One of the services I offer people is cleaning their WordPress installations of hacks and infections, mostly for those who might not have the time or technical expertise to follow my hacked WordPress cleaning guide. Therefore when something happens that increases the number of people getting hacked, such as when a new exploit is discovered, or a security hole in a large host starts getting exploited (like what happened with Network Solutions last month), I get an increase in the number of people requesting help cleaning things up. This month it started happening with a large number of GoDaddy customers.
When it first started to happen I did some searching around, and noticed that there was some discussion going on about the heightened GoDaddy hacking activity, but at that time everything I read that stated the problem was with GoDaddy customers all had roots pointing back to a single post on a company blog that didn’t offer enough details for me to really see why it was happening there and not other places. Not that WordPress on other hosts weren’t still getting hacked, but there has definitely been a higher concentration of instances on GoDaddy. GoDaddy was definitely aware of the issue, and even replied in some threads on the WordPress.org help forum:
GoDaddy.com did send out a notification to customers affected by this issue. Although I know you would prefer not to be linked, I want to avoid flooding the forum. For a step-by-step guide to update WordPress, please visit http://fwd4.me/NGN – Alicia from GoDaddy.com
The link to their “step-by-step guide” to updating WordPress turns out to be nothing more than than a link back to WordPress’ own guide to upgrading, and links on how to back up your stuff on GoDaddy. Decidedly not step-by-step imo, and in this case not all that helpful. If the reason your site gets hacked is due to you running an older, insecure version of WordPress, once that happens simply upgrading will not fix the issue. This seems to me to be a bit of a lame response to a serious issue coming from a company that bills itself as the “World’s largest Hosting Provider”.
GoDaddy keeps insisting that the problem is due to outdated WordPress installations, and that staying up to date and site security is the responsibility of the customer, not of GoDaddy. In one sense I completely agree with them. If you run an older version of WordPress that has known security holes in it (ie. pretty much all versions aside from the most recent) then the odds are that you are going to get hacked. Most of the clients I cleaned from GoDaddy so far were up to date, running version 2.9.2, but this still didn’t mean that it was GoDaddy’s fault, since it is possible for a site to get hacked and no signs show up for months. This means that the sites I was cleaning could potentially have had the hack from an older version, and it only became apparent some time after they upgraded.
The problem is that after doing some very thorough clean up jobs (ie. wipe and reinstall), and making sure the clients were up to date, all passwords changed, all image files verified as actual images, clean WordPress, clean theme, clean plugins, and hand cleaning the database, I had clients still getting re-hacked.
One client I had was having issues with funky characters in his posts. He would make the post, everything would be fine, and then the next day they would be converted in a way that would make them display as unicode. This was well after I had done my cleaning, and no one should have made any changes to the database since then. My assumption was that GoDaddy themselves was making changes, possibly security upgrades related to the recent hacking waves, and I figured that calling them to see what they had done would be the best bet. In preparation for this I went ahead and logged into the client’s account, and ftp’d into the server just to make sure everything looked like it was in place still. As soon as I did I saw that about 30 minutes before a brand new, non-Wordpress, oddly named php file had been dropped into my client’s site.
I downloaded the file and looked at it. I suddenly realized that this was the source file for all of the hacks that were happening. It was named “plan_erich.php”, and had similar eval(base64_decode( instruction at the top of the file. I modified the code to be able to decrypt it safely, and looked through the output (which you can view here). The script was designed to delete itself as soon as it ran:
$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);
Finding this script before it was triggered and deleted itself was raw luck. Catching this file gave a great opportunity to actually track down how these hacks are occurring, and possibly would leave clues that GoDaddy could use to keep it from happening again. Looking at the owner/creator of the file, and matching that timestamp up with the various logs (ftp, ssh, http, mysql, etc) could give GoDaddy the information needed to figure out how the file really got there, instead of just guessing that WordPress was the issue. I have never seen a file like this before, and searching Google for the name yielded no results, so there really was no other information out there available on this. Finding it there was a little like hitting the lottery in that respect, random and very, very good luck.
The problem, however, is that GoDaddy didn’t seem to care. I called and explained to the woman I spoke with exactly what it was that I found and how it could be useful. I told her that matching up that file to the logs could yield some potentially valuable information. She did listen carefully, and I am pretty sure she understood what I was saying, because she asked if she could put me on hold to go talk with someone who might know more. She came back and informed me that she didn’t have permission to look at those logs.
