Support » Fixing WordPress » Exploits and GoDaddy

  • Until yesterday I was running 2.3, and experienced several exploits over the past few weeks (the site is hosted at GoDaddy). Several PHP files were compromised in these attacks, and the pattern was that an iframe was appended to the files. I have good backups and was quickly able to replace the infected files in each case, only to find several days later that they were once again hit.

    After reading up on this, I upgraded to 2.7.1 yesterday.

    Today upon login to the admin pages, my on-access AV scanner picked up a references to gumblar.cn/rss and on subsequent logins I was warned of .js files associated with the plug-in embedded-link-with-video plug in having the JS:Redirector-H2 [Trojan].

    Since I was not able to observe any changes to WP files when I examined them with FTP, I suspect that the gumblar reference was somehow just cached in my browser, and I cleared the cache, and seem to be clear. I also deactivated the errant plug in.

    Am curious as to whether others are experiencing the same, and what steps are being take to harden sites (especially on GoDaddy). I’ve contacted their support, but with no response yet.

Viewing 12 replies - 16 through 27 (of 27 total)
  • CORRECTION:
    you will not be able to install and activate ONLY new installed plugins. You can deactivate and reactivate all of your existing installed plugins.

    Hmm ok maybe I’m not exactly correct in stating that the closing tag is absolutely necessary, but i have always seen it in all other hosts wp-confi.php files. You wouldn’t be a hacker by any chance would you? 😉 What i do know for sure is that i installed WordPress on GoDaddy and within hours it was hacked. I installed WordPress on another totally new godaddy account and within hours it was hacked. What i also know for sure is that my .htaccess file is a smack down for these amateurs. DENIED DENIED DENIED DENIED. 😉

    The other thing i wanted to mention is that the client also had an HTML site with a body onload that was not filtered and that site was also XSS hacked.

    a search of these forums will show godaddy sites – not just wp – are getting hacked at a bizarre rate. I’m more inclined to believe it is godaddy’s antiquated shared servers and security software.

    I agree with you 100% sambell. It has nothing to do with WordPress at all really. WordPress is very, very, very secure and I have rarely had to “fix” a hacked WordPress site on other hosts. Unless the client has made the mistake and opened the door(s) themselves. Was totally kidding of course about the asking you if your were a hacker – that was a joke – i didn’t make that absolutely clear that i was just joking with you. 😉 I am finding all sorts of other security vulnerabilites with default godaddy files and obviously hackers know this and are hovering like vultures waiting for their next meal. I also wanted to point out that i used the godaddy application installer to install WordPress – I did not do a clean install of WP. Yeah i know I am asking for it by using their prebundled WordPress package. 😉

    Instead of posting my final GoDaddy security vulnerabilites info here I’ll post it on my site since this is primarily a GoDaddy security issue not a WordPress security issue. thanks sambell for pointing out the wp-config.php correct info. I wasn’t 100% sure about that closing tag statement I made and I should have double checked before posting that info. 😉

    I definitely wasn’t getting on to you. WordPress has had vulnerabilities exposed in the past like all php apps. They do move extremely quickly to fix them, however, and recent version still holds secure.
    2 hosts seem to be lacking in security as a general pattern, though. godaddy and hostgator. a lot of hacked sites.
    I hope you get results.

    hackersSUCK….could you let me know what your website is? I am having some major issues with godaddy hosted WordPress sites as as well. I was recently hacked and it is affecting all my .js files I keep clearing the malware code but it keeps reappearing. It does get some of my PHP files but not many. I have done all the changing of passwords, checked databases, etc. I am now using you .htaccess code but it completely blocks my site like you said it might.

    i added the .htaccess to the wp-admin area and my site works now, is that where it should be or should it be or should it be where I had it in the html folder on godaddy.

    i’ve just been hacked on Godaddy’s servers in a ZenCart install with a WordPress install. it’s this iframe injection:

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    can someone tell me where to look to find the exploit, please?

    Go Daddy

    (@gdhosting)

    Go Daddy Support

    We security very seriously and have a 24/7 Dedicated Security Team that investigates security issues daily. Our team also works with industry security organizations to work to provide the safest hosting environment for our customers.

    We’ve verified that the missing ?> tag on the php scripts, and as mentioned, is *not* required. More information can be found at http://php.net/manual/en/language.basic-syntax.instruction-separation.php

    If your site has been compromised, we recommend taking a look at this resource from the Go Daddy help center on identifying, removing and preventing malware – http://fwd4.me/Lf5

    Alicia

    Not trying make waves here GD. Whats the bottom line? We find out today the criminals breached the U.S. Treasury Department sites on NS. You guys are now being hammered.

    Have you guys considered the criminals have launched serious guerrilla cyber warfare on you and NS? I mean let’s get serious. Us little guys are getting hit left and right with flack. And band aids aren’t stopping the bleeding.

Viewing 12 replies - 16 through 27 (of 27 total)
  • The topic ‘Exploits and GoDaddy’ is closed to new replies.