
GoDaddy Got Hacked Yesterday


72 replies to this topic

#31 brentaal

brentaal

    No, I am not.

  • Joined: 31-December 04

Posted 03 May 2010 - 10:58

Dunno, the GoDaddy representative's being fairly reasonable whereas you're over-exaggerating and seem a bit paranoid. They're "spying on you"? Seriously?


#32 stevember

stevember

    'But thats just me....'

  • Tech Issues Solved: 2
  • Joined: 13-August 01
  • Location: Cornwall, UK

Posted 03 May 2010 - 13:29


Apology? How old are you son? Apology for speaking the truth? Only on Neowin!

The real issue is responsibility.

///cut////

I hope GoDaddy accepts responsibility for its failing and accepts what it needs to do to set things right by its customers.

But if there are back handers going out (as evident by the apologist for the GoDaddy's apologist) then I highly doubt it.

GoFigure GoDaddy!


I think you are what we call in the UK a 'Bigoted' person. Note to ALL: I never called him a 'Bigot'.

#33 SMELTN

SMELTN

    Neowinian Senior

  • Joined: 23-July 05
  • Location: Alabama
  • OS: Windows 7 Ultimate, 2012 Macbook Pro, CR-48 Chromebook from Google
  • Phone: iPhone 5s

Posted 03 May 2010 - 14:27

lol

#34 mrga

mrga

    Neowinian

  • Joined: 03-May 10

Posted 03 May 2010 - 15:47

Hi,

I searched for a few days and came to some conclusions; I hope they help somebody.

1. GoDaddy has a security hole with executing multi-extension files, for example:
somthing.php.jpg

This is a known security issue:
http://core.trac.wor...rg/ticket/11122

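To fix that on GoDaddy, try adding this to .htaccess:
# Remove the extension-based PHP mapping for .php (RemoveHandler takes extensions only)
RemoveHandler .php
# Run PHP only when the file name ends in a PHP extension
<FilesMatch "\.(php|php5|php4|php3|phtml|phpt)$">
SetHandler x-httpd-php5
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler x-httpd-php5-source
</FilesMatch>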


I tested it on my site and it seems to work.

2. The injections affected two of my sites with a custom CMS; one site does not have upload at all (no WordPress, no Joomla).

3. I found some hacking tool on my account with all the nice stuff for injection things... I think they went deep.

4. Setting all PHP files to unwritable seems to stop the injection.

I think that the injections come from inside the server, because GoDaddy hosting would easily find it if it started from outside.

Hope this can help

#35 vetAndrew Lyle

Andrew Lyle

    Don't Panic!

  • Joined: 15-December 03
  • Location: Toronto, Ontario
  • OS: Windows 7 SP1

Posted 03 May 2010 - 16:21

Apology? How old are you son? Apology for speaking the truth? Only on Neowin!
<< SNIP >>

This post is full of false claims, no evidence or proof of any of this, and inaccurate claims against GoDaddy.

I suggest you just stop pointing fingers and start telling your friends that they are lying.

And you have absolutely NO proof that GoDaddy has never gone around the Internet and signed up on other forums to speak directly to people.
If I were you, I would just let this go. You're trying to turn nothing into something, and you don't even have an account with GoDaddy! So just stop talking.

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised; you could have provided that here or sent him a PM. Instead you came up with another anonymous GoDaddy friend without WordPress. It could very well be they have unused WordPress files on the server or that whatever they do use is based on WordPress.

To expand on what you said, the server block, since this is a shared host, could contain WordPress files. Each user does not have to have WordPress instead, but anyone else using the same server as you could have WordPress installed, compromising the entire server.

#36 bytes2000

bytes2000

    Neowinian

  • Joined: 20-June 04

Posted 03 May 2010 - 16:25

I just found a very detailed page related to this: http://www.wpsecurit...ddy-case-study/

It includes some findings, recommendations and the most detailed guide on how to remove the problem. I also checked slashdot and the wp problem reports started since March..

#37 GoDaddy

GoDaddy

    Neowinian

  • Joined: 03-May 10

Posted 03 May 2010 - 17:29

My Godaddy site just got hacked also. It is just a simple PHP site, mostly html with .php page extensions. All the php files were hacked. Godaddy is in an extreme state of denial. They just sent a form email implying that it was somehow my fault. Definitely not just a Wordpress problem.


zyxwvut,

Thank you for posting. If you'll please PM your domain, I'll have our Security Team investigate the matter.

Salem

#38 mrga

mrga

    Neowinian

  • Joined: 03-May 10

Posted 03 May 2010 - 23:20

Hi,

A little tutorial to see if you have an issue with executing multi-extension files.
Create a file named "info.php.jpg" and add the following code to it:

<?php
phpinfo();
?>

Upload it to your web page and try to get it (www.yourdomain.com/info.php.jpg).

If your file is parsed (you will see the PHP information) instead of getting a nonexistent image, you have this security issue.

What does this mean?
This means that if you have file upload functionality, a hacker can upload a script to your site and run it.
It is not based on a single CMS (WordPress, Joomla...); it is a general issue.
I found a script that looks like an image inside but is a tool.

This issue is maybe not related to this attack, but it is a security issue that you can check for, to prevent file injection.

Above I posted a fix for GoDaddy that is a little bit different from the WordPress fix.

Hope this can help somebody... and save some working hours ;)
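
An added example, not part of mrga's posts or of any GoDaddy or WordPress code: a small audit for the two conditions described in this thread, a PHP extension hidden before the final extension (as in info.php.jpg) and PHP files that are still writable. The matching functions are a simplified model of extension-based handler mapping, and the file tree built in demo() is constructed sample data.

```python
import os
import re
import tempfile

# Extensions taken from the FilesMatch pattern in the .htaccess posted above.
PHP_EXTS = {"php", "php5", "php4", "php3", "phtml", "phpt"}
END_ANCHORED = re.compile(r"\.(php|php5|php4|php3|phtml|phpt)$", re.IGNORECASE)

def handler_by_any_extension(name):
    """Simplified model (assumption): extension-based mapping considers every
    dot-separated extension after the base name, so info.php.jpg matches."""
    return any(ext in PHP_EXTS for ext in name.lower().split(".")[1:])

def handler_by_last_extension(name):
    """The FilesMatch approach: only the final extension decides."""
    return END_ANCHORED.search(name) is not None

def audit(webroot):
    """Return sorted (relative path, finding) pairs for a web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if handler_by_any_extension(name) and not handler_by_last_extension(name):
                findings.append((rel, "multi-extension: PHP before final extension"))
            elif handler_by_last_extension(name) and os.stat(path).st_mode & 0o222:
                findings.append((rel, "writable PHP file"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not real data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        samples = {
            "index.php": 0o644,   # owner-writable, should be flagged
            "config.php": 0o444,  # read-only, should pass
            "logo.jpg": 0o644,    # ordinary image name, should pass
            os.path.join("uploads", "info.php.jpg"): 0o644,
        }
        for rel, mode in samples.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Calling audit() on a real document root gives the same two kinds of finding; a flagged multi-extension file in an upload directory is the case the info.php.jpg test above checks for.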

#39 joker999

joker999

    GorillaZ

  • Joined: 23-October 03

Posted 04 May 2010 - 03:09

Hrm, I tested that on my Linux box. The virus fakes that I have a virus on my computer, but it's a Windows design and layout and I'm on Linux, heh. The virus forces me to visit www2.warezforpc37-pd.xorg.pl and then download packupdate_build107_2045.exe (the link goes to virustotal.com; I'm just telling you it's a safe link).

I read the whole code, but I don't want to paste it to this forum; it might be blocked by anti-virus. :)

#40 mrga

mrga

    Neowinian

  • Joined: 03-May 10

Posted 04 May 2010 - 17:12

Some screenshots of the tool that was injected through the multi-extension hole... nice tool :)

http://www.flickr.co...N03/4578964068/
http://www.flickr.co...N03/4578964212/

I'm not allowed to add the pictures, so I added links...

#41 bytes2000

bytes2000

    Neowinian

  • Joined: 20-June 04

Posted 04 May 2010 - 18:03

UPDATE! According to: http://www.wpsecurit...daddy-responds/

there is a Godaddy response:

We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, 'What is Go Daddy doing to help?'

As the world's #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control -- because the customer decides whether to update the software they run. (If you think about it, it's like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.

This is why we are working to proactively communicate and educate Internet users about this situation.

Here are a few of the initiatives we have going right now.

As a service to our customers and all Internet users:

* Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).
* Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we've alerted them even before they realize they are impacted).
* Go Daddy is also taking the leadership role with educational communication -- posting Help Articles to our Community & Customer Service pages to provide "1,2,3 Info" on how to properly update software.

We'll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.

Phil Stuart
Go Daddy Communications



#42 +Cupcakes

Cupcakes

    #pugs { display: block; }

  • Joined: 12-May 09
  • Location: Chicago, IL

Posted 04 May 2010 - 18:56

GoDaddy specifically made their Neowin account to comment on this thread and to address me directly. Clearly they are worried and don't have a clue what is going. Funny actually.


I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum.

:pinch: :blink: :whistle:

#43 bytes2000

bytes2000

    Neowinian

  • Joined: 20-June 04

Posted 04 May 2010 - 19:21

I need to comment on this. The only reason GoDaddy came here was because I had tweeted about it and they directly replied to my tweet which had a link to Neowin in it. The same person who replied here is the same person who manages GoDaddy's Twitter account. He doesn't need to be a tech agent to do this--he even states his position within GoDaddy is for social-related purposes.. Which would include this forum.

:pinch: :blink: :whistle:

I don't think so, maybe they have access to Google.com; this is not a new incident. Also, Neowin is not the official support tool of GoDaddy. If they follow a standard for providing services like ITIL, they would not need to ask to send the affected domains via PM; they would ask you to use the formal methods for asking for support (phone, email support). That's why sometimes I doubt if the user GoDaddy is really from @godaddy.com

I don't think they want to discuss (or disclose) attack information in public forums; they will just say something like: "Stay calm", "We are working on it", blah blah, so just wait until it is sorted or for any official communication (if any).

In the meantime, let's see what information (and DISinformation) we found about it.

#44 +Cupcakes

Cupcakes

    #pugs { display: block; }

  • Joined: 12-May 09
  • Location: Chicago, IL

Posted 04 May 2010 - 19:30

I don't think so, maybe they have access to Google.com; this is not a new incident. Also, Neowin is not the official support tool of GoDaddy. If they follow a standard for providing services like ITIL, they would not need to ask to send the affected domains via PM; they would ask you to use the formal methods for asking for support (phone, email support). That's why sometimes I doubt if the user GoDaddy is really from @godaddy.com

I don't think they want to discuss (or disclose) attack information in public forums; they will just say something like: "Stay calm", "We are working on it", blah blah, so just wait until it is sorted or for any official communication (if any).

In the meantime, let's see what information (and DISinformation) we found about it.


I don't care what you think--that's what happened. @GoDaddy replied to me minutes after I tweeted about the thread/blog on Neowin. Moments later they joined Neowin and posted a response.

Perhaps you don't understand the part about social mediums. People are hired for specific positions. They don't need to be involved with any technical resolutions. Did you read his post where he stated his job position? "Go Daddy's Social Media Team" THIS IS HIS JOB. He can post on as many forums as he sees fit if he is looking to help people resolve any issues that are present with GoDaddy. He can reply to as many people on Twitter as he has to. Or any other social networking platform.

It's evident that you only came to Neowin to post in this GoDaddy thread for one reason. Stop being a nuisance and go back to the hole you came from.

#45 bytes2000

bytes2000

    Neowinian

  • Joined: 20-June 04

Posted 04 May 2010 - 19:46

I don't care what you think--that's what happened. @GoDaddy replied to me minutes after I tweeted about the thread/blog on Neowin. Moments later they joined Neowin and posted a response.

Perhaps you don't understand the part about social mediums. People are hired for specific positions. They don't need to be involved with any technical resolutions. Did you read his post where he stated his job position? "Go Daddy's Social Media Team" THIS IS HIS JOB. He can post on as many forums as he sees fit if he is looking to help people resolve any issues that are present with GoDaddy. He can reply to as many people on Twitter as he has to. Or any other social networking platform.

It's evident that you only came to Neowin to post in this GoDaddy thread for one reason. Stop being a nuisance and go back to the hole you came from.

Oh my god, another kid posting on Neowin... Great, you got the credit, I will send you my diploma.

I did not know the companies are looking everywhere on the internet on how to solve the problems; they have their own trained support staff.
I can read his job position, but did you check: http://www.godaddy.c...a.aspx?ci=17624 ?

I don't see Neowin listed; then carefully read the description of the 4 social networks. The GoDaddy social team is just for MARKETING (and apparently also for calming the scared existing and potential customers of issues like this)