Exclusive: WordPress exploit explained

As Neowin reported earlier this week, WordPress blogs were compromised on what was originally thought to be GoDaddy servers.  Neowin spoke exclusively with Todd Redfoot, a security expert at GoDaddy, who explained the exploit.

GoDaddy reassures customers that the attack came through WordPress and was not an attack on the GoDaddy servers themselves.  The coordinated attack on WordPress was carried out in a botnet-like fashion and targeted outdated versions of WordPress; the exploit was not found in version 2.9.2.  Reports indicate that GoDaddy was not the only hosting company to be attacked, and that the US Treasury website was also hit.

In some instances, users who were not running WordPress were also hacked, but did have an active or inactive WordPress installation on their account.  In many cases, users were unaware that an installation of WordPress was present on their account.

The attacker, or attackers, launched a coordinated attack on outdated versions of WordPress, adding lines of code to users' webpages.  The attack was first spotted in the early morning of May 1, 2010, when users' files were compromised.

Out of the 4 million GoDaddy users, “very few” were compromised.  The exploited accounts were all located on shared hosting servers.  Redfoot confirmed that GoDaddy is currently conducting its own investigation into the attacks.

Concerned GoDaddy users are urged to upgrade their WordPress blogs to version 2.9.2.  Users who have been compromised, or fear they have been, are asked to follow these step-by-step instructions to fix the issue.

If users need help determining whether their site has been affected by the malware, they can submit their domain to GoDaddy's Security Submission Form: www.godaddy.com/securityissue

24 Comments


Except Mr. Redfoot is wrong!!! They said that WordPress to me bit too and I told them I don't have WordPress nor files with WordPress, I have Joomla and I still got attacked, it has to do with PHP script!!!!!

Ugh. They don't know what is going on and that is the problem. They want to blame the customer rather than themselves.

Did anyone care to read Matt Mullenweg's response to all this?

"WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn't matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years."

http://wordpress.org/development/2010/04/file-permissions/

My basic, coded-from-scratch PHP site was infected. There is no trace of anything to do with WordPress anywhere in the document root directory and never has been. If there is WordPress somehow associated with my account otherwise, it's nothing I had anything to do with and know nothing about.

zyxwvut said,
My basic, coded-from-scratch PHP site was infected. There is no trace of anything to do with WordPress anywhere in the document root directory and never has been. If there is WordPress somehow associated with my account otherwise, it's nothing I had anything to do with and know nothing about.

Doesn't mean that your code didn't have a similar security hole/exploit though.

zyxwvut said,
My basic, coded-from-scratch PHP site was infected. There is no trace of anything to do with WordPress anywhere in the document root directory and never has been. If there is WordPress somehow associated with my account otherwise, it's nothing I had anything to do with and know nothing about.

Please read my comment above, this should answer your question.

So, if this truly was just a WordPress exploit attack and not a GoDaddy targeted attack, where are the other stories of the other web hosting companies affected? I have no doubt that WordPress has a vulnerability (as explained in several articles), but it's a bit odd that we're not seeing other hosts affected. Just doesn't add up for me...

Glen said,
So, if this truly was just a WordPress exploit attack and not a GoDaddy targeted attack, where are the other stories of the other web hosting companies affected? I have no doubt that WordPress has a vulnerability (as explained in several articles), but it's a bit odd that we're not seeing other hosts affected. Just doesn't add up for me...

Other companies get affected also, but they are better at dealing with it, or just make sure word doesn't go out.

Reb0ot said,

Other companies get affected also, but they are better at dealing with it, or just make sure word doesn't go out.

Which one?

factoid said,
"Todd Redfood" in paragraph 5...

Thanks for that catch. Just a reminder, we have a "report a problem" link under each article, which gets our staff's attention and makes fixing issues easier.

Andrew Lyle said,

Thanks for that catch. Just a reminder, we have a "report a problem" link under each article, which gets our staff's attention and makes fixing issues easier.

Heh, never noticed that before.

GoDaddy focuses more on domains. I'd rather buy hosting from experienced people.

asmallorange, lunarpages, bluehost come to mind.

Out of the 4 million GoDaddy users, “very few” were compromised.
I don't really believe that. I have been dealing with hackers since I started my professional career. Most of the time I am getting web hosting companies out of these messes.

I am aware of the exploit to WP, which also affects Joomla funnily enough (but injecting a different hex code into it). As I commented on my site smoothblog (search it on Google), once a site has been remotely hacked by the remote script, it will gain Apache-level access, meaning it has access to the 400-1000 users on a server (shared hosting platform on the hosting company), which then crawls through every single account and injects code into each HTML and PHP file.

So more than likely only 1 or 2 of the shared hosting servers at GoDaddy got hacked.
That's not to say that they won't get hacked again soon though, as more than likely there will be a lot of users with old versions of WP and Joomla on the other shared hosts.

These hacks happen all the time to hosting companies. To be honest, the best thing they could have done would have been to restore the files from backup before the hack so news wouldn't go out, then create a script to remove the injected code for all of the users, then advise the users to upgrade their versions of CRM.

But as you can see, the bigger the company, the more energy they put into sales and the less energy into protecting their customers.

So some free advice for everyone here is to have your sites hosted with smaller hosting companies; they are easier to reach and more technical too when it comes to fixing something. After all, these companies are run by real technicians and not newbies or salesmen.

Peace out.

Reb0ot said,
it will gain Apache-level access, meaning it has access to the 400-1000 users on a server (shared hosting platform on the hosting company), which then crawls through every single account and injects code into each HTML and PHP file.

Having it set up like that is an outright security risk; if anything they should be running suPHP so that the Apache process executes the file under its own user. I would be very surprised if this is not already the case; if it was, the sites would have likely already been infected.

XY GT said,

Having it set up like that is an outright security risk; if anything they should be running suPHP so that the Apache process executes the file under its own user. I would be very surprised if this is not already the case; if it was, the sites would have likely already been infected.

Indeed, GoDaddy runs PHP as CGI for security purposes.
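As an added example (not code from the article or from any commenter), here is a small POSIX permission model of the point made in Mullenweg's quote and in the suPHP discussion above: why one injected script on a shared host can reach every tenant when PHP runs as a single Apache user, but only its own account when PHP runs as the account owner. The tenant names, file names and modes are constructed; group permissions are ignored to keep the model short.

```python
# Added example: model of shared-hosting blast radius under two PHP setups.
# Tenants, uids, file names and modes below are constructed, not real data.
from typing import Dict, List, Optional, Tuple

Account = Tuple[str, int, Dict[str, int]]  # (owner, home dir mode, {file: mode})

# mod_php style: one shared "apache" user runs every tenant's PHP, so each home
# must be traversable by it and upload dirs must be writable by it.
ACCOUNTS_SHARED_UID: List[Account] = [
    ("alice", 0o711, {"wp-config.php": 0o644, "index.php": 0o644, "uploads": 0o777}),
    ("bob",   0o711, {"wp-config.php": 0o644, "index.php": 0o644, "uploads": 0o777}),
]
# suPHP / suEXEC / PHP-as-CGI style: PHP runs as the owner, so homes and the
# clear-text DB credentials in wp-config.php can be closed to everyone else.
ACCOUNTS_PER_USER: List[Account] = [
    ("alice", 0o750, {"wp-config.php": 0o640, "index.php": 0o644, "uploads": 0o755}),
    ("bob",   0o750, {"wp-config.php": 0o640, "index.php": 0o644, "uploads": 0o755}),
]

def _bits(mode: int, owner: str, proc_user: str) -> int:
    """Owner rwx bits if the process runs as the owner, else the 'other' bits."""
    return (mode >> 6) & 7 if proc_user == owner else mode & 7

def accessible(account: Account, proc_user: str, want_write: bool) -> List[str]:
    """Files in `account` a process running as `proc_user` can read (or write).
    The home directory needs the x bit first; without it file modes are moot."""
    owner, home_mode, files = account
    if not _bits(home_mode, owner, proc_user) & 1:
        return []
    need = 2 if want_write else 4
    return sorted(p for p, m in files.items() if _bits(m, owner, proc_user) & need)

def blast_radius(accounts: List[Account], shared_web_user: Optional[str],
                 compromised: str) -> Dict[str, Dict[str, List[str]]]:
    """What a script injected into `compromised`'s site can reach on each tenant.
    With a shared web user the script runs as that user, otherwise as the owner."""
    proc_user = shared_web_user or compromised
    return {a[0]: {"read": accessible(a, proc_user, False),
                   "write": accessible(a, proc_user, True)} for a in accounts}

if __name__ == "__main__":
    print("shared apache uid:", blast_radius(ACCOUNTS_SHARED_UID, "apache", "alice"))
    print("php as owner:     ", blast_radius(ACCOUNTS_PER_USER, None, "alice"))
```

With the shared uid, a script running from alice's site reads bob's wp-config.php and writes into bob's uploads; with per-user execution it cannot even enter bob's home, regardless of bob's file modes.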

Heh, clumsy to not upgrade your versions.

Actually, clumsy of the US Treasury to use WordPress. It's not exactly geared for anything but amateur use, looking at their security history.

So all this happened because stupid users either forgot they had WordPress installed or didn't update their software.

Neither GoDaddy nor WordPress should catch an ounce of heat for this IMHO.

necrosis said,
So all this happened because stupid users either forgot they had WordPress installed or didn't update their software.

Neither GoDaddy nor WordPress should catch an ounce of heat for this IMHO.

I have a sneaky feeling that if just one person on your shared server had a dodgy version of WordPress, they were able to inject code into everyone's files, which might explain why some people were claiming not to have any trace of WordPress but still got infected.

necrosis said,
So all this happened because stupid users either forgot they had WordPress installed or didn't update their software.

Neither GoDaddy nor WordPress should catch an ounce of heat for this IMHO.

I almost agree. If WordPress has fixed the exploit in their later versions, then they shouldn't get any heat. GoDaddy, given that they do shared hosting, should catch heat for not enforcing some sort of minimum security policy. There is no way one user should be able to open up a whole server.

It was WordPress, but older versions of it that were still installed.

It would be like going online with plain XP, or with Ubuntu 4.10. Sure, it can be done, but you are likely to have security flaws that are unpatched.

There were a few vociferous (and belligerent) members insisting it was all a GoDaddy lie because of claims of not having WordPress installed.
