While these attacks are nothing new – our Security team identifies and defeats dozens of them every day – this current wave is sophisticated and large in scope. Many hosting providers are reporting similar issues this week.

We believe we have mitigated much of the attack, but there is a chance you could be affected as it continues. Because of the security measures we must put in place to address this, some customers have experienced difficulty accessing the admin pages for WordPress® or Joomla!®, while others have had intermittently unresponsive sites because of the attacks.

While we continue to take preventive and active measures to mitigate this attack, there’s also something you can do.

What We’re Doing

Our Security team continues to identify these attacks, down to the IP address, and block anything that looks malicious. Additionally, we’ve installed new features on every single one of our thousands of servers to block these bad actors more quickly.

What You Can Do

Regardless of whether you use WordPress or Joomla! for your website, this worldwide attack could affect you. That’s why it’s imperative that you use strong passwords.

We all know that “password123” is not a wise idea for a password, but neither are dictionary words, your dog’s name, or the name of the street you live on. Attackers have libraries of the most common passwords, and use those lists in attacks like we’re experiencing.

The tougher and more sophisticated your password, the more difficult it will be for an attacker to gain access. See x.co/strongpass for more information on creating a strong password.

And remember, if you use the same password for your hosting that you do for your bank account, an attacker could compromise much more than your website. Make sure your passwords are unique for all your accounts.

Thanks for your patience while we fight these attackers.

Knowing that an outside party accessed one of your accounts can be incredibly frustrating and exhausting. But there are practical steps you can take to protect your accounts and the information you store in them.

7 basic ways you can make sure your accounts stay secure:

1. Use a strong password. Eight characters is really not sufficient, a strong “passphrase” is the better choice. A creative device to help with generating strong passwords is to use a phrase that has special meaning to you. For example, “I need a strong password to make sure I’m completely secure,” could become the password InaspTmsIc$. Passwords should consist of a minimum of nine (9) characters and contain at least one special character.
2. Change your password – often. This can be as simple as setting a reminder on your calendar to change your password at the beginning of every month.
3. Use a variety of passwords. You should never use the same password for multiple accounts. It simply makes it easier for hackers to access all of your accounts. If you find it difficult to remember all these crazy passwords, try a password safe. There are many free ones out there that will safely store all your passwords in an encrypted database on your machine. Make sure you do your research before downloading anything you find on page 1 of a Google search.
4. Always, always, always log out. This is particularly true if you’re using a shared computer, such as one at work or in an Internet café. Regardless of the account you’re in, whether it’s Facebook or Wells Fargo, take this precaution every time.
5. Make sure your account is up to date. Some digital spring cleaning can also protect you. Remove expired credit cards you have stored in accounts and make sure your phone number and address are correct. Not only does this make your account secure, it also ensures that companies you do business with can contact you if there’s ever an issue.
6. Beware of Wi-Fi hotspots. Sure, they’re convenient. But you shouldn’t use them to access secure accounts. Hackers are known to roam hotspots looking for their next victim.
7. Protect your PC. Be careful what you download – only use trusted, well-vetted sources – and invest in anti-virus software to keep your computer safe.

When you’ve done “everything,” what else can you do?

• Do the 2-Step. Two-step authentication adds another layer of security by texting you a validation code to enter whenever you log in or make important account changes. If it’s available to you, take advantage of it. Go Daddy offers two-step authentication in the US and Canada. You can find out more information about it here.
• Never share your account with others. By giving others access to your account, or purchasing products with someone else’s payment method, you are giving them full access to your account details. If you need to delegate management of your resources check to see if you can assign permissions via account management settings. Go Daddy provides “Account Administrator” functionality. This allows management of your resources from separate accounts, limiting direct access to account details and billing information. Read more here.
• Check for keyloggers on your computer. Your computer might have malicious software, known as keyloggers, installed that records every keystroke you make — including your user names and passwords. Run anti-virus programs regularly to detect keyloggers. We recommend using your favorite search engine to find software that removes key loggers from your computer.
• Don’t fall for a phishing scheme. Cybercriminals look to create a sense of urgency to trick unsuspecting victims into downloading malicious files. Many attackers try to lure you into their schemes by sending emails that look legitimate, but include links to fake login pages that closely resemble the legitimate website. Hover over links, check for misspellings (acmebnak instead of acmebank), but don’t click. Go directly to the website and log in as you would normally; any message, important action, etc. will be there if the email is legitimate. Emails from Go Daddy, in most cases, include your first and last name, a clear first indicator of legitimacy.

Protecting you data is as critical as locking your car or your house – don’t give an attacker an easier route by using weak passwords or unsafe networks.

