Massive Number of GoDaddy WordPress Blogs Hacked

A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.

I like their commercials

[BadAnalogyGuy]

Their hosting services are pretty spotty, from what I've heard. On the other hand, they have commercials that really appeal to me.

The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]

Goddamned Perl strikes again.

Re:

[Locke2005]

Unless you've got a Danica Patrick fetish, there is a lot better porn than GoDaddy commercials available for free on the 'net. But then, I think anybody that selects GoDaddy for hosting without googling for the many complaints about their service probably deserves anything they get.

Re:

[Yvan256]

How is that supposed to be a bad analogy, guy?

Re:I like their commercials

[elysiana]

You know, a while back a friend of mine told me he had bought hosting at GoDaddy and was wondering if I'd help set up a site for him. I told him I wouldn't touch it until he got a better host, and he was shocked. His reaction was roughly, "What do you mean they're not reputable? They had Super Bowl commercials and everything!" Apparently people think that if a company spends millions on advertising, they must be upstanding.

I worry.

Re:

[hierophanta]

welcome your capitalistic lords. these are the tools of their trade

Re:

[conspirator57]

social darwinism is not limited to capitalist economies. i herd u liek bread lines. troll.

Re:I like their commercials

[Locke2005]

Apparently people think that if a company spends millions on advertising, they must be upstanding.

Explain to them that Enzyte and ExtenZe also spend millions on advertising... upstanding indeed!

The question is if GoDaddy is trustworthy.

[Futurepower(R)]

The question is if GoDaddy is trustworthy. [slashdot.org]

Re:

[Bryansix]

I worry more. Apparently people think companies are NOT upstanding when they have no evidence whatsoever to support that. I for one have used GoDaddy for domains and hosting for three years and had no problems and found their customer service to be excellent in the one time I had to call them to upgrade MySQL versions.

Re:

[rjstanford]

Its hard to go wrong with Dreamhost. Not perfect, of course, but very good value for very little money, and they've been around forever.

Re:

[Narcocide]

Try out pair.com [pair.com] for basic stuff. If you're trying to do anything resembling real work, however (such as hosting commercial websites) you're going to want the physical hardware all to yourself and $10-15 simply isn't a reasonable price anymore. At that range ($75 and up) I'd recommend serverbeach.com [serverbeach.com] but only if you know what you're doing.

Re:

[Kvasio]

in Europe a very competitive hosting is provided by OVH [ovh.co.uk].
Depending on the language version you may get quotes in GBP or EUR, but despite that you should be able to purchase it from USA.

Re:

[WrongSizeGlass]

The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]

I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warings I sent.

I wonder if infected sites should be held accountable for PC's that get infected. Luckily I wasn't running Widows so the Setup_422.exe that downladed was harmless.

Re:I like their commercials

[ircmaxell]

I wonder if infected sites should be held accountable for PC's that get infected.

I wonder if Godaddy should be held accountable for PC's that get infected. After all, it was on their servers, and they have the power to either pull the plug on the affected server(s) or to roll back backups (assuming they take backups). Considering this is a mass attack, does it imply that a weakness in their servers allowed the attack (As in one site was compromised, and the attacker gained access to the entire server through that one site)? If so, Godaddy is absolutely responsible. In fact, I would think they'd be liable to both the end users (people who got infected) and their customers for not adequately protecting them and affecting their reputation (Just take down the server already)...

Re:

[WrongSizeGlass]

It looks like the 'WP Admins' (if that's what we're calling them) used weak passwords for their hosting account, FTP and/or DB, used 'Admin' username and possibly even used the same password for all of them. Rocket surgery, indeed!

Re:

[Bearhouse]

Looks like they did not take their own advice, then.

http://help.godaddy.com/article/2653 [godaddy.com]

It's amazing how often 'Admin' etc. works...the other day I was invited by a CIO to take a look at their security, (which he thought was great; (they'd actually done a pretty good job).
Since they were in the middle of rolling out their new 'secure' portal, I tried 'demo' and 'demo'...worked fine, and with full access rights too...Oops

Re:I like their commercials

[Lumpy]

No it's a weakness of Wordpress, AND weak passwords.. Honestly, why is everyone all up in arms when a bunch of N00b's that dont know anything about site administration and security click on the one click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?

This is as much go-daddy's fault as a drunk drivers crash is Fords fault.

If you want a blog and not be a site admin then get it from http://wordpress.org/hosting/ [wordpress.org] and not worry about it. Otherwise dont come whining because you went for the lowest dollar hosting and are surprised that the cheap guy is not going to update your software for you.

Re:

[MobyDisk]

You are assigning the responsibility to the wrong person.

No it's a weakness of Wordpress, AND weak passwords

Do we know that this was because of a weakness in wordpress, or a weak password?

