Found code used to inject the malware at GoDaddy
jld said 1 year, 9 months ago:
While GoDaddy was busy blaming its users, one of our friends, Kevin Reville, got tired of getting hacked and setup a cron script to monitor his site and alert him when new files were added.
What did he find? He found the malware used by the attackers to infect everyone.
Just to be clear: Nothing to do with Wordpress. In fact, in one site we were monitoring, nothing got logged related to Wordpress, except this script being called and then deleted. We also saw Joomla sites getting hacked and many other web applications.
So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.
Analysis:
The script in this situation was called “simple_production.php” (but we heard reports of different names being used). It is a base64 decoded file that looks like this: (see it in full MW:SIPRO:1)
[Code snippet removed for security purposes.]
Decoded, this is what it does: (see the full content here)
1-First, it removes itself:
[Code snippet removed for security purposes.]
2-Encodes the JavaScript:
[Code snippet removed for security purposes.]
3-Scans all directories and adds the malware to all PHP files. After that, it prints the number of infected files and exits:
[Code snippet removed for security purposes.]
So a simple PHP script is doing all this mess. The issue now is how are they able to inject this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct. It is not a web application bug. What is left is an internal problem at GoDaddy.
If you are a GoDaddy customer that got hacked, send this link to them. Let’s hope for a good response this time.
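The monitoring approach the post credits to Kevin Reville (a cron job that watches the site and alerts when new files appear) is the practical takeaway for site owners, since the dropper lands in the root as a brand-new file and then rewrites existing PHP files before deleting itself. The script below is an added example written for this thread, not Kevin's script (which the post does not reproduce) and not anything from Sucuri or GoDaddy. It hashes every file under a web root into a baseline and, on each later run, reports files that are NEW, MODIFIED or DELETED relative to that baseline. The WEBROOT and BASELINE paths, the fim_* function names and the sample cron line are assumptions for illustration; the constructed file names in the comments are the ones reported in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): minimal file-integrity monitor for a
# web root. Assumed paths; override with environment variables.
WEBROOT="${WEBROOT:-/var/www/html}"          # assumed web root
BASELINE="${BASELINE:-$HOME/.webroot_sha256}" # assumed baseline location

# Hash every regular file under the given directory, sorted by path.
# All files are hashed, not only *.php: the dropper (e.g. gabriel_deer.php,
# simple_production.php) is a new file first, and only then rewrites .php files.
fim_snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# Record the current state as the trusted baseline. Run this once on a
# clean site (and again after every legitimate deploy or update).
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# Compare the current state with the baseline. Prints one line per change,
# returns 0 when nothing changed, 1 when something did, 2 when no baseline
# exists. sha256sum separates hash and path with two spaces, hence -F'  '.
fim_check() {
    _dir=$1; _base=$2
    [ -f "$_base" ] || { echo "no baseline at $_base; run baseline first" >&2; return 2; }
    _tmp=$(mktemp)
    fim_snapshot "$_dir" > "$_tmp"
    _report=$(awk -F'  ' '
        NR == FNR { old[$2] = $1; next }          # first file: baseline
        {                                          # second file: current state
            if (!($2 in old))         print "NEW      " $2
            else if (old[$2] != $1)   print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "DELETED  " p }
    ' "$_base" "$_tmp")
    rm -f "$_tmp"
    if [ -n "$_report" ]; then
        printf '%s\n' "$_report"
        return 1
    fi
    return 0
}

# Command-line dispatch: "fim.sh baseline" or "fim.sh check".
# Assumed cron line that mails the report whenever a change is detected:
#   */10 * * * * WEBROOT=/var/www/html BASELINE=/root/.webroot_sha256 \
#       /usr/local/bin/fim.sh check || /usr/local/bin/fim.sh check 2>&1 | mail -s "webroot changed" admin@example.com
case "${1:-}" in
    baseline) fim_baseline "$WEBROOT" "$BASELINE" ;;
    check)    fim_check "$WEBROOT" "$BASELINE" ;;
esac
```

A NEW entry for a single PHP file in the root followed, on the next run, by that file showing as DELETED while dozens of existing files show as MODIFIED is exactly the pattern the post describes. Keep the baseline file outside the web root and unwritable by the web server account, otherwise the same access that drops the script can also rewrite the baseline.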
scottg said 1 year, 9 months ago:
This is information that we have been aware of and are currently working on determining the source of the file. This is not an issue that is localized to Go Daddy. Several other hosting companies are seeing this same attack and we are working with them to determine the source of the attacks and the best way to mitigate them.
jld said 1 year, 9 months ago:
Credit: Sucuri for the article.
Also, as a result of this article I went and took a screen shot of my root via file manager from the date of the attack. Inserted into my root was a file named gabriel_deer.php… in my ROOT, not Wordpress, not Joomla not any other CMS or application. It was run and deleted. That file name varies from target to target. I have seen examples like rheba_jacqueline.php, simple_production.php, him_vivie.php, and on and on and on. These files, with different file names, were uploaded and executed simultaneously.
jld said 1 year, 9 months ago:
Other hosting companies are not blaming their customers for the breach.
I took a screenshot of my root via file manager from the 3rd wave and saw the injected file. The name of the injected php file is different for every account.
If this is something you have been aware of, why has blame been placed on your customers, Wordpress, Joomla, etc., etc.? These files are appearing, executing, and deleting themselves in the root and are targeting all PHP.
WolfD60 said 1 year, 9 months ago:
ScottG,
I think what is irritating your customers is GD is minimizing the situation. You knew this and were looking into it?
Yet you tell no one? Why? For PR?
I think honesty would go a long ways as opposed to being vague and minimizing everything.
I hold GD to a higher standard than I would most hosting companies, as Bill P. boasts a huge marketing campaign about customer trust. Is this how GD earns trust, by vagueness and minimizing? Sounds like Enron. "It's not me, it's you" syndrome. I think all we expect of a big corporation, if they would listen, is honesty, if nothing else, when we ask questions.
jiippe said 1 year, 9 months ago:
In my opinion it's all about communication. If you call them frustrated and angry, blaming them for not doing this and that, I'm sure you may get something like that back at you as well. It will be fixed soon. I'm just curious. A few years ago there was a privilege escalation bug in the Linux kernel and it was widely exploited. I suppose it'd be too old to be the cause of this, because it's simply too risky to keep that kind of severe bug unpatched.