I explained again, in a little more detail, why looking at the section of those logs was very important, and if she didn’t have permission could she please escalate the ticket to someone who did. Again, she put me on hold. This time she came back and told me that they were uninterested in escalating it.
At this point I was a teensy bit amazed at GoDaddy’s lack of concern with the issue. She very kindly informed me that the issue was that the client was running an older version of WordPress, and that we needed to upgrade. Wtf? I went and looked, and made sure that he was indeed still running the 2.9.2 version that I had installed over a week ago (and remember, he was running that version before I ever did anything), and he was. I told her that. She told me that no, she was looking at what the hosting control panel said, and that he was running version 2.6.
That was when it struck me… GoDaddy was claiming that this wave of WordPress hacks was due to clients not upgrading without even bothering to really look at the clients sites. The hosting control panel can only report what was installed via the hosting control panel itself. If a client pushes the button to upgrade WordPress from within the WordPress admin section then the hosting control panel will never know.
As amazing as it seems, apparently the entire GoDaddy technical support team is ignorant of this fact. That’s right… the “World’s largest Hosting Provider” doesn’t understand the very basics of how the world’s largest blogging platform works.
Something, probably a hosting configuration, is allowing GoDaddy customers to have their sites hacked, and it isn’t file permissions, insecure passwords, or out of date software. Not being willing to even look when a developer calls to tell you that they found something is completely unacceptable. My suggestion to all GoDaddy hosting customers: bail now, before something happens to your site. This is not a WordPress issue only… although it seems to have targeted WordPress customers first, all sites that use php are at risk. Personally for shared hosting I recommend Hostgator, because I love their tech support (and their servers are very robust), but there are plenty of hosts out there to choose from (Disclosure: I changed the previous link to an affiliate link, although if you’d rather purchase hosting from them without giving me credit that’s fine too, here is a clean link for you: HostGator).
Bob Parsons, I am sorry. Hot chicks and a strong tits and ass marketing campaign do not make up for apathy in matters of client security and well being.
This is not a GoDaddy or WordPress problem. I have never used PHP on the web site I’ve built, and currently have only 1 site using WordPress (I recently took over this site for a makeover). The other 55 web sites I have created for my clients are either in HTML, ASP or ASP.net and spread over 11 different web hosting companies. Most of these sites have been hit in the last 2 weeks, with some being hit 3 times. Lighten up on GoDaddy. They’re not the best, but there are much worse hosting firms out there.
I had 12 affected websites, all at GoDaddy. All of my sites at other hosting providers (such as HostGator) were fine. I did network/Linux security at IBM for 8 years and decided to research this exploit a little on my own since I was getting no help….
I contacted 1st tier support to let them know my findings (including the fact that a fresh install of WP2.9.2 was compromised without a single plugin activated, with strong passwords, and proper file permissions) and I was treated just as any other idiot user without a clue. I was told to simply remove all files and re-install WordPress (again). The problem obviously was originating server-side or from the control-panel.
I helped clean up IBM back during CodeRed, CodeBlue, and SQL Slammer back in the days, so I know how hard it is for a big entity to respond to something like this. However, there seemed to be more than a fair share of “ostrich-ing” going on at GoDaddy when this first hit. I don’t want to see them go down in flames or be endlessly slandered – I just want some damn help so that I don’t loose my livelihood! My hands are tied.
Enough corporate doublespeak, let’s just get this thing fixed.
Hi Micheal,
Stopped by to answer your questions. Network Solutions tech folks are in touch with other hosting companies and the hope is that we can all cooperate and exchange info during times like this. We also sought the help of stopbadware.org. To help Network Solutions customers we partnered with Sucuri.net to provide a scanner to check for malware and for any search engine malware status.
@Maria Allen Please feel free to contact me shashib at network solutions if you still need help. We have a dedicated team for customers affected by this issue and would like to know more if the issue is unresolved.
Thanks,
Shashi
Brings to mind when I had one, then two clients whose sites were not being crawled all of a sudden. It was clear the GoDaddy server was disallowing the Google crawler. GoDaddy told me to “call Google.” It got much, much worse. … Long story short, both sites were back to a robust crawl within a day of leaving GD and being hosted on Gator.
