Site Hacked

For all the complaints and frustrations NS has done everything possible to get this thing under control and get everyone cleaned up. They’ve also taken it seriously enough to bring in law enforcement and additional security consultants.

An internal breach is serious stuff.

@steve D: I agree with you. NS response was pretty good and they helped everyone who called and asked for help.

I am not seeing the same with GoDaddy yet.

times to switch hosts!

My english is so bad. Since today at 3:00 am (gt-5 Colombia) my site was hacked, i dont know why is the problem with goddady, because this problem happened about fifty days ago. ?What is NS??

Two different redirects so can I assume two different hacks?

Hard to tell but obviously these attacks have been extremely “organized” and formidable.

Look at this time line so you are prepared mentally if these attacks being launched on GD turn out to be similar in their intensity.

Timeline of Events:

April 7: Database injections are identified on our WordPress hosted accounts.
Actions: websites are scanned and cleaned and steps are commenced to contain the issue.

April 16: Additional malicious code appears on customers’ website files.
Actions: operations team continues to run scans that identify code and clean customer websites.

April: 18-24: The criminals dynamically inject code on customers’ websites and change signatures each time. The criminals add viruses and/or malware to customers’ sites.
Actions: security and network experts work to contain the infections and prevent additional issues.

April 25-present: Security and network teams confirm that security measures continue to contain the malicious code.

Ongoing: We continue to monitor and implement additional measures as needed to protect our customers. Customers who have not logged in to their sites for at least three weeks are now reporting infections and are being escalated to technical services. The security team confirmed that these are not new cases of infections.

seriesgo NS is Network Solutions.

Gracias Steve, acabo de restaurar complementamente mi sitio de godady al dia 28 de abril gracias a la utilidad de file manager. ?Qué nos aconsejaria a los que somos víctimas de este problema? . Un dato curioso es que tengo diversos sitios afectados, y los que están siendo víctima de la vulnerabilidad son los que están corriendo bajo php4, ?será una simple casualidad?

Saludos.

FYI – Godaddy users. It is true Godaddy denies any responsibility. I doubt yuo will recieve assistance without paying the minimum 150.00 fee.

In the Go Daddy file manager you have the ability to restore your sites to an earlier date. I just completed restoring 6 sites and so far(fingers crossed) I have removed the exploit. My source files are clean. Hope this helps!

First of all, this is not a GoDaddy issue. I have several friends with blogs hosted on other servers that are suffering the same fate. GoDaddy does have a great feature in the Account Management called the File Manager, which allows files to be restored from a previous calendar date. You can call GoDaddy support and they should be able to walk you through the process of using the File Manager.

As for the hacks themselves, I see this more as a WordPress issue than a server side issue. All of the files hacked on my site are the core WordPress PHP files. Perhaps the next update of WordPress will look at ways of locking the file permissions down to keep the hacks from changing them and injecting all this nasty code. I do know one thing, this can certainly suck the life out of the average blog owner.

First of all, this is not a GoDaddy issue.

What if in fact Goddaddy has been breached-ambushed and this is just the beginning of what could possible be a full assault similar to the attack on NS?

Certainly with all the evidence out there they’ve taken this into consideration.

https://www.ads-software.com/extend/plugins/wp-db-backup/faq/

First of all, this is not a GoDaddy issue. I have several friends with blogs hosted on other servers that are suffering the same fate.

As for the hacks themselves, I see this more as a WordPress issue than a server side issue.

its not just wp which is being hacked, other forum softwares are being hacked too !

so it has to be godaddy’s issue.

Here’s how to fix this hack…

First, let me say that any web host could be susceptible to a skilled hacker. It’s even happened to sites like YouTube, Twitter, Facebook, banks, government sites/hosting… you name it, all of which do everything possible to prevent these things from happening.

If you switch hosts, it could happen to your new host as well.

For GoDaddy users, here’s how you fix this problem.

The good news is that this hack doesn’t appear to do anything to your database, just all file extensions with the .php at the end.

First, back up your database and all your web hosting files (even though they are infected) to your computer. Always always always back things up.

Second, log into your web hosting control panel and go to your File Manager.

Click on the “History” button on the left (just above the list of your directory structure).

You should see then a list of all your files from previous days listed there. So if your site is hacked on May 1st, be sure you’re looking at April 30th’s backup. You should see the words “Changed” next to each file / folder which has been infected.

As a check, try opening the index.php file and make sure the base64 code is not located in there. If it’s not, then you’re probably good to go ahead and use this date’s backup; if it’s there, go back even further in your history.

Now that you know that date’s files are clean, go back to your root folder (current date’s folder) by clicking the “Current” button on the left.

Put a check mark next to all files and folders which which include .php files. This will include your wp-admin, wp-content, wp-includes folders as well as all your root files which end with .php.

Once those are all deleted, go back to your “History” button and to the date with clean files.

Check all the files which you had deleted from your Current area and then click “Restore” from the file menu above.

Once the restore is complete, you should be up and running.

Hope this helps. Also, you might want to check out how to help stop hacks from happening by visiting these sites:

WordPress Defender

https://codex.www.ads-software.com/FAQ_My_site_was_hacked

Perishable Press 4G Blacklist

As for the hacks themselves, I see this more as a WordPress issue than a server side issue. All of the files hacked on my site are the core WordPress PHP files. Perhaps the next update of WordPress will look at ways of locking the file permissions down to keep the hacks from changing them and injecting all this nasty code. I do know one thing, this can certainly suck the life out of the average blog owner.

I have 6 sites written in php, not all wordpress, and ALL were hacked. The problem is most certainly with Godaddy.

I think its safe to assume that these attacks being launched upon the big host’s are of a new and different nature. They appear to be using techniques that are designed to overwhelm the servers in stealth by attacking every hole possible they can exploit quickly and efficiently. They obviously are targeting website owners who don’t have their site secured according reasonable protocols and is asleep at the wheel” doors open everywhere. Even more worrisome is the possibility of rouge accounts being set up.

That would mean Hosting providers are going to have to tighten up the requirements for shared hosting and impose a set of security standards one has to meet to get a shared hosting account. An application for shared hosting sort of speak.