GoDaddy-hosted sites at risk — WordPress, Joomla!, Pligg, ZenCart, others…

Recently, there was a malicious attack on GoDaddy-hosted sites. It’s tough to track down the exact date of the original attack — I was first able to find a mention of it on Slashdot from 4/26, and I found a topic in the WordPress support forums that supported that approximate time. However, I also found another post elsewhere with a Unix/Linux shell script that would fix what appears to be the same issue which was dated March 2, so this may have been around much longer.  At any rate, there seems to have been another major wave this past weekend.

Last month, Network Solutions was targeted by what appeared to be a malicious user who was able to gain access to sites’ databases by accessing the database server, username and password from the wp-config.php file common to all WordPress installations.  The attack took advantage of the fact that most users don’t change their file permissions, and left the wp-config.php file — with all the above information that it contained — in a public-readable state.  Once the database username and password were obtained, the hacker added a redirect script in the Site URL setting in the options stored in the database which redirected visitors to a site of his choosing.

This taught us the lesson to make sure your files — especially the important files with sensitive data contained within them, like passwords — are properly secured by correct file permissions.

This particular hack on GoDaddy sites did not attack the database, the upside of which means your data, stored passwords, posts, and everything else are still safe. However, according to the reports I found, what it did was embed a small javascript at the bottom of every php file.  The embedded code would ultimately cause visitors to be redirected to a malicious site that would install malware on their PC.  Based on the domain names that were grabbed by an independent security analyst, it looks like the end-goal was to infect a visitor’s computer with malicious software or viruses and then sell them antivirus software (the virus-scanning effectiveness of which would, presumably, be fairly suspect, given the circumstances) — the domains were things like safelinkhere.net, cleanupantivirus.com, letme-guardyourzone.com, systemmdefender.com, etc.  That post also points out that the person or people behind this attack have done this before.
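Both incidents described above leave indicators a site owner can check for directly: the Network Solutions case hinged on a wp-config.php readable by other users on the server, and the GoDaddy case on a script block appended to the end of every php file. The following is an added example of my own (not code from this post, from GoDaddy or from WordPress) that walks a web root and reports both conditions. The post does not reproduce the actual injected payload, so the patterns here (a trailing `<script>` block after the closing `?>`, and an `eval(base64_decode(...))` stub, which the "Base64Virus" write-ups linked below refer to) are generic assumptions, and the sample site it builds is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Generic indicators, assumed rather than copied from the real payload:
# a <script> block sitting after the last PHP closing tag, or the
# eval(base64_decode(...)) stub typical of obfuscated PHP backdoors.
TRAILING_SCRIPT_RE = re.compile(r"<script[^>]*>.*?</script>\s*$", re.DOTALL | re.IGNORECASE)
BASE64_EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def scan_php_file(path):
    """Return a list of finding strings for one php file (empty if clean)."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if TRAILING_SCRIPT_RE.search(text):
        findings.append("script tag appended at end of file")
    if BASE64_EVAL_RE.search(text):
        findings.append("eval(base64_decode(...)) stub")
    return findings


def check_config_permissions(path):
    """Return a finding if the file is readable by group or others, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return "readable by group/others (mode %o)" % mode
    return None


def scan_tree(root):
    """Walk a web root; map each relative path with findings to its list of findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            findings = []
            if name.lower().endswith(".php"):
                findings.extend(scan_php_file(full))
            if name == "wp-config.php":
                perm = check_config_permissions(full)
                if perm:
                    findings.append(perm)
            if findings:
                results[rel] = findings
    return results


def build_sample_site():
    """Create a constructed sample web root (temp dir) with one clean file,
    one file carrying an appended script, one carrying an eval stub, and a
    wp-config.php left world-readable. Returns the root path."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    clean = "<?php\n// ordinary template\necho 'hello';\n?>\n"
    appended = clean + "<script type=\"text/javascript\">/* constructed sample */ document.write('x');</script>\n"
    stub = "<?php\n// constructed sample of an obfuscated stub\neval(base64_decode('aGVsbG8='));\n?>\n"
    os.mkdir(os.path.join(root, "includes"))
    files = {
        "index.php": (clean, 0o644),
        "footer.php": (appended, 0o644),
        os.path.join("includes", "helper.php"): (stub, 0o644),
        "wp-config.php": (clean, 0o644),  # should be 0600 or 0640 on shared hosting
    }
    for rel, (content, mode) in files.items():
        full = os.path.join(root, rel)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, findings in sorted(scan_tree(site).items()):
        print("%s: %s" % (rel, "; ".join(findings)))
```

Run it against a real web root by calling `scan_tree("/path/to/html")`; a clean template should never end in a `<script>` block, so any hit on that pattern is worth a look, while the `eval(base64_decode(` pattern can occasionally appear in legitimate (if poorly written) plugins and should be reviewed rather than deleted blindly.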

So you have a GoDaddy site running WordPress, how do you know your site is infected?  If your site was infected, you would see this when you logged into your dashboard:

At first glance it just looks like the CSS is messed up, not anything that might suggest a virus.  However, when I tried to access the admin panel on two GoDaddy-hosted WordPress sites that we support, my antivirus software gave me a virus warning.  This happened, too, when the Network Solutions hack went down, so I became instantly suspicious.  (My virus software, by the way, is avast! which can be downloaded free for personal use.)

GoDaddy’s official initial response to the issue — which has been posted in a couple different places — was this:

A few of our customers were affected. Here’s what our CISO had to say about it:

“WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.

This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure, and in a safe place.”

If you have questions or you’d like someone to take a look at your WordPress site, please get in touch with our 24/7 support team at http://fwd4.me/MBI

Alicia

Here’s the problem with that statement: it’s wrong.  Both the sites that I saw directly were running the 2.9.2 version of WordPress.  And I’m not alone.  I’ve read reports in forums and blog comments from many users who were not only running up-to-date versions of WordPress, but also had secure and unique passwords for their WordPress backend, FTP and database, and many had countermeasures in place to prevent attacks on their WordPress site.  None of which protected them from being infected.  Later, GoDaddy’s Chief Information Security Officer sent out the following message which is currently appearing on their support page:

If you are experiencing difficulties with your site, you may be using outdated software and unknowingly hosting malware…And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure and in a safe place.

Calls to GoDaddy support about the issue right now are apparently being met with “this is a WordPress issue”-type responses.  But careful viewers of how this particular infection works will see that there isn’t anything specific to WordPress about it — it’s targeting php files on GoDaddy-hosted sites.  Whereas the Network Solutions hack was looking for a specific file — wp-config.php — to gain access to the database, php files can be in any software written in that language, which includes Joomla!, Drupal, ZenCart, Magento, and on and on.  Blaming the issue on bad security practices is a gross misrepresentation of the facts. As of this writing, GoDaddy hasn’t yet tracked down the source of the infiltration or taken much more responsibility for the issue than the above statements.

The good news is that, as far as I can tell, there isn’t anything you did wrong to make your site more of a target. The bad news is no one is sure how the hacker was able to access a huge number of sites on GoDaddy and append a javascript code at the bottom of every php file on those sites. The fact that GoDaddy’s canned response inaccurately suggests that the affected installations were outdated isn’t very reassuring.

Fear not, for there is a fix.  One thing the infected sites seem to have in common is that they are all hosted on Linux servers.  If your GoDaddy site is hosted on a Linux server, you can use the History feature to restore an earlier backup of the files. Since the database was untouched, this won’t affect any posts you may have published, however it may (or may not) affect any media files you uploaded between the time you restore back to and now — so it’s probably a good idea to check those posts for broken image links and the like after you do it to make sure everything is okay.  Check out this help file for full instructions on how to restore your site to an older backup.

Over the weekend, GoDaddy posted a fix to their forums that they referred to as a “permanent” fix. The updated fix involves backing up your database, saving any files you may have uploaded to your site, deleting everything, then reinstalling and restoring your database backup. While this would resolve the issue, until they announce that they know where these attacks are coming from and why they are so widespread, I can’t see this as a “permanent” fix — it’s not any more permanent than restoring from a backup (presuming that the virus wasn’t present at the time the restore point you are using was created).  And evidence suggests that security best practices wouldn’t safeguard your site against attack either.  That said, changing your passwords is probably not a bad idea.

I would like to reiterate that this is not a WordPress compromise, but a GoDaddy compromise. In this case, the claim that the vulnerable sites were those running a version of WordPress prior to 2.9.2 was inaccurate, and given the nature of the attack, I don’t see what the WordPress version really has to do with anything anyway.  Even if we assume the attack only targeted WordPress, 2.9.2 addressed an issue in which users who were logged into the admin panel could look at Trashed posts from other authors. 2.9.1 resolved a number of minor bugs but no security holes. Neither of these would have prevented someone injecting malicious code into the php files of your WordPress installation. Until someone is able to expose the breach, I’m not convinced that any of the posted resolutions and prevention methods are “permanent,” nor do I believe that this is the last we’ll see of this attack — from what I’ve been able to gather, many bloggers who fixed the problem last week were hit again this past weekend. (Not surprisingly, domain transfers from GoDaddy to another registrar quadrupled in the last week of April. This doesn’t necessarily mean hosting went with it, but I’d be surprised if the two things weren’t related.)

I don’t like to tell people that you shouldn’t use a certain webhost because of x, y and z. I will make recommendations based on my personal experience and suggest hosts that I’ve had good experiences with, but I’m not one to badmouth other companies to our clients or their decision to go (or stay) with that company. So I’m not going to tell you to switch to something else if you are using GoDaddy. However, if I were using GoDaddy, I’d be very concerned about my site’s security if it was running any kind of web application (blog or forum or CMS, WordPress or otherwise) until their Security team says something other than “make sure your passwords are secure.” What’s more, while Network Solutions was able to respond to, and secure against, the attack on their hosted WordPress sites within 24 hours (at least the initial attack, if not the subsequent attacks that came later), GoDaddy was hit with this, initially, sometime around April 21 or even much earlier.  I’ve seen no indication that they resolved the initial breach, let alone these new modifications.

If you have been compromised, or you are concerned about being compromised, I urge you to contact GoDaddy and express your concerns and try to learn what they are doing to prevent this attack from happening again. The more concerned customers they hear from, the more urgent the issue becomes and, hopefully, the faster they will work to resolve it.  However, if you would rather not be at risk just waiting for this weekend and the next wave of attacks, we highly recommend 1and1 for web hosting, and if you have questions or concerns about your site, you can contact us for a quote.  We can fix your infected WordPress site, help with your webhost transfer, or clean your infected php site that uses a different platform.

Tomorrow I will be posting an article about what you can do to keep your website as safe as possible.

If you would like to learn more about the issue, here are some of my sources:

Massive Number of GoDaddy WordPress Blogs Hacked [slashdot]
Warning! Massive Number of GoDaddy WordPress Blogs Hacked This Weekend [BlogcastFM]
GoDaddy/WordPress ninoplas Base64Virus and the Fix [inspirated]
GoDaddy WordPress blog hacked [WordPress Support Forums]
What people are saying about “GoDaddy WordPress” [Twitter Search]
GoDaddy Hacked WordPress Hosting Accounts [Smooth Blog]
WordPress on GoDaddy.com Hacked [NeoWin]
WordPress Compromised? How to Fix It! [GoDaddy]
GoDaddy Support [GoDaddy]
WordPress 2.9.2 [WordPress Development Blog]
WordPress 2.9.1 [WordPress Development Blog]
Restoring a Linux Hosting Account [GoDaddy]
GoDaddy Domains Lost by Transfer QUADRUPLE!! [NoDaddy]
Registrar Report for GoDaddy [WebHosting.Info]
Ninoplas Base64 WordPress Hacked on GoDaddy [WPSecurityLock]
Cechriecom.com.js.php – WordPress Hacked [WPSecurityLock]
GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware [Dancho Danchev’s Blog]
Breaking News!  Dangerous Malware Alert — Self-Hosted Sites on Major Hosting Service Hacked Again! [WPSecurityLock]
Details on the Network Solutions/WordPress Mass Hack [Sucuri Security]
The Kneber botnet – FAQ [ZDNet]


Scam Alert: “Testers needed to test the Apple iPad” – testitandkeepit.com

i got an email last night sent from a client we did a website for about a year ago inviting me to become a tester for an Apple iPad.  actually, i got two emails — one sent to each of my main addresses.  The subject line of the email was “Testers needed to test the Apple iPad.” redundancy aside, i was curious — also, skeptical.  it’s a little late in the game for there to be iPad testing; usually testing (and certainly anything calling itself “beta testing”) is conducted before the device is ready to ship — the iPad already has a hard release date.  the only kind of testing that would even be feasible is some kind of user experience testing for the purposes of market research (in which case it wouldn’t matter when the product was released, but it would probably make more sense after the producer got some initial sales figures). barring someone hanging out in your home and following you around as you use the thing, something like that would almost certainly need some special software installed, and it’s been well documented and established that the only software that gets onto an iPad is — like the iPhone or iPod Touch — from the iTunes App Store.  The body of the email had this to say:

Hello [my name],

Your contact “[contact’s email address]” invited you to join our TestitandKeepit program.

At this time we are actively searching for people who will be willing to test the new Apple iPad. The testing period will take only two months, after which you may keep it as compensation.

To see more details and register to our program, follow the link below:

http://www.testitandkeepit.com/1

Thanks,

The TestitandKeepit Team

This immediately made me search for “test it and keep it ” — certainly if this was an established company, their website would be high ranked on a search for their own business name.  and, if it was a scam,  i should see some blog posts or scam reports on such.  the results?  well, i didn’t find the company, or even their website, by searching for “test it and keep it”, but i did find several posts in various different places that gave the impression that it was, in fact, a scam.  most of them, however, were not based on any hard evidence as the authors hadn’t actually gone through all the steps.  it wasn’t until i found this post on the sophos blog from earlier this month that i could see what the take was, summarized in this handy-dandy youtube video.

all of these so far, though, are referencing this as being a facebook scam, and it wasn’t an email (or invitation to join a group) from facebook that sent the invitation i received.  thus prepared, i ventured to the site.  a few things caught my attention early on:

  1. the top navigation links work, sure, but the links to “contact”, “home”, and “rss” links at the bottom of the site don’t link to anything.
  2. while there is what appears to be a newsfeed on the right side of the page, complete with number of comments, none of the “posts” actually link to anything.  neither do the comments.
  3. there is no specific evidence of this group ever conducting a test like this before, other than a mention in the non-functioning news feed
  4. although the company description freely says that they are not directly related to the product manufacturers and are an outside organization called in to select participants for product tests and report back their findings, a company as large as apple would not be very likely to hire an outside organization — especially their policy for extreme secrecy when it comes to new products.
  5. from their about page:

    Our mission is simple:
    “Make life easier for everyone.”

    We offer solutions hassle-free to companies who want their products reviewed. We select participants and we deal with all the paper work, the logistic behind selecting the participants, getting their reviews, etc… Plus we make life easier for all the people who will purchase the product in the future, because of our help, the product will be improved and fixed from its original conceptual bugs or malfunctionning.

    this is the sort of meaningless copy that people who have never been directly involved with product manufacturers or large corporations might believe.  are there companies that get hired by large organizations to test their products?  sure.  but are the primary incentives in hiring such a company a) selecting participants, b) dealing with paperwork, and c) making life easier?  no, they have staff that can handle stuff like that.  would a company like apple hire the “Test It and Keep It Team” based on their company’s description on their about page?  very unlikely.

  6. and then there’s the little matter of grammar.  most people who receive spam on a daily basis know that the easiest way to detect spam and phishing emails from their legitimate counterparts is that, more often than not, the language and grammar in the spam and phishing emails is atrociously bad, riddled with spelling and punctuation errors as well as simple sentence structure errors that any large company’s PR and marketing team would have caught before going to press.  however it’s also widely known that people don’t read, and certainly when it comes to something like this, they are more likely to skim the page. yuo konw taht eamil taht yuo gte wehre lla teh wrods aer splled wrnog and this is to prove that as long as all the letters are there, it doesn’t matter what order they come in in terms of being able to read it?  well, that just goes to show how much we can skim and not even realize we’re doing it, but anyone somewhat trained in picking out errors like this will see these things as glaringly obvious.  certainly no company trying to impress the likes of apple would let such mistakes be published on their website.

none of these things looked too promising for this little site, but out of pure curiosity, i decided to see what happens when i try to sign up.  like the facebook version, the signup is split up into 3 parts.

step 1 — submit your name and email address (interestingly, though, the name fields are labeled as “Name” and “Last Name” — usually, when first and last name are required, they are at least listed as “first name” and “last name”)

step 2 — invite all your friends.  since they can’t do this automatically directly on facebook, they’ve built in a method by which you can invite all of your friends from various different networks simply by entering your username and password!  (because i love giving out my username and password to shady companies.)  presumably this mass emails all your friends on various different networks with a message similar to what i received trying to get more people to sign up for step 3.

step 3 — complete registration.  you might think that this would be like a submit button or send you a validation key or something like that.  in fact, this button redirects you to a completely different site, online reward center (i am providing the link for reference purposes only, submit your information at your own risk).  at first glance, this looks exactly like those other sites where you go through 20 pages of offers and surveys to get a free iPod, only to come to the last 2 or 3 pages which require you to sign up for 10 different trial offers in order to receive your iPod.  no good will come of these sites — trust me, i’ve tried.  at one point in time i had heard a story of someone i knew personally who had set up a fake email address and gone through the steps and did actually get their ipod, which led me to try it myself.  i chickened out at giving out my credit card number, though, so the only thing i got was spam and added onto Camel’s list for product samples and coupons.  i don’t smoke, but at some point there was an option to choose which cigarettes i preferred, marlboro or camel, and “neither” wasn’t an option.  as a sidenote, i googled “online reward center” too, and found several entries on the scamminess of that, too, including several questions on Yahoo! Answers to the effect of “is the free stuff you get here for real?” to which the answers were “no,” “no,” and “sometimes if you’re lucky and prepared to get a lot of spam.”

so here’s what i think: this started out as a facebook scam.  ultimately, though, it got banned from facebook from so many complaints (but not before racking up thousands upon thousands of fans).  after that, either a copycat scam popped up, or the same guys came back with a different catch and, rather than harvesting cell phone numbers, are getting commission on all the crap you sign up for on those survey things — a gimmick that is almost as old as the internet itself (and more than likely based on those publisher’s clearing house sweepstakes offers).

the moral here is: if it looks like a duck, acts like a duck, and quacks like a duck, it’s probably a duck, no matter how much you want that duck to be a free iPad.

also: as a further side note — i contacted the person from whom i received the email originally, including the link to the sophos post.  his response was that he received it but did not sign up for anything.  after doing a twitter search, it looks like possibly this scam is even more insidious than it seems, exploiting gmail contact lists to get email addresses.

Update 3-31-2010:

For anyone who’s signed up inadvertently and is interested in “what are my risks,” read this from the scam warners forum.  The short response is: don’t give anyone your credit card information over the phone.

If I briefly describe the Florida holiday scam it’ll give you an idea how this can turn into a very shady business.

There are many ways used by marketing companies to collect people’s details. Many sites offer money off coupons and they insist you enter personal details including your phone number. They also have booths at country fairs, race meetings or exhibitions with entries to a free competition for a holiday (of course, there’s no holiday). They then sell these details on to a boiler room with one purpose only – to get your credit card details. They ring up telling you that you’ve won a holiday and that you just need to pay some small deposit, and it’s pressure tactics that you wouldn’t believe. They then clear your account.

It isn’t just spamming.

wifi encryption lifehack

random thought: if i had a wifi router but disabled dhcp, theoretically you could almost disable any kind of encryption or wireless security with the theory that most people wouldn’t be smart enough to know how to hard-code their ip address to connect to your unsecure network to connect to the internet.