Well done Michael VanDeMar, and great comments….An analysis of this story will be featured on The CyberJungle radio program. The CyberJungle is the only live newstalk program on data security, privacy, and the law. Listen live Sat 10a-noon PT / 1p-3p ET on http://www.KKOH.com . Podcasts anytime on http://www.TheCyberJungle.com . Podcast edition of the program will post on Sunday.
Smug, ignorant web host tech support is evil. In a fair world, they’d react as if they’re personally liable.
I’ve been involved with the community @ iThemes that have experienced the same mishaps with GoDaddy…. They’ve got a great tool anyone can use to evaluate hosting and servers, and would highly recommend the plugin. It’s called ServerBuddy, and can be found @ pluginbuddy.com. Also need to give them a shout of praise for the BackUp Buddy program….one click backup & migration plugin for WordPress… It’s AWESOME, and easy fix if you need to change hosting.
You. Briliant. Them. Ignorant. What a f*&^ up well outed.
Michael, you are perfectly right. I am a web developer and am working on a site for one of my clients. The site is in Joomla 1.5 and hosted with GoDaddy. The site was injected with Malicious code on 11th May 2010. On calling GoDaddy, they redirected us to following URL:
http://help.godaddy.com/article/5612?
and as mentioned there, I cleaned up all the code and changed all the passwords and site worked fine. But somehow the problem came again today. I did some debugging and found that at the bottom of my site a script was being added from following URL at the bottom of the page:
http://holasionweb.com/oo.php
Please no one try to visit this URL as this will inject virus to your system.
This is the same URL as you have mentioned in the plan_erich_php.php file. So it proves that your finding is perfectly right.
I will again upload the clean code and will do joomla upgrade. But I just wonder if this is enough.
I used to use godaddy. there hosting is slow … and so confusing just like there domain service. They should really consider renaming them self to gorandpa.
i changed my self to http://fathive.com. everything is great since then.
I checked my server logs and can see a large number of attacks looking for the web links as listed below. The user agent (forged) is Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
So my best guess it that if you have PHP on your server and have any one of the following, your at risk.
/administrator/index.php
/joomla/administrator/index.php
/site/administrator/index.php
/cms/administrator/index.php
/content/administrator/index.php
/home/administrator/index.php
/main/administrator/index.php
/portal/administrator/index.php
/web/administrator/index.php
/v1/administrator/index.php
/v2/administrator/index.php
/j/administrator/index.php
/en/administrator/index.php
/joom/administrator/index.php
/Joomla/administrator/index.php
/joomla1.5/administrator/index.php
/joomla15/administrator/index.php
/joomla2/administrator/index.php
/joomla1/administrator/index.php
/Site/administrator/index.php
/site_old/administrator/index.php
/Site_old/administrator/index.php
/cms_old/administrator/index.php
/joomla_old/administrator/index.php
/CMS/administrator/index.php
/test/administrator/index.php
/backup/administrator/index.php
My blog was hacked several times as well. I wiped it clean and tried a fresh install, and was hacked several days later. I had been running the latest version of WP, and had some security measures in place. After spending countless hours I finally emailed GoDaddy tech support to see if they could offer me any direction in fixing the virus. I got a response stating they looked at my site and found several php files that were infected, and deleted them as a courtesy. I logged into my dashboard, and everything was back to normal, but when I clicked on a previous post, it was gone. In fact, all my posts are gone. I emailed them back and told them my posts were deleted. Their response to this??? Sorry, we don’t offer support on WordPress, and they literally typed out http://www.wordpress.org and told me to look there. I can’t believe that I have to think about moving all my sites as well as all my clients sites away from GoDaddy. I just asked for help to do it myself, never pointed my finger or anything. I have recommended them so many, many times in the past…and just did again. Thank God the company hasn’t switched yet. It was a toss about between Network Solutions, and HostGator…I’ll be investigating both.
It’s a shame GoDaddy got big and started to treat their customers like this. I really liked working with them in the past.
I got WordPress hacked, but I was using Dreamhost. It was an unpleasant experience to say the least — almost made me long for the says when I updated my blog and rss feed by hand, using a text editor (a long time ago).
