clundie

After the last 2 hacks, I moved my hosting to a different provider. In fact I re-did my whole site and it doesn’t even use PHP anymore. The logs of my new web server show a request for “/—–_—–.php”, (I have replaced the actual letters with dashes in case it would identify me.) which of course was unsuccessful (404 error). But it obviously fits the pattern of the Godaddy attacks and happened at the right time. (Middle of the night May 16/17)

So anyway it’s plausible that someone created the malicious script on the Godaddy server (my hosting there is still active for a few more days, though my domain name doesn’t point to it anymore) When they tried to run the script they connected to my new server which of course failed to work.

Sure enough, this same BS happened to my Godaddy site again last night. I restored from backup. I’ve never had WordPress installed etc. Strong passwords, all different.

I can see the one line in the apache log where a script was executed:
74.54.—.— – – [11/May/2010:22:02:10 -0700] “GET https://www.——–.—/——.php HTTP/1.1” 200 429 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)”

I censored out the bits that would identify me or the attacker but I can tell you: it was a .php script that doesn’t exist on my site, so somebody must have uploaded it, ran it, then deleted it. My apache logs have no other access from that IP address. I do not see any exploit being done thru a script on my site. The attacker has to be breaking in some other way. But my passwords are all strong & I only log in thru encrypted SFTP.

In any case I am taking my business elsewhere.

@gdhosting Thank you. I filed my information for the security team. I may also take a look at the apache logs from this morning.

Yes, never had WordPress installed on my site. Just a few .php files written by me, on a mostly static site. I don’t have scripts to allow file uploads or anything like that. All the .php files got modified as described above. Now – my site is on shared hosting, so it’s possible there was a WordPress site was hosted on the same server. My file permissions were set so that only I (the owner) could write/modify them, but maybe someone figured out how to bypass that. In any case I changed all my passwords, which were strong and unique. I also use a Mac & there is zero chance of a virus on it. Ironically I was already planning to leave Godaddy next week.

This happened to me today, on a site hosted with godaddy, which doesn’t run WordPress and never has.