If N00b's that dont know anything about site administration and security click on the one click install of wordpress and think it's an appliance.

If someone makes a one-click install, and it has security holes in it, then it is not the fault of the user for using the one-click install. It is the fault of the creator of that install.

This is as much go-daddy's fault as a drunk drivers crash is Fords fault.

It probably would be Ford's fault if they had a one-click button that dispensed alcohol to the driver while the vehicle was moving. Why should an end-user have to be a security expert i

Re:

[Khyber]

"No it's a weakness of Wordpress, AND weak passwords.. "

Proof and full code documentation required for your claim, please. Exact sections with comments.

That's what I thought.

Re:

[Khyber]

Troll mod away, guys! I want proof of this. If the guy can't back up his claim he really shouldn't be speaking about it. he can rationalize it all he wants but until he provides exact details, what is said is pure hyperbole and conjecture.

Have fun cracking my password. Going to have to figure out which three languages it's in first, then which words I'm using, and even version of the word in the case of one of the languages!

And then there's another 16 non-alphanumeric characters. Completely RFC3629 complian

Re:

[ircmaxell]

If the guy can't back up his claim he really shouldn't be speaking about it.

I agree 100%. My OP was pure speculation, and I noted it as such. Based on TFA, there was no details about how the attack took place, so we are only left to assume. And in my experience, most times when thousands of hosts on a single server are attacked (and no word of attack on other servers), it's typically the result of a flaw in that server. That's why I made my original statement. I have no proof other than my past experi

Re:

[Khyber]

I was asking for proof from Lumpy, not you.

Lumpy made the nonsense claim.

Re:

[Anonymous Coward]

I bet they're really glad they switched to Windows server a few years ago after Microsoft paid them to do so.

In Brazil

[Monkeedude1212]

Google is also responsible for the hacking because they made themselves available to be referred.

Inconceivable!

[eldavojohn]

But but when I registered for a hosting service on GoDaddy, their commercial lead me to believe that even stripping sexy models use GoDaddy so how could something like this happen to such a reputable and honest company?!

Re:

[Thanshin]

their commercial lead me to believe that even stripping sexy models use GoDaddy

I don't really follow your line of reasoning. You want to use the same things stripping sexy models do?

So before GoDaddy you went for coke and rich old guys?

Re:

[Daniel_Staal]

I'd figure they probably have to have pretty good web servers, just to handle the amount of traffic...

Re:

[jemtallon]

You keep using that word. I do not think it means what you think it means.

Re:Inconceivable!

[elrous0]

It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that. I'm not sure what they were trying to accomplish by running commercials more appropriate to Hooter's or a strip club chain. But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

Re:

[Anonymous Coward]

But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

The Internet is serious business!

Re:Inconceivable!

[Hatta]

That probably was their strategy. McDonalds doesn't get a lot of business from serious diners, but they're not doing too badly. There's a lot of money to be made catering to the general public who's too ignorant to know good service from bad.

Re:

[Anonymous Coward]

The point is that not everyone has the same needs as you do. Most people talk to their hosting companies more than once per decade. For anyone who is with GoDaddy and has to talk to them often, its rather painful.

Re:

[GPLHost-Thomas]

Are you talking about issues like these? http://nodaddy.com/ [nodaddy.com]

Re:

[lwsimon]

Did you renew for 10 years by chance because it took so long for their admin panel to load, you didn't want to have to do it again any time soon?

Re:

[Hatta]

You'd have to be ignorant to consider what McDs sells a burger. Even if you don't care about quality, the value (quality per price) at McDs is much worse than average. Go spend $6 at Hardees instead of $5 and you get a burger that's worth a lot more than 120% of that greaseball McDs sells. If all you care about is price, go to Taco Bell and spend $3 and get just as many calories. On all 3 counts, quality, price, and quality:price ratio, McDonald's fails.

Re:

[u38cg]

MacDonald's provide an unbelievably good service. They serve something like half a billion Big Macs a year and vanishingly few of them contain cockroaches or dead rats or severed employee fingers. I'd like to see you do better ;)

Re:

[elrous0]

As long as his shareholders are okay with him treating the company as a means of indulging his "Girls Gone Wild" fantasies, instead of treating it as a serious business, I suppose that's their prerogative. Personally, I would be embarrassed by the whole thing.

