HostPapa Hosting Still Sucks: Now Extorts Customers

A few years back I blogged about HostPapa getting hit with a widespread hack that they lied to their customers about, and instead tried to blame on a non-existent WordPress security issue. More than just WordPress sites were affected, so obviously it was not that. It was most likely a cpanel bug that other hosting companies actually let their customers know about, and while they never did admit wrong eventually the sites stopped getting hit, so odds are they just quietly fixed it behind the scenes. However, since lying to your customers is bad form even if you eventually fix the problem, ever since then I have done my best to warn people against hosting with them. There are a ton of decent hosts out there at reasonable prices (my recommendation as always is Hostgator), so in this day and age there is no reason for anyone to go with (or stay with) one that gives crappy service.

A couple of days ago a woman named Kristina Birkhof (@sexypartyanimal) contacted me about helping her dehack her website, highclassbadass.com, since I clean hacked WordPress installations professionally. She said that HostPapa told her

Read moreHostPapa Hosting Still Sucks: Now Extorts Customers

New WordPress Backdoor Style Discovered – Hackers Think They Are Sneaky

I was cleaning a client’s site today that had been hacked, when I discovered a new backdoor implementation that I had never seen before. This one is a perfect example of why automated scans are often not sufficient when cleaning up a hacked WordPress installation. You can see the full file here: 99bde887d.php.

The file was dropped into the theme that the client is using, and is coded to mimic a core WordPress file, using some of the same function names and coding conventions that WordPress itself uses. It is designed so that most people opening it and actually looking at the code would still not notice that it was anything malicious. I have seen enough back doors though that even creative ones will often stand out to me. It is definitely not something that would be picked up with any of the existing scripted scans out there. While of course someone can update their plugins or scripts to include specific strings to look for that this file contains,

Read moreNew WordPress Backdoor Style Discovered – Hackers Think They Are Sneaky

Warning: WordPress.org Does Not Tell You If You Download An Infected Plugin From Them

Have you ever logged in to your WordPress dashboard, noticed that there were some updates pending, but simply couldn’t be bothered pushing the button to run them? Sure you have. Who hasn’t? A good majority of my work comes from dehacking websites that have been compromised, and even I slack on that from time to time. I mean, if there are no security bulletins about the updates, and I am only using plugins I have downloaded directly from WordPress.org I should be fine, right?

Wrong.

The day before yesterday I rebuilt a client’s site that had ben hacked, grabbing fresh versions of all of the plugins he was using. I noticed that one of the plugins, Social Media Widget, didn’t download though, and when I went to investigate why

Read moreWarning: WordPress.org Does Not Tell You If You Download An Infected Plugin From Them

Hosting with HostPapa or Netregistry and Hacked? Switch Hosts Now. (hacked by hacker)

It looks like another pair of hosts have joined GoDaddy in the “Not our fault” game when their servers get breached. Yesterday I had a few people contact me whose sites had been hacked, all with the identical symptoms: the only thing showing on their sites are the words hacked by hacker in plain text, on a white background. The one thing they all had in common is that they were hosting with either HostPapa or Netregistry, and the one thing that both hosts had in common is that they refused to own up to the problem:

 

 

and in HostPapa’s case they are even trying to blame it on WordPress:

 

 

Isn’t it nice the way they are able to determine that it is a WordPress issue, without even knowing which site it is? These styles of hacks, which usually have a specific hacker’s tag or signature rather than just “hacker”, often indicate to me that something other than a standard scripting exploit is at play. Whenever I see a site hit with a similar defacing hack, the first thing I do is check to see if there are other sites affected on the same host.

Warning: I am on Linux, which is unaffected by viruses that can affect Windows users. Unless you are on Linux or a Mac you should exercise extreme caution when looking for hacked sites, even if you have up to date antivirus software installed.

The way I check is I ping the infected domain in order to get the IP address, which in this case was srv03.netregistry.net (180.235.128.204), which I then plug into Bing using their “ip:” advanced search option (search by IP), plus the phrase “powered by WordPress”:

http://www.bing.com/search?q=ip%3A180.235.128.204+%2B%22powered+by+Wordpress%22

Clicking through those results I could easily see that this was far from isolated, and by using Bing’s cache I was able to determine that many of these sites were in fact up to date running the latest WordPress version before getting hit. I then tried several other of their servers (srv01.netregistry.net, srv02.netregistry.net, and srv04.netregistry.net), all with the same result. I sent them a tweet letting them know that they appeared to have an issue, and they replied, as shown in the screenshot above, that they were able to “confirm there’s been no server security breaches”. I then gave them examples of 15 identical hacks across 4 different servers of theirs here, here, here, and here. As of yet they have not bothered to reply to those tweets.

