  • Chef Denis
    I just started a WordPress site with GoDaddy last week. I first noticed something odd 2 days ago when the footer of my site all of a sudden had a "teen porn" link. I deleted the footer and recreated a new one but the link reappeared. I then downloaded and installed a new template and that issue was resolved. PROBLEM TODAY is that the site CAN NOT be accessed at all and many other WordPress users are posting the same problem. My site is www.diningbydenis.com. The error page that comes up is not GoDaddy's usual "call us" page.
  • there's no date on this article. when did this happen?
  • looks like you've got the virus again too - I'm on my third run!
  • Everyone, you should check out our free and simple plugin to lockdown Wordpress.. takes just a few mins, and boom you're done!

    www.sitesecuritymonitor.com or direct: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/
  • I've been preaching for years about WordPress Security and it always seems to take a backseat, I suppose because learning how to secure WordPress isn't fun and doesn't seem necessary until you actually need it.

    These attacks are quite sneaky and have a way around many security upgrades and what we need in place is a way to monitor the changes when they come.

    I hope you don't mind the link dropping, but you might want to check out WordPress Defender: 30 Ways to Secure Your Blog From Attack Anyone Can Do... it's well worth the small investment and is loaded with a ton of WordPress and blog security info.

    A nice well-rounded WordPress security system will include:

    - monitoring for intrusions and changes
    - firewalls to block against sql injection
    - being ready for the day your blog does get hacked

    Though it's not nearly enough, here's a great place to start:

    Install these plugins:
    - Login Lockdown
    - WordPress Firewall
    - Block Bad Queries
    - WordPress File Monitor

  • I'm a social media utilizer - and my sites were hacked as well - second time in a week - we're trying to get some motion behind godaddy and make them hire some people or do something to make their service more secure. As such I'm starting a Twitter grassroots campaign. I'm in no way affiliated w/ the link - but we all need to tweet this message and retweet it as often as possible today - we're trying to get #ihategodaddy as a trending topic.

    The tweet: RT @patrickcurl Customers transferring OUT of GoDaddy QUADRUPLE! http://bit.ly/dvwtoT #ihategodaddy pls RT
  • jsi
    Just got directed here, from google, and guess what? Unfortunately, your site appears to be hacked as it tried to redirect me!!! GoDaddy, get your act together!!!
  • A few of our customers were affected. Here's what our CISO had to say about it:

    "WordPress is a-ok. Go Daddy is rock solid. Neither were 'hacked,' as some have speculated.

    After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.

    This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

    And, while we're on the topic of Web security and Best Practices - be sure all your online passwords are unique, secure, and in a safe place."

    If you have questions or you'd like someone to take a look at your WordPress site, please get in touch with our 24/7 support team at http://fwd4.me/MBI

    Alicia
  • Godaddy Is Silly
    LOL. Nice try. I had JUST set up WordPress at Godaddy's WordPress hosting and got hacked.
  • #1 - I was notified of the malware problem first by loyal readers, not by GoDaddy - I have a big issue with that. Courtesy email?

    #2 - I WAS running Wordpress 2.9.2 with updated plugins and unique passwords, yet I now have 19 infected websites.

    #3 - I HAVE followed the GoDaddy procedures at that URL and the infection persists. Looking through scores of include directories for funny file names (*.jpg.php)? Are you serious?

    Honestly - after so many years with GoDaddy I expected better support during a crisis...it's obvious that no one has my back.
  • Dean
    Sorry, godaddy. But you're wrong. I was fully updated to the latest version of Wordpress and still got hacked. Twice. And every support person I talked to gave me the same line about how it wasn't godaddy's fault, but mine.

    That's why I'm moving my blogs elsewhere. If people can't get support from their host, they're totally on their own.
  • Upgrading alone doesn't fix it. We have complete instructions for correcting the issue at http://fwd4.me/MFJ

    Alicia
  • Thank you for the heads up
  • Thanks for the heads-up guys!
  • Papas
    Take a look at this http://bit.ly/9Uj7uh there you will find some explanations
  • On Friday, all my permissions were set correctly, as recommended by the WordPress codex. I still got hacked. It's not as easy as saying "everybody had their permissions set wrong"; there's a lot more to it than that, and I hope GoDaddy tell us what the problem was once they figure it out instead of just saying "we've fixed it".
  • interesting, why only godaddy?
  • netguy
    It affected media temple and network solutions too.
  • We had the same problems in our site. They use a flaw on the file upload of wordpress which allows them to upload new files working as a trojan horse. If you need more info contact me at rei@yahoo.com.
  • Have you informed GoDaddy of this?
  • I got hacked Wednesday afternoon (April 21st), then spent 6-7 hours cleaning stuff up and getting the blog back up. My site was redirecting everyone, whether they arrived via a search engine or directly. I installed a bunch of security plugins, but no firewall as I couldn't get it to install properly.

    Then on Friday night I was hacked again; found out when I woke up Saturday morning. I've spent the whole weekend reading hacking techniques to try finding traces in my files and database. I found nothing suspicious in my database, and in my WP files all that happened was that every single PHP file was infected with a base64_decode entry at the top. This is why not only the blog itself is affected, but also the admin panel.

    I now have a WP firewall properly configured, so I hope between that and GoDaddy getting their act together, I won't be hacked again. My website isn't my job--it's meant to be fun, and dealing with F#&*ing hackers is NOT fun.

    cssgareth, it's more like $12/month for hosting with the lowest bandwidth allowance, which is what I use. Should that not entitle me to some protection from hackers? Where would you suggest I host it? I'm all for viable alternatives.
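The two symptoms reported in the comments above (a base64_decode entry at the top of every PHP file, and upload names such as *.jpg.php) can be checked for across a whole WordPress tree instead of by eye. The following is an added example, not code from any commenter or from GoDaddy; the function names, the 512-byte window and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Heuristics built only from the two symptoms reported in the comments above.
B64_HEAD = re.compile(rb"base64_decode\s*\(", re.I)           # injected loader
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif)\.php$", re.I)     # e.g. photo.jpg.php

def scan_tree(root, head_bytes=512):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if DOUBLE_EXT.search(name):
                findings.append((rel, "double-extension"))
            if not name.lower().endswith(".php"):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)   # injected code sits at the top
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if B64_HEAD.search(head):
                findings.append((rel, "base64_decode-at-top"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (not real malware) and return the findings."""
    samples = {
        "index.php": b"<?php\nrequire('./wp-blog-header.php');\n",
        # constructed injection; the payload decodes to the word "placeholder"
        "wp-admin/admin.php": b"<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?><?php\n",
        # legitimate-looking use far below the top of the file: not flagged
        "wp-includes/mail.php": b"<?php\n" + b"// filler\n" * 100 + b"$d = base64_decode($p);\n",
        "wp-content/uploads/photo.jpg.php": b"<?php // constructed placeholder\n",
        "wp-content/uploads/real.jpg": b"\xff\xd8\xff",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:24} {rel}")
```

Only the head of each file is inspected because some legitimate PHP code calls base64_decode further down; a hit is a lead to compare against a clean copy of the same WordPress release, not proof of infection.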
  • ..
    read it here..
    http://wordpress.org/development/2010/04/file-permissions/
  • gideon1222
    If you can setup a Linux server via SSH (read, no Cpanel), install an HTTPD daemon and MySQL and install Wordpress yourself, there's always a $10/mo VPS from http://swvps.com/linux-vps.html

    I'm helping run a server with a friend for a smallish forum, we've got a decent amount of room on the server and are able to manage everything ourselves.

    Takes a bit of experience with Linux though.
  • Spend a bit more on a provider like utropicmedia.net that doesn't oversell their servers and or have many of these problems.
  • Thanks for sharing this info! I took a look at the source of my files after logging into the admin area, I can't seem to find the script anywhere or any issues of any kind. I'm guessing it missed me, not sure why or how. I'm using WordPress 2.9.2. I have MySQL 5.x and PHP 5 on as well. Do we know if this is something that just hit PHP 4 users?
  • gideon1222
    It's doubtful that the PHP version would do anything, PHP 5 wouldn't be doing much additionally to protect against the vulns; it's more an issue of server setup and also how poorly Worm^Hdpress is coded.
  • Michael
    There was a very similar exploit that made the godaddy wordpress round that redirected to ninoplas.com
    First google link for wordpress ninoplas has good information and a strategy for cleaning up.
  • Sorry to hear that your site was compromised, but glad you got it fixed.

    Great information! Thanks so much for spreading awareness about this issue.

    Godaddy contacted us and they're trying to find the common method of this attack, so I'll be sure to share this information with them.

    P.S. Thanks for linkback.
  • I wanted to send you a quick update. Godaddy's Security Department just called me and they're working to track the source of this malware. They have located a small php file (3k) that sends a shell command to inject malicious code and quickly leaves. We are asking for the public's help. If you're hosting on Godaddy and have been infected with this virus, please visit our website and submit your domain name and date/time you were attacked - http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/
  • That seems like a really cheap fob-off from goDaddy. But how else do you imagine you would pay $5 for hosting. You really do get what you pay for.
  • Time to start using .htaccess and .htpassword on your wp-admin folder. It may not be bulletproof against everything, but it'll at least put in a speed bump. Downside is that you will need two passwords to log in to your blog.