GoDaddy Shared Linux Hosting Hack Fix

Note: an update has been posted regarding the content of this post.

You’ve read all the articles and seen all the tweets. I won’t comment on my personal/professional opinions of GoDaddy’s shared Linux hosting. What I will do is try to help out my fellow web professional recover from the recurring hacks in GoDaddy’s shared Linux hosting environment.

I WILL SAY THIS: This is not a WordPress issue. It’s a hosting environment issue. I have clients who were hacked that had no WordPress installation installed on their account.

What Happened?

Who knows. Bottom line, some doucher or group of douches have found vulnerabilities in the shared Linux hosting environment GoDaddy sells and have appended a line of base64 encoded PHP to be evaluated before nearly every PHP file is launched. This is normally causing malware warnings in updated browsers and I’ve seen some spoofing/redirects to search engine spiders as well.

What do I do?

Revert to a back-up before a hack or remove the malicious line from each .php file in the entire directory tree of your hosting account.

Fixing the GoDaddy Hosting base64 Malware Hack

I have created a very simple script to allow you to sniff for these files recursively and remove the first line of any files whose first line contains the string: <?php /**/ eval(base64_decode(

This should clear things up, but I offer no guarantee or warranty and am not liable for what this file does. It’s simply a fix I used on a few client sites.

Download the Fix

Instructions:

  1. Download the GoDaddy Hosting Malware Hack fix
  2. Rename the file godaddy_hack_fix.php and upload to your document root.
  3. Visit the file in a browser, e.g. http://yourdomain.com/godaddy_hack_fix.php
  4. Review the location and number of files that are assumed infected and back them up (download them to your local machine in case of catastrophy)
  5. At the bottom of the script’s output, there’s a Fix Files button. If you’re ready, press it and wait. It will tell you when it’s removed the malicious first line from the files.
  6. I’d follow up by personally checking a few random files to ensure you seem right.

This is a quick fix, but not complete. You should ideally remove and update from a back up, but let’s face it, most of us actually back things up. It’s human nature.

Much love. Let me know if this helped you out.

18 Comments

  1. max says…

    andy, thank you for this…
    this is definitely the last site i will be hosting with godaddy…this hack has happened to me at least 3 times
    i do not have wordpress installed…its definitely a hosting environment issue as you mentioned
    im amazed that godaddy hasn’t fixed this yet…
    thanks for the php file, much quicker than doing it by hand

  2. andy says…

    No prob, Max. Glad it helped. I used GoDaddy for dedicated hosting for a while, with little to no problems, but I was renting a box and managing the software/security myself (and with a friend who was an amazing sysadmin).

    I bitch a lot about GoDaddy but I will say the only REAL issue I have with them is their shared hosting environment which seems to be on a terrible proprietary management system.

    I can’t handle the caching/non-functioning .htaccess files, upload throttling/limits and naggning “Pending Setup” messages that take 1-4 hours to create new databases and FTP accounts. Just a time suck that has no reason to exist!

    Ok, </vent>

  3. max says…

    Yeah…im on shared linux hosting…DIY is definitely the way to go…like they say, if you wan’t something done…

  4. Peter says…

    I have been curing my sites 3x already. Thanks for your help.

    The big question is of course: how does the malware code get into the PHP files? It seems (http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/) a PHP file is uploaded to the site that executes, infests and then deletes itself.

    HOWEVER, the main question remaining is HOW files can be dropped? How do they get in there? My passwords are pretty secure. I only use SFTP, have only one admin account, etc.. and and change my passwords after every hack. all in vain it seems…

    peter

  5. andy says…

    @Peter no worries, glad it helped. I’m going to update the script today as I found the same issue on a non-Godaddy hosted account (GoDaddy, I apologize and you’re not alone in these attacks and I will blog a retraction/update post).

    For those of you with the original GoDaddy version of the hack, this page is still accurate. Look for a follow up post soon with a new script and more details.

    Thanks.

  6. Anh Wu says…

    That worked with my site. Thank you.

