What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?
Date Submitted: 5-12-2010 by 
Go Daddy
Go DaddyUPDATE: For up-to-date information, please visit the most recent blog post on the topic, The Latest Information on Compromised Sites. Thank you.
When a customer complains of a compromised website, Go Daddy takes it very seriously. You pay us to host your site; we want you to be satisfied, not frustrated with your experience.
Here are some facts to clear up misinformation regarding the recent malware attacks that hit users across the Internet. Though the problem was not unique to Go Daddy, we went above and beyond to help fix the issue. Remember, if you think you’ve been impacted, please fill out the Security Submission Form and our team will investigate for you.
Todd Redfoot
Go Daddy Chief Information Security Officer
WHO IS AFFECTED
- We’ve confirmed with or seen reports from customers of BlueHost, DreamHost, Media Temple, Network Solutions, Go Daddy and other hosting providers
- Individuals running outdated applications and software, including forgotten files
- Sites running WordPress blogs and other PHP-based platforms, including Zen Cart eCommerce
- Tens of thousands of users across the Internet
- Of Go Daddy’s more than 4.3 million hosted sites, this impacted less than 0.05% of our customers
WHAT THE ATTACK IS
- A PHP exploit affecting older versions of hosted software, such as WordPress
- An injection of malicious JavaScript, redirecting visitors to virus-ridden scareware domains
- Malware that changed its point-of-entry several times, adapting to defenses
- A security compromise that came back in multiple waves, finding new vulnerabilities
HOW GO DADDY IS HELPING
- Scanning our servers upon first instance of the attacks, to identify impacted customers
- Contacting affected users directly by phone and e-mail to alert them of the issue
- Creating a “Security Submission Form” for users to submit their site for review by our Security Team
- Reaching out to other large hosting providers, our competitors, to share best practices and protect the Internet community
- Developing Help Articles to inform users how to keep their sites safe and avoid the problem
- Participating in webcast and blog discussions to educate the public about the attacks
WHY THE ATTACKS ARE HAPPENING
- Powerful, robust applications like WordPress have lots of code … one tiny vulnerability is all it takes
- Old software versions require updates to patch security holes, customers aren’t always aware
- Neglected, once-used applications with security holes are sometimes overlooked
- Security is only as strong as its weakest link, one bad file in a hosting account can bring everything down!
- If a site is already compromised, updates themselves won’t always fix the problem
REMEMBER… WE’VE GOT YOUR BACK!
- We’re listening to what our customers are saying on Twitter and other social forums
- Go Daddy is here to help you avoid the issue and solve the problem.
- Please see the following important links:
0 min expected wait time
32 Comments on "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?"
Not just WordPress, SMF also got infected on my subdomains.
I was hacked, twice, and I do not run any outdated apps. My wordpress is always up to date.
I was able to recover from the attacks by using the history/restore feature in the file manager.
I was hacked. I do not have wordpress. I only have php files and a brand new installation of Magento (latest version) which I am still developing and not seen by customers. Therefore I don’t believe anything written above.
eyewearcases.com is the domain. I found some tools to remove this but when you have sooooo many php files the script times out ;/
I don’t expect godaddy to do anything about it, or even admit that it’s not the customers/3rd party software’s fault
I really wish you guys would stop trying to claim this is your client’s fault. This is not due to outdated WordPress or any other script:
http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/
I too was hacked,(3 times now) I have SMF Forum, latest updates, even got developer from SMF to check it all out for me, and to \\\”clean\\\” it, apparantly it is a hosting server weakness in security. Full reply from SMF is below.
I got email from tech support saying they \”…only offer limited support for virus attacks.\” I was hit 3 times on one site, after purging everything, and updating to the latest WordPress. WP blog cleaned up beautifully, thanks to Sucuri, but my Drupal installation borked, first I lost my menus, then I had server errors and then database connection errors. Two different sites of mine and two different blogs were all hit, but only one reinfected three times. The others seem to still be clean.
Having to wipe clean and reinstall. Lost recent updates and content. Not happy, but wouldn’t have been upset, it wasn’t GoDaddy’s fault, except outward display of assistance shown here when in reality I was told by tech support, “…I do not have specific details on you current infection of how to completely resolve it.”
I’ve been down two days. We’ll try again tonight, but if it reinfects…Can’t keep doing this every day. Had the most recent versions with updates and patches all current. This wasn’t a vulnerability due to outdated whatever.
Hacked 3 times! Only godaddy gets hit. My WP websites are not outdated & just reinstalled fresh copies 2 wks ago. Have MAJOR concerns that you are writing this off as a weakness with WP from outdated plugins/versions. This is not the issue. The worst is calling & your staff has no idea what is going on. Been with you since day 1, have reseller accounts, servers, unlimited shared hosting accounts. Godaddy servers ARE getting hit more often. Plz look into it, I don\’t want to move.
I had every update as well and still got hacked.
This is the best fix I’ve found on the web – it’s fixed all my GoDaddy infected sites: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
Did you read the posts in that blog? Everyone said they have godaddy and that they were worthless. I personally think these hacks are done by competitors. I think you all should be VERY worried and more more proactive. I am hangin on by a thread here and I know most have already given up. IF this continues, godaddy could be seriously jeopardizing the business. It doesn’t take long for a giant to get outdated and forgotten. Look at myspace.
I got hacked 3 times too on 2 of my sites in the past week; one\’s Drupal and the other phpbb3. Everything\’s updated so it\’s not due to security holes in the software. The fact that it\’s happening across different software packages tells us that it\’s NOT the software and most likely organizational (internal) security issues.
