Massive Number of GoDaddy WordPress Blogs Hacked

Posted by CmdrTaco
from the sucks-to-be-them dept.
A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.
  • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Monday April 26, 2010 @11:56AM (#31985210)

    Their hosting services are pretty spotty, from what I've heard. On the other hand, they have commercials that really appeal to me.

    The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]

    Goddamned Perl strikes again.

    • Re: (Score:3, Insightful)

      by Locke2005 (849178)
      Unless you've got a Danica Patrick fetish, there is a lot better porn than GoDaddy commercials available for free on the 'net. But then, I think anybody that selects GoDaddy for hosting without googling for the many complaints about their service probably deserves anything they get.
      • by elysiana (1152995) on Monday April 26, 2010 @01:36PM (#31986286)

        You know, a while back a friend of mine told me he had bought hosting at GoDaddy and was wondering if I'd help set up a site for him. I told him I wouldn't touch it until he got a better host, and he was shocked. His reaction was roughly, "What do you mean they're not reputable? They had Super Bowl commercials and everything!" Apparently people think that if a company spends millions on advertising, they must be upstanding.

        I worry.

    • Re: (Score:3, Informative)

      The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]

      I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warnings I sent.

      I wonder if infected sites should be held accountable for PC's that get infected. Luckily I wasn't running Windows so the Setup_422.exe that downloaded was harmless.

      • by ircmaxell (1117387) on Monday April 26, 2010 @12:18PM (#31985474) Homepage

        I wonder if infected sites should be held accountable for PC's that get infected.

        I wonder if Godaddy should be held accountable for PC's that get infected. After all, it was on their servers, and they have the power to either pull the plug on the affected server(s) or to roll back backups (assuming they take backups). Considering this is a mass attack, does it imply that a weakness in their servers allowed the attack (As in one site was compromised, and the attacker gained access to the entire server through that one site)? If so, Godaddy is absolutely responsible. In fact, I would think they'd be liable to both the end users (people who got infected) and their customers for not adequately protecting them and affecting their reputation (Just take down the server already)...

        • Re: (Score:3, Interesting)

          It looks like the 'WP Admins' (if that's what we're calling them) used weak passwords for their hosting account, FTP and/or DB, used 'Admin' username and possibly even used the same password for all of them. Rocket surgery, indeed!
          • Looks like they did not take their own advice, then.

            http://help.godaddy.com/article/2653 [godaddy.com]

            It's amazing how often 'Admin' etc. works...the other day I was invited by a CIO to take a look at their security, (which he thought was great; (they'd actually done a pretty good job).
            Since they were in the middle of rolling out their new 'secure' portal, I tried 'demo' and 'demo'...worked fine, and with full access rights too...Oops

        • by Lumpy (12016) on Monday April 26, 2010 @01:55PM (#31986506) Homepage

          No it's a weakness of Wordpress, AND weak passwords.. Honestly, why is everyone all up in arms when a bunch of N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?

          This is as much go-daddy's fault as a drunk driver's crash is Ford's fault.

          If you want a blog and not be a site admin then get it from http://wordpress.org/hosting/ [wordpress.org] and not worry about it. Otherwise don't come whining because you went for the lowest dollar hosting and are surprised that the cheap guy is not going to update your software for you.

          • by MobyDisk (75490)

            You are assigning the responsibility to the wrong person.

            No it's a weakness of Wordpress, AND weak passwords

            Do we know that this was because of a weakness in wordpress, or a weak password?

            If N00b's that dont know anything about site administration and security click on the one click install of wordpress and think it's an appliance.

            If someone makes a one-click install, and it has security holes in it, then it is not the fault of the user for using the one-click install. It is the fault of the creator of that install.

            This is as much go-daddy's fault as a drunk driver's crash is Ford's fault.

            It probably would be Ford's fault if they had a one-click button that dispensed alcohol to the driver while the vehicle was moving. Why should an end-user have to be a security expert i

          • Re: (Score:1, Troll)

            by Khyber (864651)

            "No it's a weakness of Wordpress, AND weak passwords.. "

            Proof and full code documentation required for your claim, please. Exact sections with comments.

            That's what I thought.

            • by Khyber (864651)

              Troll mod away, guys! I want proof of this. If the guy can't back up his claim he really shouldn't be speaking about it. he can rationalize it all he wants but until he provides exact details, what is said is pure hyperbole and conjecture.

              Have fun cracking my password. Going to have to figure out which three languages it's in first, then which words I'm using, and even version of the word in the case of one of the languages!

              And then there's another 16 non-alphanumeric characters. Completely RFC3629 complian

              • If the guy can't back up his claim he really shouldn't be speaking about it.

                I agree 100%. My OP was pure speculation, and I noted it as such. Based on TFA, there was no details about how the attack took place, so we are only left to assume. And in my experience, most times when thousands of hosts on a single server are attacked (and no word of attack on other servers), it's typically the result of a flaw in that server. That's why I made my original statement. I have no proof other than my past experi

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      I bet they're really glad they switched to Windows server a few years ago after Microsoft paid them to do so.

  • Google is also responsible for the hacking because they made themselves available to be referred.

  • by eldavojohn (898314) * <eldavojohn.gmail@com> on Monday April 26, 2010 @11:57AM (#31985224) Journal
    But but when I registered for a hosting service on GoDaddy, their commercial led me to believe that even stripping sexy models use GoDaddy so how could something like this happen to such a reputable and honest company?!
    • Re: (Score:3, Funny)

      by Thanshin (1188877)

      their commercial led me to believe that even stripping sexy models use GoDaddy

      I don't really follow your line of reasoning. You want to use the same things stripping sexy models do?

      So before GoDaddy you went for coke and rich old guys?

      • I'd figure they probably have to have pretty good web servers, just to handle the amount of traffic...

    • Re: (Score:2, Funny)

      by jemtallon (1125407)
      You keep using that word. I do not think it means what you think it means.
    • by elrous0 (869638) * on Monday April 26, 2010 @12:09PM (#31985388)
      It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that. I'm not sure what they were trying to accomplish by running commercials more appropriate to Hooter's or a strip club chain. But if their goal was to drive away their serious customers, I'd say they picked the right strategy.
      • Re: (Score:1, Insightful)

        by Anonymous Coward

        But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

        The Internet is serious business!

      • by Hatta (162192) on Monday April 26, 2010 @12:38PM (#31985694) Journal

        That probably was their strategy. McDonald's doesn't get a lot of business from serious diners, but they're not doing too badly. There's a lot of money to be made catering to the general public who's too ignorant to know good service from bad.

        • by u38cg (607297)
          McDonald's provide an unbelievably good service. They serve something like half a billion Big Macs a year and vanishingly few of them contain cockroaches or dead rats or severed employee fingers. I'd like to see you do better ;)
      • I believe their goal was to make their name well known (a.k.a. brand recognition). They did this by any means necessary and it worked. Ask anyone (who does not work in the field) to name a website hosting / registration company and it is likely to be GoDaddy.
        Ask for a second one and I would be very surprised if you can get a response.
        Brand positioning, on the other hand; well, it leaves much to be desired (all sorts of puns intended)

        http://en.wikipedia.org/wiki/Positioning_(marketing) [wikipedia.org]
        http://en.wiki [wikipedia.org]
      • Was it because they were advertising in a direct, in-your-face, honest way that you were bothered? Would you have preferred dulcet tones to make it sound like the company cares for you? Or a pretentious douche mocking a fat guy on a white background? Or do you just feel religious guilt when you see a scantily clad woman?

        I mean, a serious customer cares for service that's good enough at a price that's affordable, no? Why would he care what adults voluntarily do in a marketing production?

      • by tsm_sf (545316)
        It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that.

        It was their decapitation of seclists that did it for me. The only things that differentiate DNRs and hosts from each other are reliability and customer service, and Godaddy proved to be awful at both. They are simply off the table for a lot of admins, it seems.

        I'd really like to see some kind of registrar co-op, where the person registering the name is able to take complete liabilit
    • by thijsh (910751) on Monday April 26, 2010 @12:14PM (#31985432) Journal
      What makes you believe the stripping sexy models weren't already infected to begin with? ...
    • by igaborf (69869) on Monday April 26, 2010 @12:22PM (#31985522)

      Wait, those commercials were selling something? I never noticed.

  • The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. Apache/1.3.33 Server at blogcastfm.com Port 80
  • Click [themelab.com]

    I couldn't get on the article linked in the summary, but I found this in google which is probably the same thing. It's nearly 2 months old, but that's not reason enough for it not to be on /.
  • Well, I suppose it was only a matter of time before those nerds [youtube.com] got their revenge.

  • by devjoe (88696) on Monday April 26, 2010 @12:15PM (#31985458)
    I found this story [thetechherald.com] mentioning a similar incident regarding WordPress blogs, but it happened two weeks ago, rather than this weekend. The original site is slashdotted, so I can't tell if this is really the same incident or not.
    • Re: (Score:3, Interesting)

      by mzs (595629)

      That one was likely different. In that earlier one the interesting bit was the use of a cookie. So you would only be redirected one time (if the cookie was not there).

      • by kalirion (728907)

        The permissions issue vulnerability allowing the attackers to hack the sites could very well be the same, even if what they do after gaining access to the accounts is different.

    • by Intron (870560)
      There is also this article from March 2 [mediatemple.net] about a Wordpress vulnerability.
  • by gimmebeer (1648629) on Monday April 26, 2010 @12:25PM (#31985554)
    Who needs viruses and Chinese hackers to take down blog sites when you can just use slashdot?
    • by Yvan256 (722131)

      Are you saying that the Chinese own Slashdot or that we're all viruses?

      Wait, don't answer that...

  • by Anonymous Coward

    Well you're asking for trouble running php4.
    It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
    http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

  • by Anonymous Coward on Monday April 26, 2010 @12:32PM (#31985626)

    happen about a week ago, though I believe they indicated their FTP accounts had been hacked.

    http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/

    It was annoying, but I just restored from the prior days backup and went on. I only had one FTP account and a strong password and mine got hit.

  • by isThisNameAvailable (1496341) on Monday April 26, 2010 @12:36PM (#31985666)
    One of our departments decided to do their own thing and host a site on GoDaddy. Not sure if it was Wordpress or not, but the same thing happened to them. We reported it back on 3/11 and moved the site. Way to get in front of this thing GoDaddy! Oh, and it wasn't just Google. Referrers from Bing and Yahoo would redirect to the same link spam page.
  • I'm not coming from Google but the given link [blogcastfm.com] gives me 403 (Forbidden)!
  • Now you know why we all call it "NO DADDY" lame hosting by lamer people.
  • no mention of google (Score:3, Informative)

    by mzs (595629) on Monday April 26, 2010 @12:41PM (#31985718)

    This may be referring to the same attack:

    http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/ [wpsecuritylock.com]

    • by mzs (595629)

      Using google I was able to get the original post (it's pretty worthless, I think it linked to a podcast):

      When arriving from Google, a hacked website will redirect to http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]. The good news is this attack appears to be based only on your actual files not your database. That's relatively easy to clean up. In GoDaddy you should be able to revert to an old version of your files (Go to April 23rd or before and you should be fine)

    • by arth1 (260657)

      Considering that this is linked to from TFA, well, no shit, Sherlock!

  • by DigitalReverend (901909) on Monday April 26, 2010 @12:50PM (#31985786)
    The best part is that the exploit only executes when the traffic is referred by Google

    I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?
    • by H0p313ss (811249)

      Whose side are you on?

      The most exciting side.

    • by rdnetto (955205)

      The best part is that the exploit only executes when the traffic is referred by Google

      I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?

      Depends on your definition of hacking. At the very least you'd have to give them points for creativity.

  • Alt Link (Score:3, Informative)

    by MrTripps (1306469) on Monday April 26, 2010 @12:51PM (#31985798)
    Not sure if this is the same thing, but "Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific." http://www.ghacks.net/2010/04/12/wordpress-hack-terrifies-webmasters/ [ghacks.net]
  • We noticed another attack against a hosting provider recently, but it wasn't GoDaddy; it was ThePlanet, or at least someone who uses their IP block. A number of phishing sites suddenly appeared on our list [sitetruth.com], and we noticed they all mapped to the same server. Multiple domains on the same server were all hosting the same phishing attack.

    Annoyingly, the domain registration for the server's main domain ("websitewelcome.com") was "private". That's actually part of HostGator's system; there's no reason it sho

  • Have a friend who had the same situation but on a different ISP. I believe both GoDaddy and this other ISP use cPanel for access and content control. And the issue only occurred when referred from Google. I perused his site's code but couldn't find anything that stood out. I'm not even sure how the virus is activated (people would visit his site from a Google redirect and their antivirus would cry foul).

  • After reading the article it said that some of the Wordpress Blogs hosted by GoDaddy were hacked, but that the issue/vulnerability wasn't on GoDaddy's side.

    I took a look at the source of my files after logging into the admin area, as well as did a find on the directory of the files for the malicious code from the article and I can't seem to find the script anywhere nor am I experiencing any issues of any kind.

    The article didn't mention what type of WP accounts were hacked either...which brings up a question

  • by SnapperHead (178050) on Monday April 26, 2010 @02:25PM (#31986952) Homepage Journal

    I have been dealing with a large number of Wordpress installs in the past 2 years and I am here to tell you this is NOTHING new. This is a very common attack that is being used and it's hard as shit to find. Sometimes they embed it in Javascript, sometimes it's in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.

    There is also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers that if removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit but come on. It's leading to security issues across the board.

    The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attack manages to crack one install, they can't just attack another by going through the file system.

    Not trying to trash Wordpress here, it's just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.

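The hiding spots SnapperHead lists (an eval() wrapped around base64_decode(), a large base64 blob in a footer include, PHP tucked inside an image file) can be swept for with ordinary find and grep. The script below is an added example written for this page, not code from the thread or from WordPress; the theme tree, file names and the tiny "payload" (which decodes to the string "hello") are constructed for the demo, and gzinflate/str_rot13 are included as additional decoders that commonly appear next to base64_decode in such wrappers.

```shell
#!/bin/sh
# Added example, not code from the thread: a first-pass scanner for injected
# code in a WordPress tree. All paths and sample files are constructed here.

# Print "file:line:content" for suspicious lines under $1.
# Exit status 0 when anything was found, 1 when the tree looks clean.
scan_wp_tree() {
    dir="$1"
    hits=$(
        # PHP/JS: an eval-style call whose argument runs through a decoder, or
        # any run of 200+ base64 characters (a heuristic: long minified JS and
        # legitimate embedded data also trip it, so review the hits by hand).
        find "$dir" -type f \( -name '*.php' -o -name '*.js' \) -exec grep -HnE \
            -e '(eval|assert)[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13)' \
            -e '[A-Za-z0-9+/=]{200,}' {} + || true
        # A file with an image extension that carries a PHP open tag is not an image.
        find "$dir" -type f \( -name '*.jpg' -o -name '*.png' -o -name '*.gif' \) \
            -exec grep -laH '<?php' {} + || true
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Build a throwaway theme tree: one clean footer plus three planted hits.
# Prints the directory path. The base64 "payload" decodes to "hello".
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/clean" "$d/themes/bad" "$d/uploads"
    printf '<?php echo "Theme credit"; ?>\n' > "$d/themes/clean/footer.php"
    printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$d/themes/bad/footer.php"
    blob=$(awk 'BEGIN { while (i++ < 300) printf "A" }')
    printf '<?php $x = "%s"; ?>\n' "$blob" > "$d/themes/bad/functions.php"
    printf 'GIF89a<?php echo 1; ?>' > "$d/uploads/pic.gif"
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
scan_wp_tree "$demo" || echo "no hits"
rm -rf "$demo"
```

Run it against a copy of the site (or the hosting account's document root) and diff the hit list against a known-clean checkout of the same theme; the base64 heuristic is deliberately noisy, so the eval() pattern and the image-file check are the lines worth acting on first.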
    • by sholdowa (242332)

      Your understanding of permissions is a bit off. What's the point of 701? 511/444 for files/dirs will perform just as well, and be logical too! If you want it really safe, then chattr +i, and ensure the partitions are mounted noatime. Obviously it'll be a pain to maintain the site, but the chances of it being hacked will diminish dramatically. Who said security was easy (:

      • Nope, it works perfectly. 1 is the execute bit, which when applied to a directory allows you to read a file from inside that directory ONLY if you know the absolute path to the file. However, since the parent is 701 you can't find out what that unique directory name is without already knowing it.

        Apache can read this because it's looking for index.php inside that vhost's DocumentRoot. Now, you might be asking ... well, just look at the vhost and grab the DocumentRoot from there. You can't, the directory t

    • You are absolutely correct -- I was a victim of this attack despite using stock Wordpress, with all the latest updates applied. I would have never discovered it, either, if it weren't for Duke University's IT department (the blog was on their subdomain) being incredibly on-the-ball with security checks. Wordpress has unfixed security holes that are being exploited; people need to know!
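The layout SnapperHead describes (only wp-content/uploads writable by the web server, each install in an unguessable directory with the directory and its parent set to 701, which the reply above explains as "traversable if you know the name, not listable") can be applied and audited with a short script. This is an added example written for this page, not code from the thread, WordPress or GoDaddy; the install directory name and the sample files are constructed, and the chown to the site account and the web server's group (which makes the group-write bit on uploads meaningful) is assumed to have been done already and is not performed here.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the "uploads only" permission
# layout and audit a tree for anything writable outside wp-content/uploads.
# Assumes the tree is already chowned account:www-data; names are constructed.

harden_wp_tree() {
    root="$1"   # parent that holds the unguessably named install directory
    site="$2"   # the install directory itself
    # Default: the account writes, the server (group/other) only reads.
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    # Uploads is the single tree the server may write to (via its group).
    mkdir -p "$site/wp-content/uploads"
    find "$site/wp-content/uploads" -type d -exec chmod 775 {} +
    find "$site/wp-content/uploads" -type f -exec chmod 664 {} +
    # 701: others may traverse only with the exact name, never list it.
    chmod 701 "$site"
    chmod 701 "$root"
}

# Print every path under $1, outside wp-content/uploads, that is group- or
# world-writable (octal 020 / 002). Exit 0 when clean, 1 when there are findings.
audit_wp_tree() {
    site="$1"
    findings=$(find "$site" -path "$site/wp-content/uploads" -prune -o \
        \( -perm -020 -o -perm -002 \) -print)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Throwaway install with a few files under parent $1; prints the install path.
build_sample_site() {
    site="$1/k3q9z7"   # constructed stand-in for a random directory name
    mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/uploads/2010"
    printf '<?php /* constructed */\n' > "$site/wp-config.php"
    printf '<?php /* constructed */\n' > "$site/wp-content/themes/demo/footer.php"
    printf 'x' > "$site/wp-content/uploads/2010/a.jpg"
    printf '%s\n' "$site"
}

base=$(mktemp -d)
site=$(build_sample_site "$base")
harden_wp_tree "$base" "$site"
audit_wp_tree "$site" && echo "clean after hardening"
chmod 666 "$site/wp-content/themes/demo/footer.php"   # simulate a sloppy deploy
audit_wp_tree "$site" || echo "finding reported, as expected"
rm -rf "$base"
```

The audit is the part worth scheduling: run it from cron against every install and alert on any output, since a plugin update or a hurried FTP upload that leaves theme files writable by the server is exactly the condition the injected-footer attacks in this thread need.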
  • The assumption that GoDaddy is horrible and has horrible service is false. People make this assumption because they use sex to sell and they have low prices. People assume this combination also means poor service and complete incompetence. This could not be further from the truth. Ask ANY technically minded person who has given GoDaddy a chance and they will tell you about the value of their inexpensive services and domain names. I have personally used them for 3 years running to host my website http:// [shezphoto.com]
    • You are seriously bucking the group-think around here.... hence getting modded to hell.

      Too bad.

      FWIW: I agree with your assessment. I have been very happy with GoDaddy's service as well.
