Slashdot Mirror


Massive Number of GoDaddy WordPress Blogs Hacked

A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.

112 comments

  1. I like their commercials by BadAnalogyGuy · · Score: 5, Funny

    Their hosting services are pretty spotty, from what I've heard. On the other hand, they have commercials that really appeal to me.

    The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/

    Goddamned Perl strikes again.

    1. Re:I like their commercials by Locke2005 · · Score: 2, Insightful

      Unless you've got a Danica Patrick fetish, there is a lot better porn than GoDaddy commercials available for free on the 'net. But then, I think anybody that selects GoDaddy for hosting without googling for the many complaints about their service probably deserves anything they get.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:I like their commercials by WrongSizeGlass · · Score: 2, Informative

      The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/

      I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warnings I sent.

      I wonder if infected sites should be held accountable for PC's that get infected. Luckily I wasn't running Windows so the Setup_422.exe that downloaded was harmless.

    3. Re:I like their commercials by BadAnalogyGuy · · Score: 0, Offtopic

      I don't have the internet, you insensitive clod.

    4. Re:I like their commercials by Anonymous Coward · · Score: 1, Interesting

      I bet they're really glad they switched to Windows server a few years ago after Microsoft paid them to do so.

    5. Re:I like their commercials by ircmaxell · · Score: 3, Interesting

      I wonder if infected sites should be held accountable for PC's that get infected.

      I wonder if Godaddy should be held accountable for PC's that get infected. After all, it was on their servers, and they have the power to either pull the plug on the affected server(s) or to roll back backups (assuming they take backups). Considering this is a mass attack, does it imply that a weakness in their servers allowed the attack (As in one site was compromised, and the attacker gained access to the entire server through that one site)? If so, Godaddy is absolutely responsible. In fact, I would think they'd be liable to both the end users (people who got infected) and their customers for not adequately protecting them and affecting their reputation (Just take down the server already)...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    6. Re:I like their commercials by WrongSizeGlass · · Score: 2, Interesting

      It looks like the 'WP Admins' (if that's what we're calling them) used weak passwords for their hosting account, FTP and/or DB, used 'Admin' username and possibly even used the same password for all of them. Rocket surgery, indeed!

    7. Re:I like their commercials by Yvan256 · · Score: 1

      How is that supposed to be a bad analogy, guy?

    8. Re:I like their commercials by Bearhouse · · Score: 1

      Looks like they did not take their own advice, then.

      http://help.godaddy.com/article/2653

      It's amazing how often 'Admin' etc. works...the other day I was invited by a CIO to take a look at their security (which he thought was great; they'd actually done a pretty good job).
      Since they were in the middle of rolling out their new 'secure' portal, I tried 'demo' and 'demo'...worked fine, and with full access rights too...Oops

    9. Re:I like their commercials by elysiana · · Score: 5, Insightful

      You know, a while back a friend of mine told me he had bought hosting at GoDaddy and was wondering if I'd help set up a site for him. I told him I wouldn't touch it until he got a better host, and he was shocked. His reaction was roughly, "What do you mean they're not reputable? They had Super Bowl commercials and everything!" Apparently people think that if a company spends millions on advertising, they must be upstanding.

      I worry.

    10. Re:I like their commercials by Lumpy · · Score: 4, Insightful

      No it's a weakness of Wordpress, AND weak passwords.. Honestly, why is everyone all up in arms when a bunch of N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?

      This is as much go-daddy's fault as a drunk driver's crash is Ford's fault.

      If you want a blog and not be a site admin then get it from http://wordpress.org/hosting/ and not worry about it. Otherwise don't come whining because you went for the lowest dollar hosting and are surprised that the cheap guy is not going to update your software for you.

      --
      Do not look at laser with remaining good eye.
    11. Re:I like their commercials by Anonymous Coward · · Score: 0

      umm... that's .pl as in Poland, not perl. I couldn't tell if that was sarcasm though.

    12. Re:I like their commercials by hierophanta · · Score: 1

      welcome your capitalistic lords. these are the tools of their trade

    13. Re:I like their commercials by Anonymous Coward · · Score: 0

      No it's a weakness of Wordpress, AND weak passwords.. Honestly, why is everyone all up in arms when a bunch of N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?

      This is as much go-daddy's fault as a drunk driver's crash is Ford's fault.

      If you want a blog and not be a site admin then get it from http://wordpress.org/hosting/ and not worry about it. Otherwise don't come whining because you went for the lowest dollar hosting and are surprised that the cheap guy is not going to update your software for you.

      That's funny you post that link. Maybe you should visit it yourself as it has a link to godaddy as approved wordpress hosting.

    14. Re:I like their commercials by MobyDisk · · Score: 1

      You are assigning the responsibility to the wrong person.

      No it's a weakness of Wordpress, AND weak passwords

      Do we know that this was because of a weakness in wordpress, or a weak password?

      If N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance.

      If someone makes a one-click install, and it has security holes in it, then it is not the fault of the user for using the one-click install. It is the fault of the creator of that install.

      This is as much go-daddy's fault as a drunk driver's crash is Ford's fault.

      It probably would be Ford's fault if they had a one-click button that dispensed alcohol to the driver while the vehicle was moving. Why should an end-user have to be a security expert in order to have a blog?

    15. Re:I like their commercials by Anonymous Coward · · Score: 0

      Where is it stated that a WordPress vulnerability facilitated the attacks?

    16. Re:I like their commercials by Anonymous Coward · · Score: 0

      you do realize that your link gives godaddy as a recommended host, right? all those are one-click installs.

      if you want to not worry, go to http://www.wordpress.com
      you lose out on a lot of customizing, but don't have to worry about updates.

    17. Re:I like their commercials by Locke2005 · · Score: 4, Funny

      Apparently people think that if a company spends millions on advertising, they must be upstanding.

      Explain to them that Enzyte and ExtenZe also spend millions on advertising... upstanding indeed!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    18. Re:I like their commercials by conspirator57 · · Score: 1

      social darwinism is not limited to capitalist economies. i herd u liek bread lines. troll.

      --
      "If still these truths be held to be
      Self evident."
      -Edna St. Vincent Millay
    19. Re:I like their commercials by Anonymous Coward · · Score: 0

      GoDaddy is listed on that linked site as one of the "don't worry about it" hosting providers...

    20. Re:I like their commercials by Anonymous Coward · · Score: 0

      What are your top 3 hosting sites for comparable prices? ($10-15 per month). I'm not a web developer, but have set up a few simple sites for friends in the past. My searches for web hosting always seem to turn up things targeted to professionals (read: expensive) or shady looking sites.

    21. Re:I like their commercials by rjstanford · · Score: 1

      It's hard to go wrong with Dreamhost. Not perfect, of course, but very good value for very little money, and they've been around forever.

      --
      You're special forces then? That's great! I just love your olympics!
    22. Re:I like their commercials by Bryansix · · Score: 1

      I worry more. Apparently people think companies are NOT upstanding when they have no evidence whatsoever to support that. I for one have used GoDaddy for domains and hosting for three years and had no problems and found their customer service to be excellent in the one time I had to call them to upgrade MySQL versions.

    23. Re:I like their commercials by Khyber · · Score: 0, Troll

      "No it's a weakness of Wordpress, AND weak passwords.. "

      Proof and full code documentation required for your claim, please. Exact sections with comments.

      That's what I thought.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    24. Re:I like their commercials by Narcocide · · Score: 1

      Try out pair.com for basic stuff. If you're trying to do anything resembling real work, however (such as hosting commercial websites) you're going to want the physical hardware all to yourself and $10-15 simply isn't a reasonable price anymore. At that range ($75 and up) I'd recommend serverbeach.com but only if you know what you're doing.

    25. Re:I like their commercials by Anonymous Coward · · Score: 0

      it's like he had internet

    26. Re:I like their commercials by Kvasio · · Score: 1

      in Europe a very competitive hosting is provided by OVH.
      Depending on the language version you may get quotes in GBP or EUR, but despite that you should be able to purchase it from USA.

    27. Re:I like their commercials by Khyber · · Score: 1

      Troll mod away, guys! I want proof of this. If the guy can't back up his claim he really shouldn't be speaking about it. he can rationalize it all he wants but until he provides exact details, what is said is pure hyperbole and conjecture.

      Have fun cracking my password. Going to have to figure out which three languages it's in first, then which words I'm using, and even version of the word in the case of one of the languages!

      And then there's another 16 non-alphanumeric characters. Completely RFC3629 compliant, so it doesn't get rejected.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    28. Re:I like their commercials by ircmaxell · · Score: 1

      If the guy can't back up his claim he really shouldn't be speaking about it.

      I agree 100%. My OP was pure speculation, and I noted it as such. Based on TFA, there were no details about how the attack took place, so we are only left to assume. And in my experience, most times when thousands of hosts on a single server are attacked (and no word of attack on other servers), it's typically the result of a flaw in that server. That's why I made my original statement. I have no proof other than my past experience investigating attacks for an open source project... At least I labeled my thoughts as conjecture...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    29. Re:I like their commercials by Khyber · · Score: 1

      I was asking for proof from Lumpy, not you.

      Lumpy made the nonsense claim.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    30. Re:I like their commercials by Anonymous Coward · · Score: 0

      Not true. My simple PHP site hosted on Godaddy was also hacked. It's not just WordPress sites. And I seriously doubt that the problem was weak passwords.

  2. What? by Anonymous Coward · · Score: 0

    I find all of my own sites via Google you insensitive clod!

  3. In Brazil by Monkeedude1212 · · Score: 0

    Google is also responsible for the hacking because they made themselves available to be referred.

  4. Inconceivable! by eldavojohn · · Score: 4, Funny

    But but when I registered for a hosting service on GoDaddy, their commercial led me to believe that even stripping sexy models use GoDaddy so how could something like this happen to such a reputable and honest company?!

    --
    My work here is dung.
    1. Re:Inconceivable! by Thanshin · · Score: 2, Funny

      their commercial led me to believe that even stripping sexy models use GoDaddy

      I don't really follow your line of reasoning. You want to use the same things stripping sexy models do?

      So before GoDaddy you went for coke and rich old guys?

    2. Re:Inconceivable! by jemtallon · · Score: 2, Funny

      You keep using that word. I do not think it means what you think it means.

    3. Re:Inconceivable! by elrous0 · · Score: 3, Insightful

      It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that. I'm not sure what they were trying to accomplish by running commercials more appropriate to Hooter's or a strip club chain. But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    4. Re:Inconceivable! by thijsh · · Score: 3, Funny

      What makes you believe the stripping sexy models weren't already infected to begin with? ...

    5. Re:Inconceivable! by Anonymous Coward · · Score: 1, Insightful

      But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

      The Internet is serious business!

    6. Re:Inconceivable! by igaborf · · Score: 3, Funny

      Wait, those commercials were selling something? I never noticed.

    7. Re:Inconceivable! by Hatta · · Score: 4, Insightful

      That probably was their strategy. McDonalds doesn't get a lot of business from serious diners, but they're not doing too badly. There's a lot of money to be made catering to the general public who's too ignorant to know good service from bad.

      --
      Give me Classic Slashdot or give me death!
    8. Re:Inconceivable! by Anonymous Coward · · Score: 0

      It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that. I'm not sure what they were trying to accomplish by running commercials more appropriate to Hooter's or a strip club chain. But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

      It's a reflection of the owner, that dude scores mad booty

    9. Re:Inconceivable! by vlm · · Score: 0, Flamebait

      There's a lot of money to be made catering to the general public who's too ignorant to know good service from bad.

      Their service is great, it just works 100%. Renewed my domain for ten years back in '05, expires in 2015. Never a problem. The service they provide to me is pointing my domain name to my dns servers, that's all. I have no idea how much or little their other services may or may not suck, but it's kind of pointless, like comparing the quality of the bottled apple juice at walmart to the quality of the hunting rifle ammo at walmart...

      Now their marketing website currently looks like a very bad parody of an early tween-ager myspace page. And I've heard bad things about their customer service, but I'll only interact with them via website once per decade, so that puts them lightyears ahead of most major companies.

      McDonalds would never survive if the average customer only visited once a decade, I'm missing the point of the endless stripper ads on TV.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    10. Re:Inconceivable! by Anonymous Coward · · Score: 1, Insightful

      The point is that not everyone has the same needs as you do. Most people talk to their hosting companies more than once per decade. For anyone who is with GoDaddy and has to talk to them often, it's rather painful.

    11. Re:Inconceivable! by EMG+at+MU · · Score: 0, Offtopic

      What's with the dig at McDonald's customers?
      Wanting a burger and fries in less than 5 min for less than 5$ != ignorant.
      Wanting a website for less than 9$/month != ignorant.
      Characterizing people that go to McDonald's as ignorant == ignorant.
      Everyone knows fast food isn't fine dining, and that godaddy isn't business-grade web hosting. That doesn't mean there is no reason besides ignorance for using McDonalds and godaddy.

      BTW, I have seen some very serious eaters at McDonalds.

    12. Re:Inconceivable! by lwsimon · · Score: 2, Funny

      Did you renew for 10 years by chance because it took so long for their admin panel to load, you didn't want to have to do it again any time soon?

      --
      Learn about Photography Basics.
    13. Re:Inconceivable! by Hatta · · Score: 1

      You'd have to be ignorant to consider what McDs sells a burger. Even if you don't care about quality, the value (quality per price) at McDs is much worse than average. Go spend $6 at Hardees instead of $5 and you get a burger that's worth a lot more than 120% of that greaseball McDs sells. If all you care about is price, go to Taco Bell and spend $3 and get just as many calories. On all 3 counts, quality, price, and quality:price ratio, McDonald's fails.

      --
      Give me Classic Slashdot or give me death!
    14. Re:Inconceivable! by Daniel_Staal · · Score: 1

      I'd figure they probably have to have pretty good web servers, just to handle the amount of traffic...

      --
      'Sensible' is a curse word.
    15. Re:Inconceivable! by hierophanta · · Score: 1

      I believe their goal was to make their name well known (a.k.a. brand recognition). They did this by any means necessary and it worked. Ask anyone (who does not work in the field) to name a website hosting / registration company and it is likely to be GoDaddy.
      Ask for a second one and I would be very surprised if you can get a response.
      Brand positioning on the other hand; well it leaves much to be desired (all sorts of puns intended)

      http://en.wikipedia.org/wiki/Positioning_(marketing)
      http://en.wikipedia.org/wiki/Brand_recognition

    16. Re:Inconceivable! by elrous0 · · Score: 1

      As long as his shareholders are okay with him treating the company as a means of indulging his "Girls Gone Wild" fantasies, instead of treating it as a serious business, I suppose that's their prerogative. Personally, I would be embarrassed by the whole thing.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    17. Re:Inconceivable! by FuckingNickName · · Score: 1

      Was it because they were advertising in a direct, in-your-face, honest way that you were bothered? Would you have preferred dulcet tones to make it sound like the company cares for you? Or a pretentious douche mocking a fat guy on a white background? Or do you just feel religious guilt when you see a scantily clad woman?

      I mean, a serious customer cares for service that's good enough at a price that's affordable, no? Why would he care what adults voluntarily do in a marketing production?

    18. Re:Inconceivable! by tsm_sf · · Score: 1

      It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that.

      It was their decapitation of seclists that did it for me. The only things that differentiate DNRs and hosts from each other are reliability and customer service, and Godaddy proved to be awful at both. They are simply off the table for a lot of admins, it seems.

      I'd really like to see some kind of registrar co-op, where the person registering the name is able to take complete liability for and ownership of their domain. Does such a thing exist?

      --
      Literalism isn't a form of humor, it's you being irritating.
    19. Re:Inconceivable! by u38cg · · Score: 1

      MacDonald's provide an unbelievably good service. They serve something like half a billion Big Macs a year and vanishingly few of them contain cockroaches or dead rats or severed employee fingers. I'd like to see you do better ;)

      --
      [FUCK BETA]
    20. Re:Inconceivable! by GPLHost-Thomas · · Score: 1

      Are you talking about issues like these? http://nodaddy.com/

  5. No, Dad! No! by Anonymous Coward · · Score: 0

    http://plif.courageunfettered.com/archive/wc134.gif

  6. Don't put any details in the post or anything... by gimmebeer · · Score: 1

    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later. Apache/1.3.33 Server at blogcastfm.com Port 80

  7. Wow by koan · · Score: 0, Offtopic

    China is still punishing Google huh?

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Wow by phantomcircuit · · Score: 2, Interesting

      Wordpress the opensource Blogging software, not wordpress.com the hosted blogging provider.

      This attack did not target Google at all. Whoever modded you interesting failed.

    2. Re:Wow by Anonymous Coward · · Score: 0

      Don't be bitter...

    3. Re:Wow by Anonymous+Bullard · · Score: 1

      China is still punishing Google huh?

      If by China you're referring to the ruling Communist Party dictatorship, then sure they are.

      Incidentally "GoDaddy also withdrew from China" around the same time, mainly due to the new (now more and better) draconian registration rules for individuals wishing to operate their own domains.

      My hat's off for both of them for not collaborating with that regime's repressive policies.

      --

      Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

  8. 403 error by Anonymous Coward · · Score: 0

    better than my 403 "You don't have permission to access" error.

  9. Possible mirror; by Mouldy · · Score: 1

    Click

    I couldn't get on the article linked in the summary, but I found this in google which is probably the same thing. It's nearly 2 months old, but that's not reason enough for it not to be on ./

  10. Revenge of the Nerds V: Shameless by MoldySpore · · Score: 1

    Well, I suppose it was only a matter of time before those nerds got their revenge.

    --

    "I hope you know how very lucky you are to know me, because I am so incredibly incredible."

  11. This weekend, or two weeks ago? by devjoe · · Score: 4, Informative

    I found this story mentioning a similar incident regarding WordPress blogs, but it happened two weeks ago, rather than this weekend. The original site is slashdotted, so I can't tell if this is really the same incident or not.

    1. Re:This weekend, or two weeks ago? by mzs · · Score: 2, Interesting

      That one was likely different. In that earlier one the interesting bit was the use of a cookie. So you would only be redirected one time (if the cookie was not there).

    2. Re:This weekend, or two weeks ago? by Intron · · Score: 1

      There is also this article from March 2 about a Wordpress vulnerability.

      --
      Intron: the portion of DNA which expresses nothing useful.
    3. Re:This weekend, or two weeks ago? by kalirion · · Score: 1

      The permissions issue vulnerability allowing the attackers to hack the sites could very well be the same, even if what they do after gaining access to the accounts is different.

  12. Re:Don't put any details in the post or anything.. by Anonymous Coward · · Score: 0

    It's now 403'd.

  13. Slashdotted to death. by gimmebeer · · Score: 4, Funny

    Who needs viruses and chinese hackers to take down blog sites when you can just use slashdot?

    1. Re:Slashdotted to death. by Yvan256 · · Score: 1

      Are you saying that the Chinese own Slashdot or that we're all viruses?

      Wait, don't answer that...

  14. Only php4 users affected by Anonymous Coward · · Score: 2, Informative

    Well you're asking for trouble running php4.
    It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
    http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

  15. were just thinking of the chilren by Anonymous Coward · · Score: 0

    ....

  16. Network Solutions had a similar thing by Anonymous Coward · · Score: 4, Informative

    happen about a week ago, though I believe they indicated their FTP accounts had been hacked.

    http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/

    It was annoying, but I just restored from the prior day's backup and went on. I only had one FTP account and a strong password and mine got hit.

    1. Re:Network Solutions had a similar thing by Lumpy · · Score: 4, Insightful

      there is no such thing as a strong password on a FTP account.

      If you did not upgrade to SSH and SFTP from your control panel then you should not be managing a hosting site.

      --
      Do not look at laser with remaining good eye.
    2. Re:Network Solutions had a similar thing by Anonymous Coward · · Score: 0

      What is more likely? Getting your password sniffed by a major ISP who backhauls your packets
      or having a rogue program running on your workstation that scarfs up the password as you type
      it into your ftp cli program or monitors your gui version of a ftp client?

      I know which is more common. ssh/sftp will not make a lick of a difference
      and if you think there is such a thing as a strong password with ssh/sftp you should probably
      not be managing a hosting site.

  17. We reported this to them on 3/11 by isThisNameAvailable · · Score: 4, Informative

    One of our departments decided to do their own thing and host a site on GoDaddy. Not sure if it was Wordpress or not, but the same thing happened to them. We reported it back on 3/11 and moved the site. Way to get in front of this thing GoDaddy! Oh, and it wasn't just Google. Referrers from Bing and Yahoo would redirect to the same link spam page.

  18. Re:Don't put any details in the post or anything.. by Anonymous Coward · · Score: 0

    They put in a new exploit that only executes when the traffic is referred by Slashdot.

  19. Google? by indre1 · · Score: 1

    I'm not coming from Google but the given link gives me 403 (Forbidden)!

  20. umm.. by PPNSteve · · Score: 1

    Now you know why we all call it "NO DADDY" lame hosting by lamer people.

    --
    PPN
  21. no mention of google by mzs · · Score: 2, Informative
    1. Re:no mention of google by mzs · · Score: 1

      Using google I was able to get the original post (it's pretty worthless, I think it linked to a podcast):

      When arriving from Google, a hacked website will redirect to http://www2.burnvirusnow34.xorg.pl/. The good news is this attack appears to be based only on your actual files not your database. That's relatively easy to clean up. In GoDaddy you should be able to revert to an old version of your files (Go to April 23rd or before and you should be fine)

    2. Re:no mention of google by arth1 · · Score: 1

      Considering that this is linked to from TFA, well, no shit, Sherlock!

    3. Re:no mention of google by mzs · · Score: 1

      When I posted that the site would 403.

  22. Well, well, well by Anonymous Coward · · Score: 0

    Clever and devious

    Often no difference between these, is there.

  23. Anonymous Coward by Anonymous Coward · · Score: 0

    What's ironic is the link is to a wordpress blog hosted on godaddy's shared hosting servers. I guarantee you that the slashdot effect drove the CPU through the roof and one of the linux admins over there turned the site off, therefore 403 forbidden.

  24. Don't you mean the worst part? by DigitalReverend · · Score: 4, Funny

    The best part is that the exploit only executes when the traffic is referred by Google

    I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?

    --
    I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
    1. Re:Don't you mean the worst part? by H0p313ss · · Score: 1

      Whose side are you on?

      The most exciting side.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    2. Re:Don't you mean the worst part? by rdnetto · · Score: 1

      The best part is that the exploit only executes when the traffic is referred by Google

      I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?

      Depends on your definition of hacking. At the very least you'd have to give them points for creativity.

      --
      Most human behaviour can be explained in terms of identity.
  25. Alt Link by MrTripps · · Score: 3, Informative

    Not sure if this is the same thing, but "Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific." http://www.ghacks.net/2010/04/12/wordpress-hack-terrifies-webmasters/

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
  26. Re:Don't put any details in the post or anything.. by TheDarAve · · Score: 2, Informative

    Posting a story on Slashdot is almost as bad as having a botnet DoS a site anyway. No exploit needed, just exploits of the common geek.

  27. Exploit by Anonymous Coward · · Score: 0

    Another version I removed from a friend's account last week was pointing to ninoplas.com. Strikingly similar result.
    First google link for wordpress ninoplas has a reasonable cleanup process if you have ssh access.

  28. Attacks against hosting providers by Animats · · Score: 1

    We noticed another attack against a hosting provider recently, but it wasn't GoDaddy; it was ThePlanet, or at least someone who uses their IP block. A number of phishing sites suddenly appeared on our list, and we noticed they all mapped to the same server. Multiple domains on the same server were all hosting the same phishing attack.

    Annoyingly, the domain registration for the server's main domain ("websitewelcome.com") was "private". That's actually part of HostGator's system; there's no reason it should have "private registration". It just makes it harder to find the responsible party.

  29. cPanel Sites? by lymond01 · · Score: 1

    Have a friend who had the same situation but on a different ISP. I believe both GoDaddy and this other ISP use cPanel for access and content control. And the issue only occurred when referred from Google. I perused his site's code but couldn't find anything that stood out. I'm not even sure how the virus is activated (people would visit his site from a Google redirect and their antivirus would cry foul).

  30. regexp iframe by Anonymous Coward · · Score: 0

    regexp iframe

    done

  31. Linux servers only? by Anonymous Coward · · Score: 0

    Actually, this source says that it is only the LINUX servers that have been compromised so far.

    1. Re:Linux servers only? by Anonymous Coward · · Score: 0

      Actually, this source says that it is only the LINUX servers that have been compromised so far.

      so not only does root have a password, the password is toor

  32. Uh, Ok... by greymond · · Score: 1

    After reading the article it said that some of the Wordpress Blogs hosted by GoDaddy were hacked, but that the issue/vulnerability wasn't on GoDaddy's side.

    I took a look at the source of my files after logging into the admin area, as well as did a find on the directory of the files for the malicious code from the article and I can't seem to find the script anywhere nor am I experiencing any issues of any kind.

    The article didn't mention what type of WP accounts were hacked either...which brings up a question in my mind...

    I'm using WordPress 2.9.2. I have MySQL 5.x and PHP 5 on as well. Do we know if this is something that just hit PHP 4 users of WP?

    The thing is, I only recently upgraded to PHP 5 because I am playing around with Drupal for another site of mine that will be hosted on the same server and I needed PHP 5, WP still runs on both PHP 4 and 5.

  33. Sadly nothing new with Wordpress by SnapperHead · · Score: 3, Informative

    I have been dealing with a large number of Wordpress installs in the past 2 years and I am here to tell you this is NOTHING new. This is a very common attack that is being used and it's hard as shit to find. Sometimes they embed it in Javascript, sometimes it's in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.

    There is also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers that if removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit but come on. It's leading to security issues across the board.

    The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attack manages to crack one install, they can't just attack another by going through the file system.

    Not trying to trash Wordpress here, it's just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.

    --
    until (succeed) try { again(); }
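The footer check described in the comment above ("look for a large base64 string"), as an added example that is not part of the original post. The sample footer, the `malware.example` host, and the names `scan_for_base64` and `SUSPICIOUS` are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample footer.php: the blob decodes to a hidden iframe tag.
_HIDDEN = b'<iframe src="http://malware.example/x" width="1" height="1"></iframe>'
SAMPLE_FOOTER = (
    '<div id="footer"><?php wp_footer(); ?></div>\n'
    '<?php eval(base64_decode("' + base64.b64encode(_HIDDEN).decode() + '")); ?>\n'
)

# A run of 40+ base64 characters is long enough to hide markup or code.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# Markers worth a closer look once a blob has been decoded (assumed list).
SUSPICIOUS = (b'<iframe', b'<script', b'eval(', b'http://', b'https://',
              b'document.write')


def scan_for_base64(text):
    """Decode every long base64 run in text and report what it contains.

    A hit with an empty 'indicators' list is usually benign (a hash or a
    licence key); a hit that decodes to markup or a URL needs review.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            core = match.group(0).rstrip('=')
            padded = core + '=' * (-len(core) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 after all
            lowered = decoded.lower()
            hits.append({
                'line': lineno,
                'length': len(core),
                'wrapped_in_decode': 'base64_decode' in line,
                'decoded': decoded,
                'indicators': [s for s in SUSPICIOUS if s in lowered],
            })
    return hits


if __name__ == '__main__':
    for hit in scan_for_base64(SAMPLE_FOOTER):
        print(hit['line'], hit['indicators'], hit['decoded'][:60])
```

Run it over each theme's PHP and JavaScript files; the decoded text, not the blob, is what tells a credit link apart from an injected frame.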
    1. Re:Sadly nothing new with Wordpress by sholdowa · · Score: 1

      Your understanding of permissions is a bit off. What's the point of 701? 511/444 for files/dirs will perform just as well, and be logical too! If you want it really safe, then chattr +i, and ensure the partitions are mounted noatime. Obviously it'll be a pain to maintain the site, but the chances of it being hacked will diminish dramatically. Who said security was easy (:

    2. Re:Sadly nothing new with Wordpress by SnapperHead · · Score: 1

      Nope, it works perfectly. 1 is the execute bit, which when applied to a directory allows you to read a file from inside that directory ONLY if you know the absolute path to the file. However, since the parent is 701 you can't find out what that unique directory name is without already knowing it.

      Apache can read this because it's looking for index.php inside that vhost's DocumentRoot. Now, you might be asking ... well, just look at the vhost and grab the DocumentRoot from there. You can't, the directory that contains the vhost files is also set to root.root 700. Apache can read this at start up before it switches to a non-privileged user.

      Here, try this out:

      mkdir -p /web/blog1/abc/
      mkdir -p /web/blog2/def/
      mkdir -p /web/blog3/ghi/

      chmod 701 /web/blog1
      chmod 701 /web/blog2
      chmod 701 /web/blog3

      chmod 701 /web/blog1/abc
      chmod 701 /web/blog2/def
      chmod 701 /web/blog3/ghi

      touch /web/blog1/abc/index.php
      touch /web/blog2/def/index.php
      touch /web/blog3/ghi/index.php

      Now, try an ls of /web/blog1; you will get a Permission denied. You can't find out that unique directory name inside /web/blog1 without already knowing it, which Apache does. However, you can do a ls /web/blog1/abc/index.php

      Wordpress doesn't need to look at files inside those directories so it's ok. It also gets its current running (DocumentRoot) from PHP (which is being passed via environment variables) so everything works as normal.

      Even lsof won't show what directories are currently open. /proc won't list it either, as those files won't allow you to read about those processes as a non-privileged user.

      I am not quite sure what you are trying to accomplish security wise by mounting those with noatime. That's a performance benefit.

      --
      until (succeed) try { again(); }
    3. Re:Sadly nothing new with Wordpress by at.drinian · · Score: 1

      You are absolutely correct -- I was a victim of this attack despite using stock Wordpress, with all the latest updates applied. I would have never discovered it, either, if it weren't for Duke University's IT department (the blog was on their subdomain) being incredibly on-the-ball with security checks. Wordpress has unfixed security holes that are being exploited; people need to know!

  34. Er, by Anonymous Coward · · Score: 0

    WTF is 3/11? I'll guess you mean last November, but honestly I'm not sure. Is there a different secret handshake I'm supposed to read into that?

    Anyway, how is this GoDaddy's fault? So far it looks like dumb WordPress use -- is a budget host supposed to stay on top of updating the apps that clients place on their servers, and test them for strong passwords?

    1. Re:Er, by Anonymous Coward · · Score: 0

      Why wouldn't it be March 11, 2010?

  35. Has nothing to do with Godaddy by Bryansix · · Score: 1, Flamebait

    The assumption that GoDaddy is horrible and has horrible service is false. People make this assumption because they use sex to sell and they have low prices. People assume these two in combination also mean poor service and complete incompetence. This could not be further from the truth. Ask ANY technically minded person who has given GoDaddy a chance and they will tell you about the value of their inexpensive services and domain names. I have personally used them for 3 years running to host my website http://www.shezphoto.com/ with wordpress. I use their shared hosting economy plan which is like $3 a month if you pay for a year and I have had to call technical support to fix a problem zero times. I did call them one time to figure out how to migrate my WP database to the new version of MySQL and they emailed me explicit directions and they worked perfectly. Yes I installed using the "One click install" but I also have since then kept my WP install up to date and I have strong passwords on my admin accounts and my ftp and databases as well. You will notice I was not hacked.

    I also bought my domain name through them. I challenge all of you to find me a more reliable company who charges the same amount as GoDaddy for domain names. Plus GoDaddy isn't evil like Network Solutions is. NS will put a lock on a domain name you view through their website so you cannot then purchase it through another vendor for less. GoDaddy never does this. GoDaddy may try to up sell you but you can easily choose to ignore all of that and then you get a domain name for less than anywhere else that is purchased through a reputable and honest company.

    Why people trash GoDaddy all the time without ever having used them is beyond me. It's just childish. It's like saying "Eww Girls" because you find out they don't have penises. It's ok Slashdot... you can get over your fear of the unknown.

    1. Re:Has nothing to do with Godaddy by metaforest · · Score: 1

      You are seriously bucking the group-think around here.... hence getting modded to hell.

      Too bad.

      FWIW: I agree with your assessment. I have been very happy with GoDaddy's service as well.

    2. Re:Has nothing to do with Godaddy by Bryansix · · Score: 1

      Yep. I love faith in Slashdot's ability to promote independent thought every time I read an article like this and the comments it gets.

    3. Re:Has nothing to do with Godaddy by Bryansix · · Score: 1

      I mean "lose". Bad form, I know.

  36. The question is if GoDaddy is trustworthy. by Futurepower(R) · · Score: 1
    1. Re:The question is if GoDaddy is trustworthy. by Anonymous Coward · · Score: 0

      While your points about GoDaddy being trustworthy have merit, your assumption that being in favor of closing Gitmo means someone is pro-violence is intellectually dishonest and wrong, as there are many valid reasons for wanting it to stay open, such as not wanting the detainees out free to attack again. Even though it's likely some of them are innocent, it's basically certain that some or most of them are guilty, and someone's being in favor of keeping there is more anti-violence than anything else. Stop letting your emotions lead you to believe things that aren't true.

  37. referrers from search engines by Anonymous Coward · · Score: 0

    If it's only redirecting when referring from a search engine, then there's a .htaccess file up there that's doing it. Seen it loads of times, usually uploaded because someone either has a shit password, or they've been gumblar'd or something. Plus Wordpress's default permissions are absolute shit.
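A check for the kind of .htaccess the comment above describes (a redirect that only fires for search-engine referrers), as an added example that is not part of the original post. The sample file, the `malware.example` host, and the function name `find_referrer_redirects` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the stock WordPress block followed by an injected rule.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*google.* [OR,NC]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://malware.example/landing [R=301,L]
"""

COND = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(\S+)', re.I)
RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I)


def find_referrer_redirects(text, own_hosts=()):
    """Flag RewriteRules guarded by an HTTP_REFERER condition that send the
    visitor to an absolute URL on a host not listed in own_hosts."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            # RewriteCond lines accumulate until the next RewriteRule.
            pending.append((cond.group(1), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        referers = [pat for var, pat in pending if 'HTTP_REFERER' in var.upper()]
        pending = []  # conditions apply only to the rule that follows them
        target = rule.group(2)
        host = urlparse(target).hostname  # None for local substitutions
        if referers and host and host.lower() not in own_hosts:
            findings.append({'line': lineno, 'target': target,
                             'referers': referers})
    return findings


if __name__ == '__main__':
    for finding in find_referrer_redirects(SAMPLE_HTACCESS):
        print(finding)
```

Because the rule never fires for a direct visit, reading the file is more reliable than loading the site in a browser; check every .htaccess from the web root down, not just the top one.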

  38. Not a pretty picture. by Anonymous Coward · · Score: 0

    Worse than even an internal breach on a host is the tons of poorly secured and maintained and abandoned blogs out there. My guess is there has to be millions of WP "Bloggers" out there who don't have a single clue about security and maintenance. They just install a WP and a Theme and start yapping about the family dog or give out horrible tech advice.