In a recurring pattern, GoDaddy-hosted sites running PHP applications may be under attack again as hackers inject malicious code onto their sites.
Web administrators who host their domains on GoDaddy should
check their source code again for rogue code that downloads malware, according
to a security research firm.
Sucuri Security updated its Oct. 30 post warning about the
attacks on GoDaddy-hosted sites
with another note on Nov. 3. The research
company was investigating reports of "another related outbreak of exploited
sites on GoDaddy," read the update.
The affected sites generally ran some kind of PHP
, such as Zen Cart eCommerce or popular CMS packages
including WordPress, Drupal and Joomla, according to a post on GoDaddy's
. In a series of injection attacks, hackers were embedding malicious
code into the site's Web application, often through blog comments, according to
Chris Drake, chief executive of security-conscious Web host provider FireHost.
According to Sucuri Security, the code, when executed,
inserted a single line of PHP code into every PHP file on the infected site:
eval(base64_decode, followed by a string of random-looking characters, that
hides actual PHP code that is being run. This command basically sets up a
and other scareware onto the visitor's computer, said the
With this code in place on every PHP file, any visitor
coming to the compromised site is sent to the malicious domain and infected
with malware. Because the offending PHP code is written in base64, it's also
not immediately apparent to the owner what that line is actually doing.
In the original post,
Sucuri Security identified a handful of malicious domain names that were part
of this attack. The malware authors responded by changing the domain names
delivering the malware. Hackers switch domains frequently as antivirus vendors
A quick domain WHOIS
lookup indicated that many of the attacking domains were registered under the
name of Hilary Kneber. This is an alias often used by criminal groups and
sometimes associated with ZeuS Trojan gangs, according to security researchers.
As Sucuri Security and GoDaddy both noted, this is not a
GoDaddy-specific problem, as other Website hosting companies, such as
Dreamhost and Network Solutions, have been attacked.
Sucuri's researchers released a fix to help administrators
clean up their code. It offers the file as a text file which Webmasters should
rename as a PHP file and execute on the site to remove the offending lines.
The fix is a "very crude attempt" to clean up the attack,
according to Richard Wang, manager of SophosLabs. While it would remove the
malicious code from PHP scripts, there is "very little" error checking and "no
way" to roll back changes if the script goes wrong, said Wang. If the comments
on Sucuri Security's site and other security-based sites are any indication, at
least the fix appears to work, which is what affected site owners care about.
If site owners decide to apply the Sucuri file, they should
first examine the code to assess any impact on site content before running,
said Wang. He added that site administrators should back up the site before
running any scripts, just in case.
GoDaddy-hosted sites have been slammed with one attack after
another this year. In May, five of the top 10 malicious domains in May were
part of the GoDaddy attack. It was attacked in two separate incidents in May,
twice more in September and at least twice in October, according to Sucuri
GoDaddy originally said the attacks were succeeding because
site owners were running insecure or older versions of software, and until the
bugs in the Web application were closed, attacks would continue. Sucuri Security
provided information to the Web host provider in May showing the attacks were
not in the application layer. GoDaddy at the time acknowledged there was a
deeper internal problem, but had no updates. GoDaddy
has said that of more than 4.3 million hosted sites, these attacks impact less
than half-a-percent of its customers.