Re:

[hierophanta]

I believe their goal was to make their name well known (a.k.a. brand recognition). they did this by any means necessary and it worked. ask anyone (who does not work in the field) to name an website hosting / registration company and it is likely to be GoDaddy.
Ask for a second one and I would be very surprised if you can get a response.
Brand positioning on the other hand; well it leaves much to be desired (all sorts of puns intended)

http://en.wikipedia.org/wiki/Positioning_(marketing) [wikipedia.org]
http://en.wiki [wikipedia.org]

Re:

[FuckingNickName]

Was it because they were advertising in a direct, in-your-face, honest way that you were bothered? Would you have preferred dulcet tones to make it sound like the company cares for you? Or a pretentious douche mocking a fat guy on a white background? Or do you just feel religious guilt when you see a scantily clad woman?

I mean, a serious customer cares for service that's good enough at a price that's affordable, no? Why would he care what adults voluntarily do in a marketing production?

Re:

[tsm_sf]

It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that.

It was their decapitation of seclists that did it for me. The only things that differentiates DNRs and hosts from each other are reliability and customer service, and Godaddy proved to be awful at both. They are simply off the table for a lot of admins, it seems.

I'd really like to see some kind of registrar co-op, where the person registering the name is able to take complete liabilit

Re:Inconceivable!

[thijsh]

What makes you believe the stripping sexy models weren't already infected to begin with? ...

Re:Inconceivable!

[igaborf]

Wait, those commercials were selling something? I never noticed.

Don't put any details in the post or anything...

[gimmebeer]

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. Apache/1.3.33 Server at blogcastfm.com Port 80

Re:

[TheDarAve]

Posting a story on Slashdot is almost as bad as having a botnet DoS a site anyway. No exploit needed, just exploits of the common geek.

Re:

[phantomcircuit]

Wordpress the opensource Blogging software, not wordpress.com the hosted blogging provider.

This attack did not target Google at all. Whoever modded you interesting failed.

Re:

[Anonymous Bullard]

China is still punishing Google huh?

If by China you're referring to the ruling Communist Party dictatorship, then sure they are [google.com].

Incidentally "GoDaddy also withdrew from China" [washingtonpost.com] around the same time, mainly due to the new (now more and better) draconian registration rules for individuals wishing to operate their own domains.

My hat's off for both of them for not collaborating with that regime's repressive policies.

Possible mirror;

[Mouldy]

Click [themelab.com]

I couldn't get on the article linked in the summary, but I found this in google which is probably the same thing. It's nearly 2 months old, but that's not reason enough for it not to be on ./

Revenge of the Nerds V: Shameless

[MoldySpore]

Well, I suppose it was only a matter of time before those nerds [youtube.com] got their revenge.

This weekend, or two weeks ago?

[devjoe]

I found this story [thetechherald.com] mentioning a similar incident regarding WordPress blogs, but it happened two weeks ago, rather than this weekend. The original site is slashdotted, so I can't tell if this is really the same incident or not.

Re:

[mzs]

That one was likely different. In that earlier one the interesting bit was the use of a cookie. So you would only be redirected one time (if the cookie was not there).

Re:

[kalirion]

The permissions issue vulnerability allowing the attackers to hack the sites could very well be the same, even if what they do after gaining access to the accounts is different.

Re:

[Intron]

There is also this article from March 2 [mediatemple.net] about a Wordpress vulnerability.

Slashdotted to death.

[gimmebeer]

Who needs viruses and chinese hackers to take down blog sites when you can just use slashdot?

Re:

[Yvan256]

Are you saying that the Chinese own Slashdot or that we're all viruses?

Wait, don't answer that...

Only php4 users affected

[Anonymous Coward]

Well you're asking for trouble running php4.
It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

Network Solutions had a similar thing

[Anonymous Coward]

happen about a week ago, though I believe they indicated their FTP accounts had been hacked.

http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/

It was annoying, but I just restored from the prior days backup and went on. I only had one FTP account and a strong password and mine got hit.

Re:Network Solutions had a similar thing

[Lumpy]

there is no such thing as a strong password on a FTP account.

If you did not upgrade to SSH and SFTP from your control panel then you should not be managing a hosting site.

We reported this to them on 3/11

[isThisNameAvailable]

One of our departments decided to do their own thing and host a site on GoDaddy. Not sure if it was Wordpress or not, but the same thing happened to them. We reported it back on 3/11 and moved the site. Way to get in front of this thing GoDaddy! Oh, and it wasn't just Google. Referrers from Bing and Yahoo would redirect to the same link spam page.

Google?

[indre1]

I'm not coming from Google but the given link [blogcastfm.com] gives me 403 (Forbidden)!

umm..

[PPNSteve]

Now you know why we all call it "NO DADDY" lame hosting by lamer people.

no mention of google

[mzs]

This may be referring to the same attack:

http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/ [wpsecuritylock.com]

Re:

[mzs]

Using google I was able to get the original post (it's pretty worthless, I think it linked to a podcast):

When arriving from Google, a hacked website will redirect to http://www2.burnvirusnow34.xorg.pl/ [burnvirusnow34.xorg.pl]. The good news is this attack appears to be based only on your actual files not your database. That's relatively easy to clean up. In GoDaddy you should be able to revert to an old version of your files (Go to April 23rd or before and you should be fine)

Re:

[arth1]

Considering that this is linked to from TFA, well, no shit, Sherlock!