I often get questions on what Site Scanner can and cannot see. Here are answers to the most common questions:

• Site Scanner is for prevention, not correction. So, if your site is already infected (and it’s visibly defaced), Site Scanner can’t fix it. But, we can do an investigation on your site, for free.
• Site Scanner looks at the links that a Web browser sees, and then checks the reputation of those links to determine if they might be malicious.
• Just as a search engine crawls your site for SEO purposes, Site Scanner also crawls your site. But, instead of locating certain keywords, it locates the areas on a site that are most vulnerable to a malicious attack. (Site Scanner only looks on the front of your website, not the files you store inside your hosting account).
• Site Scanner does not clean malicious content. Ever.

I’m hoping this sheds some awesome new light on Site Scanner for you. The most important thing to remember is that Site Scanner is designed to help you prevent malicious content from getting onto your website.

Send any suspicious emails you receive as an attachment to phishing@secureserver.net.

For more information on how to handle external phishing attacks, go here.

Send any suspicious emails you receive as an attachment to phishing@secureserver.net.

For more information on how to handle external phishing attacks, go here.

Currently, we are diligently working to identify all the affected customers so that we can reverse these malicious entries.

Once we find an affected customer, we send an email that explains what happened, and then also expire their passwords to stop the spread of malware. If you receive an email from us, make sure you create a strong password.

We confirmed that this isn’t a vulnerability in My Account or our DNS management systems, so we suspect that the affected customers were either phished or their home machines were affected by Cool Exploit.

We also recommend that U.S. and Canadian customers enable Two-Step Authentication to help protect their accounts.

If you suspect that your account was attacked, contact our Customer Care team or fill out this form.

This update is recommended for all versions of Plesk, except clean installations of 10.3 +MU#5, 10.4 and 11.0.

You can find instructions at http://kb.parallels.com/en/115025.

• STOP clicking links in your email. That unfamiliar company that sent you a confirmation email receipt for a product you purchased, even though you don’t remember the purchase, is really attempting a phishing scheme.
• Hone your inner spelling-bee champ. Learn to be suspicious of any grammatical mistakes in an email. Large companies pay someone to proofread everything that’s sent out.
• Double-check the URL. If you’re still going to click links in your email messages or online, hover over the link with your mouse to see the full address. Hackers are notorious for creating websites like www.go.daddy.com, or having a link say www.godaddy.com when it actually goes to www.go.daddy.com. Safest bet: Use a search engine to locate that company and manually enter the URL you find.
• Change is inevitable. It’s always a good idea, especially if you just fell for a phishing attack, to change your passwords.
• Send out an S.O.S. Use a search engine to find out how to contact your personal email provider or the legitimate company that’s being spoofed by the phishing or malware attack.
• Don’t unzip. Never ever unzip an attachment. Legitimate companies don’t attach .zip files, or other attachments.

Be diligent. Always remember to follow these steps to minimize phishing and malware attacks. For more information on common online scams, check out this article.

Attackers use this misconfiguration to perform DNS attacks against other Internet services. For more information on these attacks, please see this blog post.

To prevent these attacks they need to reconfigure and lock down their DNS servers. For more information see these articles:

How do I disable recursive DNS queries on my Windows Dedicated or Virtual Private Server?

How do I disable recursive DNS queries on my Windows server with Parallels Plesk Panel?

How do I disable recursive DNS queries on my Linux VPS or Dedicated Server?

Disabling Recursive DNS in the Parallels Plesk Panel

What Risks Are Associated with Recursive DNS Queries?

• 1.6.x
• 1.7.x
• 2.5.0-2.5.2
• 2.5.4
• all earlier 2.5.x versions

The compromise begins with the attacker registering a user, and then escalating that user’s privileges to an administration level. In every case, we noticed the attackers add a user with a Gmail™ address beginning with xxxtxxx and the user name of alexaalexa.

Once the attackers have their user on the account, they typically come back a few days later and edit the error.php file to create a script that allows people to upload content anonymously. A few days after the creation of the file upload script, the attackers come back again and uploads the following files:

• rp.php
• indx.php
• stph.php

This attack is extremely malicious, and the stph.php file performs other aggressive attacks against other networks. To see if your site is affected, run the following query:

If the email matches xxxtxxx, the user name matches alexaalexa, and the group_id is either a 7 or 8, your account is compromised. Group_id 7 is associated with the Administrator group, and group_id 8 is associated with the Super Administrator group. As a general rule, users do not have these permissions.

If affected, we recommend taking the following actions:

1. Remove the uploaded files, and then restore the error.php file to its original content.
2. Remove any users with the group_id of 7 or 8.
3. Update Joomla to the latest version.
4. Update all themes, plugins, and extensions to their latest versions.
]]> http://support.godaddy.com/godaddy/recent-joomla-compromise-might-affect-you/feed/ 3