Hosting With GoDaddy? Might Want To Rethink That Decision.
Posted on May 13th, 2010 at 10:04 am by Michael VanDeMar under WTF, Wordpress, blogthropology, coding, customer service
One of the services I offer people is cleaning their Wordpress installations of hacks and infections, mostly for those who might not have the time or technical expertise to follow my hacked Wordpress cleaning guide. Therefore when something happens that increases the number of people getting hacked, such as when a new exploit is discovered, or a security hole in a large host starts getting exploited (like what happened with Network Solutions last month), I get an increase in the number of people requesting help cleaning things up. This month it started happening with a large number of GoDaddy customers.
When it first started to happen I did some searching around, and noticed that there was some discussion going on about the heightened GoDaddy hacking activity, but at that time everything I read that stated the problem was with GoDaddy customers all had roots pointing back to a single post on a company blog that didn’t offer enough details for me to really see why it was happening there and not other places. Not that Wordpress on other hosts weren’t still getting hacked, but there has definitely been a higher concentration of instances on GoDaddy. GoDaddy was definitely aware of the issue, and even replied in some threads on the Wordpress.org help forum:
GoDaddy.com did send out a notification to customers affected by this issue. Although I know you would prefer not to be linked, I want to avoid flooding the forum. For a step-by-step guide to update WordPress, please visit http://fwd4.me/NGN – Alicia from GoDaddy.com
The link to their “step-by-step guide” to updating Wordpress turns out to be nothing more than a link back to Wordpress’ own guide to upgrading, and links on how to back up your stuff on GoDaddy. Decidedly not step-by-step imo, and in this case not all that helpful. If the reason your site gets hacked is due to you running an older, insecure version of Wordpress, once that happens simply upgrading will not fix the issue. This seems to me to be a bit of a lame response to a serious issue coming from a company that bills itself as the “World’s largest Hosting Provider”.
GoDaddy keeps insisting that the problem is due to outdated Wordpress installations, and that staying up to date and site security is the responsibility of the customer, not of GoDaddy. In one sense I completely agree with them. If you run an older version of Wordpress that has known security holes in it (ie. pretty much all versions aside from the most recent) then the odds are that you are going to get hacked. Most of the clients I cleaned from GoDaddy so far were up to date, running version 2.9.2, but this still didn’t mean that it was GoDaddy’s fault, since it is possible for a site to get hacked and no signs show up for months. This means that the sites I was cleaning could potentially have had the hack from an older version, and it only became apparent some time after they upgraded.
The problem is that after doing some very thorough clean up jobs (ie. wipe and reinstall), and making sure the clients were up to date, all passwords changed, all image files verified as actual images, clean Wordpress, clean theme, clean plugins, and hand cleaning the database, I had clients still getting re-hacked.
One client I had was having issues with funky characters in his posts. He would make the post, everything would be fine, and then the next day they would be converted in a way that would make them display as unicode. This was well after I had done my cleaning, and no one should have made any changes to the database since then. My assumption was that GoDaddy themselves was making changes, possibly security upgrades related to the recent hacking waves, and I figured that calling them to see what they had done would be the best bet. In preparation for this I went ahead and logged into the client’s account, and ftp’d into the server just to make sure everything looked like it was in place still. As soon as I did I saw that about 30 minutes before a brand new, non-Wordpress, oddly named php file had been dropped into my client’s site.
I downloaded the file and looked at it. I suddenly realized that this was the source file for all of the hacks that were happening. It was named “plan_erich.php”, and had a similar eval(base64_decode( instruction at the top of the file. I modified the code to be able to decrypt it safely, and looked through the output (which you can view here). The script was designed to delete itself as soon as it ran:
$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);
Finding this script before it was triggered and deleted itself was raw luck. Catching this file gave a great opportunity to actually track down how these hacks are occurring, and possibly would leave clues that GoDaddy could use to keep it from happening again. Looking at the owner/creator of the file, and matching that timestamp up with the various logs (ftp, ssh, http, mysql, etc) could give GoDaddy the information needed to figure out how the file really got there, instead of just guessing that Wordpress was the issue. I have never seen a file like this before, and searching Google for the name yielded no results, so there really was no other information out there available on this. Finding it there was a little like hitting the lottery in that respect, random and very, very good luck.
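A defender's version of the check described above, as an added example that is not part of the original post: it walks a web root for PHP files that begin with an eval(base64_decode( wrapper and pulls the Apache access-log lines stamped near each file's modification time. The log lines, IP addresses and payload string are constructed, and build_demo_tree and the other function names are hypothetical.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# PHP function names are case-insensitive and whitespace may be inserted.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Timestamp field of an Apache common/combined access-log line.
APACHE_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample data (not taken from any real log): documentation IP
# ranges, invented requests, and the file name reported in the post.
DROP_TIME = datetime(2010, 5, 13, 16, 31, 5, tzinfo=timezone.utc)
SAMPLE_ACCESS_LOG = [
    '198.51.100.4 - - [13/May/2010:09:02:11 -0700] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/May/2010:09:31:40 -0700] "GET /plan_erich.php HTTP/1.1" 200 17',
    '198.51.100.9 - - [13/May/2010:10:15:00 -0700] "GET /feed/ HTTP/1.1" 200 2048',
]


def find_suspect_php(root, head_bytes=4096):
    """Return [(path, mtime_utc, owner_uid)] for .php files whose first
    head_bytes contain eval(base64_decode( , newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
                st = os.stat(path)
            except OSError:
                continue  # unreadable, or already gone (the dropper unlinks itself)
            if EVAL_B64.search(head):
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                hits.append((path, mtime, st.st_uid))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def log_lines_near(lines, when, window_seconds=120):
    """Return the access-log lines stamped within +/- window_seconds of `when`."""
    window = timedelta(seconds=window_seconds)
    near = []
    for line in lines:
        m = APACHE_TS.search(line)
        if not m:
            continue  # not an access-log line we can date
        stamp = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if abs(stamp - when) <= window:
            near.append(line)
    return near


def build_demo_tree(root):
    """Write one clean file and one dropper-style file under root (constructed)."""
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    dropped = os.path.join(root, "plan_erich.php")
    with open(dropped, "w") as fh:
        # Harmless placeholder payload: the base64 decodes to the word CONSTRUCTED.
        fh.write('<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n')
    os.utime(dropped, (DROP_TIME.timestamp(), DROP_TIME.timestamp()))
    return dropped


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as webroot:
        build_demo_tree(webroot)
        for path, mtime, uid in find_suspect_php(webroot):
            print(f"{path}  mtime={mtime.isoformat()}  uid={uid}")
            for line in log_lines_near(SAMPLE_ACCESS_LOG, mtime):
                print("    " + line)
```

A file's mtime can be reset by whoever wrote it, so treat a match as a lead and compare it against st_ctime and the host's FTP and SSH logs as well.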
The problem, however, is that GoDaddy didn’t seem to care. I called and explained to the woman I spoke with exactly what it was that I found and how it could be useful. I told her that matching up that file to the logs could yield some potentially valuable information. She did listen carefully, and I am pretty sure she understood what I was saying, because she asked if she could put me on hold to go talk with someone who might know more. She came back and informed me that she didn’t have permission to look at those logs.
I explained again, in a little more detail, why looking at the section of those logs was very important, and if she didn’t have permission could she please escalate the ticket to someone who did. Again, she put me on hold. This time she came back and told me that they were uninterested in escalating it.
At this point I was a teensy bit amazed at GoDaddy’s lack of concern with the issue. She very kindly informed me that the issue was that the client was running an older version of Wordpress, and that we needed to upgrade. Wtf? I went and looked, and made sure that he was indeed still running the 2.9.2 version that I had installed over a week ago (and remember, he was running that version before I ever did anything), and he was. I told her that. She told me that no, she was looking at what the hosting control panel said, and that he was running version 2.6.
That was when it struck me… GoDaddy was claiming that this wave of Wordpress hacks was due to clients not upgrading without even bothering to really look at the clients’ sites. The hosting control panel can only report what was installed via the hosting control panel itself. If a client pushes the button to upgrade Wordpress from within the Wordpress admin section then the hosting control panel will never know.
As amazing as it seems, apparently the entire GoDaddy technical support team is ignorant of this fact. That’s right… the “World’s largest Hosting Provider” doesn’t understand the very basics of how the world’s largest blogging platform works.
Something, probably a hosting configuration, is allowing GoDaddy customers to have their sites hacked, and it isn’t file permissions, insecure passwords, or out of date software. Not being willing to even look when a developer calls to tell you that they found something is completely unacceptable. My suggestion to all GoDaddy hosting customers: bail now, before something happens to your site. This is not a Wordpress issue only… although it seems to have targeted Wordpress customers first, all sites that use php are at risk. Personally for shared hosting I recommend HostGator, because I love their tech support (and their servers are very robust), but there are plenty of hosts out there to choose from (Disclosure: I changed the previous link to an affiliate link, although if you’d rather purchase hosting from them without giving me credit that’s fine too, here is a clean link for you: HostGator).
Bob Parsons, I am sorry. Hot chicks and a strong tits and ass marketing campaign do not make up for apathy in matters of client security and well being.
May 13th, 2010 at 10:31 am
This is an eye-opening post, but as you say, the hack is not limited to GoDaddy. I’m a reseller for them and have always been impressed with the prompt responsive service. However, I too received the security warning that I was using an outdated version of WP. The email message only had links direct to WP.org so it was very useless. I checked all of my own and my clients’ blogs and all have been updated, so I was wondering what was going on. Now I see what you mean – if you used their auto install to install WP in the first place, they have no idea you updated it – several times over. Thanks for solving that mystery.
Personally, I’ve been involved with a number of hosting companies and have had issues with each and every one. I think it was a step in the right direction for GoDaddy to send out notices for those in need of upgrades, but they should have been sure of their information before doing so. It might have been more effective to send out a blast to all with WP installed to tell them to check to see which version they were running. If I’m not mistaken, Network Solutions (gag, gag) seemed to be the first target and I’m not aware they did anything, so something seems to be better than nothing, at least.
May 13th, 2010 at 10:38 am
“Bob Parsons, I am sorry. Hot chicks and a strong…”
Best (and most true) line I have read in quite some time.
This makes me very glad I host elsewhere!
May 13th, 2010 at 10:57 am
I looked at the code; what do the references to the domains mean? I found: holasionweb.com and burhot33-td.net – Could this be the culprit’s website?
Commend you for helping to keep WordPress users safe.
Sad that GoDaddy is blowing this off.
May 13th, 2010 at 11:56 am
Wow. I am SO glad that I just moved a couple people off there. I’ve had clients hacked at other hosts, but the fact that they aren’t even interested in what you’ve found & are assuming that people are upgrading using GoDaddy rather than manual (my choice) or the incredibly easy internal upgrader (probably what most of their clients are using)–that’s just nuts.
Sure, not everyone upgrades. I’m planning to use this hack as a way to push a client up to 2.9.2 even though he’s been afraid to change stuff. But if it’s not just an old Wordpress issue, they need to work on it. (I’ve heard of people w/other CMSes getting the same hack on GoDaddy.)
May 13th, 2010 at 11:56 am
GoDaddy is the most incompetent hosting company I’ve ever dealt with. Years ago I signed up for a virtual instance with email and web server configured. Their default sendmail configuration allowed tens of thousands of spam emails to clog my storage and bring the machine to a standstill, and they goofed on my DNS configuration as well. After several frustrating days and no email service, I finally demanded a refund.
I’ve had a much better experience with HostingRails.com (they support PHP, Perl, and Python too), and they provide excellent customer service. And for domain registration, Moniker.com offers excellent service at competitive prices. Don’t waste your time or money with GoDaddy!
May 13th, 2010 at 12:00 pm
I have to say I generally love GoDaddy’s support, but their proprietary system is what stops us from hosting most clients w/ them.
May 13th, 2010 at 12:09 pm
Great post Michael, really pointing out the way GoDaddy operates – with apathy toward anything that is not profit-inducing, I have found another thing they do, which I ranted about a while ago here: http://www.articulayers.com/20.....t-godaddy/
Basically, if you don’t force a canonical redirect, they will take one of the domains and put a targeted PPC campaign on it. Not parked domains mind you – live sites. Shameless charlatans, IMHO.
Your post here amazed me though – their voiced response of being “uninterested” in pursuing it just boggles the mind.
May 13th, 2010 at 12:54 pm
For two years I’ve been insisting that clients do NOT host their Wordpress sites with GoDaddy. They had issues beyond security – around databases being configured improperly with their “auto” setup.
Truthfully, though, this week has seen issues in a lot of hosts – including my favorite, BlueHost. So, at the moment I hate them all. But, gotta host somewhere, right!?
May 13th, 2010 at 1:04 pm
Thank you so much for writing this. I have none of my own sites on GoDaddy, although I am guilty of using them just for domains. I’m gonna put my money where my mouth is and move them.
This is just completely irresponsible of them. I deal with *many* clients wondering what’s going on, and them saying “it’s wordpress” not only passes the buck but ultimately doesn’t fix anything. Clearly, there’s a preponderance of evidence at this point – not just this post, but dozens now – highlighting that it’s definitely not WordPress and it’s very likely the setup at GD.
You’re the second person I’ve heard of today that has tracked it down, has the proof and they’ve flat-out ignored them.
May 13th, 2010 at 1:04 pm
@Tia – you are right, you do have to host somewhere. And to be fair it is very possible that the same issue affecting GoDaddy is affecting other hosts as well, and the reason we don’t see more complaints from other hosts is because they simply aren’t as large. However, with the number of sites hosted with them, and the incredibly huge amount of money and resources GoDaddy could throw at this problem if they so desired, the fact that they are uninterested in trying to fix it makes them far worse than other hosts out there. They should be the leader, not a firm that simply sits by and points fingers.
May 13th, 2010 at 1:43 pm
My site is currently hosted with Godaddy and it took me 5 days to fix the hack. The Godaddy tech support person sounded like he was high when I was on the phone with him and he had no clue what was going on. He kept asking if I had upgraded to WP 2.9.2 (I kept saying, yes and I am diligent about upgrading immediately).
Brutal. I need to switch web hosts.
May 13th, 2010 at 1:45 pm
oh, and In the Thesis Theme Forum, the wonderful Shannon pointed me to This Article to help fix the godaddy hack issue and it worked like a charm
http://blog.sucuri.net/2010/05.....atest.html
May 13th, 2010 at 1:46 pm
Hi Michael,
I work for Network Solutions. I wanted to respond to Randy Duermyer’s post in which he mentions Network Solutions and claims that we did not do anything to respond to the recent attempts to hack our system. On the contrary, we have devoted numerous resources of our own and obtained assistance from the community and other organizations to help our customers. Among many of the extraordinary steps that we have taken, Network Solutions’ customers were provided a scanner to check their websites for hidden malware. We have also been open in our communications on our blog that you linked to in your post so that people and, importantly, our customers can gather information about this issue.
Our goal is to help the customers get on with focusing on the success of their businesses and we continue to concentrate our efforts on making it right for them.
Thanks,
Shashi
May 13th, 2010 at 2:00 pm
Nice post. We just went through this very ordeal, which hit 4 WordPress and 2 MediaWiki installations. GoDaddy wasn’t particularly helpful.
May 13th, 2010 at 2:04 pm
GoDaddy is essentially a marketing company, not a technical company. I don’t think they care about providing good service or really care about technical issues until it impacts their bottom-line. This is the perception of them I’ve gained from years of having to work with them to help support various clients. Personally I think they need to do a better job with security, especially right now with http://www.dirtyphonebook.com and others posting so many personal details about people. If GoDaddy doesn’t do more of a good job to protect their customers’ sites and especially privileged client data, I doubt it’ll be long before we see some kind of massive privacy leak that will damage their business and NO AMOUNT of scantily clad cheerleader Super Bowl ads will cure this perception if they don’t move to fix this.
May 13th, 2010 at 2:04 pm
Shashi, you are correct, you eventually did start digging deeper and even went so far as asking for help from the Wordpress community, which is something that many companies would not be willing to do publicly, and that is definitely points in your favor. However, you guys did initially try and blame the hacks on the way Wordpress itself was written, which did spark a bit of controversy and negative attention to the issue.
Have you guys gotten anywhere on finding the root of the issue? This really doesn’t seem to be host specific, although there are certain hosts that it does not seem to be affecting yet. Have you tried sharing information with any of them?
May 13th, 2010 at 2:58 pm
[...] some web hosts, such as GoDaddy, are proving that they simply don’t care. Even when enterprising developers find physical evidence of the previously unseen malware, and [...]
May 13th, 2010 at 6:08 pm
Does anyone know if GoDaddy and/or any of these other hosts are running PHP with either an suExec solution, or if not, with open_basedir restrictions? If neither of those are being used by your host, it would be in your best interest to leave immediately and find one that does. Any files writable by the webserver on a shared hosting account not using these techniques are vulnerable from any other account on the same machine. I’d bet anything that is what is going on…
May 13th, 2010 at 6:21 pm
I’m with GoDaddy, with multiple sites, and two of my sites and two of my blogs were hit. Both blogs were WordPress. See, GoDaddy says to have the most recent upgrade, but they are weeks, sometimes months late putting that on their auto-installer. I never use it, because I update the minute WordPress tells me there’s a new release. I KNOW both my blogs were current.
But the other two sites that were hit were Drupal backbones. I tried to follow their instructions to roll the site back in the history to a date prior to the infection and the first time, it worked like a charm. Then, I did all the upgrades, made sure it was the most current version, and everything was fine. The next morning, I was reinfected with the scareware script/redirect links. This time, I couldn’t roll it back, because for some reason, the database wouldn’t connect when I did. I got frustrated and wiped the whole damned thing out, and put a brand new, fresh install of Drupal and manually copied and pasted all my content (quite a chore for a seven year old site, let me tell you) and I knew I was current and clean – and then I went in and changed all my passwords to really difficult ones, including the FTP remote access, the hosting access, and the database passwords.
I got reinfected. Third time. My site is now down, and this is what GoDaddy’s tech support sent me:
“Thank you for contacting Online Support.
Unfortunately at this time, I do not have specific details on you current infection of how to completely resolve it. Please understand that we have limited support on virus attacks. You may want to make sure ALL files that were modified are changed, .php, .php.ini, and anything else regardless of file extension. It seems as if something still remained in the site even after the restore.
Please let us know if we can assist you in any other way.”
…..
Limited support… sigh.
I am on grid hosting with them, and they claim it affected less than 5% of their entire network – but FOUR of my sites were hit (well, two and two blog subdomains), and all four were hosting on the same grid.
I don’t mind that it happened – it sucks, but that’s part of the game, but this obvious lack of concern or interest in it, and them telling me this is MY fault when I know it’s not and the two days of downtime, lost revenue, and lost time for me and my tech guys having to fix this ourselves…. well, I’m not a happy customer, yanno?
Thanks for letting me vent. GoDaddy’s own site about this issue hasn’t approved my comments that are held in moderation and they limit to 100 words. Thanks for letting me share my experience.
Michy
May 13th, 2010 at 6:33 pm
I have been a Network Solutions shared hosting customer since February. This is my first venture in developing a Wordpress media platform. We were hacked on the 18th and 23rd and stopped dead in our tracks.
As frustrating and exhausting as this has been I will go on record now and say that Network Solutions went ALL OUT to help customers and still are going all out to help customers. Not once did any NS representative suggest I would have to pay for anything or accuse me of being negligent. They were helpful, cool, polite, and fast under ultra intense pressure and GOT IT DONE. There are still a few minor inconveniences occasionally as NS continues to tighten things up. No problem. Whatever it takes.
Do I regret my decision to go with NS? The answer is no I do not regret it.
May 13th, 2010 at 9:20 pm
Nice catch on plan_erich.php mine was tiphany_enemy.php – more info here.
May 13th, 2010 at 10:37 pm
I had this happen on multiple personal accounts with Dreamhost. The hackers left a slough of those encrypted files – but each had a different name.
Dreamhost was super nice about helping me though – quick turnaround – and they scanned and found 3 files I had missed.
May 13th, 2010 at 10:40 pm
All I have to say is I’m not surprised. GoDaddy support is horrible at best. I agree that HostGator is the way to go.
May 13th, 2010 at 11:12 pm
I host my WordPress blog on GoDaddy and have suffered two PHP injection attacks in the past six months. I am religious about keeping my WordPress installation up to date, and I use only a bare minimum of plug-ins (Akismet, Subscribe Remind, Subscribe To Comments).
Fortunately, I cleaned each of them up quickly (by getting rid of the obfuscated eval block inserted into each of my PHP files), and, to the best of my knowledge, there was no harm caused to my readers.
Still, I’m curious if anyone knows whether the vulnerability is because of GoDaddy or WordPress itself. I like the flexibility of running my own installation, but another incident like this and I’ll be tempted to move off of self-hosting.
May 13th, 2010 at 11:31 pm
My sites once got hacked and turned into phishing sites of some finance institutions. I didn’t know all this until I received an E-mail from my hosting provider. They claimed that all my Wordpress installations on the shared server are out of date. I updated them all after they helped me deleting all the phishing-related files and never again I got the same kind of E-mail notification.
The hosting provider was HostGator and I’m still using their service.
May 14th, 2010 at 12:20 am
We engaged Firehost.com to manage all our infrastructure on page.ly for this reason right here. They have the skill and the hardware to prevent these sorts of things before they even start.
We pay 5x what we would somewhere else.. but I can sleep at night, and our WordPress hosting customers gain the added security benefit we are paying for.
The race to the bottom on pricing that the econo-hosts have been running is biting them and their clients in the ass.
May 14th, 2010 at 12:22 am
Yeah my site was hacked like this twice, just before I was planning to leave Godaddy hosting anyway. (I just changed to a different host today!) I never installed WordPress or any other CMS system, just a few small php files I wrote myself, they didn’t even allow file uploads or anything like that. I checked the Apache log and in the second attack the file was called couple_peria.php. But it was already deleted by the time I checked FTP to look at it. I scanned every line of the apache log for that day and it looks like there’s no way the file was uploaded thru the web server (I would be very surprised if WordPress has anything to do with this AT ALL). Someone must be doing it thru FTP or SSH or something else.
May 14th, 2010 at 12:23 am
I didn’t know about the problems at Go Daddy and Network Solutions until yesterday when I started getting malware complaints from my customers. My hosting company, Network Solutions, ran some sort of test on my site when I called them this morning, and while acknowledging problems with hackers, pronounced my site “clean”. However, this afternoon, customers were still getting malware warnings.
I don’t know code but by comparing the local and remote sites even I was able to find the malicious code on the index page and a script file that redirects users to a malicious site, so I can’t say that I’m impressed with the help I received from the folks at Network Solutions, especially since it turns out that the malicious code on my site was just like the code found on the U.S. Treasury and hundreds of other sites a few weeks ago. I am also not comforted by this Russian Youtube video http://www.youtube.com/watch?v=nabz7t65eUM which claims to show someone in the process of hacking Network Solution websites.
May 14th, 2010 at 12:54 am
Give Hover a try
https://www.hover.com/
May 14th, 2010 at 1:02 am
Great piece, Michael, and a nice piece of sleuthing, too!
That GoDaddy refused to accept responsibility as hoster for even basic troubleshooting comes as no surprise. As Jane Stenson said, they are a marketing company, not a technical company. The fact of the matter is(IMHO), the vast majority of the people that would even consider hosting with them, probably don’t know enough about how things work, to be able to recognize GoDaddy’s fail. I have registered domains with them, but I’d rather go back to smoke signals than use them as a host… I’ve heard far too many horror stories.
May 14th, 2010 at 1:55 am
I am not sure if it can help in this case precisely, but I believe it does, they are small scripts to test the presence of intruders on a site: http://www.scriptol.com/scripts/script-checker.php compares the code of Wordpress online and the true version that you put on a local directory and http://www.scriptol.com/scripts/botlane.php check the change on the files on the site.
May 14th, 2010 at 2:30 am
I’ve been using Hostgator for over a year now and I have to say they are excellent. When a friend first uttered the name “gator” I was a little worried but I have to say I haven’t had a bit of problem with their servers or the support.
May 14th, 2010 at 2:54 am
I have 2 sites hosted on Godaddy. Malware was injected into both the sites on May 1 and May 12. Yes, if it is a custom built site, Godaddy customer support just says someone might have got your password, and this is the customer’s problem, they can’t help in this matter. Unfortunately they don’t have enough help information on how to prevent this. Planning to leave Godaddy.
May 14th, 2010 at 5:57 am
My site on Godaddy was hacked too. I’m not using WP. It’s only pure PHP coding. In fact few years ago, I turned my HTML pages into PHP only to use few PHP function, mostly the ‘include’ one.
The hack happened also last January. At that time, I thought it was my fault: I turned on “magic_quotes_gpc”. I read also it wasn’t a good idea to include file via http (allow_url_include = On) so I changed that too.
But the hack happened again on May 12th.
Lucky for me: yesterday, I was able to change my ftp pwd and upload an .htaccess file to put offline my site.
But today, I wanted to re-upload my site. Unfortunately, I forgot my new ftp pwd, so I changed it again. Then, no more ftp access via filezilla or even with their ‘file manager’. Oh, it says the pwd change can take up to 30 minutes… Why? Anyway, I waited 1 hour before calling their tech support. They told me they were aware there was a problem with the ‘file manager’. Regarding my ftp pwd, they told me to wait until noon PST… in 10 hours for me…
I’m glad my hosting plan is expiring in July.
May 14th, 2010 at 8:26 am
[...] you’re on GoDaddy, LEAVE. GoDaddy Doesn’t Give A Damn, or at least they’re acting like they don’t. A user found the code used to inject [...]
May 14th, 2010 at 8:32 am
Thanks for the great analysis. I always recommended my customers to stay away from GoDaddy, although for different reason, now it only solidifies my recommendation.
Scary how easily large installs like this are penetrated and then ignored by those who are supposed to help end users protect it.
May 14th, 2010 at 8:35 am
Fortunately I only use Godaddy as a registrar service but my 2 cents is this anyway: When using a shared server with a 1000 + other web site owners there’s bound to be at least one that has an outdated no security WP installation.
My info (conjecture) is that using that vulnerable site the script was able to get FTP access from the server for all the other domains, then it could start specifically targeting php based installs (of which WP is obviously the largest).
To me that would explain the re-infections even after the sites had been thoroughly cleaned by owners clued up enough to do that.
Doesn’t matter how up to date your WP install, or built in security is if a hacker or his script has gained FTP access to your site.
My host (Heart UK) features a FTP lockdown feature that disallows any FTP access unless the site is ‘unlocked’ for a set period of time or IP address and that sounds like it might be an idea other hosts should apply if they don’t already.
So that, and my recently following the 30 security measures for Wordpress as espoused in Wordpress Defender http://www.blogbriefing.com/wordpress-security/ will, I hope, keep my sites secure. Or pay out for a dedicated server – a bit out of my reach.
May 14th, 2010 at 8:45 am
@Clive – I am pretty sure that if a server is running some sort of properly configured suexec solution, where each user is prevented from accessing the home directory of another user, then being on a shared host is fine since each virtual host can only access files on their specific directory. I know that HostGator switched to that solution a couple years back, and as far as I can tell, so far they are not one of the ones being affected by this.
May 14th, 2010 at 9:22 am
Latest post on my site have soft fixes for this, but it’s not all encompassing, just quick for PHP files.
New posting coming soon with more updates and thoughts. Just found this exploit happening on a BlueHost.com hosting account. Reading deeper into what it’s actually doing.
I agree, you need to make sure all image files ARE image files and the only files on the server are YOUR files. This is kind of a nightmare, but hopefully the power of community (WordPress, PHP, geeks) can overcome.
More to come, great post @Michael – and though I’m widening the provider that’s fallen prey to this, GoDaddy is still the Walmart of Web Hosting and I avoid them like… well, Walmart.
May 14th, 2010 at 9:46 am
[...] all the hacks going around infecting WordPress sites with malware on certain hosts, it is very important you choose a host that takes security seriously. With Page.ly signing a deal [...]
May 14th, 2010 at 9:57 am
Same thing happened in Italy to a lot of wordpress site hosted by Aruba (an Italian provider).
They answered the hacking was due to an old version of wordpress.
Same story…
May 14th, 2010 at 10:03 am
I used to work in hosting at Godaddy. While it is true that the average first tier support knows nothing and is generally useless, I believe that if you get escalated to the correct people or sadly rant enough on twitter, you will find that the engineers and people working directly on the products do care. Unfortunately the company is so large that getting the correct level of support and filtering the noise is difficult. It was definitely hard to work for a company and see posts like this when you know that the engineers are working hard long hours trying to fix issues and deliver the best product they can. Of course management and corporate aren’t always as supportive.
May 14th, 2010 at 10:27 am
@sean – I am sure that there are at least some tech staff who are at least somewhat knowledgeable, but here’s the thing… 99.9% of customers would not even think to ask for a ticket to be escalated, period. I was very specific in my wording, and very careful in describing why. To ask a 1st tier tech to please escalate the ticket, be put on hold, and have them go put in the request, and have them come back and tell me that they were not interested in escalating it…?
I am sorry. There is no damn excuse for that.
May 14th, 2010 at 10:30 am
I hosted with network solutions for many years and, yes, they were very good. But I’m not a rich man. I’ll second your vote for hostgator. They’re on top of things. (Watch out for asmallorange, too: I have acquaintances who’ve had bad experience with both them and godaddy. Grrr. Know thy host. See webhostingtalk dot com for reviews of hosts.)
May 14th, 2010 at 11:06 am
I completely agree Michael. There is a reason I’m an ex-employee after years of hard work and seemingly little to no movement from management for change despite promises, I moved on when a move to management was the only choice for career advancement. There simply isn’t a strong technical development path at Godaddy where good enough is spoken far too often. I heard Parsons put it best at one of our developer events, Godaddy is the walmart of hosting.
May 14th, 2010 at 12:00 pm
Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.
Go Daddy has taken a number of steps to gather information from our customers and the industry in order to help with this issue. We have 24×7 Security Operations, Network Operations and Abuse, ready to investigate any complaint which is sent at any time.
Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when revealing too much, such as specific code from the attack, helps the criminals causing the problem.
We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is the world’s largest hosting provider in the world. As the leader, we are working with industry security experts and other top hosting providers.
As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special questionnaire http://www.GoDaddy.com/securityissue.
Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/Support.
- Todd Redfoot, Go Daddy Chief Information Security Officer
May 14th, 2010 at 12:28 pm
Hallelujah! Do you realize @Todd Redfoot that this is the first pro-active response that anybody, certainly me!, has seen from GoDaddy on this? And I’m participating on a number of threads on this throughout the web.
Without wanting to apportion blame (let’s sort out the issues first) have you alerted your first tier Support people to take a tad more seriously any support queries coming in to your Support Center raising these issues?
Let’s be frank. The comments here are not a great endorsement of your company’s Support ethos. Sure I understand that you have been wrong-footed on this, support wise, so are you ‘on the ball’ now?
Bearing in mind that the folks here are pretty clued up and your average customer, I suspect, is not, how about an ongoing update page somewhere?
I take the point about alerting the hackers to the sanctions that you are putting in place – but that said the, up until now, deafening silence from GD needs to be addressed.
May 14th, 2010 at 3:53 pm
[...] I blogged about the hacking situation with GoDaddy hosting and a customer service call I had with them concerning some evidence I had found. While it is true [...]
May 14th, 2010 at 4:10 pm
I’ve an idea. Everyone hosting with GoDaddy, get up and leave. Now.
This could be the great month of exodus. A month where everyone collectively leaves Facebook and GoDaddy. It’s a month of healing.
May 14th, 2010 at 4:31 pm
This is not a GoDaddy or Wordpress problem. I have never used PHP on the web site I’ve built, and currently have only 1 site using Wordpress (I recently took over this site for a makeover). The other 55 web sites I have created for my clients are either in HTML, ASP or ASP.net and spread over 11 different web hosting companies. Most of these sites have been hit in the last 2 weeks, with some being hit 3 times. Lighten up on GoDaddy. They’re not the best, but there are much worse hosting firms out there.
May 14th, 2010 at 4:55 pm
I had 12 affected websites, all at GoDaddy. All of my sites at other hosting providers (such as HostGator) were fine. I did network/Linux security at IBM for 8 years and decided to research this exploit a little on my own since I was getting no help….
I contacted 1st tier support to let them know my findings (including the fact that a fresh install of WP2.9.2 was compromised without a single plugin activated, with strong passwords, and proper file permissions) and I was treated just as any other idiot user without a clue. I was told to simply remove all files and re-install Wordpress (again). The problem obviously was originating server-side or from the control-panel.
I helped clean up IBM back during CodeRed, CodeBlue, and SQL Slammer back in the days, so I know how hard it is for a big entity to respond to something like this. However, there seemed to be more than a fair share of “ostrich-ing” going on at GoDaddy when this first hit. I don’t want to see them go down in flames or be endlessly slandered – I just want some damn help so that I don’t lose my livelihood! My hands are tied.
Enough corporate doublespeak, let’s just get this thing fixed.
May 14th, 2010 at 5:30 pm
Hi Michael,
Stopped by to answer your questions. Network Solutions tech folks are in touch with other hosting companies and the hope is that we can all cooperate and exchange info during times like this. We also sought the help of stopbadware.org. To help Network Solutions customers we partnered with Sucuri.net to provide a scanner to check for malware and for any search engine malware status.
@Maria Allen Please feel free to contact me shashib at network solutions if you still need help. We have a dedicated team for customers affected by this issue and would like to know more if the issue is unresolved.
Thanks,
Shashi
May 14th, 2010 at 5:57 pm
[...] GoDaddy Misdiagnoses Platform-wide Exploits – Under Vox Pop Design I manage a number of “experiments”. These are websites that require a degree of time investment but are invaluable from a learning perspective. Because of their limited scope I usually just host these with GoDaddy for the low price. No more. About a month ago I noticed that a Pligg-based site had been compromised and was serving malware to unsuspecting visitors. Some frantic password changing, site scrubbing, and contact with GoDaddy later things were restored but with a stern accusation that I had not kept my software up to date. That was a bullcrap excuse but I kept quiet; I was just glad to have things back up. Another two weeks and the site was compromised again. After some research I learned it wasn’t just me – apparently a good portion of all GoDaddy’s hosted sites using PHP (including Wordpress, Joomla, Pligg, etc) were repeatedly being infected despite otherwise diligent maintenance and security. The base64 style infections, including hacks named holasionweb, Cechirecom, and Ninoplas, continue and suggest a misconfiguration on GoDaddy’s servers. GoDaddy’s response? GoDaddy maintains users simply need to “update their Wordpress software”. Meanwhile, Bob Parsons (GoDaddy’s founder) is scheming up his next multi-million dollar softcore Superbowl commercial. [...]
May 14th, 2010 at 6:12 pm
[...] Hosting With GoDaddy? Might Want To Rethink That Decision., Smackdown! [...]
May 14th, 2010 at 7:01 pm
Brings to mind when I had one, then two clients whose sites were not being crawled all of a sudden. It was clear the GoDaddy server was disallowing the Google crawler. GoDaddy told me to “call Google.” It got much, much worse. … Long story short, both sites were back to a robust crawl within a day of leaving GD and being hosted on Gator.
May 15th, 2010 at 9:28 am
Well done Michael VanDeMar, and great comments….An analysis of this story will be featured on The CyberJungle radio program. The CyberJungle is the only live newstalk program on data security, privacy, and the law. Listen live Sat 10a-noon PT / 1p-3p ET on http://www.KKOH.com . Podcasts anytime on http://www.TheCyberJungle.com . Podcast edition of the program will post on Sunday.
May 15th, 2010 at 12:59 pm
Smug, ignorant web host tech support is evil. In a fair world, they’d react as if they’re personally liable.
May 15th, 2010 at 2:47 pm
I’ve been involved with the community @ iThemes that have experienced the same mishaps with GoDaddy…. They’ve got a great tool anyone can use to evaluate hosting and servers, and would highly recommend the plugin. It’s called ServerBuddy, and can be found @ pluginbuddy.com. Also need to give them a shout of praise for the BackUp Buddy program….one click backup & migration plugin for WordPress… It’s AWESOME, and easy fix if you need to change hosting.
May 15th, 2010 at 11:04 pm
[...] him on the head and tells him to go away. This happens with surprising regularity. In this case, Smackdown blogger Michael VanDeMar writes about a spate of hacks to blogs hosted by [...]
May 16th, 2010 at 1:11 am
You. Brilliant. Them. Ignorant. What a f*&^ up well outed.
May 16th, 2010 at 2:35 am
Michael, you are perfectly right. I am a web developer and am working on a site for one of my clients. The site is in Joomla 1.5 and hosted with GoDaddy. The site was injected with Malicious code on 11th May 2010. On calling GoDaddy, they redirected us to following URL:
http://help.godaddy.com/article/5612?
and as mentioned there, I cleaned up all the code and changed all the passwords and site worked fine. But somehow the problem came again today. I did some debugging and found that at the bottom of my site a script was being added from following URL at the bottom of the page:
http://holasionweb.com/oo.php
Please no one try to visit this URL as this will inject virus to your system.
This is the same URL as you have mentioned in the plan_erich_php.php file. So it proves that your finding is perfectly right.
I will again upload the clean code and will do joomla upgrade. But I just wonder if this is enough.
May 16th, 2010 at 11:58 am
I used to use godaddy. Their hosting is slow … and so confusing just like their domain service. They should really consider renaming themselves to gorandpa.
I changed myself to http://fathive.com. Everything is great since then.
May 16th, 2010 at 1:59 pm
I checked my server logs and can see a large number of attacks looking for the web links as listed below. The user agent (forged) is Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
So my best guess is that if you have PHP on your server and have any one of the following, you’re at risk.
May 16th, 2010 at 3:29 pm
My blog was hacked several times as well. I wiped it clean and tried a fresh install, and was hacked several days later. I had been running the latest version of WP, and had some security measures in place. After spending countless hours I finally emailed GoDaddy tech support to see if they could offer me any direction in fixing the virus. I got a response stating they looked at my site and found several php files that were infected, and deleted them as a courtesy. I logged into my dashboard, and everything was back to normal, but when I clicked on a previous post, it was gone. In fact, all my posts are gone. I emailed them back and told them my posts were deleted. Their response to this??? Sorry, we don’t offer support on WordPress, and they literally typed out http://www.wordpress.org and told me to look there. I can’t believe that I have to think about moving all my sites as well as all my clients sites away from GoDaddy. I just asked for help to do it myself, never pointed my finger or anything. I have recommended them so many, many times in the past…and just did again. Thank God the company hasn’t switched yet. It was a toss about between Network Solutions, and HostGator…I’ll be investigating both.
It’s a shame GoDaddy got big and started to treat their customers like this. I really liked working with them in the past.
May 17th, 2010 at 9:02 am
I got WordPress hacked, but I was using Dreamhost. It was an unpleasant experience to say the least — almost made me long for the days when I updated my blog and rss feed by hand, using a text editor (a long time ago).
May 17th, 2010 at 10:22 am
I can attest to the fact that GoDaddy is getting hit fiercely and nothing on the user-end can fix it.
Most of my 18 GoDaddy-hosted WordPress installations were up to date. I’d even updated my .htaccess file to be EXCEEDINGLY restrictive about external points of entry.
I had 18 domains running WordPress on the same account (I’m a prolific blogger). Each one hit. All of my clients… also hit with a bit of injected PHP – leaving a bit of encrypted javascript iframes or something at the top of each .PHP file. This is the third time in two months that it’s happened (one site even got hit RIGHT AFTER I cleaned it off).
I contacted support with the issue, they seemed to have no idea what I was talking about. I told them (having received their “Make sure you upgrade WordPress today!” warning and had several clients forward theirs) that the installations WERE up to date.
GoDaddy Rep: “Oh, well, you can go ahead and ignore that warning.”
Me: “Sure, but I’ve still been hit and have no more options on my end. WTF, man?”
The best thing I can think of right now is to:
1) have a clean, offline backup of all your plugins, your theme files, and your config file.
2) when you get hit, just download a clean copy of WordPress and upload it, replacing files only where the size is different (a massive chunk of encrypted php accounts for about 2-5kb, btw.)
3) upload your clean version of your plugins, your theme, and your config file, and you should be good to go.
If you’re still noticing your site acting wonky, it’s likely there’s an infected file sitting somewhere with that block of junk at the top.
What a bunch of jokers GoDaddy… Help us to fix the problem, don’t pretend like it’s our fault. Not all of your customers are so easily distracted by the GoDaddy Girls.
-Nick Armstrong
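The check described in the comment above (compare the live install with a clean copy, then look for the block of junk at the top of PHP files), as an added example that is not part of the original comment. It compares SHA-256 hashes rather than file sizes, which goes slightly beyond the comment; the function names, paths and sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The eval(base64_decode(...)) form of injected PHP reported in this thread.
INJECTED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# The comment reports a 2-5 KB block at the top of each file, so only
# the first 8 KB of every file is inspected for the pattern.
HEAD_BYTES = 8192


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(live_root, clean_root):
    """Compare a live site tree with a known-clean reference copy.

    Returns {relative path: [findings]} for every .php file that is
    missing from the reference, differs from it, or carries an
    eval(base64_decode(...)) call near the top of the file.
    """
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = {}
    for path in sorted(live_root.rglob("*.php")):
        rel = path.relative_to(live_root).as_posix()
        notes = []
        reference = clean_root / rel
        if not reference.is_file():
            notes.append("not-in-reference")
        elif sha256(reference) != sha256(path):
            notes.append("differs-from-reference")
        with path.open("rb") as handle:
            if INJECTED.search(handle.read(HEAD_BYTES)):
                notes.append("eval-base64-at-top")
        if notes:
            findings[rel] = notes
    return findings


# --- constructed sample data (not taken from any real site) ---
CLEAN_INDEX = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
# Harmless stand-in for the injected block: the payload decodes to "CONSTRUCTED".
INJECTED_BLOCK = b'<?php /**/ eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>'


def build_demo(root):
    """Create a clean tree and a tampered live tree under root."""
    root = Path(root)
    clean, live = root / "clean", root / "live"
    for tree in (clean, live):
        (tree / "wp-content" / "uploads").mkdir(parents=True)
        (tree / "wp-config.php").write_bytes(b"<?php // constructed config\n")
    (clean / "index.php").write_bytes(CLEAN_INDEX)
    # Live copy has the block prepended, as described in the comment.
    (live / "index.php").write_bytes(INJECTED_BLOCK + CLEAN_INDEX)
    # A PHP file that exists only on the live site.
    (live / "wp-content" / "uploads" / "thumb.php").write_bytes(
        b"<?php // constructed stray file\n"
    )
    return live, clean


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = build_demo(tmp)
        return audit(live, clean)


if __name__ == "__main__":
    for rel, notes in run_demo().items():
        print(f"{rel}: {', '.join(notes)}")
```

Run against a real site, `audit()` takes the path of the downloaded live copy and the path of the offline clean backup; PHP files that exist only on the live side deserve a manual look even when they contain no `eval`.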
May 17th, 2010 at 10:52 am
@Kris: Network Solutions was the first one to get hacked, even before Godaddy
BTW: Godaddy got hacked again this morning May 17
Luckily I know how to clean it fast… The only problem remaining is “HOW THE &&^^%% TO AVOID THE HACK”
May 17th, 2010 at 10:56 am
I just really don’t care to use GoDaddy for much. I purchase my domains there but I run them through another server. Never had that great of experience hosting on GoDaddy.
May 17th, 2010 at 11:11 am
[...] of hacking attacks on Wordpress blogs at godaddy. I was not surprised to read Smackdown blog post Hosting With GoDaddy? Might Want To Rethink That Decision where he said: That was when it struck me… GoDaddy was claiming that this wave of Wordpress [...]
May 17th, 2010 at 1:11 pm
I adapted a short and simple script that lists all infected files, prompts to clean them and lists all cleaned files. See this post http://bit.ly/c2yGCP
Hope it helps cleaning…
But how do we prevent the hack, is still a mystery…
p.
May 17th, 2010 at 2:43 pm
[...] Hosting With GoDaddy? Might Want To Rethink That Decision Do you use Godaddy for any of your web hosting? A lot of people do, including me. I run a few smaller blogs on the platform while I use a much larger private server that runs on the Amazon cloud for any commercial projects. Apparently blogs using wordpress on the Godaddy servers are vulnerable to being hacked. This in-depth article has all you need to know about fixing the issue. [...]
May 17th, 2010 at 5:34 pm
[...] WordPress is incredibly secure, and we also take security very seriously. E-mail security@wordpress.org if you believe you have discovered a vulnerability. All indications are that these are server and hosting configuration issues. Network Solutions admitted the hacks infecting their users were their fault, while GoDaddy is demonstrating arrogant cluelessness. [...]
May 17th, 2010 at 10:39 pm
I host a wordpress site on Godaddy, I was hit last week and *today* with the malware attack. I’m so glad I’ve been reading up on blogs that mention this is actually a security risk on Godaddy’s side. Called them, no help whatsoever, they actually sent me a link where it gave me two short paragraphs that did absolutely nothing.
How easy is it to move hosting providers? I don’t have the time to deal with Godaddy’s “issues”.
May 18th, 2010 at 11:39 am
[...] Hosting With GoDaddy? Might Want To Rethink That Decision. – oh and speaking of losing it, Michael was also on the war path (wow, lively bunch this week). I had been hearing a lot about this over the week, great job of laying it out [...]
May 18th, 2010 at 12:44 pm
I’ve had this issue with them for over a year now, and I use gobbledy-gook for usernames and passwords for exactly this reason. Even so, we have had the eval() attack hit non-wordpress sites, a clear signal that it’s a problem with the GD hosting environment, and one that they are patently unwilling to look into.
When your single page, adsense “website” is getting this attack pushed onto it, it’s not a wordpress flaw. It’s a hosting security issue.
May 18th, 2010 at 12:52 pm
This has been GoDaddy’s standard operating practice. Corporate culture, ethics, and standards flow from the top. I’ve been surprised that GoDaddy hasn’t been sold, Bob Parsons has been a brilliant leader in creating businesses and selling them at huge profits. But his leadership regarding ethical practices speaks for itself – corporate culture flows from the top down. Todd Redfoot’s example above is prime – deflect but avoid actually addressing or correcting ethical problems. Having personally spoken with their media department, their standard practice is consistently to “posture” as engaging but with no apparent intent of actually correcting lapses, ethical, or questionable practices. Todd certainly appears to be “posturing” … deflect and appear engaging. But is there any sincere “intent” to address underlying issues? The author Michael VanDeMar above offered to provide technical assistance but did Todd Redfoot in his post follow up on this offer? Or did he simply attempt to “appear” engaging but with no intent of actually following up?
It appears obvious to me … hopefully your readers can weigh words versus actions and judge for themselves …
May 18th, 2010 at 2:29 pm
I’ve been a GoDaddy client since 2002. To date, I’ve only had one wordpress account that I own hacked, and that was the 2.8.4 problem.
From your description, I’m understanding that this problem occurred on shared hosting. I’m still with GoDaddy for my business website and primary blog but I have a dedicated IP … which may eliminate the risk of intrusion because my websites are on another and perhaps more secure server. The expense for this is a whopping $36 more a year. If it provides peace of mind, why not?
Using the “one click install” at any host may be easier but it is not necessarily the wisest choice for wordpress security. Conventional wisdom is that managing a wordpress site is easy … perhaps because the software is free. The truth is, folks need to roll up their sleeves and learn something about the software, including how to keep it secure. One may need to get a little “mud under their fingernails” and be forced to dig into MySQL to shore up a few things too.
The same things goes for free templates. There are millions of sites that offer them, and some are beautiful too, but the first thing everyone should do when they download a free theme is to investigate the scripts for encrypted code. I’ve done this since 2004, when I first began fooling around with Wordpress.
I rescued client blogs from the Network Solutions debacle a couple months ago. Matt Mullenweg would not dignify complaints about his software when the proverbial crap hit the fan but, the truth is, Wordpress is popular and hackers go after popular things that are well documented, such as Wordpress is. Maybe the only way to be certain that your wordpress websites are secured is to run the software on your own servers. But then there is all that freeware out there so you are still at the mercy of the plugin creator. How about Linux itself?
We can live in fear of hackers, and choose to blame one hosting service or another, but that only keeps us stuck. Hard to get anything done that way.
I’m considering leaving GoDaddy, but not because I feel their service or support is bad. GoDaddy’s shared hosting service does not support WPMU in the way that I want to implement it. I’ve had a good run with GoDaddy and would recommend their services to anyone.
May 18th, 2010 at 2:32 pm
I had to file a complaint with the BBB against GoDaddy to get my issue resolved. Enough said.
May 18th, 2010 at 2:40 pm
@Marj – Not getting hacked yet does not mean that you are safe, and having a dedicated ip does not mean that you are on a safer hosting environment. It may not even be all shared servers that are at risk at GoDaddy… but it sure is a hell of a lot of them. Gratz at not getting hacked so far, but that doesn’t make GoDaddy ok, not by a long shot.
And just fyi this is not “one click” installs that are getting hacked, it’s not even just Wordpress. It has nothing whatsoever to do with downloading themes with code in them, and even though it may comfort you to blame this on webmasters being lazy it is not the webmasters fault that they are getting hacked.
May 18th, 2010 at 3:15 pm
@Marj – ditto re the above. When my clients tell me that their ‘secure’ (all good security and update practises in place) Wordpress blogs have been hacked – and these are sites using ‘serious’ Premium themes and not some silly free theme + minimal plugins then can’t we all just agree that it’s a hosting vulnerability (GoDaddy or Whoever.com).
Constantly referring to the poorly informed clowns who download every free plugin and free theme is not addressing the fundamental issue which is that the hosting company has been hacked – not the individual user (no matter how good, or poor, their Wordpress security is).
Let’s face the facts: Godaddy and the other providers that have been hacked need to get off their complacent backsides and address the issue, inform their clients of how they are doing so and to re-train their Support Staff to come up with answers and not ‘silly, get off the line, excuses’.
Pretty straightforward really! I know if I was running one of these hacked companies what I’d be doing. “Heads can roll later – let’s fix the problem!” would be my credo.
It doesn’t help with this ‘hands in the air’ and ‘passing the buck’ BS that seems to be going around at the moment.
Any company that’s been hacked, keeps me informed and hopefully, eventually, tells me what they’ve done to fix the issue will have my full endorsement and future business.
May 18th, 2010 at 3:21 pm
@Michael VanDeMar …
To be clear, the intention of my reply was to NOT lay blame on anyone or anything and I don’t consider choice of hosting services to be a religious war. I sure would not choose Network Solutions, however. I also think that “the most popular” service isn’t necessarily the best service when features and functions are compared objectively.
I also don’t feel “safe” anywhere online so please don’t read into what I wrote by putting those words in my mouth.
I was merely presenting ideas for shoring things up, no matter where you are hosting your sites.
There are a lot of “moving parts” to any website. Hackers are malicious and they’ll find their way in, if that is their goal.
May 18th, 2010 at 3:37 pm
“The expense for this is a whopping $36 more a year. If it provides peace of mind, why not?” – here you are suggesting that the problem can be solved by webmasters not being cheap.
“Using the “one click install” at any host may be easier but it is not necessarily the wisest choice for wordpress security.” – here you are suggesting that the problem is that the webmasters are not doing enough manually themselves.
“One may need to get a little “mud under their fingernails” and be forced to dig into MySQL to shore up a few things too. ” – here you are suggesting that by doing these manual tasks the webmasters could have had some control over whether or not they got hacked on GoDaddy. This bit is straight misinformation, and indicates you don’t really have a grasp of the situation, or perhaps that you commented after only skimming the details.
In any other context, on a post on its own, your comments have merit. However, this is a post discussing the situation on GoDaddy’s servers, which I assure you is very real and not anyone’s imagination, GoDaddy’s refusal to do what is necessary, and their mistreatment of customers by inappropriately putting the blame back on them. “The truth is”, Marj, regardless of what your intentions were or were not with that comment, that is how they came across. And although I do recommend HostGator in the post, this had nothing to do with any kind of “my host is better than your host” argument going on anywhere else on the internet. This is strictly about one situation going on now at one company (and again if you read the post you would know that I acknowledge they are not the only host getting hacked… just the largest and apparently the most arrogant).
May 18th, 2010 at 3:48 pm
@Michael VanDeMar
I don’t remember saying anything about webmasters in my initial post so I still think you are reading too much into what I wrote. I was addressing DIY-ers.
I might argue that Network Solutions is far more arrogant and that their support is pitiful.
Thanks for your agreement with what I wrote, @Clive at BlogBriefing.com.
May 18th, 2010 at 3:59 pm
@Marj – “webmasters” are people who own websites. I have no idea what distinction you are trying to make.
If you Google [network solutions thieves] you will see this blog come up first. Generally speaking? Not so much a fan. However, in this instance they were far faster at admitting they had a problem (and actually asking for help from developers, from what I understand) than GoDaddy has been. Coming from me, to say that NetSol had a better response than GoDaddy is pretty damn big deal.
Lastly (lastly from me, anyways), I think the fact that you are thanking Clive for agreeing with you speaks volumes towards whether or not you are actually reading what is being said. As far as I can tell he wasn’t agreeing with you.
May 18th, 2010 at 4:08 pm
Ok. I can’t read and my counterpoint was unwelcome.
Good Luck.
May 18th, 2010 at 7:52 pm
So, I started this morning finding out that my blog had been hacked for the second time in a week–both times a PHP injection attack. But GoDaddy customer support was very responsive, and I’m back at full steam now. They seem to be taking this wave of incidents pretty seriously.
May 18th, 2010 at 9:57 pm
So GoDaddy has ramped up the paid advertising to offset the loss of customers, as evidenced by the recent deluge of TV ads during sporting events and the numerous discounts on domain names. This is costing the company big-time marketing dollars.
My prediction is that the company will revive their IPO to raise oodles of cash for operating cash and so that the 4-5 bigwigs can “cashout”.
However, imagine this: The President, CFO and IPO underwriters do “road shows” for financial analysts and others that they expect to push the IPO stock sale. At the road shows, they get hit with a bunch of *tough* questions about their security issues, class action lawsuits, examples of employee dissatisfaction and discrimination lawsuit (lost the appeal) with huge payouts, and, many other issues. Armed with questions we will provide, these financial analysts will drill the executives and understand first-hand why this company fails at the basic tenets of Sarbanes-Oxley requirements, demonstrating why the GoDaddy IPO is a huge risk to investors.
Look for hot-to-handle questioning periods during these road shows. Guaranteed.
May 19th, 2010 at 11:04 pm
I’m hosted with a GoDaddy reseller, which has a different brand name, but is hosted on the same servers. If I have a technical issue with code level or developer level scope, I don’t call in to general tech support because I understand that they are generalists, not trained programmers, and not trained as hosting server admins. I don’t expect the people that answer the phone to have my level of expertise, otherwise, they’d be too expensive to hire to answer the phones.
What I do instead, is to submit a ticket through my hosting control center. This is generally escalated directly to the hosting support team, the same team that would get my ticket if I asked the phone support rep to escalate it. I save myself the headache by going directly to the people that are going to fix the issue.
I think you are on to something, and you can do everybody a great service by logging in to your GoDaddy account, opening your hosting control center, and submitting a support ticket directly to the hosting team. Include your analysis, the name of the file, the decoded script text, and your recommendations for solving the issue. The ticketing system may reject the script text if you paste it directly into your online support request, so I recommend you wait for a response to your initial ticket, and reply to their response with your txt file included as an attachment.
May 20th, 2010 at 10:13 pm
After my website which is hosted by Network Solutions was attacked a week ago, I signed up with a Sucuri service to notify me if malicious code appeared on my site. Well, I just got a notification an hour ago. I couldn’t really understand the notification, but when I went to my site, a 404 error page came up instead of my homepage.
The only difference between my remote and local pages that I could find was a page called .htaaccess on my remote site. I removed that page, and perhaps coincidentally, my site worked properly again. Can anyone tell me what .htaaccess is, and whether it might have been the source of the problem? I’ve been reading this blog to try to understand a little more about all of this, but it’s very complicated stuff. Thanks!
May 20th, 2010 at 10:31 pm
@Maria – the .htaccess file can indeed cause a 404 to appear, and technically it can be involved in a hacking attempt, but it is also very normal to have one and especially in a Wordpress blog. One of the things that a .htaccess does is it allows permalinks to your blog posts beyond the simple domain.com/p=999 format. It also works in conjunction with caching plugins to reduce load on your server.
Did you happen to save the file before deleting it?
May 20th, 2010 at 10:34 pm
This was the code in the .htaccess
It’s actually a website hosted at NS, not a Wordpress blog.
Options -Indexes
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.html$ ./htdocs/phplogin/includes.php [L]
RewriteRule ^(.*)\.htm$ ./htdocs/phplogin/includes.php [L]
May 20th, 2010 at 10:58 pm
@Maria – not being that familiar with the NetSol hosting setup I can’t tell you whether or not there would be legitimate reasons for that being there, but assuming that the includes.php file referenced did not exist it definitely would explain the 404 errors. It’s almost as if someone were trying to make your html files process that php script, although for what reason I could not tell you.
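Added example, not part of the original comments or anyone's production tooling: a small check that flags `.htaccess` rewrite rules which hand static-looking URLs (`.html`, `.htm`) to a PHP script, and reports whether that script exists, since a missing target is what would produce the 404s discussed above. The function name, the extension list and the path resolution are assumptions made for illustration.

```python
import re
from pathlib import Path

# Constructed sample: the rules quoted in the comment above.
SAMPLE_HTACCESS = r"""Options -Indexes
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.html$ ./htdocs/phplogin/includes.php [L]
RewriteRule ^(.*)\.htm$ ./htdocs/phplogin/includes.php [L]
"""

# Constructed contrast: permalink-style rules of the kind a WordPress install uses.
WORDPRESS_HTACCESS = r"""RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

# Extensions that normally name static content (an assumption; extend as needed).
STATIC_EXT = re.compile(r"\\?\.(html?|shtml|txt|css|js)\b", re.IGNORECASE)


def audit_htaccess(text, docroot):
    """Return RewriteRules that hand static-looking URLs to a PHP script."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        pattern, target = parts[1], parts[2]
        script = target.split("?", 1)[0]  # drop any query string
        if not script.lower().endswith(".php") or not STATIC_EXT.search(pattern):
            continue
        # Simplification: resolve the target relative to the .htaccess directory.
        rel = script[2:] if script.startswith("./") else script.lstrip("/")
        findings.append({
            "line": lineno,
            "pattern": pattern,
            "target": script,
            "target_exists": (Path(docroot) / rel).is_file(),
        })
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "."):
        state = "present" if f["target_exists"] else "MISSING"
        print(f"line {f['line']}: {f['pattern']} -> {f['target']} ({state})")
```

A flagged rule is a lead to review rather than proof of compromise; some sites legitimately route `.html` URLs through PHP.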
May 21st, 2010 at 9:30 am
[...] Seems the problems stem from my hosting site, GoDaddy (read more here.) [...]
May 22nd, 2010 at 5:52 pm
[...] I explained again, in a little more detail, why looking at the section of those logs was very important, and if she didn’t have permission could she please escalate the ticket to someone who did. Again, she put me on hold. This time she came back and told me that they were uninterested in escalating it. via smackdown.blogsblogsblogs.com [...]
May 25th, 2010 at 12:41 am
[...] but when contacted they couldn’t tell me what those vulnerabilities had been. Then, there was this article about why you should probably think about switching web hosts if using Godaddy that further opened [...]
June 8th, 2010 at 6:52 pm
Michael, this difficulty you encountered is endemic at GoDaddy; they have a culture of narcissism that really has destroyed their reputation among those of us who webmaster for a career. I too was lured into putting a few customer sites there (and still have one…for now…), but moved them off when I encountered:
* problems that were mysteriously “fixed” only when I called in…but with no explanation as to why/how…
* cheap hosting plans, but ridiculous email account constrictions
* pleasant, but sometimes not really helpful 1st-tier support that wouldn’t escalate the problem they couldn’t solve
* circuitous, very poorly organized menus to access domain and hosting controls. You almost need to call every time.
* Arrogance from the support staff any time you might suggest a better way to accomplish something. You see, the GoDaddy way is the best way…we just aren’t at a level to appreciate that…
They just do not listen. Like you said, too busy looking for the next pair of titties to flash on a commercial to focus on basic business improvement. Oh well, good thing that there is no shortage of hosts…
June 9th, 2010 at 9:49 am
One of my client’s sites was hacked for a third time yesterday and this is after a fresh install of everything and changed passwords. One thing I noticed is that FTP access is automatically enabled in the WP admin so that you can update plugins and the core from the back office. I’m looking for a way to disable this because I feel like maybe this has something to do with the hacks. Do you know how to turn this off?
In my own personal sites, which are not hosted on GoDaddy, there is a place for me to enter the info manually but that doesn’t seem to be available on their site.
June 10th, 2010 at 12:18 pm
You think that’s bad? Try hostingrails. When they got acquired and updated their database/cpanel, they destroyed all my user grants, causing all my functioning dynamic sites to be inaccessible in one fell swoop. And never apologized. I had to go in and recreate them. When I sent in a support ticket to restore grants from backup, they were all like ‘whuuuut?’ fools. When I recreated the users, I noticed the names are truncated because apparently they upgraded to a newer version of mysql in the mix, which has char limit restrictions so their scripts were temporarily broken. So, don’t host with them. They are foolish fools who don’t know what they are doing. As a customer, I should not know more than they do about what they do.
June 11th, 2010 at 3:45 pm
A subdomain on a site I have hosted at GoDaddy has just been infected again (fourth time in 3 weeks).
Identical exploit, different domain name, same IP name.
Weird but a Modx site (php) on another subdomain is not affected (yet).
Last time Modx, Wordpress and any php outside the apps was infected.
This install of Wordpress was a clean install of a new site, new passwords etc.
The fact it has happened on the same server, same domain, makes one assume GoDaddy is no closer to securing the whole server.
These guys have unrestricted access to any site on this server and any talk of it being the application or lack of maintenance by the site owner is not the whole picture despite GoDaddy claims to the contrary.
I am more fortunate than most, this site is my own home page (a bit experimental and not a client site) so apart from wasted time I can live with it.
These attacks have actually done me a favour and exposed how bad php shared hosting is as a business model, albeit a very cheap model.
I am moving towards cloud hosting asap, some providers even offer free hosting for development work.
June 15th, 2010 at 6:38 pm
Our site at Go Daddy has been down for over 10 hours. They had a problem with the server. With today’s technology, no web server should be down more than 15 minutes. After escalating it all the way to the president’s office, their answer was the same “We are working on it”. They could not give me an estimate when it was going to be fixed. How sad is this. They have no idea after 10 hours how long it will take to restore the data. I could have set up several servers and restored the data in this amount of time. Being unable to estimate the time to recover a server and the data just shows they have no clue what they are doing.
June 21st, 2010 at 1:11 pm
Godaddy is crap.
They should be chased away from hosting business and should be left alone with domain registration services.
About 10 wordpress sites of ours too got hacked..
Their support team just copy/paste answers from knowledge-base and they really don’t have any knowledge.
They were unable to fix simple php.ini thing on my account and keep on saying that our sites are hacked therefore it’s not working and then they don’t provide scripting support.
Later on I myself found it’s not working coz php.ini should be named as php5.ini
Perhaps Bob Parsons has no time to look at the quality of support provided by his company and instead is all time just busy with his girls.
June 24th, 2010 at 2:09 pm
I’ve just found this thread after reading about these hacks and I’m now concerned. While I haven’t been hacked yet, I am new to WordPress and am currently building sites using it, all of them hosted at GoDaddy. All of the sites I’ve built previously have been with ASP.NET or simply .ASP, so I’m very new to PHP code. I have had very little problem with the .ASP sites being hacked (it happened once, but didn’t destroy anything), and I’m wondering if the hack is relevant to the type of hosting (Windows or Linux). I use Windows, only because I built sites in .ASP, and all my WordPress sites are on a Windows server environment with IIS7.
Are the hacks specific to Linux or can they happen on a Windows server as well?
June 25th, 2010 at 5:03 am
[...] taken steps to prevent such a hack from occurring, I couldn’t figure out what had happened. Then I saw this and realized that is exactly what had happened to my site. I felt a little bit better that this [...]
June 25th, 2010 at 6:42 am
I use http://www.Cheap-domains.IT and their auto Joomla Installation wizard. Never had an issue and used them for 6 years.
June 25th, 2010 at 1:51 pm
All the hacks on my site were infected PHP files (linux hosting) so I assumed the issue was PHP related, some Javascript calls were installed via PHP but no existing scripts altered and HTML was untouched, on the Wordpress site the CSS structure in the admin page just disappeared.
I have followed a lot of threads on this issue and don’t recall any comments on specific server types (ie Windows vs Linux).
As a devout Linux user (including personal operating systems) I would like to think Linux is not the issue but maybe it is a hole in Apache Server letting them in or more likely the way Godaddy configures and maintains it.
I am sure it is not the apps that are at fault because the infection on my site went across three different applications, all PHP based, all were current versions and all differed slightly in the way they were secured.
Whatever the cause of the security breach the real issue for me has been the way Godaddy managed it, or didn’t manage it, would be more accurate.
My only real feedback from them since the last attack has been a quantum leap in the number of promotional emails offering me (and I guess everyone else) discounts on hosting and domain registration.
It feels like their solution has been to let those customers who are dissatisfied to just wear it or walk and replace them ASAP by mass advertising.
I am a realist about the limitations of shared hosting and this second round of attacks has made me look to virtual dedicated servers or cloud hosting for the future; where previously I would have looked to Godaddy to upgrade, I would no longer consider them for anything but domain registration, given their disgraceful management of this issue.
Rather than worry about whether Windows or Linux is more secure I would be more worried about who is maintaining the system whatever it is. Godaddy have a lot of ground to cover to regain any credibility in server security and customer management.
July 1st, 2010 at 6:04 am
I love to hear positive contributions about hostgator. These guys are truly helpful. I have my dedicated server with them and any time a trouble comes calling, they are ever there to assist. What is even more amazing is their response to problems. I compare hostgator to none other. I am a host provider but I have always dreamed to reach their level.
July 12th, 2010 at 7:28 am
I have a Wordpress website on GoDaddy and my site has been slow recently and intermittently down a few times the past few days. I did not upgrade to Wordpress 3.0 until today. How do I know if I was hacked and how do I fix it?
July 13th, 2010 at 9:04 pm
I recently had a Godaddy hosted WordPress Posts populated with redirecting iFrames. The WordPress files themselves were unaffected, just the database was ‘corrupted’/hacked. After much research I discovered that I certainly wasn’t the only Godaddy hosted site to be affected.
The thing to take away here is that just because a Site runs WordPress doesn’t mean that every hack-attack is because it is a WordPress Site!
July 13th, 2010 at 10:06 pm
Good point, Gary. I think Mullenweg’s crew has done a pretty good job of making the platform safe, but anytime you start tacking a bunch of open-source stuff on, you may be opening up a Pandora’s box of new vulnerabilities. Aside from that, with Wordpress’ growth rate, I think it was inevitable that hackers would start to focus on it. The idiots see it as a challenge, I suppose. Any “new gun in town” becomes a target, once they get big enough to attract attention. Wordpress is definitely there!
July 21st, 2010 at 3:30 pm
So, what do you do when they are getting malware on an html site? All of my sites seem to be systematically getting it and I just re-uploaded my waterbeads4plants.com site and it still says I have the malware. Not sure how to get it off.
July 21st, 2010 at 4:00 pm
@Jenn – your site is in php and has a Wordpress blog attached to it, so I am not sure what you mean by “an html site”. You probably have a backdoor somewhere on your site that you are missing. Do you have more than one site hosted on the same account? I would check those as well if so. Also, please check out my hacked Wordpress cleaning guide, it might help you out.
July 27th, 2010 at 9:09 pm
In early July our GoDaddy site(s) were hacked. We are not even a Wordpress site. PHP files were added to the site and other files had lines of code added. It took days to get the site cleaned up…we are attacked over and over. GoDaddy insisted to my client that it was our problem and not theirs. I don’t know, but I found the PHP file on our site is well-known malware. I can’t help but wonder why Godaddy doesn’t do a sweep for malware files.
August 3rd, 2010 at 10:46 pm
Can anyone help?
I have been with GoDaddy for years and just had my first hacking. I purchased a new domain on 8/2/2010, and installed Wordpress 3.0.1 (can’t get any more updated than that).
I immediately went to work on my new blog. But when I tried to install a plug-in, that’s when I found it had already been hacked. When I click to install a plug-in, I get a window that says, “Are you sure you want to install this plugin?” And when I click yes, Avast gives a virus warning and the blog redirects to http://ns2.wheelerairservice.c.....mysite.com . . . .
I find it hard to believe this is Wordpress. It happened too fast. Go Daddy was useless. They sent me a silly email with an overview about how to detect and prevent malware. They said it appears someone hacked into my hosting account and there was nothing more they could do.
Please help me. Why is the attack only affecting plugins and what can I do to get rid of it? Any suggestions? I want to get moving with my new blog but I am stuck at square one. I have 15 other blogs hosted with Go Daddy & no problem.
Keep in mind I am not a techie at all. Please dumb down your reply. I beg of anybody. Not too proud at all.
Thanks.
August 5th, 2010 at 8:52 pm
If it helps anyone else, after finding I had 10 more blogs infected, I called Godaddy and calmly asked, “How much will I be refunded if I were to transfer my hosting?” He immediately asked me why I wanted to transfer after being with Godaddy for so long. I calmly explained why . . . e.g., I told him, “There’s malware on my blogs/server and I’m tired of messing around with it and would prefer to just drop Godaddy and start fresh somewhere else.”
He then spent 45 minutes on the phone with me and when I hung up, all the malware was removed. Godaddy “does” have the ability to quickly scan for malware AND remove it.
I don’t know if I will be reinfected. All passwords everywhere were changed and I am safe for the moment.
I don’t know if I got lucky and got a good guy on the phone or if it’s because of all the money I have paid Godaddy over the years, or both.
Whatever, I am grateful.
Good luck to everyone.
August 6th, 2010 at 2:42 pm
Unbelievable that this is still going on, look at the dates on the first comments.
In any other market sector Godaddy would have been sued within an inch of their life by now.
I hate to say it again but changing passwords, reinstalling, cleaning files et al, did not stop my domain being reinfected 4 times in as many weeks, basically these attackers can enter Godaddy servers at will.
It just appears to be a matter of luck whether you are hit, while good site housekeeping practice is important, it will not protect you fully.
The only common denominator on my domain was files written in PHP (not just Wordpress).
I still have a few sites running on Godaddy but will move them as hosting expires and all new projects are being done in Ruby on Rails (very steep learning curve) and deployed to “cloud” hosting (cheap and nothing is written to disk on the server, ie nowhere to leave a malicious script if they can get in).
August 6th, 2010 at 2:49 pm
@Greg – just so you know, I have seen hacked sites on a cloud setup before, and I have seen entire php scripts embedded into the database as well. You need to make sure you go through your database very carefully when doing a cleaning… it’s why many automated cleaning processes don’t cut it.
I am not saying that GoDaddy is in fact safe, because I do not know. I am just saying that I have seen some very cleverly hidden back doors in some of the sites I have cleaned. If you want me to take a look at one of your sites after you have cleaned it, see if I might be able to spot something you missed, let me know.
August 6th, 2010 at 3:40 pm
I guess nothing is bullet proof but these guys seem to be going for the low fruit and Godaddy seems to be very easy picking.
Why is PHP targeted so heavily? It gives the impression of being insecure compared to say Java or Ruby.
Pity because I love WordPress as a platform, if you just want to blog it’s the only way to fly.
I did not clean my sites, I just destroyed them and started again with new installs, new databases and new 10 character 6 digit passwords, it didn’t help.
On one install I was actually infected while online putting up the first post (very boring).
Will keep your offer in mind (thanks) for the two WordPress sites I still have, which so far have not been touched (they are on Godaddy) but they are pretty low volume sites not in the root folder of the domains they are on, don’t know if that’s relevant but I have lost sites in the root folder while subdomains have escaped infection on other domains.
August 30th, 2010 at 10:45 pm
I am making a very educated guess here……GoDaddy’s e-mail servers are infected which is why for over 2 weeks now they keep getting blocked by Microsoft (MSN & Hotmail) and Yahoo.
I sent out an e-mail today and got bounce backs from addresses I did not send to and my system is totally clean.
I called GoDaddy this morning regarding bounce backs of legitimate e-mails sent by my clients to legitimate MSN, Hotmail & Yahoo accounts. They denied they were being blocked again. BS!
When I got home this evening I checked my e-mail. I had sent an e-mail to one of my contacts at Dell this morning and in my Inbox this evening was a bounce back from GoDaddy with a bunch of e-mail addresses that I obviously had not included in my e-mail. After scanning my computer (just to assure myself that it was not me, which I knew) I called GoDaddy and told them that I believed their mail servers were infected and that explains why they keep getting blocked. I was asked, infected with what?? Oh gee, here we go again….ummm, Malware, a virus, a rootkit, how the heck would I know what the infection is….I am sure they know!!!!!!!!
Bob Parsons needs to take this seriously. Your customers do not like being lied to nor treated like we have no clue as to what we are talking about.
After mulling today’s events over in my head I called back. I explained to the rep that since I believe their mail servers are infected that I was worried that their hosting servers were infected also. I have clients with online storefronts, etc. The guy got a little nasty tone in his voice and said my e-mail issue had been escalated and blah blah blah I would hear in 1 to 3 days via e-mail as to what might have happened. Mail servers are separate from hosting. Really, that’s all you have to say….they got your e-mail servers….how can I be sure that they haven’t gotten to your hosting servers????
I responded that I couldn’t believe that they aren’t taking this seriously….would GoDaddy be honest and say if they are/were infected. He said “They have to tell us”. I responded, Really???? that all I got when I called this morning were lies lies and more lies. He did not like that. Too bad! This is serious stuff boys and girls!
Oh and I saw a comment from a Network Solutions person in the thread………they lied lied lied about their issues in May also and they lied last week about AT&T blocking them, and they have always lied which is why I switched to godaddy in May and have been moving my clients to them……….damned if you do and damned if you don’t.
I do agree………..all the hosting providers at some point have issues but the thing is……..BE HONEST. Inform your customers and inform them fast! Apologize profusely especially regarding this issue………..your e-mails are being sent to people you don’t know and you don’t even know it.
Never, and I mean NEVER send anything via e-mail that has “sensitive” information. If you really need to e-mail “sensitive” information, use encryption!