. put all php files to unwritable seems to stop injection

I think that injections come from inside server becouse GoDaddy hosting will easly find it if starts from outside.

Hope this can help

Share this post


Link to post
Share on other sites

Apology? How old are you son? Apology for speaking the truth? Only on Neowin!

<< SNIP >>

This post is full of false claims, no evidence or proof of any of this, and inaccurate claims against GoDaddy.

I suggest you just stop pointing fingers and start telling your friends that they are lying.

And you have absolutely NO proof that GoDaddy has never gone around the Internet and signed up on other forums to speak directly to people.

If I were you, I would just let this go. You're trying to turn nothing into something, and you don't even have an account with GoDaddy! So just stop talking.

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised, you could have provided that here or sent him a pm. instead you came up with another anonymous godaddy friend without wordpress. it could very well be they have unused wordpress files on the server or that wjatever the do use is based on wordpress

To expand on what you said, the server block, since this is a shared host, could contain WordPress files. Each user does not have to have WordPress instead, but anyone else using the same server as you could have WordPress installed, compromising the entire server.

2 people like this

Share this post


Link to post
Share on other sites

My Godaddy site just got hacked also. It is just a simple PHP site, mostly html with .php page extensions. All the php files were hacked. Godaddy is in an extreme state of denial. They just sent a form email implying that it was somehow my fault. Definitely not just a Wordpress problem.

zyxwvut,

Thank you for posting. If you'll please PM your domain, I'll have our Security Team investigate the matter.

Salem

1 person likes this

Share this post


Link to post
Share on other sites

Hi,

A little tutorial to see if you have a issue executing multi-extension files.

Create a file with name "info.php.jpg" and add in if following code:

<?php

phpinfo();

?>

upload to your webpage and try to get it.(www.yourdomain.com/info.php.jpg)

if your file is parsed (you will see a php information) insted of get an inexistent image you have this security issue.

What this means?

This means that if you have upload file funcionality hacker can upload script on your site and run it.

It not based on single cms (wordpress, joomla...) is general issue.

I find a script that look like a image inside but is a tool.

This issue is not related to this attack maybe, but is security issue that you can check and prevent to you file injection.

Above I posted a fix for GoDaddy that is little bit different from wordpress fix.

Hope this can help somebody... and safe some working hours ;)

Share this post


Link to post
Share on other sites

Hrm, i test that on my linux box, the virus fake me that i have virus on my computer but its windows design and layout but im on linux heh, virus is force me to visit www2.warezforpc37-pd.xorg.pl then download packupdate_build107_2045.exe (the link go to virustotal.com, Im just tell you its safe link)

fake2i.jpg

I read whole code, but i dont want paste to this forum, its might block by anti-virus. :)

Share this post


Link to post
Share on other sites

Some screenshots of tool that was injeced trought multi-extension hole... nice tool :)

hack tool 1

hack tool 2

Im not allowed to add the pictures then I added links...

Share this post


Link to post
Share on other sites

UPDATE! According to: http://www.wpsecuritylock.com/dangerous-malware-alert-hacked-godaddy-responds/

there is a Godaddy response:

We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, 'What is Go Daddy doing to help?'

As the world's #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control -- because the customer decides whether to update the software they run. (If you think about it, it's like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.

This is why we are working to proactively communicate and educate Internet users about this situation.

Here are a few of the initiatives we have going right now.

As a service to our customers and all Internet users:

* Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).

* Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we've alerted them even before they realize they are impacted).

* Go Daddy is also taking the leadership role with educational communication -- posting Help Articles to our Community & Customer Service pages to provide "1,2,3 Info" on how to properly update software.

We'll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.

Phil Stuart

Go Daddy Communications

Share this post


Link to post
Share on other sites

GoDaddy specifically made their Neowin account to comment on this thread and to address me directly. Clearly they are worried and don't have a clue what is going. Funny actually.

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum.

:pinch: :blink: :whistle:

Share this post


Link to post
Share on other sites

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum.

:pinch: :blink: :whistle:

I dont think so, maybe they have access to Google.com, this is not a new incident. Also Neowin is not the official support tool of Godaddy, if they follow a standard for providing services like ITIL, they would not need to ask to send the affected domains via PM, they would ask you to use the formal methods for asking for support (phone,email support). Thats why sometimes I doubt if the user Godaddy is really from @godaddy.com

I dont think they want to discuss (or disclose) attack information in public forums, they will just say something like: "Stay calm", "We are working on it",blah blah so just wait until it is sorted or for any official communication (if any).

