Slashdot Mirror


Massive Number of GoDaddy WordPress Blogs Hacked

A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.


  1. I like their commercials by BadAnalogyGuy · · Score: 5, Funny

    Their hosting services are pretty spotty, from what I've heard. On the other hand, they have commercials that really appeal to me.

    The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/

    Goddamned Perl strikes again.

    1. Re:I like their commercials by Locke2005 · · Score: 2, Insightful

      Unless you've got a Danica Patrick fetish, there is a lot better porn than GoDaddy commercials available for free on the 'net. But then, I think anybody that selects GoDaddy for hosting without googling for the many complaints about their service probably deserves anything they get.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:I like their commercials by WrongSizeGlass · · Score: 2, Informative

      The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/

      I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warnings I sent.

      I wonder if infected sites should be held accountable for PC's that get infected. Luckily I wasn't running Windows so the Setup_422.exe that downloaded was harmless.

    3. Re:I like their commercials by ircmaxell · · Score: 3, Interesting

      I wonder if infected sites should be held accountable for PC's that get infected.

      I wonder if Godaddy should be held accountable for PC's that get infected. After all, it was on their servers, and they have the power to either pull the plug on the affected server(s) or to roll back backups (assuming they take backups). Considering this is a mass attack, does it imply that a weakness in their servers allowed the attack (As in one site was compromised, and the attacker gained access to the entire server through that one site)? If so, Godaddy is absolutely responsible. In fact, I would think they'd be liable to both the end users (people who got infected) and their customers for not adequately protecting them and affecting their reputation (Just take down the server already)...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    4. Re:I like their commercials by WrongSizeGlass · · Score: 2, Interesting

      It looks like the 'WP Admins' (if that's what we're calling them) used weak passwords for their hosting account, FTP and/or DB, used 'Admin' username and possibly even used the same password for all of them. Rocket surgery, indeed!

    5. Re:I like their commercials by elysiana · · Score: 5, Insightful

      You know, a while back a friend of mine told me he had bought hosting at GoDaddy and was wondering if I'd help set up a site for him. I told him I wouldn't touch it until he got a better host, and he was shocked. His reaction was roughly, "What do you mean they're not reputable? They had Super Bowl commercials and everything!" Apparently people think that if a company spends millions on advertising, they must be upstanding.

      I worry.

    6. Re:I like their commercials by Lumpy · · Score: 4, Insightful

      No it's a weakness of Wordpress, AND weak passwords. Honestly, why is everyone all up in arms when a bunch of N00b's that don't know anything about site administration and security click on the one click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?

      This is as much go-daddy's fault as a drunk driver's crash is Ford's fault.

      If you want a blog and not be a site admin then get it from http://wordpress.org/hosting/ and not worry about it. Otherwise don't come whining because you went for the lowest dollar hosting and are surprised that the cheap guy is not going to update your software for you.

      --
      Do not look at laser with remaining good eye.
    7. Re:I like their commercials by Locke2005 · · Score: 4, Funny

      Apparently people think that if a company spends millions on advertising, they must be upstanding.

      Explain to them that Enzyte and ExtenZe also spend millions on advertising... upstanding indeed!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  2. Inconceivable! by eldavojohn · · Score: 4, Funny

    But but when I registered for a hosting service on GoDaddy, their commercial led me to believe that even stripping sexy models use GoDaddy so how could something like this happen to such a reputable and honest company?!

    --
    My work here is dung.
    1. Re:Inconceivable! by Thanshin · · Score: 2, Funny

      their commercial led me to believe that even stripping sexy models use GoDaddy

      I don't really follow your line of reasoning. You want to use the same things stripping sexy models do?

      So before GoDaddy you went for coke and rich old guys?

    2. Re:Inconceivable! by jemtallon · · Score: 2, Funny

      You keep using that word. I do not think it means what you think it means.

    3. Re:Inconceivable! by elrous0 · · Score: 3, Insightful

      It's hard to believe, but I used to refer clients to them back in the day. But those commercials put a stop to that. I'm not sure what they were trying to accomplish by running commercials more appropriate to Hooter's or a strip club chain. But if their goal was to drive away their serious customers, I'd say they picked the right strategy.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    4. Re:Inconceivable! by thijsh · · Score: 3, Funny

      What makes you believe the stripping sexy models weren't already infected to begin with? ...

    5. Re:Inconceivable! by igaborf · · Score: 3, Funny

      Wait, those commercials were selling something? I never noticed.

    6. Re:Inconceivable! by Hatta · · Score: 4, Insightful

      That probably was their strategy. McDonalds doesn't get a lot of business from serious diners, but they're not doing too badly. There's a lot of money to be made catering to the general public who's too ignorant to know good service from bad.

      --
      Give me Classic Slashdot or give me death!
    7. Re:Inconceivable! by lwsimon · · Score: 2, Funny

      Did you renew for 10 years by chance because it took so long for their admin panel to load, you didn't want to have to do it again any time soon?

      --
      Learn about Photography Basics.
  3. This weekend, or two weeks ago? by devjoe · · Score: 4, Informative

    I found this story mentioning a similar incident regarding WordPress blogs, but it happened two weeks ago, rather than this weekend. The original site is slashdotted, so I can't tell if this is really the same incident or not.

    1. Re:This weekend, or two weeks ago? by mzs · · Score: 2, Interesting

      That one was likely different. In that earlier one the interesting bit was the use of a cookie. So you would only be redirected one time (if the cookie was not there).

  4. Slashdotted to death. by gimmebeer · · Score: 4, Funny

    Who needs viruses and Chinese hackers to take down blog sites when you can just use slashdot?

  5. Only php4 users affected by Anonymous Coward · · Score: 2, Informative

    Well you're asking for trouble running php4.
    It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
    http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

  6. Network Solutions had a similar thing by Anonymous Coward · · Score: 4, Informative

    happen about a week ago, though I believe they indicated their FTP accounts had been hacked.

    http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/

    It was annoying, but I just restored from the prior day's backup and went on. I only had one FTP account and a strong password and mine got hit.

    1. Re:Network Solutions had a similar thing by Lumpy · · Score: 4, Insightful

      There is no such thing as a strong password on an FTP account.

      If you did not upgrade to SSH and SFTP from your control panel then you should not be managing a hosting site.

      --
      Do not look at laser with remaining good eye.
  7. We reported this to them on 3/11 by isThisNameAvailable · · Score: 4, Informative

    One of our departments decided to do their own thing and host a site on GoDaddy. Not sure if it was Wordpress or not, but the same thing happened to them. We reported it back on 3/11 and moved the site. Way to get in front of this thing GoDaddy! Oh, and it wasn't just Google. Referrers from Bing and Yahoo would redirect to the same link spam page.

  8. no mention of google by mzs · · Score: 2, Informative
  9. Don't you mean the worst part? by DigitalReverend · · Score: 4, Funny

    The best part is that the exploit only executes when the traffic is referred by Google

    I suppose if this was a hacking site, it would be considered the best part, but it's actually the worst part because it may go unnoticed. Whose side are you on?

    --
    I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
  10. Alt Link by MrTripps · · Score: 3, Informative

    Not sure if this is the same thing, but "Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific." http://www.ghacks.net/2010/04/12/wordpress-hack-terrifies-webmasters/

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
  11. Re:Don't put any details in the post or anything.. by TheDarAve · · Score: 2, Informative

    Posting a story on Slashdot is almost as bad as having a botnet DoS a site anyway. No exploit needed, just exploits of the common geek.

  12. Re:Wow by phantomcircuit · · Score: 2, Interesting

    Wordpress the opensource Blogging software, not wordpress.com the hosted blogging provider.

    This attack did not target Google at all. Whoever modded you interesting failed.

  13. Sadly nothing new with Wordpress by SnapperHead · · Score: 3, Informative

    I have been dealing with a large number of Wordpress installs in the past 2 years and I am here to tell you this is NOTHING new. This is a very common attack that is being used and it's hard as shit to find. Sometimes they embed it in Javascript, sometimes it's in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.

    There is also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers that if removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit but come on. It's leading to security issues across the board.

    The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attack manages to crack one install, they can't just attack another by going through the file system.

    Not trying to trash Wordpress here, it's just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.

    --
    until (succeed) try { again(); }
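
The two checks described in the comment above (look for large base64 strings in PHP or JavaScript files, and allow web-server writes only under wp-content/uploads) can be combined into one audit pass. This is an added example, not code from the thread or from WordPress; the function names, the 200-character threshold and the assumption that the web server is not the file owner are all choices made here for illustration.

```python
import base64, os, re, stat, tempfile

UPLOADS = os.path.join("wp-content", "uploads")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # length threshold is an assumption
DECODE_CALL = re.compile(rb"\b(base64_decode|atob)\s*\(", re.I)

def audit(root):
    """Return {relative path: [reasons]}; assumes the web server is not the file owner."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            reasons = []
            in_uploads = rel == UPLOADS or rel.startswith(UPLOADS + os.sep)
            loose = mode & (stat.S_IWGRP | stat.S_IWOTH) and not stat.S_ISLNK(mode)
            if loose and not in_uploads:
                reasons.append("writable by group/other outside uploads")
            if stat.S_ISREG(mode) and name.lower().endswith((".php", ".js")):
                with open(full, "rb") as fh:
                    data = fh.read()
                if B64_RUN.search(data):
                    reasons.append("long base64 run")
                if DECODE_CALL.search(data):
                    reasons.append("base64 decode call")
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample(root):
    """Constructed sample: clean template, obfuscated footer, one world-writable directory."""
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    os.makedirs(os.path.join(root, UPLOADS))
    blob = base64.b64encode(b"constructed placeholder payload " * 10).decode()
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('%s')); ?>" % blob)
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>")
    for dirpath, dirnames, filenames in os.walk(root):  # fixed modes, whatever the umask
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), 0o755)
    os.chmod(os.path.join(root, UPLOADS), 0o775)  # the one web-writable directory
    os.chmod(theme, 0o777)  # the misconfiguration the audit should report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

A hit is a lead for manual review rather than proof of compromise, since, as the comment notes, some theme authors ship base64-encoded footers of their own.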