Comments on: GoDaddy Shared Linux Hosting Hack Fix

By: andy

andy — Thu, 12 May 2011 15:21:02 +0000

@Paul interesting. I’m booked on many projects right now, so I have minimal free time to play with this, but if you’ve got tons of sites affected, you can use my quote form to contact me and I can try to see if I can fit building you a custom solution into my work queue.

By: Paul

Paul — Wed, 27 Apr 2011 00:07:52 +0000

Update, I noticed my last comment didn’t include the bs virus code:
src = description2011.ru/in.php?a=QQkFBwQHBAEABQQMEkcJBQcEBwUABAECAA== width=”0″ height=”0″ frameborder=”0″

I’m deleting out the iframe, brackets, , http : // , etc…

Hopefully it will appear here, so other people maybe able to identify the same / similar virus code they may be experiencing.

Paul

By: Paul

Paul — Wed, 27 Apr 2011 00:02:57 +0000

Hi Andy.

Came across your post when googling “GoDaddy Hosting Virus”

To keep this as brief as possible, we had major issues with over a dozen GoDaddy Shared Hosting accounts going back to April 2010, and since it’s now April 2011, and same crap different day is happening again.

Lot’s of time and money was lost last year, and all GoDaddy did was pass the buck, at first didn’t even admit there was a problem, then did – sorta. We still had to painstakingly fix all of this over 500 websites.

Tried your script in this post, but it doesn’t seem to be detecting this new “virus strain”.

Here is the bs code that is implanted on hundreds of index files on the bottom of each page after the “body” tag:

These sites do not have WordPress, but the same GoDaddy Shared Linux hosting accounts may have some WordPress installs on them.

The index pages on these landing pages do have an index.php extention.

Since we are not super techie, and GoDaddy is no help, even though we have multiple VIP accounts and thousands of domains with them too, need a permanent solution to not have these hosting issues again.

I’m sure more readers will be visiting your same post over the upcoming days, as it was on first page of Google for this problem, and I know there are more people having same issue again.

Any suggestions are greatly appreciated.

Thanks!

Paul

By: Is WordPress VIP Beyond Reach? Let HostCo Wipe Away The Tears | The Blog Herald

Tue, 14 Sep 2010 18:46:55 +0000

[...] it comes to shared hosting plans (the oft popular choice among bloggers which hackers unfortunately love to [...]

By: andy

andy — Tue, 18 May 2010 02:09:06 +0000

@dj thanks. @peter (see previous comments) made some modifications to the script, he realized it was outputting 2 times the number of files for some reason.

I’ve updated the script with some new options thanks to @peter’s input and version from his site.

Good luck to everyone who needs this. I need to write a follow up post about cleaning up your sites as well. Stay tuned.

By: dj

dj — Mon, 17 May 2010 23:34:15 +0000

Thank you !! Very well done.

I noticed my sites were infected this morning, tried to run godaddy’s update…didnt fix the problem completely.

So I stumbled across your post through google. You should send this to them. I had 13,000 infected files when I ran your php script. It managed to fix all of them.

Again, thank you.

By: Peter

Peter — Mon, 17 May 2010 19:40:48 +0000

Andy, I did a small customization to your script, and republished it on this post http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/

I gave due credit..

Hope you don’t mind the changes.

Peter

By: Anh Wu

Anh Wu — Mon, 17 May 2010 10:23:01 +0000

That worked with my site. Thank you.

By: andy

andy — Fri, 14 May 2010 14:03:43 +0000

@Peter no worries, glad it helped. I’m going to update the script today as I found the same issue on a non-Godaddy hosted account (GoDaddy, I apologize and you’re not alone in these attacks and I will blog a retraction/update post).

For those of you with the original GoDaddy version of the hack, this page is still accurate. Look for a follow up post soon with a new script and more details.

Thanks.

By: Peter

Peter — Fri, 14 May 2010 13:54:12 +0000

I have been curing my sites 3x already. Thanks for your help.

The big question is of course: how does the malware code get into the PHP files? It seems (http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/) a PHP file is uploaded to the site that executes, infests and then deletes itself.

HOWEVER, the main question remaining is HOW files can be dropped? How do they get in there? My passwords are pretty secure. I only use SFTP, have only one admin account, etc.. and and change my passwords after every hack. all in vain it seems…

peter