PHP Attack Hits GoDaddy-Hosted Sites Again

In a recurring pattern, GoDaddy-hosted sites running PHP applications may be under attack again as hackers inject malicious code onto their sites.

Web administrators who host their domains on GoDaddy should check their source code again for rogue code that downloads malware, according to a security research firm.

Sucuri Security updated its Oct. 30 post warning about the latest malware attacks on GoDaddy-hosted sites with another note on Nov. 3. The research company was investigating reports of "another related outbreak of exploited sites on GoDaddy," read the update.

The affected sites generally ran some kind of PHP Web application, such as Zen Cart eCommerce or popular CMS packages including WordPress, Drupal and Joomla, according to a post on GoDaddy's blog. In a series of injection attacks, hackers were embedding malicious code into the site's Web application, often through blog comments, according to Chris Drake, chief executive of security-conscious Web host provider FireHost.

According to Sucuri Security, the code, when executed, inserted a single line of PHP code into every PHP file on the infected site: eval(base64_decode, followed by a string of random-looking characters, that hides actual PHP code that is being run. This command basically sets up a redirect to a malware site running rogue JavaScript code that automatically downloads fake antivirus and other scareware onto the visitor's computer, said the security firm.

With this code in place on every PHP file, any visitor coming to the compromised site is sent to the malicious domain and infected with malware. Because the offending PHP code is written in base64, it's also not immediately apparent to the owner what that line is actually doing.

In the original post, Sucuri Security identified a handful of malicious domain names that were part of this attack. The malware authors responded by changing the domain names delivering the malware. Hackers switch domains frequently as antivirus vendors blacklist attacking domains.

A quick domain WHOIS lookup indicated that many of the attacking domains were registered under the name of Hilary Kneber. This is an alias often used by criminal groups and sometimes associated with ZeuS Trojan gangs, according to security researchers.

As Sucuri Security and GoDaddy both noted, this is not a GoDaddy-specific problem, as other Website hosting companies, such as Dreamhost and Network Solutions, have been attacked.

Sucuri's researchers released a fix to help administrators clean up their code. It offers the file as a text file which Webmasters should rename as a PHP file and execute on the site to remove the offending lines.

The fix is a "very crude attempt" to clean up the attack, according to Richard Wang, manager of SophosLabs. While it would remove the malicious code from PHP scripts, there is "very little" error checking and "no way" to roll back changes if the script goes wrong, said Wang. If the comments on Sucuri Security's site and other security-based sites are any indication, at least the fix appears to work, which is what affected site owners care about.

If site owners decide to apply the Sucuri file, they should first examine the code to assess any impact on site content before running, said Wang. He added that site administrators should back up the site before running any scripts, just in case.

GoDaddy-hosted sites have been slammed with one attack after another this year. In May, five of the top 10 malicious domains in May were part of the GoDaddy attack. It was attacked in two separate incidents in May, twice more in September and at least twice in October, according to Sucuri Security.

GoDaddy originally said the attacks were succeeding because site owners were running insecure or older versions of software, and until the bugs in the Web application were closed, attacks would continue. Sucuri Security provided information to the Web host provider in May showing the attacks were not in the application layer. GoDaddy at the time acknowledged there was a deeper internal problem, but had no updates.

GoDaddy has said that of more than 4.3 million hosted sites, these attacks impact less than half-a-percent of its customers.