I can attest to the fact that GoDaddy is getting hit fiercely and nothing on the user-end can fix it.
Most of my 18 GoDaddy-hosted WordPress installations were up to date. I’d even updated my .htaccess file to be EXCEEDINGLY restrictive about external points of entry.
I had 18 domains running WordPress on the same account (I’m a prolific blogger). Each one hit. All of my clients… also hit with a bit of injected PHP – leaving a bit of encrypted javascript iframes or something at the top of each .PHP file. This is the third time in two months that it’s happened (one site even got hit RIGHT AFTER I cleaned it off).
I contacted support with the issue, they seemed to have no idea what I was talking about. I told them (having received their “Make sure you upgrade WordPress today!” warning and had several clients forward theirs) that the installations WERE up to date.
GoDaddy Rep: “Oh, well, you can go ahead and ignore that warning.”
Me: “Sure, but I’ve still been hit and have no more options on my end. WTF, man?”
The best thing I can think of right now is to:
1) have a clean, offline backup of all your plugins, your theme files, and your config file.
2) when you get hit, just download a clean copy of WordPress and upload it, replacing files only where the size is different (a massive chunk of encrypted php accounts for about 2-5kb, btw.)
3) upload your clean version of your plugins, your theme, and your config file, and you should be good to go.
If you’re still noticing your site acting wonky, it’s likely there’s an infected file sitting somewhere with that block of junk at the top.
What a bunch of jokers GoDaddy… Help us to fix the problem, don’t pretend like it’s our fault. Not all of your customers are so easily distracted by the GoDaddy Girls.
-Nick Armstrong
@Kris: Network Solutions was the first one to get hacked, even before Godaddy :-((
BTW: Godaddy got hacked again this morning May 17 :-(((
Luckily I know how to clean it fast… The only problem remaining is “HOW THE &&^^%% TO AVOID THE HACK”
I just really don’t care to use GoDaddy for much. I purchase my domains there but I run them through another server. Never had that great of experience hosing on GoDaddy.
I adapted a short and simple script that lists all infected files, prompts to clean them and lists all cleaned files. See this post http://bit.ly/c2yGCP
Hope it helps cleaning…
But how do we prevent the hack, is still a mystery…
p.
I host a wordpress site on Godaddy, I was hit last week and *today* with the malware attack. I’m so glad I’ve been reading up on blogs that mention this is actually a security risk on Godaddy’s side. Called them, no help whatsoever, they actually sent me a link where it gave me two short paragraphs that did absolutely nothing.
How easy is it to move hosting providers? I don’t have the time to deal with Godaddy’s “issues”.
I’ve had this issue with them for over a year now, and I use gobbledy-gook for usernames and passwords for exactly this reason. Even so, we have had the eval() attack hit non-wordpress sites, a clear signal that it’s a problem with the GD hosting environment, and one that they are patently unwilling to look into.
When your single page, adsense “website” is getting this attack pushed onto it, it’s not a wordpress flaw. It’s a hosting security issue.
This has been GoDaddy’s standard operating practice. Corporate culture, ethics, and standards flow from the top. I’ve been surprised that GoDaddy’s hasn’t been sold, Bob Parsons has been a brilliant leader in creating business’s and selling them at huge profits. But his leadership regarding ethical practices speaks for itself – corporate culture flows from the top down. Todd Redford’s example above is prime – deflect but avoid actually addressing or correcting ethical problems. Having personally spoken with their media department, their standard practice is consistently to “posture” as engaging but with no apparent intent of actually correcting lapses, ethical, or questionable practices. Todd certainly appears to be “posturing” … deflect and appear engaging. But is there any sincere “intent” to address underlying issues? The author Michael VanDeMar above offered to provide technical assistance but did Todd Redford in his post follow up on this offer? Or did he simply attempt to “appear” engaging but with no intent of actually following up?
It appears obvious to me … hopefully your readers can weigh words versus actions and judge for themselves …
I’ve been a GoDaddy client since 2002. To date, I’ve only had one wordpress account that I own hacked, and that was the 2.8.4 problem.
