WordPress on GoDaddy.com hacked [Updated]

Update: GoDaddy has posted a message on Neowin.net confirming that the compromised sites do have an outdated version of WordPress, either active or inactive, on their hosting plans. GoDaddy also noted that the compromise might be present at other hosting providers too.

"TonyLock and All,

I work on Go Daddy's Social Media Team and we're working with our Security Operations Center to locate examples of non-WordPress sites that have been compromised. If you're comfortable with sharing example domains, please feel free to PM them to me.


Please know that we're actively working to identify the issue and resolve it. Further, we've published steps to correct the issue at
http://fwd4.me/MFK. As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware that were not WordPress blogs have the commonality that an outdated version of WordPress is either powering part of the site or that it is not in use, but is still present on the hosting plan. Additionally, we have heard reports of the compromise occurring on other hosting providers.

Again, we are actively and aggressively working to identify the cause and we've published a means to correct it - http://fwd4.me/MFK.

^Salem"

Some WordPress users on GoDaddy hosting servers have been seeing malware injected into their site code. According to godaddy.com, the compromised sites were usually running outdated WordPress versions or had weak FTP passwords.

Users began seeing lines of added code at the top and bottom of their websites, linking to the website http://kdjkfjskdfjlskdjf.com.

GoDaddy became aware of the situation today, tweeting that it is looking into the issue; it has since confirmed the injection and posted a message on its community forums explaining how to correct it.

According to GoDaddy.com, users who are or may be at risk are advised to back up their databases and reinstall WordPress:

1. Back up the database: http://community.godaddy.com/help/2009/10/12/backing-up-and-restoring-mysql-or-mssql-databases/
2. Make a note of your customizations, such as plugins or any other modifications you've made.
3. Remove all files from the site; be sure to save anything that isn't part of WordPress!
4. Reinstall WordPress through Hosting Connections.
5. Restore the database (see the article above).
6. Verify that the WordPress users are correct and authorized.
7. Reinstall any plugins you were using.
8. Reload any additional .php files from a known clean copy.

Users are also strongly advised to use strong passwords for their admin, FTP and database accounts, with a different password for each, so that the accounts are as secure as possible.
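As an added example (not from the article and not GoDaddy's own instructions), the following Python script shows how a site owner could audit a hosted WordPress tree before reloading files from a known clean copy, as step 8 requires. It lists .php files that differ from a clean download of the same release, lists files that contain the injected domain named above, and reports whether wp-config.php is readable by other users on the server (the file-permission point raised in the comment thread and in the wordpress.org file-permissions post linked there). The clean and live directories are constructed inline for the demonstration; on a real account you would point `audit()` at your own WordPress download and your hosting directory.

```python
"""
Added example: audit a live WordPress tree against a known-clean copy.
Not part of the article or GoDaddy's instructions; the demo directories
built by build_demo() are constructed sample data.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Domain the article reports as the injected link target.
INDICATOR = b"kdjkfjskdfjlskdjf.com"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def modified_php_files(live: Path, clean: Path) -> list[str]:
    """Relative paths of .php files that are missing from, or differ from, the clean copy."""
    out = []
    for p in sorted(live.rglob("*.php")):
        rel = p.relative_to(live)
        ref = clean / rel
        if not ref.is_file() or sha256_of(p) != sha256_of(ref):
            out.append(str(rel))
    return out


def files_with_indicator(root: Path) -> list[str]:
    """Relative paths of any file (php, js, html...) that contains the reported domain."""
    out = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and INDICATOR in p.read_bytes():
            out.append(str(p.relative_to(root)))
    return out


def wp_config_world_readable(root: Path) -> bool:
    """True when wp-config.php (which holds the DB password) is readable or writable by 'other'."""
    mode = (root / "wp-config.php").stat().st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit(live: Path, clean: Path) -> dict:
    """Run the three checks and return their findings."""
    return {
        "modified": modified_php_files(live, clean),
        "indicator": files_with_indicator(live),
        "config_exposed": wp_config_world_readable(live),
    }


def build_demo() -> tuple[Path, Path]:
    """Construct a tiny clean install and a live copy with one injected file (sample data)."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-content").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (root / "wp-content" / "plugin.php").write_text("<?php // plugin\n")
    # Constructed injection: an extra line at the top and bottom of index.php,
    # mirroring the "top and bottom of the page" pattern the article describes.
    inj = b'<script src="http://' + INDICATOR + b'/x.js"></script>\n'
    idx = live / "index.php"
    idx.write_bytes(inj + idx.read_bytes() + inj)
    os.chmod(live / "wp-config.php", 0o644)   # world-readable on purpose, to be flagged
    os.chmod(clean / "wp-config.php", 0o600)  # the tightened setting
    return live, clean


if __name__ == "__main__":
    live_dir, clean_dir = build_demo()
    for name, finding in audit(live_dir, clean_dir).items():
        print(f"{name}: {finding}")
```

The comparison is by file hash rather than by searching for one known string, because a later injection will not use the same domain; the indicator search is kept only as a quick triage for this particular incident. Files that appear in `modified` but are not WordPress core (plugins, themes, your own scripts) are exactly the ones step 3 tells you to save separately and step 8 tells you to reload only from a copy you trust.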

Thanks to TonyLock for the tip!

34 Comments

Just an FYI, Network Solutions had a series of similar hacks a few weeks back and are still recovering. The problem is a hacker gets a foothold on one of their servers and starts exploring the local network from within the server company's machines for other wordpress (or drupal or whatever) installs.

It's sort of a new type of attack: become a customer and attack from within. No ftp passwords are needed or used, nor is any http connectivity ever required (so you won't see things in your log data).

Having said that, folks make sure you chmod your wp-config.php file as tight as you can.

Actually, this type of attack is not all that new and I believe it is only possible when security is lax on shared web hosting servers. Granted, I'm no server security expert (especially on Linux / Apache), but one would think getting to root privileges from a compromised site should not be possible.

Glen said,
Actually, this type of attack is not all that new and I believe it is only possible when security is lax on shared web hosting servers. Granted, I'm no server security expert (especially on Linux / Apache), but one would think getting to root privileges from a compromised site should not be possible.
They aren't getting server root login. They seem to be getting FTP login from weak passwords, and possibly exploiting old versions (or improperly set up installations) of wordpress. This especially is true if customers set up their account with wordpress but aren't actually using it. It would be like leaving sshd running on my Linux box with weak passwords and I never use or update it.

If they totally owned root on the box, we would see more sweeping changes.

Glen said,
Actually, this type of attack is not all that new and I believe it is only possible when security is lax on shared web hosting servers. Granted, I'm no server security expert (especially on Linux / Apache), but one would think getting to root privileges from a compromised site should not be possible.

Could be this is different, but at netsol, no root was required, they use the "other" permissions to obtain read access and in some cases write access.

It just sounded initially like a copycat of the technique. netsol even came out initially and said the same things godaddy is saying.

Edited by dugbug, May 3 2010, 5:58pm :

My site wasn't hacked, it was two of my friend's site that got hacked; I'm just annoyed as if this happens at my work place, I would lose my job. Pity GoDaddy can't get their act together.

TonyLock said,
My site wasn't hacked, it was two of my friend's site that got hacked; I'm just annoyed as if this happens at my work place, I would lose my job. Pity GoDaddy can't get their act together.

Imo, any good corporate environment has some kind of protection.... for example, at college back then, they had a hardware protection called PC Sentinel..... every time the computer would get rebooted, it would get restored to the image in seconds....

Heck I even tried formatting the PC once, rebooted, BAM windows is back XD

We should not have to supply any data to GoDaddy. They should employ security experts that do this as a matter of profession. If GoDaddy wants any advice or direction from me, they can pay me for my counsel. Other than that, it is their job to ensure security, not mine or any of their customers'.

Or, since you were already on the phone with them, desperate to get your site and file contents back in order. My suggestion would just be to let GoDaddy handle the rest, and help diagnose the problem.
And I do agree, it is their job to 'ensure security', but this is the Internet after all, and stuff like this happens.. sad, but it happens.

TonyLock said,
We should not have to supply any data to GoDaddy. They should employ security experts that do this as a matter of profession. If GoDaddy wants any advice or direction from me, they can pay me for my counsel. Other than that, it is their job to ensure security, not mine or any of their customers'.

So you tell someone an account (out of thousands) got hacked and GoDaddy are meant to know which one it is?

I just spoke to GoDaddy and they have no idea. This is poor service at its best. I have about 18 domains under my account, and at least 10 of them are running WP.

Hard to tell who is using wordpress anymore. I got nailed on a forum a while back that might have used it. Stuck asam.exe on my computer so for 50-60 hours I was busy getting rid of it. Thank goodness for malwarebytes. Really good forums there.

PatrynXX said,
50-60 hours I was busy getting rid of it.

Seriously? Why?

I never understand why people spend so much time trying to clean up crap when there is no way they will ever be able to know they've fully gotten rid of it. (Anybody who tells you otherwise is flat out lying.)

Even if you must try to clean something up, why spend so much time on it? You could make an image of the drive, wipe it, install Windows, install your apps and selectively restore only the data you know to be good/clean in far less time.

Edited by cowlick, May 4 2010, 9:48pm :

First of all, this is pure BS. Second, this isn't a Wordpress specific issue, so going around spreading this is only going to cause fear with Wordpress.org users.

This is not a specific target against Wordpress but rather proof that GoDaddy's servers are not optimized and tightened for security. There are OTHER websites hosted by GoDaddy that have been infected that are NOT using Wordpress.

AGAIN this is NOT just Wordpress users. ALL users on infected GoDaddy servers have had this problem. NOT just Wordpress users, MMMKAY?

Don't jump on the Wordpress is at fault bandwagon because someone else is putting the blame on them. Take a page from Wordpress's blog post on the issue: http://wordpress.org/development/2010/04/file-permissions/

Cupcakes said,
First of all, this is pure BS. Second, this isn't a Wordpress specific issue, so going around spreading this is only going to cause fear with Wordpress.org users.

This is not a specific target against Wordpress but rather proof that GoDaddy's servers are not optimized and tightened for security. There are OTHER websites hosted by GoDaddy that have been infected that are NOT using Wordpress.

AGAIN this is NOT just Wordpress users. ALL users on infected GoDaddy servers have had this problem. NOT just Wordpress users, MMMKAY?

Don't jump on the Wordpress is at fault bandwagon because someone else is putting the blame on them. Take a page from Wordpress's blog post on the issue: http://wordpress.org/development/2010/04/file-permissions/

Wow, you're kinda irate about this but the article doesn't particularly put a great deal of blame on Wordpress, and as I read it I can understand this is entirely a GoDaddy fault - as GoDaddy's help page willingly accepts.
Don't take things to heart, it's only a new item...

Well it is godaddy servers, but as their community forum support post says, it might be outdated versions or weak FTP passwords.

It never was really about wordpress security, but seems to be exploring only wordpress blogs at the moment

Jordan Wharmsby said,
Wow, you're kinda irate about this but the article doesn't particularly put a great deal of blame on Wordpress, and as I read it I can understand this is entirely a GoDaddy fault - as GoDaddy's help page willingly accepts.

Unfortunately the title "Wordpress on GoDaddy hacked," puts the blame on Wordpress and also goes as far as to state "The compromised sites were usually outdated WordPress versions" (whether or not quoted from GoDaddy itself.) Unfortunately for GoDaddy, an old version of Wordpress being hacked would not affect the entire server if it's utilizing proper security measures. I express distaste for the article because it's misleading and adds negative light to Wordpress.. when it's GoDaddy that's entirely at fault. I'm not taking it to heart--I'm being logical and expressing it as such. My text isn't emoting other than to call BS on it.

Cupcakes said,
First of all, this is pure BS. Second, this isn't a Wordpress specific issue, so going around spreading this is only going to cause fear with Wordpress.org users.

This is not a specific target against Wordpress but rather proof that GoDaddy's servers are not optimized and tightened for security. There are OTHER websites hosted by GoDaddy that have been infected that are NOT using Wordpress.

AGAIN this is NOT just Wordpress users. ALL users on infected GoDaddy servers have had this problem. NOT just Wordpress users, MMMKAY?

Don't jump on the Wordpress is at fault bandwagon because someone else is putting the blame on them. Take a page from Wordpress's blog post on the issue: http://wordpress.org/development/2010/04/file-permissions/

Lol.

Jordan Wharmsby said,

Wow, you're kinda irate about this but the article doesn't particularly put a great deal of blame on Wordpress, and as I read it I can understand this is entirely a GoDaddy fault - as GoDaddy's help page willingly accepts.
Don't take things to heart, it's only a new item...

How does it not put a great deal of blame on Wordpress.... the very first word in the title of the article is "WordPress"

And when an article says "Windows exploit yadda-yadda" or "Apple owned in Pwn2own yadda-yadda", we always get these knee-jerk reactions to what the first word of the article is.

My recommendation?

Switch to decaf, people!

One of the reasons I am staying away from the whole cloud movement, people can't be trusted. Somewhere out there is a few million bored teenagers in their mom's basement with nothing better to do than to try and destroy and exploit my personal information.

CoMMo said,
One of the reasons I am staying away from the whole cloud movement, people can't be trusted. Somewhere out there is a few million bored teenagers in their mom's basement with nothing better to do than to try and destroy and exploit my personal information.
This is not "cloud". Nor is this something new.

Online data with poor passwords, or outdated versions with known exploits, has been around since there's been an "online".

This has nothing to do with "cloud".

CoMMo said,
One of the reasons I am staying away from the whole cloud movement, people can't be trusted. Somewhere out there is a few million bored teenagers in their mom's basement with nothing better to do than to try and destroy and exploit my personal information.

Off this logic you shouldn't use the internet full-stop; I see relatively little difference between not updating your operating system to not updating your site's CMS (in this case wordpress)