The attack inserts a PHP tag that does eval(base64_decode({a chunk of encoded text})) which gets output into Javascript at the bottom of the page, which causes the page to redirect to a malware site.
Here’s what happened with my sites (added the – in the tag so it doesn’t get filtered) :
Output on 5/8 :
Output on 5/13 and 5/15 :
I encourage others to post as much detail as possible when they get hacked; knowing the enemy is the first step.
OK the Javascript I posted got filtered in my last post. Retrying here with “skript” instead of “script” :
Output on 5/8 :
Output on 5/13 and 5/15 :
OK the Javascript I posted got filtered in my last post. Retrying here without the script tags. The src property of each tag is shown :
On 5/8 : http://indesignstudioinfo.com/ls.php
On 5/13 and 5/15 : http://holasionweb.com/oo.php
All you have to do are: backup your db, re-install everything from scratch, restore your db. That would do the tricks as long as godaddy will be infected again in the future.
My site is now infected again. Go Daddy seem powerless to stop this
I emailed GoDaddy to ask for instructions on my infected blog (which has always been up to date) They went in and deleted my infected php files as a courtesy. I found out that they deleted all my posts. I emailed them back & they said ‘Sorry, we don’t offer support on WordPress. Visit http://www.wordpress.org‘ Then why did you delete my WordPress files if you don’t offer support. Time for me and all my clients to investigate HostGator of Network Solutions.
I have been hit AGAIN by that malware the third time (today) in the last two weeks.
What is the status about curing that security breach on GoDaddy’s shared hosting servers?
This known malware is active on GoDaddy’s servers for almost 3 weeks now – this is an unacceptable situation for the Web’s no. 1 Web hosting company.
I’m just waiting for the next time it hits until you tell me that you’ve found the infection source.
Each time it happens I am losing a lot of money.
GoDaddy – We want to hear your voice!
We’ve got a Joomla site which has been hacked 3 times with the same attack. We’ve updated all scripts, passwords, permissions (644/755), everything. Still hacked.
We run the scrubber script but we need to know what’s really happening so we can protect our sites. This is NOT a site vulnerability issue as we’ve seen sites with as little as one php file that was locked down on Godaddy still get re-hacked.
Let’s not pull a Toyota, I’ve got a stack of clients ready to move hosts…
My site ThePeoplesCube.com was attacked twice in May. I have the latest phpBB3 SEO premod installation.
My site was hacked on 5/8 and I had the latest WordPress 2.9.2. installed under that hosting plan. A 2.8 version of WordPress installed under separate hosting plan was not affected. I don’t think you can blame this on outdated WordPress installations – if only it were that simple!
My site and other wordpress installations on my hosting are infected 3 times in one week.. I have installed latest version of wordpress, all security updates, made all chmod configurations.. Still infected… I don’t want to move anywhere else but if this goes by this way there are not another solution..
THIS IS ******** hit again!!!! I can’t frickin believe this. GOdaddy keeps claiming they aren’t the only one then how come my networksolutions, fatcow, and datapipe sites are all ok?!?!? I am going right now and moving all 65 of my websites & all 211 domains,the reseller accounts, etc to fatcow. Sorry, I hung in as long as I can. GoDaddy? NO DADDY!
Honestly, if you want to lecture your customers about how they invited the attacks by using outdated software, you probably shouldn’t be using an old (and inherently insecure) version of WordPress for THIS BLOG. A huge security hole was fixed in 2.8.6
You’re running 2.8.5
Hi dani808 I am looking to leave as well. What do you take for a transfer of 7 WP blogs to Hostgator?
I have a solution. I have to keep this short due to the 100 word comment limitation here. For WordPress website owners on GoDaddy visit my website for more info AITpro.com or do a search for BulletProof Security WordPress. For HTML website owners on GoDaddy my secure.htaccess file included with my WordPress plugin will work for you as well. Just needs one minor edit that I will post on my website today. Tested on both GoDaddy WordPress and GoDaddy HTML websites and is 100% effective. 2 months of use on GoDaddy and 0 hacked websites.
My hosting was hit, and after going through each file found that the malware was using javascript files to insert a javascript on each index.htm and index.php file, as well as the same scripting on .js and .css documents. To fix all I did was transfer my site over to my computer, run Avast! antivirus scanner and whatever files were found to be contaminated I went through and removed the javascript (which in each case was located at the bottom of each document).
I forgot to mention that I do not run wordpress at all on my site. The only software I use are som flash apps, and phpBB3, and then some .js files to power some of my pages. This malware still effected me badly though. Just because you’re not running wordpress doesn’t mean you couldn’t be effected.
Please see the latest information posted by our Chief Information Officer at http://support.godaddy.com/godaddy/the-latest-information-on-compromised-sites/ – it may change your perspective on this.
What’s super-frustrating to me is that it was blamed on outdated versions of WordPress. Literally every site of mine that was affected (there were four) was running 2.9.2.
What’s extra frustrating is that when I tried to post a comment here for support, I got a 505 error. Insult to injury.
I am an affiliate. I recommend GoDaddy to all of my customers, and handle dozens of sites a year. I will not continue to do so if I am blamed for malware attacks, and if the support is handled in such an insulting manner.
The irony of all this of course is that even this page itself comes up with the malware warning!
My site is hit again, and mine is not a WP or SMF its a mybb software. I have contacted godaddy many times this is 8th or 9th infection, The responce they gave me made me think that they are allowing their server to be exploited forcing us to purchase more facilities from them
Thanks to their many back policy which i am going to apply now and changing host.