  7. Peter says…

    Andy, I did a small customization to your script, and republished it on this post http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/

    I gave due credit..

    Hope you don’t mind the changes.

    Peter

  8. dj says…

    Thank you !! Very well done.

    I noticed my sites were infected this morning, tried to run godaddy’s update…didnt fix the problem completely.

    So I stumbled across your post through google. You should send this to them. I had 13,000 infected files when I ran your php script. It managed to fix all of them.

    Again, thank you.

  9. andy says…

    @dj thanks. @peter (see previous comments) made some modifications to the script, he realized it was outputting 2 times the number of files for some reason.

    I’ve updated the script with some new options thanks to @peter’s input and version from his site.

    Good luck to everyone who needs this. I need to write a follow up post about cleaning up your sites as well. Stay tuned.

  10. Is WordPress VIP Beyond Reach? Let HostCo Wipe Away The Tears | The Blog Herald says…

    [...] it comes to shared hosting plans (the oft popular choice among bloggers which hackers unfortunately love to [...]

  11. Paul says…

    Hi Andy.

    Came across your post when googling “GoDaddy Hosting Virus”

    To keep this as brief as possible, we had major issues with over a dozen GoDaddy Shared Hosting accounts going back to April 2010, and since it’s now April 2011, and same crap different day is happening again.

    Lot’s of time and money was lost last year, and all GoDaddy did was pass the buck, at first didn’t even admit there was a problem, then did – sorta. We still had to painstakingly fix all of this over 500 websites.

    Tried your script in this post, but it doesn’t seem to be detecting this new “virus strain”.

    Here is the bs code that is implanted on hundreds of index files on the bottom of each page after the “body” tag:

    These sites do not have WordPress, but the same GoDaddy Shared Linux hosting accounts may have some WordPress installs on them.

    The index pages on these landing pages do have an index.php extention.

    Since we are not super techie, and GoDaddy is no help, even though we have multiple VIP accounts and thousands of domains with them too, need a permanent solution to not have these hosting issues again.

    I’m sure more readers will be visiting your same post over the upcoming days, as it was on first page of Google for this problem, and I know there are more people having same issue again.

    Any suggestions are greatly appreciated.

    Thanks!

    Paul

  12. Paul says…

    Update, I noticed my last comment didn’t include the bs virus code:
    src = description2011.ru/in.php?a=QQkFBwQHBAEABQQMEkcJBQcEBwUABAECAA== width=”0″ height=”0″ frameborder=”0″

    I’m deleting out the iframe, brackets, , http : // , etc…

    Hopefully it will appear here, so other people maybe able to identify the same / similar virus code they may be experiencing.

    Paul

  13. andy says…

    @Paul interesting. I’m booked on many projects right now, so I have minimal free time to play with this, but if you’ve got tons of sites affected, you can use my quote form to contact me and I can try to see if I can fit building you a custom solution into my work queue.

  14. jrzgirlzz says…

    I have a GoDaddy account and have been affected by this malware. I also have a GoDaddy Shared Linux hosting account. I tried to fix the problem myself but each time the infection keeps returning. I alerted GoDaddy and at first they told me it was an internet explorer issue. I kept complaining and they insist it’s a WordPress issue and they charged me $150.00 to “restore” all of my 109 sites to a date a few weeks ago. That hasn’t worked either and I’m not computer savy enough to try your fix. Any help is appreciated

  15. jrzgirlzz says…

    Also, I have tried removing the code from my index.php files and my sites will look good for about 5 minutes and then they revert back to being all messed up again and the malicious code has been restored…

  16. jrzgirlzz says…

    I was able to follow your instructions and text for the malware but it said 0 infected files – however, I can see on my GoDaddy hosting account that the index.php file is infected… how can I fix this?

  17. sonofara says…

    Is there any way to prevent godaddy hosting from being affected by malware?

  18. andy says…

    @sonofara please refer to any information from Sucuri Security

RSS feed for comments on this post. TrackBack URL

Leave a Comment

May 12, 2010

Filed in Development

There are 18 comments »


« Back to the Blog