While I was in the midst of investigating Netregistry, someone else contacted me with the exact same hack, only their site was hosted with HostPapa. Going through the same process (as well as checking with recent forum posts from people with these symptoms) I checked hp82.hostpapa.com (76.74.128.200), hp78.hostpapa.com (76.74.128.160), and hp86.hostpapa.com (76.74.242.140), and found the same issues with all of them. Regardless of the evidence, however, HostPapa is still insisting that this is a WordPress issue:

 

 

There are a few issues with them trying to blame this on WordPress. First off, if this were an issue affecting WordPress installations that were up to date with the latest (which is 3.4.2, which quite a few of these sites were running), then it would be much, much more widespread, and it would not be isolated to just these two hosts. Secondly, if this were a WordPress issue then why was I able to find at least 1 Joomla site on HostPapa with the exact same hack?

 

 

I let HostPapa know this via a tweet, but they were uninterested in addressing that. Instead they seem more intent on blaming it on WordPress, telling their clients that they don’t help with hacking issues, and pretending that everything is fine. Just because a slew of sites that get hacked on a server are all running WordPress does not make it a WordPress issue. WordPress is a database driven platform, and is the most popular one out there. If a hacker locates a MySQL based exploit on a given host then the fastest ways to find a large number of sites to target would be to do searches similar to the ones I did above and aim for the WordPress ones. I am guessing this is actually what happened here, and it is obvious that this isn’t some 0-Day WordPress exploit (like both HostPapa and this idiot here are trying to claim).

Regardless of whether or not they eventually own up to it, if you are one of the unfortunates who happens to be hosting with either of these companies I would highly recommend you switch hosting, even if you are not one of the ones that got hacked. Again, I always recommend Hostgator, both for their security and for the fact that they happen to have better performing servers than many of the other hosts out there.

If you did get hit and you just want to get back up and running as fast as possible, luckily with the instances I saw this isn’t actually too difficult. While the next wave of hackers who come through might do more damage, at this point it seems to simply be a matter of replacing your root index.php with a fresh one from a clean WordPress install, and replacing either your index.php or header.php (or both) inside your theme using backups or clean downloads (assuming you have a readily downloadable copy of the theme you are using). I also saw some instances of people being unable to log in to the WordPress admin interface. The solution to that, as I described here, is to go in to your database through the phpmyadmin in cpanel and look at the wp_users table. If they switched the admin username and email, edit the record to switch it back and then go through the Lost Password function on the WP login page.

One thing to be careful of is that often times in cases like these the hackers will drop back doors on the sites, so that even once the host fixes the initial issue the hackers can just get right back in again later. If anyone has any issues where they keep getting hacked, even after moving to a new host, I am available to do professional cleanings. Feel free to contact me for more information. Also, Hostgator does offer free migrations in some instances, but if you have multiple or complex sites that you would like migrated to them I can assist with that as well (or to another host if you prefer, of course).

More resources:

How To Clean Hacked WordPress
WordPress FAQ: My site was hacked
How to find a backdoor in a hacked WordPress

Email To The FSF About WordPress’s GPL License Violations

So, after it became obvious that the WordPress developers responding to having the GPL violations pointed out to them were unwilling to admit that they needed to abide to the license, I decided that it was best to email the FSF themselves and ask about the violation issues. The email I sent is below:

Read moreEmail To The FSF About WordPress’s GPL License Violations

As It Turns Out, WordPress Itself Is Not 100% GPL Compliant After All (And They Violate The MIT License As Well)

Yesterday I stumbled upon a rather interesting tidbit of information. I opened Twitter in the middle of a conversation between between Chip Bennett and Ben Cook, and I saw this tweet:

 

@chip_bennett @mattonomics that thread is everything wrong with the WordPress project wrapped up nicely in one ignorant package. - @Skitzzo

 

Curiosity piqued, I dug back through the tweets until I found a link to the thread Ben was referring to. It turns out that it is

Read moreAs It Turns Out, WordPress Itself Is Not 100% GPL Compliant After All (And They Violate The MIT License As Well)