Re:

[mzs]

When I posted that the site would 403.

Don't you mean the worst part?

[DigitalReverend]

The best part is that the exploit only executes when the traffic is referred by Google

I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Who's side are you on?

Re:

[H0p313ss]

Who's side are you on?

The most exciting side.

Re:

[rdnetto]

The best part is that the exploit only executes when the traffic is referred by Google

I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Who's side are you on?

Depends on your definition of hacking. At the very least you'd have to give them points for creativity.

Alt Link

[MrTripps]

Not sure if this is the same thing, but "Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific." http://www.ghacks.net/2010/04/12/wordpress-hack-terrifies-webmasters/ [ghacks.net]

Attacks against hosting providers

[Animats]

We noticed another attack against a hosting provider recently, but it wasn't GoDaddy; it was ThePlanet, or at least someone who uses their IP block. A number of phishing sites suddenly appeared on our list [sitetruth.com], and we noticed they all mapped to the same server. Multiple domains on the same server were all hosting the same phishing attack.

Annoyingly, the domain registration for the server's main domain ("websitewelcome.com") was "private". That's actually part of HostGator's system; there's no reason it sho

cPanel Sites?

[lymond01]

Have a friend who had the same situation but on a different ISP. I believe both GoDaddy and this other ISP use cPanel for access and content control. And the issue only occurred when referred from Google. I perused his site's code but couldn't find anything that stood out. I'm not even sure how the virus is activated (people would visit his site from a Google redirect and their antivirus would cry foul).

Uh, Ok...

[greymond]

After reading the article it said that some of the Wordpress Blogs hosted by GoDaddy were hacked, but that the issue/vulnerability wasn't on GoDaddy's side.

I took a look at the source of my files after logging into the admin area, as well as did a find on the directory of the files for the malicious code from the article and I can't seem to find the script anywhere nor am I experiencing any issues of any kind.

The article didn't mention what type of WP accounts were hacked either...which brings up a question

Sadly nothing new with Wordpress

[SnapperHead]

I have been dealing with a large number of Wordpress installs in the past 2 years and I am hear to tell you this is NOTHING new. This is a very common attack that is being used and its hard as shit to find. Sometimes they embed it in Javascript, sometimes its in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.

There is also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers that if removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit but come on. Its leading to security issues across the board.

The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attack manages to crack one install, they can't just attack another by going through the file system.

Not trying to trash Wordpress here, its just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.

Re:

[sholdowa]

Your understanding of permissions is a bit off. What's the point of 701? 511/444 for files/dirs will perform just as well, and be logical too! If you want it really safe, then chattr +i, and ensure the partitions are mounted noatime. Obviously it'll be a pain to maintain the site, but the chances of it being hacked will diminish dramatically. Who said security was easy (:

Re:

[SnapperHead]

Nope, it works perfectly. 1 is the execute bit, which when applied to a directory allows you to read a file from inside that directory ONLY if you know the absolute path to the file. However, since the parent is 701 you can't find out what that unique directory name is without already knowing it.

Apache can read this because its looking for index.php inside that vhost's DocumentRoot. Now, you might be asking ... well, just look at the vhost and grab the DocumentRoot from there. You can't, the directory t

Re:

[at.drinian]

You are absolutely correct -- I was a victim of this attack despite using stock Wordpress, with all the latest updates applied. I would have never discovered it, either, if it weren't for Duke University's IT department (the blog was on their subdomain) being incredibly on-the-ball with security checks. Wordpress has unfixed security holes that are being exploited; people need to know!

Has nothing to do with Godaddy

[Bryansix]

The assumption that GoDaddy is horrible and has horrible service is false. People make this assumption because they use sex to sell and they have low prices. People assume these two combination also mean poor service and complete incompetence. This could not be further from the truth. Ask ANY technically minded person who has given GoDaddy a chance and they will tell you about the value of their inexpensive services and domain names. I have personally used them for 3 years running to host my website http:// [shezphoto.com]

Re:

[metaforest]

You are seriously bucking the group-think around here.... hence getting modded to hell.

Too bad.

FWIW: I agree with your assessment. I have been very happy with GoDaddy's service as well.

Re:

[Bryansix]

Yep. I love faith in Slashdot's ability to promote independent thought every time I read an article like this and the comments it gets.

Re:

[Bryansix]

I mean "lose". Bad form, I know.