HostPapa Hosting Still Sucks: Now Extorts Customers

A few years back I blogged about HostPapa getting hit with a widespread hack that they lied to their customers about, and instead tried to blame on a non-existent WordPress security issue. More than just WordPress sites were affected, so obviously it was not that. It was most likely a cPanel bug that other hosting companies actually let their customers know about, and while they never did admit any wrongdoing, eventually the sites stopped getting hit, so odds are they just quietly fixed it behind the scenes. However, since lying to your customers is bad form even if you eventually fix the problem, ever since then I have done my best to warn people against hosting with them. There are a ton of decent hosts out there at reasonable prices (my recommendation as always is Hostgator), so in this day and age there is no reason for anyone to go with (or stay with) one that gives crappy service.

A couple of days ago a woman named Kristina Birkhof (@sexypartyanimal) contacted me about helping her dehack her website, highclassbadass.com, since I clean hacked WordPress installations professionally. She said that HostPapa told her


Hosting with HostPapa or Netregistry and Hacked? Switch Hosts Now. (hacked by hacker)

It looks like another pair of hosts have joined GoDaddy in the “Not our fault” game when their servers get breached. Yesterday I had a few people contact me whose sites had been hacked, all with the identical symptoms: the only thing showing on their sites are the words hacked by hacker in plain text, on a white background. The one thing they all had in common is that they were hosting with either HostPapa or Netregistry, and the one thing that both hosts had in common is that they refused to own up to the problem:

 

 

and in HostPapa’s case they are even trying to blame it on WordPress:

 

 

Isn’t it nice the way they are able to determine that it is a WordPress issue, without even knowing which site it is? These styles of hacks, which usually have a specific hacker’s tag or signature rather than just “hacker”, often indicate to me that something other than a standard scripting exploit is at play. Whenever I see a site hit with a similar defacing hack, the first thing I do is check to see if there are other sites affected on the same host.

Warning: I am on Linux, which is unaffected by viruses that can affect Windows users. Unless you are on Linux or a Mac you should exercise extreme caution when looking for hacked sites, even if you have up to date antivirus software installed.

I check by pinging the infected domain to get the server's IP address, which in this case was srv03.netregistry.net (180.235.128.204). I then plug that IP into Bing using their “ip:” advanced search option (search by IP), plus the phrase “powered by WordPress”:

http://www.bing.com/search?q=ip%3A180.235.128.204+%2B%22powered+by+Wordpress%22

Clicking through those results I could easily see that this was far from isolated, and by using Bing’s cache I was able to determine that many of these sites were in fact up to date running the latest WordPress version before getting hit. I then tried several other of their servers (srv01.netregistry.net, srv02.netregistry.net, and srv04.netregistry.net), all with the same result. I sent them a tweet letting them know that they appeared to have an issue, and they replied, as shown in the screenshot above, that they were able to “confirm there’s been no server security breaches”. I then gave them examples of 15 identical hacks across 4 different servers of theirs here, here, here, and here. As of yet they have not bothered to reply to those tweets.

While I was in the midst of investigating Netregistry, someone else contacted me with the exact same hack, only their site was hosted with HostPapa. Going through the same process (as well as checking with recent forum posts from people with these symptoms) I checked hp82.hostpapa.com (76.74.128.200), hp78.hostpapa.com (76.74.128.160), and hp86.hostpapa.com (76.74.242.140), and found the same issues with all of them. Regardless of the evidence, however, HostPapa is still insisting that this is a WordPress issue:

 

 

There are a few issues with them trying to blame this on WordPress. First off, if this were an issue affecting WordPress installations that were up to date with the latest (which is 3.4.2, which quite a few of these sites were running), then it would be much, much more widespread, and it would not be isolated to just these two hosts. Secondly, if this were a WordPress issue then why was I able to find at least 1 Joomla site on HostPapa with the exact same hack?

 

 

I let HostPapa know this via a tweet, but they were uninterested in addressing that. Instead they seem more intent on blaming it on WordPress, telling their clients that they don’t help with hacking issues, and pretending that everything is fine. Just because a slew of sites that get hacked on a server are all running WordPress does not make it a WordPress issue. WordPress is a database-driven platform, and is the most popular one out there. If a hacker locates a MySQL-based exploit on a given host then the fastest way to find a large number of sites to target would be to do searches similar to the ones I did above and aim for the WordPress ones. I am guessing this is actually what happened here, and it is obvious that this isn’t some 0-Day WordPress exploit (like both HostPapa and this idiot here are trying to claim).

Regardless of whether or not they eventually own up to it, if you are one of the unfortunates who happens to be hosting with either of these companies I would highly recommend you switch hosting, even if you are not one of the ones that got hacked. Again, I always recommend Hostgator, both for their security and for the fact that they happen to have better performing servers than many of the other hosts out there.

If you did get hit and you just want to get back up and running as fast as possible, luckily with the instances I saw this isn’t actually too difficult. While the next wave of hackers who come through might do more damage, at this point it seems to simply be a matter of replacing your root index.php with a fresh one from a clean WordPress install, and replacing either your index.php or header.php (or both) inside your theme using backups or clean downloads (assuming you have a readily downloadable copy of the theme you are using). I also saw some instances of people being unable to log in to the WordPress admin interface. The solution to that, as I described here, is to go into your database through phpMyAdmin in cPanel and look at the wp_users table. If they switched the admin username and email, edit the record to switch it back and then go through the Lost Password function on the WP login page.

One thing to be careful of is that often times in cases like these the hackers will drop back doors on the sites, so that even once the host fixes the initial issue the hackers can just get right back in again later. If anyone has any issues where they keep getting hacked, even after moving to a new host, I am available to do professional cleanings. Feel free to contact me for more information. Also, Hostgator does offer free migrations in some instances, but if you have multiple or complex sites that you would like migrated to them I can assist with that as well (or to another host if you prefer, of course).

More resources:

How To Clean Hacked WordPress
WordPress FAQ: My site was hacked
How to find a backdoor in a hacked WordPress

Brandlink Communications, TheBloggess, PR Fails, and Fallout

Before reading the rest of this post, if you are not already an avid fan of TheBloggess, and have not read about the PR company vice president who called her a “fucking bitch” due to him being clueless who it was his company was pitching, then you should start here first: Brandlink Communications. Go ahead and read it now, I will wait.

[cue elevator music]


Hacked on GoDaddy? I’ll Migrate You To Hostgator For Free

Yet again, I am seeing a rising number of sites that are reporting getting hacked at GoDaddy. It is also no surprise to me that people are getting limited responses from them when they try and find out what is going on. The GoDaddy blog mentions nothing recently aside from when they were hacked 2 weeks ago on Halloween (an attack that looks like it stemmed from GoDaddy not acting on a security advisory for 11 days). The thing is, I know from personal experience that they are aware of it, because I have seen cases where they are cleaning clients’ sites now automatically as a form of damage control, before the clients even know they were hacked, in an attempt to keep the buzz down about it. So they obviously know it is happening yet they are still keeping tight-lipped about it, and being reactive instead of proactive, which is of course par for the course when it comes to getting hacked on GoDaddy.

Since this is an established pattern with them as a web host, and even though I still highly recommend them as registrars for domain names,


GoDaddy’s Suggestion For The Cause Of Their Hacks And Their Community Blog – Can You Smell The Irony?

Yesterday I blogged about the hacking situation with GoDaddy hosting and a customer service call I had with them concerning some evidence I had found. While it is true that as this has progressed GoDaddy has widened their scope in investigating what the underlying cause of these hacks is, initially they claimed that the issue was with their customers running outdated versions of WordPress. While being wrong about something like that is usually not that big of a deal, in this particular instance it proved to be beyond irksome, since a large portion of their customer base were told that it was their own fault that their sites got hacked (even in cases where the customer was up to date), and that GoDaddy was in no way to blame:

WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way. – Alicia from GoDaddy

From what I have read around the web customers were being told that it was not GoDaddy’s responsibility to fix the sites, that they only offered “limited support” in situations like this, leaving people with only the option of restoring from a backup (which would often not help even in outdated WordPress hack situations, since hacks can go undetected for months) or hiring outside help to clean things up.

You can see on the support page they have set up, What’s Up with Go Daddy, WordPress, PHP Exploits and Malware? that they still claim that outdated scripts are part of the problem. Going to that page and viewing the source reveals something almost unbelievable:

GoDaddy outdated software...?

That’s right, in a classic “do as I say, not as I do” twist it seems that GoDaddy is in fact running an older version of WordPress (WordPress MU, based on the version number, which has the same security holes as regular WordPress) for their community blog that they are using to tell people to upgrade their WordPress versions.

To be fair, simply having an older version of WordPress does not mean that it is automatically insecure… the security fixes in the more recent versions may be minor and the known vulnerabilities might have been manually patched. I can’t know without actually digging deeper and looking if in fact the installation was vulnerable.

Then again… neither can GoDaddy in the case of their customers.

Hosting With GoDaddy? Might Want To Rethink That Decision.

One of the services I offer people is cleaning their WordPress installations of hacks and infections, mostly for those who might not have the time or technical expertise to follow my hacked WordPress cleaning guide. Therefore when something happens that increases the number of people getting hacked, such as when a new exploit is discovered, or a security hole in a large host starts getting exploited (like what happened with Network Solutions last month), I get an increase in the number of people requesting help cleaning things up. This month it started happening with a large number of GoDaddy customers.

When it first started to happen I did some searching around, and noticed that there was some discussion going on about the heightened GoDaddy hacking activity, but at that time everything I read that stated the problem was with GoDaddy customers all had roots pointing back to a single post on a company blog that didn’t offer enough details for me to really see why it was happening there and not other places. Not that WordPress sites on other hosts weren’t still getting hacked, but there has definitely been a higher concentration of instances on GoDaddy. GoDaddy was definitely aware of the issue, and even replied in some threads on the WordPress.org help forum:

GoDaddy.com did send out a notification to customers affected by this issue. Although I know you would prefer not to be linked, I want to avoid flooding the forum. For a step-by-step guide to update WordPress, please visit http://fwd4.me/NGN – Alicia from GoDaddy.com

The link to their “step-by-step guide” to updating WordPress turns out to be nothing more than a link back to WordPress’ own guide to upgrading, and links on how to back up your stuff on GoDaddy. Decidedly not step-by-step imo, and in this case not all that helpful. If the reason your site gets hacked is due to you running an older, insecure version of WordPress, once that happens simply upgrading will not fix the issue. This seems to me to be a bit of a lame response to a serious issue coming from a company that bills itself as the “World’s largest Hosting Provider”.

GoDaddy keeps insisting that the problem is due to outdated WordPress installations, and that staying up to date and site security is the responsibility of the customer, not of GoDaddy. In one sense I completely agree with them. If you run an older version of WordPress that has known security holes in it (i.e. pretty much all versions aside from the most recent) then the odds are that you are going to get hacked. Most of the clients I cleaned from GoDaddy so far were up to date, running version 2.9.2, but this still didn’t mean that it was GoDaddy’s fault, since it is possible for a site to get hacked and no signs show up for months. This means that the sites I was cleaning could potentially have had the hack from an older version, and it only became apparent some time after they upgraded.

The problem is that after doing some very thorough clean up jobs (i.e. wipe and reinstall), and making sure the clients were up to date, all passwords changed, all image files verified as actual images, clean WordPress, clean theme, clean plugins, and hand cleaning the database, I had clients still getting re-hacked.

One client I had was having issues with funky characters in his posts. He would make the post, everything would be fine, and then the next day they would be converted in a way that would make them display as unicode. This was well after I had done my cleaning, and no one should have made any changes to the database since then. My assumption was that GoDaddy themselves were making changes, possibly security upgrades related to the recent hacking waves, and I figured that calling them to see what they had done would be the best bet. In preparation for this I went ahead and logged into the client’s account, and ftp’d into the server just to make sure everything looked like it was in place still. As soon as I did I saw that about 30 minutes before a brand new, non-WordPress, oddly named php file had been dropped into my client’s site.

I downloaded the file and looked at it. I suddenly realized that this was the source file for all of the hacks that were happening. It was named “plan_erich.php”, and had a similar eval(base64_decode( instruction at the top of the file. I modified the code to be able to decrypt it safely, and looked through the output (which you can view here). The script was designed to delete itself as soon as it ran:


$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);
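One way to look inside an eval(base64_decode( wrapper like this without running any PHP is to peel the layers off as plain text. This is an added example, not code from the original post or from the dropped file: the two-layer sample is constructed around the two lines quoted above, and the self-delete check is a simple heuristic assumed for illustration.

```python
import base64
import re

# eval(base64_decode('...')) wrapper, as described at the top of the dropped file.
WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)
# Heuristic (assumption of this example): a script that references its own path
# and also calls unlink() is treated as self-deleting.
SELF_PATH = re.compile(r"SCRIPT_FILENAME|__FILE__")
UNLINK = re.compile(r"@?unlink\s*\(", re.IGNORECASE)


def peel_layers(php_source, max_layers=10):
    """Decode nested eval(base64_decode()) wrappers as text; nothing is executed."""
    text, layers = php_source, 0
    while layers < max_layers:
        match = WRAPPER.search(text)
        if match is None:
            break
        payload = "".join(match.group(2).split())  # drop line breaks in the literal
        try:
            decoded = base64.b64decode(payload, validate=True)
        except ValueError:  # not valid base64: leave the remainder untouched
            break
        inner = decoded.decode("utf-8", errors="replace")
        # Splice the decoded text back in place of the wrapper it came from.
        text = text[:match.start()] + inner + text[match.end():]
        layers += 1
    return text, layers


def self_deletes(php_text):
    """True if the decoded text both names its own path and calls unlink()."""
    return bool(SELF_PATH.search(php_text) and UNLINK.search(php_text))


def build_sample():
    """Constructed two-layer sample wrapping the two lines quoted in the post."""
    inner = '$z=$_SERVER["SCRIPT_FILENAME"];\n@unlink($z);'
    for _ in range(2):
        inner = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    return "<?php " + inner + " ?>"


if __name__ == "__main__":
    plain, depth = peel_layers(build_sample())
    print(depth, "layer(s) removed")
    print(plain)
    print("self-deleting:", self_deletes(plain))
```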

Finding this script before it was triggered and deleted itself was raw luck. Catching this file gave a great opportunity to actually track down how these hacks are occurring, and possibly would leave clues that GoDaddy could use to keep it from happening again. Looking at the owner/creator of the file, and matching that timestamp up with the various logs (ftp, ssh, http, mysql, etc) could give GoDaddy the information needed to figure out how the file really got there, instead of just guessing that WordPress was the issue. I have never seen a file like this before, and searching Google for the name yielded no results, so there really was no other information out there available on this. Finding it there was a little like hitting the lottery in that respect, random and very, very good luck.
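The timestamp matching described above can be sketched as follows. This is an added example, not something from the original post or from GoDaddy: the log lines, addresses, user name and times are all constructed, only the FTP xferlog and Apache access-log formats are handled, and every timestamp is assumed to be server-local wall-clock time.

```python
import re
from datetime import datetime, timedelta

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
XFERLOG_TS = re.compile(r"^(\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) ")


def parse_time(source, line):
    """Pull the timestamp out of one log line; None if the line does not parse."""
    if source == "http":
        m = APACHE_TS.search(line)
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None
    if source == "ftp":
        m = XFERLOG_TS.match(line)
        return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None
    return None


def correlate(file_name, file_mtime, logs, window=timedelta(minutes=5)):
    """Return log entries within `window` of the file's mtime, best leads first."""
    hits = []
    for source, lines in logs.items():
        for line in lines:
            ts = parse_time(source, line)
            if ts is None:
                continue
            delta = (ts - file_mtime).total_seconds()
            if abs(delta) <= window.total_seconds():
                hits.append({"source": source, "delta_s": int(delta),
                             "names_file": file_name in line, "line": line})
    # Entries that name the file come first, then the closest in time.
    hits.sort(key=lambda h: (not h["names_file"], abs(h["delta_s"])))
    return hits


# Constructed sample data (documentation-range addresses, made-up times).
FILE_MTIME = datetime(2010, 5, 10, 14, 1, 59)
SAMPLE_LOGS = {
    "ftp": [
        "Mon May 10 09:15:02 2010 1 198.51.100.20 10482 /html/wp-content/uploads/photo.jpg b _ i r siteowner ftp 0 * c",
        "Mon May 10 14:01:58 2010 1 203.0.113.7 4821 /html/plan_erich.php b _ i r siteowner ftp 0 * c",
    ],
    "http": [
        '198.51.100.20 - - [10/May/2010:13:40:11 -0700] "GET /index.php HTTP/1.1" 200 5120',
        '203.0.113.7 - - [10/May/2010:14:03:30 -0700] "GET /plan_erich.php HTTP/1.1" 200 17',
        '198.51.100.33 - - [10/May/2010:14:04:10 -0700] "GET /feed/ HTTP/1.1" 200 2048',
    ],
}

if __name__ == "__main__":
    for hit in correlate("plan_erich.php", FILE_MTIME, SAMPLE_LOGS):
        print("%-4s %+5ds %s" % (hit["source"], hit["delta_s"], hit["line"]))
```

In the constructed data the closest entry is an FTP upload one second before the file's modification time, which is the kind of lead that points at a stolen credential or a server-side problem rather than at the blogging software.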

The problem, however, is that GoDaddy didn’t seem to care. I called and explained to the woman I spoke with exactly what it was that I found and how it could be useful. I told her that matching up that file to the logs could yield some potentially valuable information. She did listen carefully, and I am pretty sure she understood what I was saying, because she asked if she could put me on hold to go talk with someone who might know more. She came back and informed me that she didn’t have permission to look at those logs.

I explained again, in a little more detail, why looking at the section of those logs was very important, and if she didn’t have permission could she please escalate the ticket to someone who did. Again, she put me on hold. This time she came back and told me that they were uninterested in escalating it.

At this point I was a teensy bit amazed at GoDaddy’s lack of concern with the issue. She very kindly informed me that the issue was that the client was running an older version of WordPress, and that we needed to upgrade. Wtf? I went and looked, and made sure that he was indeed still running the 2.9.2 version that I had installed over a week ago (and remember, he was running that version before I ever did anything), and he was. I told her that. She told me that no, she was looking at what the hosting control panel said, and that he was running version 2.6.

That was when it struck me… GoDaddy was claiming that this wave of WordPress hacks was due to clients not upgrading without even bothering to really look at the clients’ sites. The hosting control panel can only report what was installed via the hosting control panel itself. If a client pushes the button to upgrade WordPress from within the WordPress admin section then the hosting control panel will never know.

As amazing as it seems, apparently the entire GoDaddy technical support team is ignorant of this fact. That’s right… the “World’s largest Hosting Provider” doesn’t understand the very basics of how the world’s largest blogging platform works.

Something, probably a hosting configuration, is allowing GoDaddy customers to have their sites hacked, and it isn’t file permissions, insecure passwords, or out of date software. Not being willing to even look when a developer calls to tell you that they found something is completely unacceptable. My suggestion to all GoDaddy hosting customers: bail now, before something happens to your site. This is not a WordPress issue only… although it seems to have targeted WordPress customers first, all sites that use php are at risk. Personally for shared hosting I recommend Hostgator, because I love their tech support (and their servers are very robust), but there are plenty of hosts out there to choose from (Disclosure: I changed the previous link to an affiliate link, although if you’d rather purchase hosting from them without giving me credit that’s fine too, here is a clean link for you: HostGator).

Bob Parsons, I am sorry. Hot chicks and a strong tits and ass marketing campaign do not make up for apathy in matters of client security and well being.

Amazon Confirms: Shortened URL’s *Are* Allowed On Facebook and Twitter

Last week there was some commotion over the fact that it was being reported that Amazon.com was refusing to pay affiliates if they used url shortening services to post affiliate links on social media sites such as Facebook or Twitter. This actually makes no sense from a business perspective, since it would discourage people from sending traffic to Amazon using some of the most popular communication mediums that are out there today.

I decided to go through the affiliate operating agreement myself to see


Google Lowers The Bar On Customer Service Yet Again

Can Google customer service get with the times? For the second year running Fortune magazine has named Google (GOOG) as the #1 place to work for in America. Their article last year states that Google “sets the standard for Silicon Valley: free meals, swimming spa, and free doctors onsite. Engineers can spend 20% of time on independent projects. No wonder Google gets 1,300 résumés a day.” Now, I don’t know about you, but to me numbers like that mean Google doesn’t have to simply settle when hiring employees… they literally can pick and choose from the cream of the crop who does and who does not work for them.

In fact, according to Google themselves,
