A widespread exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend on April 24th. As with the "Largest Link-Hack In History" exploit, it only triggers when the traffic is referred by Google, making it the sort of thing that site owners won't easily notice. More details after the jump…
The exploit code points to one of several sites, including "cechirecom.com/js.php" (WARNING, DO NOT VISIT), and tries a variety of browser exploits in order to install malware on the visitor's PC. The injected code is obfuscated with Base64 encoding. So far it appears to only be affecting GoDaddy's Linux hosting accounts, leading security researchers to wonder whether there is a Linux-specific exploit involved, or whether it depends on GoDaddy's hosting platform for Linux servers.
The malicious script sets a cookie that causes it to activate again after 20 days, so it will need to be removed from the affected sites before that time.
The affected sites appear to have several things in common:
- The hosting accounts were running PHP version 4.x.
- Some or all directories and/or files had their permissions set to 777 and/or 755.
- The wp-config.php files had weak or missing Authentication Unique Keys (the "secret keys").
- Weak passwords were typically used for database access, FTP logins, and wp-admin.
- It appears that the site can be restored to an earlier date to remove the virus (see GoDaddy for information on doing this).
- The WordPress database does not seem to be affected as far as anyone can tell (but don't hold your breath).
If you're using WordPress, WordPress-MU, or Buddypress (whether you're using GoDaddy or not), now would be a good time for you to update your passwords and check your file permissions.
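A defender-side check for three of the indicators listed above (world-writable 777-style permissions, Base64-obfuscated PHP, and weak or missing secret keys in wp-config.php). This is an added example, not code from the original post or from GoDaddy; the sample site layout it builds is constructed, and the 32-character minimum key length is an assumed heuristic.

```python
import os
import re
import stat
import tempfile

# Signature of the Base64-obfuscated injection described above: PHP that evals a
# base64-decoded blob, optionally wrapped in gzinflate/str_rot13/gzuncompress.
OBFUSCATED_RE = re.compile(r"eval\s*\(\s*(?:gzinflate|str_rot13|gzuncompress)?\s*\(?\s*base64_decode\s*\(", re.I)
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
DEFAULT_PHRASE = "put your unique phrase here"  # value shipped in wp-config-sample.php

def weak_keys(config_text):
    """Return the secret keys that are missing, still the default phrase, or
    shorter than 32 characters (assumed heuristic for 'weak')."""
    weak = []
    for key in WP_KEYS:
        m = re.search(r"define\(\s*'%s'\s*,\s*'([^']*)'" % key, config_text)
        if m is None or m.group(1) == DEFAULT_PHRASE or len(m.group(1)) < 32:
            weak.append(key)
    return weak

def audit_site(root):
    """Walk a WordPress tree and report world-writable paths, obfuscated PHP
    files and weak secret keys, as paths relative to root."""
    findings = {"world_writable": [], "obfuscated_php": [], "weak_keys": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:  # 'other' write bit set
                findings["world_writable"].append(os.path.relpath(path, root))
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            text = open(path, encoding="utf-8", errors="replace").read()
            if OBFUSCATED_RE.search(text):
                findings["obfuscated_php"].append(os.path.relpath(path, root))
            if name == "wp-config.php":
                findings["weak_keys"] = weak_keys(text)
    return findings

def build_sample_site():
    """Constructed, deliberately weak WordPress layout used for demonstration."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the 777 case
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('AUTH_KEY', '%s');\ndefine('SECURE_AUTH_KEY', 'abc');\n" % DEFAULT_PHRASE)
    with open(os.path.join(root, "wp-content", "uploads", "inject.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('aGVsbG8='));")  # constructed placeholder blob
    return root
```

Run `audit_site("/path/to/wordpress")` against a real install; anything under `obfuscated_php` deserves manual review rather than automatic deletion, since legitimate plugins occasionally use the same construct.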
GoDaddy released this statement:
"Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you."
All in all, we don't disagree. Security is, in large part, up to YOU.