Hacked on GoDaddy? I’ll Migrate You To Hostgator For Free

Yet again, I am seeing a rising number of sites that are reporting getting hacked at GoDaddy. It is also no surprise to me that people are getting limited responses from them when they try and find out what is going on. The GoDaddy blog mentions nothing recently aside from when they were hacked 2 weeks ago on Halloween (an attack that looks like it stemmed from GoDaddy not acting on a security advisory for 11 days). The thing is, I know from personal experience that they are aware of it, because I have seen cases where they are cleaning clients sites now automatically as a form of damage control, before the clients even know they were hacked, in an attempt to keep the buzz down about it. So they obviously know it is happening yet they are still keeping tight lipped about it, and being reactive instead of proactive, which is of course par for the course when it comes to getting hacked on GoDaddy.

Since this is an established pattern with them as a web host, and even though I still highly recommend them as registrars for domain names,

Read moreHacked on GoDaddy? I’ll Migrate You To Hostgator For Free

Rackspace Hacked Clients, Check Your Databases: WordPress “wp_optimize” Backdoor In wp_options Table

Just finished cleaning up a hacked client whose website is hosted on Rackspace Cloud hosting. It is the second one within the past few weeks, although the first one was actually hosting on Laughing Squid, which happens to use Rackspace Cloud. I had discovered that there were a large number of people all on the same IP as my client a couple of weeks ago who all got hacked, but I was having trouble determining if it was an issue with Laughing Squid or an issue with Rackspace Cloud itself, so I didn’t blog about it until I could research it more. I wish now that I had, because maybe then it would not have spread so widely. As it is, it is the same WordPress attack that Unmask Parasites blogged about earlier today.

It looks like the culprit might have been a security hole in phpmyadmin. Hopefully this will turn out to be what was wrong,

Read moreRackspace Hacked Clients, Check Your Databases: WordPress “wp_optimize” Backdoor In wp_options Table

WordPress Hacking, Matt Mullenweg, And Some Screwed Up Priorities

I clean WordPress installations for people who have been hacked. I can help fix non-Wordpress sites as well, but since often times the way people find me is through the guide I wrote on how to fix WordPress after you’ve been hacked it turns out that’s what they need me to do for them a fair bit of the time. I have a process that I go through, and a specific set of things that I look for on every WordPress installation that I work on to make sure that it is indeed hacked, and to determine how bad the damage is. Different intrusions can leave various symptoms and clues as to how the hacker got in, and knowing this can be helpful in diagnosing the situation.

One of the hacks that has been around for a few years

Read moreWordPress Hacking, Matt Mullenweg, And Some Screwed Up Priorities

GoDaddy’s Suggestion For The Cause Of Their Hacks And Their Community Blog – Can You Smell The Irony?

Yesterday I blogged about the hacking situation with GoDaddy hosting and a customer service call I had with them concerning some evidence I had found. While it is true that as this has progressed GoDaddy has widened their scope in investigating what the underlying cause of these hacks are, initially they claimed that the issue was with their customers running outdated versions of WordPress. While being wrong about something like that is usually not that big of a deal, in this particular instance it proved to be beyond irksome, since a large portion of their customer base were told that it was their own fault that their sites got hacked (even in cases where the customer was up to date), and that GoDaddy was in no way to blame:

WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way. – Alicia from GoDaddy

From what I have read around the web customers were being told that it was not GoDaddy’s responsibility to fix the sites, that they only offered “limited support” in situations like this, leaving people with only the option of restoring from a backup (which would often not help even in outdated WordPress hack situations, since hacks can go undetected for months) or hiring outside help to clean things up.

You can see on the support page they have set up, What’s Up with Go Daddy, WordPress, PHP Exploits and Malware? that they still claim that outdated scripts are part of the problem. Going to that page and viewing the source reveals something almost unbelievable:

GoDaddy outdated software...?
(click to enlarge)

That’s right, in a classic “do as I say, not as I do” twist it seems that GoDaddy is in fact running an older version of WordPress (WordPress MU, based on the version number, which has the same security holes as regular WordPress) for their community blog that they are using to tell people to upgrade their WordPress versions.

To be fair, simply having an older version of WordPress does not mean that it is automatically insecure… the security fixes in the more recent versions may be minor and the known vulnerabilities might have been manually patched. I can’t know without actually digging deeper and looking if in fact the installation was vulnerable.

Then again… neither can GoDaddy in the case of their customers.