Note: an update has been posted regarding the content of this post.
You’ve read all the articles and seen all the tweets. I won’t comment on my personal/professional opinions of GoDaddy’s shared Linux hosting. What I will do is try to help my fellow web professionals recover from the recurring hacks in GoDaddy’s shared Linux hosting environment.
I WILL SAY THIS: This is not a WordPress issue. It’s a hosting environment issue. I have clients who were hacked that had no WordPress installation installed on their account.
Who knows. Bottom line, some doucher or group of douches have found vulnerabilities in the shared Linux hosting environment GoDaddy sells and have appended a line of base64 encoded PHP to be evaluated before nearly every PHP file is launched. This is normally causing malware warnings in updated browsers and I’ve seen some spoofing/redirects to search engine spiders as well.
Revert to a back-up before a hack or remove the malicious line from each .php file in the entire directory tree of your hosting account.
I have created a very simple script to allow you to sniff for these files recursively and remove the first line of any files whose first line contains the string: <?php /**/ eval(base64_decode(
This should clear things up, but I offer no guarantee or warranty and am not liable for what this file does. It’s simply a fix I used on a few client sites.
Instructions:
1. Download godaddy_hack_fix.php and upload it to your document root.
2. Browse to http://yourdomain.com/godaddy_hack_fix.php
3. You will see a Fix Files button. If you’re ready, press it and wait. It will tell you when it’s removed the malicious first line from the files.
This is a quick fix, but not complete. You should ideally remove and update from a back up, but let’s face it, most of us actually back things up. It’s human nature.
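The same cleanup as a Python example, added here and not the author's godaddy_hack_fix.php: it is meant to run over a local copy of the site, only reports by default, and keeps any code that shares line 1 with the injected block instead of deleting the whole line. The function names, the quarantine directory and the assumption that the injected block ends at its first ?> are assumptions of this example.

```python
import os
import shutil
import sys

# Marker string quoted in the post; the fix keys on line 1 containing it.
MARKER = b"<?php /**/ eval(base64_decode("


def strip_injection(data):
    """Return cleaned bytes, or None when line 1 does not contain MARKER."""
    first, sep, rest = data.partition(b"\n")
    start = first.find(MARKER)
    if start == -1:
        return None
    # Assumption: the injected block closes at its first "?>" (base64 text
    # cannot contain "?"). Anything else on line 1 is kept, not deleted.
    end = first.find(b"?>", start)
    kept = first[:start] + (first[end + 2:] if end != -1 else b"")
    return kept + sep + rest if kept.strip() else rest


def clean_tree(root, quarantine, dry_run=True):
    """Return sorted infected *.php paths under root; rewrite them unless dry_run."""
    infected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned = strip_injection(data)
            if cleaned is None:
                continue
            infected.append(path)
            if not dry_run:
                # Copy the original outside the document root so it is never served.
                backup = os.path.join(quarantine, os.path.relpath(path, root))
                os.makedirs(os.path.dirname(backup), exist_ok=True)
                shutil.copy2(path, backup)
                with open(path, "wb") as fh:
                    fh.write(cleaned)
    return sorted(infected)


if __name__ == "__main__":
    print("\n".join(clean_tree(sys.argv[1], sys.argv[2])))
```

Run it once as a report, review the listed files, then call clean_tree(root, quarantine, dry_run=False) to rewrite them.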
Much love. Let me know if this helped you out.
max says…
andy, thank you for this…
this is definitely the last site i will be hosting with godaddy…this hack has happened to me at least 3 times
i do not have wordpress installed…it’s definitely a hosting environment issue as you mentioned
i’m amazed that godaddy hasn’t fixed this yet…
thanks for the php file, much quicker than doing it by hand
andy says…
No prob, Max. Glad it helped. I used GoDaddy for dedicated hosting for a while, with little to no problems, but I was renting a box and managing the software/security myself (and with a friend who was an amazing sysadmin).
I bitch a lot about GoDaddy but I will say the only REAL issue I have with them is their shared hosting environment which seems to be on a terrible proprietary management system.
I can’t handle the caching/non-functioning .htaccess files, upload throttling/limits and nagging “Pending Setup” messages that take 1-4 hours to create new databases and FTP accounts. Just a time suck that has no reason to exist! Ok, </vent>
max says…
Yeah…i’m on shared linux hosting…DIY is definitely the way to go…like they say, if you want something done…
Peter says…
I have been curing my sites 3x already. Thanks for your help.
The big question is of course: how does the malware code get into the PHP files? It seems (http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/) a PHP file is uploaded to the site that executes, infests and then deletes itself.
HOWEVER, the main question remaining is HOW files can be dropped? How do they get in there? My passwords are pretty secure. I only use SFTP, have only one admin account, etc., and change my passwords after every hack. All in vain it seems…
peter
andy says…
@Peter no worries, glad it helped. I’m going to update the script today as I found the same issue on a non-Godaddy hosted account (GoDaddy, I apologize and you’re not alone in these attacks and I will blog a retraction/update post).
For those of you with the original GoDaddy version of the hack, this page is still accurate. Look for a follow up post soon with a new script and more details.
Thanks.
Anh Wu says…
That worked with my site. Thank you.
Peter says…
Andy, I did a small customization to your script, and republished it on this post http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/
I gave due credit..
Hope you don’t mind the changes.
Peter
dj says…
Thank you !! Very well done.
I noticed my sites were infected this morning, tried to run godaddy’s update…didn’t fix the problem completely.
So I stumbled across your post through google. You should send this to them. I had 13,000 infected files when I ran your php script. It managed to fix all of them.
Again, thank you.
andy says…
@dj thanks. @peter (see previous comments) made some modifications to the script, he realized it was outputting 2 times the number of files for some reason.
I’ve updated the script with some new options thanks to @peter’s input and version from his site.
Good luck to everyone who needs this. I need to write a follow up post about cleaning up your sites as well. Stay tuned.