In the meanwhile lets see what information (and DISinformation) we found about it.

Share this post


Link to post
Share on other sites

I dont think so, maybe they have access to Google.com, this is not a new incident. Also Neowin is not the official support tool of Godaddy, if they follow a standard for providing services like ITIL, they would not need to ask to send the affected domains via PM, they would ask you to use the formal methods for asking for support (phone,email support). Thats why sometimes I doubt if the user Godaddy is really from @godaddy.com

I dont think they want to discuss (or disclose) attack information in public forums, they will just say something like: "Stay calm", "We are working on it",blah blah so just wait until it is sorted or for any official communication (if any).

In the meanwhile lets see what information (and DISinformation) we found about it.

I don't care what you think--that's what happened. @GoDaddy replied to me minutes after I tweeted about the thread/blog on Neowin. Moments later they joined Neowin and posted a response.

Perhaps you don't understand the part about social mediums. People are hired for specific positions. They don't need to be involved with any technical resolutions. Did you read his post where he stated his job position? "Go Daddy's Social Media Team" THIS IS HIS JOB. He can post on as many forums as he sees fit if he is looking to help people resolve any issues that are present with GoDaddy. He can reply to as many people on Twitter as he has to. Or any other social networking platform.

It's evident that you only came to Neowin to post in this GoDaddy thread for one reason. Stop being a nuisance and go back to the hole you came from.

Share this post


Link to post
Share on other sites

I don't care what you think--that's what happened. @GoDaddy replied to me minutes after I tweeted about the thread/blog on Neowin. Moments later they joined Neowin and posted a response.

Perhaps you don't understand the part about social mediums. People are hired for specific positions. They don't need to be involved with any technical resolutions. Did you read his post where he stated his job position? "Go Daddy's Social Media Team" THIS IS HIS JOB. He can post on as many forums as he sees fit if he is looking to help people resolve any issues that are present with GoDaddy. He can reply to as many people on Twitter as he has to. Or any other social networking platform.

It's evident that you only came to Neowin to post in this GoDaddy thread for one reason. Stop being a nuisance and go back to the hole you came from.

Oh my god, another kid posting on neowin... Great you got the credit I will send you my diploma

I did not know the companies are looking everywhere on the internet on how to solve the problems, they have their own trained support staff.

I can read his job position, but did you check: http://www.godaddy.com/SocialMedia/social-media.aspx?ci=17624 ?

I dont see neowin listed, then carefully read the description of the 4 social networks. Godaddy social team is just for MARKETING (and apparently also for calming the scared existant and potential customers of issues like this)

Share this post


Link to post
Share on other sites

Oh my god, another kid posting on neowin... Great you got the credit I will send you my diploma

I did not know the companies are looking everywhere on the internet on how to solve the problems, they have their own trained support staff.

I can read his job position, but did you check: http://www.godaddy.com/SocialMedia/social-media.aspx?ci=17624 ?

I dont see neowin listed, then carefully read the description of the 4 social networks. Godaddy social team is just for MARKETING (and apparently also for calming the scared existant and potential customers of issues like this)

really... Gee the rest of us didn't figure that out at the point when he said he was going to forward it to the actual tech staff in his first post.... :rolleyes:

it's what social media staff is for, he never tried to do any tech support or said he would. basically, he's like an escalation, without needing to actually call them and fight with the phone guys and then fight with the supervisor.

Share this post


Link to post
Share on other sites

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum. :pinch: :blink: :whistle:

Well thanks for bringing them here :)

I had a one-on-one phone conversation with Todd Redfoot, a security expert at GoDaddy, be sure to read this:

http://www.neowin.net/news/exclusive-wordpress-exploit-explained

Share this post


Link to post
Share on other sites

So not GoDaddys fault, just some idiots who had an old install on their hosting...doh

Share this post


Link to post
Share on other sites

The break-fix Solution will be enough just for this attack, however GoDaddy needs to isolate the accounts and tighten the privileges in order to avoiD future problems (cause some users complain that their site were "infected" even without having WP installed, also other users upgraded to. 2.9.2 and were "reinfected")

Share this post


Link to post
Share on other sites

The break-fix Solution will be enough just for this attack, however GoDaddy needs to isolate the accounts and tighten the privileges in order to avoiD future problems (cause some users complain that their site were "infected" even without having WP installed, also other users upgraded to. 2.9.2 and were "reinfected")

Speaking with the security expert at GoDaddy, Todd Redfoot, he mentioned that they did not see the exploit on users accounts that were running WordPress 2.9.2.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.