From your description, I’m understanding that this problem occurred on shared hosting. I’m still with GoDaddy for my business website and primary blog but I have a dedicated IP … which may eliminate the risk of intrusion because my websites are on another and perhaps more secure server. The expense for this is a whopping $36 more a year. If it provides peace of mind, why not?
Using the “one click install” at any host may be easier but it is not necessarily the wisest choice for wordpress security. Conventional wisdom is that managing a wordpress site is easy … perhaps because the software is free. The truth is, folks need to roll up their sleeves and learn something about the software, including how to keep it secure. One may need to get a little “mud under their fingernails” and be forced to dig into MySQL to shore up a few things too.
The same things goes for free templates. There are millions of sites that offer them, and some are beautiful too, but the first thing everyone should do when they download a free theme is to investigate the scripts for encrypted code. I’ve done this since 2004, when I first began fooling around with WordPress.
I rescued client blogs from the Network Solutions debacle a couple months ago. Matt Mullenweg would not dignify complaints about his software when the proverbial crap hit the fan but, the truth is, WordPress is popular and hackers go after popular things that are well documented, such as WordPress is. Maybe the only way to be certain that your wordpress websites are secured is to run the software on your own servers. But then there is all that freeware out there so you are still at the mercy of the plugin creator. How about Linux itself?
We can live in fear of hackers, and choose to blame one hosting service or another, but that only keeps us stuck. Hard to get anything done that way.
I’m considering leaving GoDaddy, but not because I feel their service or support is bad. GoDaddy’s shared hosting service does not support WPMU in the way that I want to implement it. I’ve had a good run with GoDaddy and would recommend their services to anyone.
I had to file a complaint with the BBB against GoDaddy to get my issue resolved. Enough said.
@Marj – Not getting hacked yet does not mean that you are safe, and having a dedicated ip does not mean that you are on a safer hosting environment. It may not even be all shared servers that are at risk at GoDaddy… but it sure is a hell of a lot of them. Gratz at not getting hacked so far, but that doesn’t make GoDaddy ok, not by a long shot.
And just fyi this is not “one click” installs that are getting hacked, it’s not even just WordPress. It has nothing whatsoever to do with downloading themes with code in them, and even though it may comfort you to blame this on webmasters being lazy it is not the webmasters fault that they are getting hacked.
@Marj – ditto re the above. When my clients tell me that their ‘secure’ ( all good security and update practises in place) WordPress blogs have been hacked – and these are sites are using ‘serious’ Premium themes and not some silly free theme + minimal plugins then can’t we all just agree that it’s a hosting vulnerability ( GoDaddy or Whoever.com).
Constantly referring to the poorly informed clowns who download every free plugin and free theme is not addressing the fundamental issue which is that the hosting company has been hacked – not the individual user ( no matter how good, or poor, their WordPress security is).
Let’s face the facts: Godaddy and the other providers that have been hacked need to get off their complacent backsides and address the issue, inform their clients of how they are doing so and to re-train their Support Staff to come up with answers and not ‘silly, get off the line, excuses’.
Pretty straightforward really! I know if I was running one of these hacked companies what I’d be doing. “Heads can roll later – let’s fix the problem!” would be my credo.
It doesn’t help with this ‘hands in the air’ and ‘passing the buck’ BS that seems to be going around at the moment.
Any company that’s been hacked, keeps me informed and hopefully, eventually, tells me what they’ve done to fix the issue will have my full endorsement and future business.
@Michael VanDeMar …
To be clear, the intention of my reply was to NOT lay blame on anyone or anything and I don’t consider choice of hosting services to be a religious war. I sure would not choose Network Solutions, however. I also think that “the most popular” service isn’t necessarily the best service when features and functions are compared objectively.
I also don’t feel “safe” anywhere online so please don’t read into what I wrote by putting those words in my mouth. 🙂 I was merely presenting ideas for shoring things up, no matter where you are hosting your sites.
There are a lot of “moving parts” to any website. Hackers are malicious and they’ll find their way in, if that is their goal.
“The expense for this is a whopping $36 more a year. If it provides peace of mind, why not?” – here you are suggesting that the problem can be soved by webmasters not being cheap.
“Using the “one click install” at any host may be easier but it is not necessarily the wisest choice for wordpress security.” – here you are suggesting that the problem is that the webmasters are not doing enough manually themselves.
