Slashdot Mirror


Massive Number of GoDaddy WordPress Blogs Hacked

A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.

9 of 112 comments

  1. Re:I like their commercials by WrongSizeGlass · · Score: 2, Informative

    The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/

    I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warnings I sent.

    I wonder if infected sites should be held accountable for PCs that get infected. Luckily I wasn't running Windows so the Setup_422.exe that downloaded was harmless.

  2. This weekend, or two weeks ago? by devjoe · · Score: 4, Informative

    I found this story mentioning a similar incident regarding WordPress blogs, but it happened two weeks ago, rather than this weekend. The original site is slashdotted, so I can't tell if this is really the same incident or not.

  3. Only php4 users affected by Anonymous Coward · · Score: 2, Informative

    Well you're asking for trouble running php4.
    It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
    http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

  4. Network Solutions had a similar thing by Anonymous Coward · · Score: 4, Informative

    happen about a week ago, though I believe they indicated their FTP accounts had been hacked.

    http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/

    It was annoying, but I just restored from the prior day's backup and went on. I only had one FTP account and a strong password and mine got hit.

  5. We reported this to them on 3/11 by isThisNameAvailable · · Score: 4, Informative

    One of our departments decided to do their own thing and host a site on GoDaddy. Not sure if it was Wordpress or not, but the same thing happened to them. We reported it back on 3/11 and moved the site. Way to get in front of this thing GoDaddy! Oh, and it wasn't just Google. Referrers from Bing and Yahoo would redirect to the same link spam page.

  6. no mention of google by mzs · · Score: 2, Informative
  7. Alt Link by MrTripps · · Score: 3, Informative

    Not sure if this is the same thing, but "Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific." http://www.ghacks.net/2010/04/12/wordpress-hack-terrifies-webmasters/

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach

  8. Re:Don't put any details in the post or anything.. by TheDarAve · · Score: 2, Informative

    Posting a story on Slashdot is almost as bad as having a botnet DoS a site anyway. No exploit needed, just exploits of the common geek.

  9. Sadly nothing new with Wordpress by SnapperHead · · Score: 3, Informative

    I have been dealing with a large number of Wordpress installs in the past 2 years and I am here to tell you this is NOTHING new. This is a very common attack that is being used and it's hard as shit to find. Sometimes they embed it in Javascript, sometimes it's in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.

    There is also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers so that if it is removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit but come on. It's leading to security issues across the board.

    The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attack manages to crack one install, they can't just attack another by going through the file system.

    Not trying to trash Wordpress here, it's just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.

    --
    until (succeed) try { again(); }
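The two checks SnapperHead describes in comment 9, looking for large base64 strings (and the decode-and-execute wrappers usually around them) in theme PHP/JS files, and confirming that only wp-content/uploads is writable by the webserver while the install directory sits at mode 701, can be scripted. The following is an added example written for this page, not code from the commenter, from WordPress or from GoDaddy. It assumes a POSIX filesystem, treats "writable by the webserver" as an approximation (group- or world-writable, i.e. the webserver user is not the file owner), and builds its own throwaway sample tree with a constructed, harmless blob so it runs offline; the 120-character blob threshold is an assumed tuning knob, not a value from the page.

```python
import base64
import os
import re
import stat
import tempfile

# Assumed threshold: a run of base64 alphabet characters at least this long is
# worth a look; ordinary theme PHP/JS rarely carries literal blobs of this size.
MIN_BLOB_LEN = 120

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
# Decode-then-execute wrappers that commonly surround an encoded payload.
DECODER_CALL = re.compile(
    r"\b(eval|assert|preg_replace)\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\b",
    re.I,
)


def suspicious_blobs(text):
    """Return (offset, length, decoded_preview) for every long base64 run in text.

    The preview is only decoded for display; nothing found is ever executed."""
    out = []
    for m in BASE64_RUN.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            preview = raw[:60].decode("utf-8", errors="replace")
        except Exception:  # not valid base64 after all; still report the run
            preview = ""
        out.append((m.start(), len(blob), preview))
    return out


def scan_file(path):
    """Findings for one file: ('decoder_call' | 'base64_blob', offset, detail)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = [("decoder_call", m.start(), m.group(0)) for m in DECODER_CALL.finditer(text)]
    for off, length, preview in suspicious_blobs(text):
        findings.append(("base64_blob", off, "%d chars, decodes to: %r" % (length, preview)))
    return findings


def scan_tree(root, exts=(".php", ".js")):
    """Walk an install and map relative path -> findings for files that trip a rule."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                findings = scan_file(path)
                if findings:
                    report[os.path.relpath(path, root)] = findings
    return report


def writable_outside_uploads(root, uploads="wp-content/uploads"):
    """Directories that are group- or world-writable and not under the uploads dir.

    Approximation of 'writable by the webserver': assumes the webserver user is
    not the owner of the files, so only group/other write bits matter."""
    allowed = os.path.join(root, uploads)
    bad = []
    for dirpath, _dirs, _files in os.walk(root):
        if dirpath == allowed or dirpath.startswith(allowed + os.sep):
            continue
        if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(os.path.relpath(dirpath, root))
    return sorted(bad)


def install_dir_is_701(path):
    """True when the per-install directory has exactly the 701 mode the comment recommends."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o701


def build_sample_install():
    """Construct a throwaway sample tree (not a real site) with one planted, harmless blob."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "freebie")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(theme)
    os.makedirs(uploads)
    # Constructed payload: base64 of benign PHP text, long enough to cross MIN_BLOB_LEN.
    payload = base64.b64encode(b"<?php /* constructed harmless sample text */ echo 'hi'; ?>" * 4).decode()
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n<?php eval(base64_decode('" + payload + "')); ?>\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n")  # clean file, should produce no findings
    os.chmod(uploads, 0o775)                                   # allowed to be writable
    os.chmod(os.path.join(root, "wp-content", "themes"), 0o777)  # deliberately wrong, to be flagged
    os.chmod(root, 0o701)
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    for rel, findings in scan_tree(sample).items():
        for kind, off, detail in findings:
            print("%s @%d %s: %s" % (rel, off, kind, detail))
    print("writable outside uploads:", writable_outside_uploads(sample))
    print("install dir is 701:", install_dir_is_701(sample))
```

Run it against a real install with `scan_tree("/path/to/site")` and `writable_outside_uploads("/path/to/site")`; a hit on `footer.php` with both a decoder call and a long blob is exactly the pattern the comment says to look for, and the decoded preview lets you tell a vendor credit block from injected PHP without executing either.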