Go Daddy Support

Get Help & Support from Go Daddy Staff and Customers

Malware infection


emperor said 1 year, 9 months ago:

Hi,
My forum is infected by “http://61.4.82.212/js.php”; this code is inserted into all my PHP files. When I searched Google about this, I found that many GoDaddy hosting sites are infected with this… Is it true?


eristoddle said 1 year, 9 months ago:

Yes, this is on my site too. Hosted with GoDaddy. Downloaded all my files, cleaned them, reinstalled WordPress. Still there. A GoDaddy issue.


rob_angeles said 1 year, 9 months ago:

I have this infection in my WordPress blog. I did the same, cleaned all my files, restored them from a previous week and voilà! Nothing solved the problem. And when I tried emailing customer support, they said it’s my problem.


emperor said 1 year, 9 months ago:

I have mailed them too, but there is still no reply.
@Rob
If they are saying it’s our problem, then what can we do next? Even when we solve it, it will reappear, so the only solution is to change the host. What else can we do?


logidelic said 1 year, 9 months ago:

This happened to me too. I assume this is because GoDaddy’s servers were (are??!) infected with something. Whatever it was altered your wp-config.php file and inserted something at the top of the file. See:

http://forums.digitalpoint.com/showthread.php?t=1777198&page=

I got rid of this for my site (check all your PHP files to be safe), but I’m scared that the servers are still infected, and would love some word about this from GoDaddy.


GoDaddy Contributor matt42 said 1 year, 9 months ago:

There is nothing within the Apache serving process which would cause this behavior. As the thread linked by ‘Logidelic’ indicates, this issue occurs when a customer’s password is compromised. The malware code is then injected by the attacker.

If you are experiencing this, the best plan is to first change all of your Go Daddy passwords. Then restore from a backup of your site which does not contain the malware code.

Further information on identifying malware can be found here:

http://support.godaddy.com/help/2009/09/15/identifying-removing-and-preventing-malware-on-your-hosting-server/

Information on configuring a strong password can be found here:

http://support.godaddy.com/help/2007/03/22/generating-a-strong-password/

The ‘many of the godaddy hosting sites are infected with this’ comment above may be accurate. However, bear in mind that this is not due to a lack of security from Go Daddy’s position. We are simply one of the largest webhosts in the world. As such, we have *many* sites which are running third party applications. We rely on our customers to secure their own applications. Generally, keeping applications on the latest patch revision and using a strong FTP/SSH password will prevent a compromise from occurring.


said 1 year, 9 months ago:

Hi all,

I think before addressing your individual issues regarding WordPress infections, we need to address the cause of such issues. If the proper steps are taken to prevent such problems in the first place, you will find that once you have resolved any current issues, they will not occur again. You need to keep in mind that the majority of malware attacks come from vulnerabilities in passwords, software, and uploaded files, and are not due to vulnerabilities that are server based.

Firstly, we need to address why such errors have occurred. The type of infections you have all referenced and Emperor linked to (though not on Go Daddy servers) are caused by malware which has been allowed access to your hosting files. There are three primary vulnerabilities that can allow easy access to your content. These are your FTP, Database and WordPress Administrative passwords. To begin your defense against such malware, you will need to ensure that you are following procedures to generate a strong password. This includes creating a password that is 7 or more characters, is part of a phrase, and contains letters, numbers and capitalization. Take a look at the following information for help and ideas in generating this:

http://support.godaddy.com/help/article/2653

Second, and the key to continuing to protect yourself from malware is keeping your software up to date. Most malware comes from vulnerabilities in software, viruses on your local computer and weak FTP passwords. You will need to ensure that you are installing the most stable and up-to-date version of whatever software you are using. As updates become available, you will need to make sure to install the latest available version and all available patches for 3rd party software you’re using on your site. This is very important. If the 3rd party software you are using has a security vulnerability, your site will be vulnerable. Staying current with provider releases and security patches will lessen those vulnerabilities. Take a look at the link below for additional information:

http://support.godaddy.com/help/article/5612

Finally, content being uploaded can be infected prior to ever reaching the server due to an infected local computer. You will need to ensure you have scanned your machine for any virus content and make sure that anything being uploaded is clean of malicious content.

To resolve current issues you are having, I recommend that you restore your site from a clean backup before the issues occurred. Be sure that any backup content used is clean of the issue prior to uploading or the issue will continue as described.


emperor said 1 year, 9 months ago:

There are many sites and many users saying that it has infected only GoDaddy servers.

I just cleaned every single PHP file and uploaded them back, but as soon as I opened the page in a browser and checked the source code, the malicious code was back. My PC is clean, because since that attack I am using my laptop, which was formatted just today for this purpose only.


GoDaddy Contributor matt42 said 1 year, 9 months ago:

In that case, please contact our support team so that they can evaluate your hosting account. They will be able to access your hosting details and see when the files were updated. Thanks.

Phone Support: (480) 505-8877
Email Support: https://www.godaddy.com/community/contactus.aspx?section=emailus


mrga said 1 year, 9 months ago:

Hello,

I have the same problem and I think that I found a hole. I think this is a GoDaddy security hole and I want to help them and other people.

I didn’t find the script that updates the files because I need at least 7 days to back up my site… but it would be good if GoDaddy told us how we can track all changes and where they started from, or some logs.

I found 5 injected scripts on my site. It was very funny that I found the injected tools with which hackers can browse through my site, upload files, download files, send commands to Linux, etc.

The problem or one of the problems:
The extension filter does not work correctly.

Example: if somebody uploads a file:

“image.php.jpg” – the file will be parsed (if code exists in it, it will be executed)!

Everything that has .php in the filename will be parsed, for example:

“something.php.whatisthat”

This file will be executed like a “.php” file, no matter if the extension is “.whatisthat”.

I got a few injections from image file uploads because hackers make the file look like an image, so that ImageMagick doesn’t understand that it is a script…

Try uploading a file like the above on your sites and you will see.

Hope that helps.


mrga said 1 year, 9 months ago:

Hello,

I think that I found the hole or one of the problems. It is a GoDaddy security hole and I hope I will help them and other people.

It was very funny that I found 4-5 scripts injected on my site. These injected scripts are a tool with which a hacker can access my site… upload files, download files, execute Linux commands, start automated injection scripts, etc. Very nice tool; I didn’t have time to understand it completely :)

OK, the hole or one of the problems…
The extension filter for parsing files works wrong!

All injected scripts have names:
image.php.jpg
somthing.php.jpg

and these files were executed like normal “.php” files. I tried a file with the name “somthing.php.whatafuckisthat” and the server normally executed the code in it… but I don’t have a registered extension “.whatafuckisthat”, yet the server is parsing it. Why? :)

The hacker faked out my image check because he wrote the file content to look like an image… and after it passed the upload… the file “image.php.jpg” was nicely parsed by the server as PHP code.

I think that the GoDaddy extension system that decides which files to parse as PHP code has a bug.

Hope this will help!
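An added example, not part of the original posts: a Python audit for upload directories that treats a name as risky when any dot-separated segment is a PHP extension, which is the behaviour the two posts above describe. The extension lists, the function names and the random-rename policy are assumptions chosen for illustration.

```python
import os
import secrets

# Assumption: extensions the server hands to the PHP interpreter.
# Adjust to the handler configuration of the host being audited.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Assumption: the only upload types this site accepts.
ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}

def extension_segments(filename):
    """Every dot-separated segment after the base name, lowercased."""
    parts = os.path.basename(filename).split(".")
    return [p.lower() for p in parts[1:]]

def is_risky_name(filename):
    """True if ANY segment is executable, not only the final one.

    image.php.jpg and something.php.whatisthat both match, because the
    check does not stop at the last extension.
    """
    return any(seg in EXECUTABLE_EXTS for seg in extension_segments(filename))

def audit_upload_dir(root):
    """Walk an upload directory and return the paths with risky names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_risky_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def safe_stored_name(filename):
    """Pick the on-disk name for an accepted upload.

    The client-supplied name is never reused: the file is stored under a
    random name with exactly one allow-listed extension.
    """
    segs = extension_segments(filename)
    if not segs or segs[-1] not in ALLOWED_IMAGE_EXTS or is_risky_name(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return secrets.token_hex(16) + "." + segs[-1]
```

A name check like this complements, and does not replace, verifying the file content and serving uploads from a location where scripts are not executed.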


tpiro said 1 year, 9 months ago:

I just wanted to add that my site was infected by malware this morning (May 1st) too. In addition, I have 4 friends that also had this problem, all of them also on GoDaddy. My friends have WordPress sites, but I do not; my site is my own code.

This is the second time in two weeks that my site has been infected. My GoDaddy friends were also infected. Even though my site was easily cleared up by erasing all the files and reloading them to my server, I really think this is a GoDaddy issue and I hope you guys fix it because this is taking a negative toll on my business.

If it helps, each time something like this is added to all my PHP code:

[Code snippet removed for security purposes.]


tpiro said 1 year, 9 months ago:

I just wanted to add that my website was also infected with malware this morning (May 1st). I have multiple friends who also had this problem and they all use GoDaddy for hosting. My friends all have WordPress sites, but my site is written by myself.

I’m pretty sure this is a GoDaddy issue.


mrga said 1 year, 9 months ago:

Hello,

I want to add that my site is a custom-made CMS too, and that on May 1st I had the same injection another time, and that I have a few websites on the same FTP on GoDaddy and just that one was infected with this code. This means that it is not going through http://ftp...

On the first attack I just changed one file to unwritable, and this file wasn’t changed on the second attack… this can maybe be some temporary solution… but I don’t know from where it triggers….

I know that the attack started on May 1st at 12:40am on my server and I want to see my log files from this period, but log data from April 26th – May 1st is not yet available on my account… because of that I cannot see if it is triggered from outside… or is in some thread, or is triggered from inside the server…

I suppose if the log files give us a negative result, that it is not triggered from outside, we then must start to search from inside.

Hope this helps to figure out where this script is located.
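An added example, not part of the original posts: a Python scan that lists every `.php` file under a webroot, whether it contains the URL quoted in the first post of this thread, its modification time and whether it is owner-writable, so the injection time can be lined up with access logs once they are available. The function names and record layout are assumptions for illustration.

```python
import os
import stat
from datetime import datetime, timezone

# Indicator string taken from the first post of this thread.
INDICATOR = b"61.4.82.212/js.php"

def scan_webroot(root, indicator=INDICATOR):
    """One record per .php file: path, infected, mtime (UTC), writable."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            records.append({
                "path": path,
                "infected": indicator in data,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                # Owner write bit from the mode, independent of who runs the scan.
                "writable": bool(st.st_mode & stat.S_IWUSR),
            })
    return records

def infection_window(records):
    """(earliest, latest) mtime among infected files, or None if all are clean."""
    times = [r["mtime"] for r in records if r["infected"]]
    return (min(times), max(times)) if times else None

def untouched_readonly(records):
    """Read-only files without the indicator, as in the observation above."""
    return sorted(r["path"] for r in records
                  if not r["infected"] and not r["writable"])
```

A tight `infection_window` across many files points to a single automated write, and that timestamp range is the part of the access, FTP and SSH logs to request from the host.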


tpiro said 1 year, 9 months ago:

I just wanted to add that people complaining about this GoDaddy problem are all over the internet now, for example:

http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html

Also try searching on Twitter for “Godaddy malware”

http://twitter.com/#search?q=godaddy%20malware