“One may need to get a little “mud under their fingernails” and be forced to dig into MySQL to shore up a few things too. ” – here you are suggesting that by by doing these manual tasks the webmasters could have had some control over whether or not they got hacked on GoDaddy. This bit in straight misinformation, and indicates you don’t really have a grasp of the situation, or perhaps that you commented after only skimming the details.
In any other context, on a post on it’s own, your comments have merit. However, this is a post discussing the situation on GoDaddy’s servers, which I assure you is very real and not anyone’s imagination, GoDaddy’s refusal to do what is necessary, and their mistreatment of customers by inappropriately putting the blame back on them. “The truth is”, Marj, regardless of what your intentions were or were not with that comment, that is how they came across. And although I do recommend HostGator in the post, this had nothing to do with any kind of “my host is better than your host” argument going on anywhere else on the internet. This is strictly about one situation going on now at one company (and again if you read the post you would know that I acknowledge they are not the only host getting hacked… just the largest and apparently the most arrogant).
@Michael VanDeMar
I don’t remember saying anything about webmasters in my initial post so I still think you are reading too much into what I wrote. I was addressing DIY-ers.
I might argue that Network Solutions is far more arrogant and that their support is pitiful.
Thanks for your agreement with what I wrote, @Clive at BlogBriefing.com.
@Marj – “webmasters” are people who own websites. I have no idea what distinction you are trying to make.
If you Google [network solutions thieves] you will see this blog come up first. Generally speaking? Not so much a fan. However, in this instance they were far faster at admitting they had a problem (and actually asking for help from developers, from what I understand) than GoDaddy has been. Coming from me, to say that NetSol had a better response than GoDaddy is pretty damn big deal.
Lastly (lastly from me, anyways), I think the fact that you are thanking Clive for agreeing with you speaks volumes towards whether or not you are actually reading what is being said. As far as I can tell he wasn’t agreeing with you.
Ok. I can’t read and my counterpoint was unwelcome.
Good Luck.
So, I started this morning finding out that my blog had been hacked for the second time in a week–both times a PHP injection attack. But GoDaddy customer support was very responsive, and I’m back at full steam now. They seem to be taking this wave of incidents pretty seriously.
So GoDaddy has ramped up the paid advertising to offset the loss of customers, as evidenced by the recent deluge of TV ads during sporting events and the numerous discounts on domain names. This is costing the company big-time marketing dollars.
My prediction is that the company will revive their IPO to raise oodles of cash for operating cash and so that the 4-5 bigwigs can “cashout”.
However, imagine this: The President, CFO and IPO underwriters do “road shows” for financial analysts and others that they expect to push the IPO stock sale. At the road shows, they get hit with a bunch of *tough* questions about their security issues, class action lawsuits, examples of employee dissatisfaction and discrimination lawsuit (lost the appeal) with huge payouts, and, many other issues. Armed with questions we will provide, these financial analysts will drill the executives and understand first-hand why this company fails at the basic tenents of Sarbanes-Oxley requirements, demonstrating why the GoDaddy IPO is a huge risk to investors.
Look for hot-to-handle questioning periods during these road shows. Guaranteed.
I’m hosted with a GoDaddy reseller, which has a different brand name, but is hosted on the same servers. If I have a technical issue with code level or developer level scope, I don’t call in to general tech support because I understand that they are generalists, not trained programmers, and not trained as hosting server admins. I don’t expect the people that answer the phone to have my level of expertise, otherwise, they’d be too expensive to hire to answer the phones.
What I do instead, is to submit a ticket through my hosting control center. This is generally escalated directly to the hosting support team, the same team that would get my ticket if I asked the phone support rep to escalate it. I save myself the headache by going directly to the people that are going to fix the issue.
I think you are on to something, and you can do everybody a great service by logging in to your GoDaddy account, opening your hosting control center, and submitting a support ticket directly to the hosting team. Include your analysis, the name of the file, the decoded script text, and your recommendations for solving the issue. The ticketing system may reject the script text if you paste it directly into your online support request, so I recommend you wait for a response to your initial ticket, and reply to their response with your txt file included as an attachment.
