Massive Number of GoDaddy WordPress Blogs Hacked
A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.
I like their commercials (Score:5, Funny)
Their hosting services are pretty spotty, from what I've heard. On the other hand, they have commercials that really appeal to me.
The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]
Goddamned Perl strikes again.
Re: (Score:3, Insightful)
Re: (Score:2)
How is that supposed to be a bad analogy, guy?
Re:I like their commercials (Score:5, Insightful)
You know, a while back a friend of mine told me he had bought hosting at GoDaddy and was wondering if I'd help set up a site for him. I told him I wouldn't touch it until he got a better host, and he was shocked. His reaction was roughly, "What do you mean they're not reputable? They had Super Bowl commercials and everything!" Apparently people think that if a company spends millions on advertising, they must be upstanding.
I worry.
Re: (Score:1)
Re: (Score:1)
social darwinism is not limited to capitalist economies. i herd u liek bread lines. troll.
Re:I like their commercials (Score:5, Funny)
Explain to them that Enzyte and ExtenZe also spend millions on advertising... upstanding indeed!
The question is if GoDaddy is trustworthy. (Score:2)
Re: (Score:2)
Re: (Score:2)
It's hard to go wrong with Dreamhost. Not perfect, of course, but very good value for very little money, and they've been around forever.
Re: (Score:1)
Try out pair.com [pair.com] for basic stuff. If you're trying to do anything resembling real work, however (such as hosting commercial websites) you're going to want the physical hardware all to yourself and $10-15 simply isn't a reasonable price anymore. At that range ($75 and up) I'd recommend serverbeach.com [serverbeach.com] but only if you know what you're doing.
Re: (Score:1)
In Europe, very competitive hosting is provided by OVH [ovh.co.uk].
Depending on the language version you may get quotes in GBP or EUR, but despite that you should be able to purchase it from USA.
Re: (Score:3, Informative)
The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]
I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warnings I sent.
I wonder if infected sites should be held accountable for PCs that get infected. Luckily I wasn't running Windows so the Setup_422.exe that downloaded was harmless.
Re:I like their commercials (Score:4, Interesting)
I wonder if Godaddy should be held accountable for PCs that get infected. After all, it was on their servers, and they have the power to either pull the plug on the affected server(s) or to roll back backups (assuming they take backups). Considering this is a mass attack, does it imply that a weakness in their servers allowed the attack (as in one site was compromised, and the attacker gained access to the entire server through that one site)? If so, Godaddy is absolutely responsible. In fact, I would think they'd be liable to both the end users (people who got infected) and their customers for not adequately protecting them and affecting their reputation (Just take down the server already)...
Re: (Score:3, Interesting)
Re: (Score:2)
Looks like they did not take their own advice, then.
http://help.godaddy.com/article/2653 [godaddy.com]
It's amazing how often 'Admin' etc. works... the other day I was invited by a CIO to take a look at their security (which he thought was great; they'd actually done a pretty good job).
Since they were in the middle of rolling out their new 'secure' portal, I tried 'demo' and 'demo'... worked fine, and with full access rights too... Oops
Re:I like their commercials (Score:5, Insightful)
No it's a weakness of Wordpress, AND weak passwords.. Honestly, why is everyone all up in arms when a bunch of N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?
This is as much GoDaddy's fault as a drunk driver's crash is Ford's fault.
If you want a blog and not be a site admin then get it from http://wordpress.org/hosting/ [wordpress.org] and not worry about it. Otherwise don't come whining because you went for the lowest dollar hosting and are surprised that the cheap guy is not going to update your software for you.
Re: (Score:1)
You are assigning the responsibility to the wrong person.
No it's a weakness of Wordpress, AND weak passwords
Do we know that this was because of a weakness in wordpress, or a weak password?
If N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance.
If someone makes a one-click install, and it has security holes in it, then it is not the fault of the user for using the one-click install. It is the fault of the creator of that install.
This is as much GoDaddy's fault as a drunk driver's crash is Ford's fault.
It probably would be Ford's fault if they had a one-click button that dispensed alcohol to the driver while the vehicle was moving. Why should an end-user have to be a security expert i
Re: (Score:1, Troll)
"No it's a weakness of Wordpress, AND weak passwords.. "
Proof and full code documentation required for your claim, please. Exact sections with comments.
That's what I thought.
Re: (Score:2)
Troll mod away, guys! I want proof of this. If the guy can't back up his claim he really shouldn't be speaking about it. He can rationalize it all he wants but until he provides exact details, what is said is pure hyperbole and conjecture.
Have fun cracking my password. Going to have to figure out which three languages it's in first, then which words I'm using, and even version of the word in the case of one of the languages!
And then there's another 16 non-alphanumeric characters. Completely RFC3629 complian
Re: (Score:2)
I agree 100%. My OP was pure speculation, and I noted it as such. Based on TFA, there were no details about how the attack took place, so we are only left to assume. And in my experience, most times when thousands of hosts on a single server are attacked (and no word of attack on other servers), it's typically the result of a flaw in that server. That's why I made my original statement. I have no proof other than my past experi
Re: (Score:2)
I was asking for proof from Lumpy, not you.
Lumpy made the nonsense claim.
Re: (Score:1, Interesting)
I bet they're really glad they switched to Windows server a few years ago after Microsoft paid them to do so.
In Brazil (Score:1)
Google is also responsible for the hacking because they made themselves available to be referred.
Inconceivable! (Score:5, Funny)
Re: (Score:3, Funny)
their commercial led me to believe that even stripping sexy models use GoDaddy
I don't really follow your line of reasoning. You want to use the same things stripping sexy models do?
So before GoDaddy you went for coke and rich old guys?
Re: (Score:2)
I'd figure they probably have to have pretty good web servers, just to handle the amount of traffic...
Re: (Score:2, Funny)
Re:Inconceivable! (Score:4, Insightful)
Re: (Score:1, Insightful)
But if their goal was to drive away their serious customers, I'd say they picked the right strategy.
The Internet is serious business!
Re:Inconceivable! (Score:5, Insightful)
That probably was their strategy. McDonalds doesn't get a lot of business from serious diners, but they're not doing too badly. There's a lot of money to be made catering to the general public who's too ignorant to know good service from bad.
Re: (Score:1, Insightful)
The point is that not everyone has the same needs as you do. Most people talk to their hosting companies more than once per decade. For anyone who is with GoDaddy and has to talk to them often, it's rather painful.
Re: (Score:1)
Re: (Score:3, Funny)
Did you renew for 10 years by chance because it took so long for their admin panel to load, you didn't want to have to do it again any time soon?
Re: (Score:2)
You'd have to be ignorant to consider what McDs sells a burger. Even if you don't care about quality, the value (quality per price) at McDs is much worse than average. Go spend $6 at Hardees instead of $5 and you get a burger that's worth a lot more than 120% of that greaseball McDs sells. If all you care about is price, go to Taco Bell and spend $3 and get just as many calories. On all 3 counts, quality, price, and quality:price ratio, McDonald's fails.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Ask for a second one and I would be very surprised if you can get a response.
Brand positioning on the other hand; well it leaves much to be desired (all sorts of puns intended)
http://en.wikipedia.org/wiki/Positioning_(marketing) [wikipedia.org]
http://en.wiki [wikipedia.org]
Re: (Score:2)
Was it because they were advertising in a direct, in-your-face, honest way that you were bothered? Would you have preferred dulcet tones to make it sound like the company cares for you? Or a pretentious douche mocking a fat guy on a white background? Or do you just feel religious guilt when you see a scantily clad woman?
I mean, a serious customer cares for service that's good enough at a price that's affordable, no? Why would he care what adults voluntarily do in a marketing production?
Re: (Score:2)
It was their decapitation of seclists that did it for me. The only things that differentiate DNRs and hosts from each other are reliability and customer service, and Godaddy proved to be awful at both. They are simply off the table for a lot of admins, it seems.
I'd really like to see some kind of registrar co-op, where the person registering the name is able to take complete liabilit
Re:Inconceivable! (Score:4, Funny)
Re:Inconceivable! (Score:4, Funny)
Wait, those commercials were selling something? I never noticed.
Don't put any details in the post or anything... (Score:1)
Re: (Score:2, Informative)
Posting a story on Slashdot is almost as bad as having a botnet DoS a site anyway. No exploit needed, just exploits of the common geek.
Re: (Score:3, Interesting)
Wordpress the opensource Blogging software, not wordpress.com the hosted blogging provider.
This attack did not target Google at all. Whoever modded you interesting failed.
Re: (Score:2)
China is still punishing Google huh?
If by China you're referring to the ruling Communist Party dictatorship, then sure they are [google.com].
Incidentally "GoDaddy also withdrew from China" [washingtonpost.com] around the same time, mainly due to the new (now more and better) draconian registration rules for individuals wishing to operate their own domains.
My hat's off for both of them for not collaborating with that regime's repressive policies.
Possible mirror; (Score:1)
I couldn't get on the article linked in the summary, but I found this in google which is probably the same thing. It's nearly 2 months old, but that's not reason enough for it not to be on
Revenge of the Nerds V: Shameless (Score:1)
Well, I suppose it was only a matter of time before those nerds [youtube.com] got their revenge.
This weekend, or two weeks ago? (Score:5, Informative)
Re: (Score:3, Interesting)
That one was likely different. In that earlier one the interesting bit was the use of a cookie. So you would only be redirected one time (if the cookie was not there).
Re: (Score:2)
The permissions issue vulnerability allowing the attackers to hack the sites could very well be the same, even if what they do after gaining access to the accounts is different.
Re: (Score:2)
Slashdotted to death. (Score:4, Funny)
Re: (Score:2)
Are you saying that the Chinese own Slashdot or that we're all viruses?
Wait, don't answer that...
Only php4 users affected (Score:2, Informative)
Well you're asking for trouble running php4.
It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/
Network Solutions had a similar thing (Score:4, Informative)
happen about a week ago, though I believe they indicated their FTP accounts had been hacked.
http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/
It was annoying, but I just restored from the prior day's backup and went on. I only had one FTP account and a strong password and mine got hit.
Re:Network Solutions had a similar thing (Score:5, Insightful)
There is no such thing as a strong password on an FTP account.
If you did not upgrade to SSH and SFTP from your control panel then you should not be managing a hosting site.
We reported this to them on 3/11 (Score:4, Informative)
Google? (Score:1)
umm.. (Score:1)
no mention of google (Score:3, Informative)
This may be referring to the same attack:
http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/ [wpsecuritylock.com]
Re: (Score:2)
Using google I was able to get the original post (it's pretty worthless, I think it linked to a podcast):
When arriving from Google, a hacked website will redirect to http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]. The good news is this attack appears to be based only on your actual files not your database. That's relatively easy to clean up. In GoDaddy you should be able to revert to an old version of your files (Go to April 23rd or before and you should be fine)
Re: (Score:2)
Considering that this is linked to from TFA, well, no shit, Sherlock!
Re: (Score:2)
When I posted that the site would 403.
Don't you mean the worst part? (Score:5, Funny)
I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?
Re: (Score:2)
Whose side are you on?
The most exciting side.
Re: (Score:2)
The best part is that the exploit only executes when the traffic is referred by Google
I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?
Depends on your definition of hacking. At the very least you'd have to give them points for creativity.
Alt Link (Score:3, Informative)
Attacks against hosting providers (Score:2)
We noticed another attack against a hosting provider recently, but it wasn't GoDaddy; it was ThePlanet, or at least someone who uses their IP block. A number of phishing sites suddenly appeared on our list [sitetruth.com], and we noticed they all mapped to the same server. Multiple domains on the same server were all hosting the same phishing attack.
Annoyingly, the domain registration for the server's main domain ("websitewelcome.com") was "private". That's actually part of HostGator's system; there's no reason it sho
cPanel Sites? (Score:2)
Have a friend who had the same situation but on a different ISP. I believe both GoDaddy and this other ISP use cPanel for access and content control. And the issue only occurred when referred from Google. I perused his site's code but couldn't find anything that stood out. I'm not even sure how the virus is activated (people would visit his site from a Google redirect and their antivirus would cry foul).
Uh, Ok... (Score:2)
After reading the article it said that some of the Wordpress Blogs hosted by GoDaddy were hacked, but that the issue/vulnerability wasn't on GoDaddy's side.
I took a look at the source of my files after logging into the admin area, as well as did a find on the directory of the files for the malicious code from the article and I can't seem to find the script anywhere nor am I experiencing any issues of any kind.
The article didn't mention what type of WP accounts were hacked either...which brings up a question
Sadly nothing new with Wordpress (Score:4, Informative)
I have been dealing with a large number of Wordpress installs in the past 2 years and I am here to tell you this is NOTHING new. This is a very common attack that is being used and it's hard as shit to find. Sometimes they embed it in Javascript, sometimes it's in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.
There is also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers that if removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit but come on. It's leading to security issues across the board.
The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attack manages to crack one install, they can't just attack another by going through the file system.
Not trying to trash Wordpress here, it's just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.
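One way to run the check this comment describes (look through theme and core files for large base64 strings), as an added example that is not from the original thread: the script walks a WordPress tree, flags decode-and-execute wrappers and long base64 runs, and decodes each run to see whether it mentions the referrer or a redirect. The 120-character threshold, the hint list and the sample theme it scans are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

MIN_B64_LEN = 120  # assumed threshold: shorter runs are common in ordinary code
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
# Decode-and-execute wrappers often found around injected PHP.
WRAPPER = re.compile(r"(eval|assert)\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)
# Substrings of a decoded blob that point at referrer-conditional redirection.
DECODED_HINTS = ("HTTP_REFERER", "google", "Location:", "document.location")
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def decode_hints(blob):
    """Decode one base64 run and return the hint strings present in it."""
    core = blob.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4))
    except ValueError:  # impossible length or padding: not real base64
        return []
    lowered = raw.decode("latin-1").lower()
    return [hint for hint in DECODED_HINTS if hint.lower() in lowered]

def scan_file(path):
    """Return the reasons a file looks suspicious (empty list if none)."""
    text = path.read_text(encoding="utf-8", errors="replace")
    reasons = ["decode-and-execute wrapper"] if WRAPPER.search(text) else []
    for match in B64_RUN.finditer(text):
        label = "base64 run of %d chars" % len(match.group(0))
        hints = decode_hints(match.group(0))
        reasons.append(label + (" decoding to: " + ", ".join(hints) if hints else ""))
    return reasons

def scan_tree(root):
    """Map relative path -> reasons for every flagged file under root."""
    root, findings = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            reasons = scan_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_demo_tree(root):
    """Constructed sample theme: a clean header and a footer with an inert blob."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n")
    plain = ("/* constructed sample: if HTTP_REFERER contains google "
             "then send Location: http://example.invalid/ */ ") * 2
    blob = base64.b64encode(plain.encode()).decode()
    (theme / "footer.php").write_text(
        '<?php wp_footer(); eval(base64_decode("%s")); ?>\n' % blob)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, why in scan_tree(build_demo_tree(tmp)).items():
            print(name, "->", "; ".join(why))
```

Minified JavaScript and embedded data URIs also contain long base64 runs, so every hit needs a manual look. Payloads hidden inside image files, which the comment also mentions, are outside what this scan covers.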
Re: (Score:1)
Your understanding of permissions is a bit off. What's the point of 701? 511/444 for files/dirs will perform just as well, and be logical too! If you want it really safe, then chattr +i, and ensure the partitions are mounted noatime. Obviously it'll be a pain to maintain the site, but the chances of it being hacked will diminish dramatically. Who said security was easy (:
Re: (Score:2)
Nope, it works perfectly. 1 is the execute bit, which when applied to a directory allows you to read a file from inside that directory ONLY if you know the absolute path to the file. However, since the parent is 701 you can't find out what that unique directory name is without already knowing it.
Apache can read this because it's looking for index.php inside that vhost's DocumentRoot. Now, you might be asking ... well, just look at the vhost and grab the DocumentRoot from there. You can't, the directory t
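The layout discussed in this sub-thread (only wp-content/uploads writable, install directory and its parent at 701) can be audited with a short script; this is an added example, not code from any commenter. It assumes the web server runs as a different user from the file owner, so group/other write bits stand in for "writable by the webserver", and the directory name site-7f3a9c is a constructed placeholder.

```python
import os
import stat
import tempfile
from pathlib import Path

WRITABLE_OK = Path("wp-content/uploads")  # the one subtree left writable
SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH


def mode_of(path):
    """Permission bits of path itself (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_install(install):
    """Return sorted (relative path, problem) pairs for one install."""
    install = Path(install)
    problems = []
    # The install directory and its parent should both be 701.
    for label, directory in ((".", install), ("..", install.parent)):
        mode = mode_of(directory)
        if mode != 0o701:
            problems.append((label, "mode %03o, expected 701" % mode))
    for path in install.rglob("*"):
        rel = path.relative_to(install)
        if path.is_symlink() or rel == WRITABLE_OK or WRITABLE_OK in rel.parents:
            continue
        if mode_of(path) & SHARED_WRITE:
            problems.append((rel.as_posix(), "writable by group/other"))
    return sorted(problems)


def build_demo(base):
    """Constructed layout: base/site-7f3a9c/ holding a tiny install."""
    install = Path(base) / "site-7f3a9c"
    (install / "wp-content" / "uploads").mkdir(parents=True)
    (install / "wp-content" / "themes").mkdir()
    config = install / "wp-config.php"
    config.write_text("<?php // constructed placeholder\n")
    os.chmod(config, 0o644)
    os.chmod(install / "wp-content", 0o755)
    os.chmod(install / "wp-content" / "uploads", 0o777)  # allowed exception
    os.chmod(install / "wp-content" / "themes", 0o777)   # should be flagged
    os.chmod(install, 0o701)
    os.chmod(base, 0o755)                                 # parent is not 701
    return install


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, problem in audit_install(build_demo(base)):
            print(rel, "->", problem)
```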
Re: (Score:1)
Has nothing to do with Godaddy (Score:2, Flamebait)
Re: (Score:1)
You are seriously bucking the group-think around here.... hence getting modded to hell.
Too bad.
FWIW: I agree with your assessment. I have been very happy with GoDaddy's service as well.