After my website which is hosted by Network Solutions was attacked a week ago, I signed up with a Sucuri service to notify me if malicious code appeared on my site. Well, I just got a notification an hour ago. I couldn’t really understand the notification, but when I went to my site, a 404 error page came up instead of my homepage.
The only difference between my remote and local pages that I could find was a page called .htaaccess on my remote site. I removed that page, and perhaps coincidentally, my site worked properly again. Can anyone tell me what .htaaccess is, and whether it might have been the source of the problem? I’ve been reading this blog to try to understand a little more about all of this, but it’s very complicated stuff. Thanks!
@Maria – the .htaccess file can indeed cause a 404 to appear, and technically it can be involved in a hacking attempt, but it is also very normal to have one and especially in a WordPress blog. One of the things that a .htaccess does is it allows permalinks to your blog posts beyond the simple domain.com/p=999 format. It also works in conjunction with caching plugins to reduce load on your server.
Did you happen to save the file before deleting it?
This was the code in the .htaccess
It’s actually a website hosted at NS, not a WordPress blog.
Options -Indexes
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.html$ ./htdocs/phplogin/includes.php [L]
RewriteRule ^(.*)\.htm$ ./htdocs/phplogin/includes.php [L]
@Maria – not being that familiar with the NetSol hosting setup I can’t tell you whether or not there would be legitimate reasons for that being there, but assuming that the includes.php file referenced did not exist it definitely would explain the 404 errors. It’s almost as if someone were trying to make your html files process that php script, although for what reason I could not tell you.
Michael, this difficuly you encountered is endemic at GoDaddy; they have a culture of Narccism that really has destroyed their reputation among those of us who webmaster for a career. I too was lured into putting a few customer sites there (and still have one…for now…), but moved them off when I encountered:
* problems that were mysteriously “fixed” only when I called in…but with no explanation as to why/how…
* cheap hosting plans, but ridiculous email account constrictions
* pleasant, but sometimes not really helpful 1st-tier support that wouldn’t escalate the problem they couldn’t solve
* circuitous, very poorly organized menues to access domain and hosting controls. You almost need to call every time.
* Arrogance from the support staff any time you might suggest a better way to accomplish something. You see, the GoDaddy way is the best way…we just aren’t at a level to appreciate that…
They just do not listen. Like you said, too busy looking for the next pair of titties to flash on a commercial to focus on basic business improvement. Oh well, good thing that there is no shortage of hosts…
One of my client’s sites was hacked for a third time yesterday and this is after a fresh install of everything and changed passwords. One thing I noticed is that FTP access is automatically enabled in the WP admin so that you can update plugins and the core from the back office. I’m looking for a way to disable this because I feel like maybe this has something to do with the hacks. Do you know how to turn this off?
In my own personal sites, which are not hosted on GoDaddy, there is a place for me to enter the info manually but that doesn’t seem to be available on their site.
You think that’s bad? Try hostingrails. When they got acquired and updated their database/cpanel, they destroyed all my user grants, causing all my functioning dynamic sites to be inaccessible in one fell swoop. And never apologized. I had to go in and recreate them. When i sent in a support ticket to restore grants from backup, they were all like ‘whuuuut?’ fools. when I recreated the users, i noticed the names are truncated because apparently they upgrated to a newer version of mysql in the mix, which has char limit restrictions so their scripts were temporarily broken. So, don’t host with them. They are foolish fools who dont’ know what they are doing. As a customer, I should not know more than they do about what they do.
A subdomain on a site I have hosted at GoDaddy has just been infected again (fourth time in 3 weeks).
Identical exploit, different domain name, same IP name.
Weird but a Modx site (php) on another subdomain is not effected (yet).
Last time Modx, WordPress and any php outside the apps was infected.
This install of WordPress was a clean install of a new site, new passwords etc.
The fact it has happened on the same server, same domain. Makes one assume GoDaddy is no closer to securing the whole server.
These guy’s have unrestricted access to any site on this server and any talk of it being the application or lack of maintenance by the site owner is not the whole picture despite GoDaddy claims to the contrary.
I am more fortunate than most, this site is my own home page (a bit experimental and not a client site) so apart from wasted time I can live with it.
These attacks have actually done me a favour and exposed how bad php shared hosting is as a business model, albeit a very cheap model.
I am moving towards cloud hosting asap, some providers even offer free hosting for development work.