One of my sites was hacked. I'm looking for help to find out the reason.

Discussion in 'PHP' started by BurritoWeed, Apr 21, 2010.

  1. Kairos

    Kairos Peon

    #21
    Looks like you are just SPAMMING for your antivirus.

    Yes, it is a GoDaddy issue and no, I don't think that you have the right solution: my operating system is Fedora 11, not Windoze, and I have yet to see spyware retrieving my FTP passwords.
     
    Kairos, Apr 28, 2010 IP
  2. alistair80

    alistair80 Well-Known Member

    #22
    Look at ur post count...and look @ mine...and see who's spamming...are you a banned member?
     
    alistair80, Apr 28, 2010 IP
  3. Kairos

    Kairos Peon

    #23
    Well, post count....that's an effective argument.

    But no, I'm not a banned member (at least, not yet). Your suggestion about checking PC for infection simply does not make sense in this specific case.

    First, I use Linux (Fedora) and although it is not impossible to create a virus / spyware / backdoor for Linux, it is far from easy.

    Second, I use the same FTP client to manage 12 websites and if a spyware had stolen my FTP passwords, my other sites (which are not hosted at GoDaddy) would also have been compromised.
     
    Kairos, Apr 29, 2010 IP
  4. alistair80

    alistair80 Well-Known Member

    #24
    I didn't know you were on Linux! Many sites were affected by this malware since April 24th. Most hosted on GoDaddy... and mostly blogs. It leaves an encoded rogue JavaScript in the footer which decodes a huge funky s### on top of all PHP files... It happened to me! I suggested Panda cuz I had never used it before and it was the only AV that detected the spyware on my laptop. I moved out of GD since... believe me, it had affected one of my biggest sites and I almost lost sleep...
     
    alistair80, Apr 29, 2010 IP
  5. mrga

    mrga Peon

    #25
    Hello,

    I think that I found the hole, or one of the problems. It is a GoDaddy security hole and I hope I will help them and other people.

    It was very funny that I found 4-5 scripts injected on my site. These injected scripts are a tool with which the hacker can access my site... upload files, download files, execute Linux commands, start automated injection scripts etc. Very nice tool; I didn't have time to understand it completely :)

    OK, the hole, or one of the problems...
    The extension filter for parsing files works wrong!

    All injected scripts have names like:
    image.php.jpg
    somthing.php.jpg

    and these files were executed like normal ".php" files. I tried a file with the name "somthing.php.whatafuckisthat" and the server normally executed the code in it... but I don't have a registered extension ".whatafuckisthat", so why is the server parsing it? :)

    The hacker faked my image check because he wrote the file content to look like an image... and after it passed the upload... the file "image.php.jpg" was nicely parsed by the server as PHP code.

    I think that the GoDaddy extension system that decides which files to parse as PHP code has a bug.

    Hope this will help!

    PS.
    If there is a predefined massive attack, change your files so that they cannot be written... it is a temporary solution...
     
    mrga, May 1, 2010 IP
  6. BurritoWeed

    BurritoWeed Peon

    #26
    My non-WordPress site hosted at GoDaddy was hacked for the second time last Saturday, May 1st. Everything I did to increase the security didn't work. I'm almost sure this is a GoDaddy bug. What else could it be? Everybody complaining on the net about this hack is people with websites hosted at GoDaddy...

    Now I'm just thinking: when is the next attack coming?? This is freaky! What would be a good hosting service to replace GoDaddy?

    Thanks!!
     
    BurritoWeed, May 5, 2010 IP
  7. mrga

    mrga Peon

    #27
    Hi,

    A little tutorial to see if you have an issue executing multi-extension files.
    Create a file with the name "info.php.jpg" and add the following code to it:

    <?php
    phpinfo();
    ?>

    Upload it to your webpage and try to get it ("www.yourdomain.com/info.php.jpg").

    If your file is parsed (you will see the PHP information) instead of getting a nonexistent image, you have this security issue.

    What does this mean?
    This means that if you have file upload functionality, a hacker can upload a script to your site and run it.
    It is not based on a single CMS (WordPress, Joomla...); it is a general issue.
    I found a script that looks like an image inside but is a tool.

    This issue is maybe not related to this attack, but it is a security issue that you can check and prevent file injection.

    Above I posted a fix for GoDaddy that is a little bit different from the WordPress fix.

    Hope this can help somebody... and save some working hours
     
    mrga, May 5, 2010 IP
  8. mrga

    mrga Peon

    #28
    Some screenshots of the tool that was injected through the multi-extension hole... nice tool :)

    [screenshots]
     
    mrga, May 5, 2010 IP
  9. roopajyothi

    roopajyothi Active Member

    #29
    Yep! The issue is now fixed and I found many solutions for that.
    Just do a Google search to get them!
     
    roopajyothi, May 5, 2010 IP
  10. mrga

    mrga Peon

    #30
    Hi,

    The fix is to create a .htaccess file and put the following in it for GoDaddy:

    RemoveHandler application/x-httpd-php .php
    <FilesMatch "\.(php|php5|php4|php3|phtml|phpt)$">
    SetHandler x-httpd-php5
    </FilesMatch>
    <FilesMatch "\.phps$">
    SetHandler x-httpd-php5-source
    </FilesMatch>

    For other servers you can maybe see the WordPress fix:
    "http://core.trac.wordpress.org/ticket/11122"

    Sorry, I forgot to put a solution. I wrote it all around the other forums but I forgot to put it here.

    I'm happy that I helped at least one person ;)
     
    mrga, May 5, 2010 IP
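The two posts above (the "info.php.jpg" test and the .htaccess fix) describe the same mechanism from two sides: with PHP bound through AddHandler, Apache's mod_mime looks at every extension in a name, so image.php.jpg is handed to PHP, while the posted FilesMatch rule only looks at the end of the name. The following Python model is an added example, not code from the thread or from GoDaddy; it reproduces both rules on sample names and adds an assumed upload-name policy (the allow list and base-name pattern are my choices) that rejects such names before the server ever sees them.

```python
import re

# Added example, not code from the thread: models how Apache's mod_mime treats
# a name with several extensions when PHP is bound with AddHandler (every
# ".php" segment counts, so image.php.jpg runs as PHP) versus the FilesMatch
# rule posted above, which only looks at the end of the file name. The
# extension list is the one from the posted .htaccess; the upload-name check
# at the end is an assumed defensive policy, not GoDaddy's.

# Extensions bound to the PHP handler, taken from the posted FilesMatch rule.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phpt"}


def executed_with_addhandler(filename: str) -> bool:
    """AddHandler semantics: mod_mime inspects every dot-separated segment
    after the base name, case-insensitively, so any recognised PHP segment
    selects the handler even when it is not the last one."""
    segments = filename.split(".")[1:]          # drop the base name
    return any(seg.lower() in PHP_EXTENSIONS for seg in segments)


# The fix from the thread, exactly as written (no (?i) flag, anchored at $).
FILESMATCH_FIX = re.compile(r"\.(php|php5|php4|php3|phtml|phpt)$")


def executed_with_filesmatch(filename: str) -> bool:
    """After 'RemoveHandler ... .php' only names matching the anchored
    FilesMatch rule reach the PHP handler; image.php.jpg no longer does."""
    return FILESMATCH_FIX.search(filename) is not None


def is_safe_upload_name(filename: str, allowed=("jpg", "jpeg", "png", "gif")) -> bool:
    """Assumed upload-handler policy: exactly one extension, from an allow
    list, and a plain base name. This rejects image.php.jpg regardless of
    how the web server is configured, which is the robust fix for uploads."""
    base, dot, ext = filename.rpartition(".")
    if not dot or "." in base:                  # no extension, or several
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return False                             # rejects '../x' and the like
    return ext.lower() in allowed


def classify(filename: str) -> dict:
    """Summary of how one name fares under each rule, for the table below."""
    return {
        "addhandler_runs_php": executed_with_addhandler(filename),
        "filesmatch_runs_php": executed_with_filesmatch(filename),
        "upload_accepts": is_safe_upload_name(filename),
    }


if __name__ == "__main__":
    # Constructed sample names, including the pattern reported in the thread.
    for name in ("index.php", "photo.jpg", "image.php.jpg", "info.php.whatever", "index.PHP"):
        print(f"{name:20} {classify(name)}")
```

Two things the model makes visible: the posted FilesMatch regex is case-sensitive as written, so a name like index.PHP is no longer executed but would be served as plain text (source disclosure rather than code execution), and the server-side rule only protects hosts where it is applied, whereas validating the upload name to a single allow-listed extension protects the application on any host.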
  11. roopajyothi

    roopajyothi Active Member

    #31
    Hey! I forgot to add: one of my domains had the same interface; it was hacked.
    The loophole I found was that I left an upload management system unprotected and those guys used their scripts and executed them on my domain.
    Anyhow, I deleted all the files in that domain.
    But the file they uploaded was in Turkish or Arabic and it was like a PHP FTP file browser :)
     
    roopajyothi, May 5, 2010 IP
  12. mrga

    mrga Peon

    #32
    Hi,

    I think that I read a post about an injection with a Turkish flag... same hole, multi-extension parsing of files... they just uploaded code as an avatar in WordPress and after that they ran it.
    If they have FTP access, this means they can inject their malicious files everywhere.

    My suggestion is:

    1. Download Agent Ransack; it is a free tool that is very good for searching in file contents and file names (just Google "Agent Ransack").
    2. Download your site.
    3. First, search for "base64".
    4. Second, check for filenames "*php*" (because it can be "somthing.php.jpg").
    5. Check with AVG or a similar antivirus application.
    6. Try to search for the content "<?php" and see if you find it in strange files.
    7. If you have a clean backup, you can use the Beyond Compare tool to compare your backup with the downloaded site and check the changes (this will help you to find files that they maybe changed or injected in your folders).
    8. Check your folder permissions and forbid access from "world" where you don't need it (execution, reading and writing).
    9. Change the passwords of the database and FTP.

    This can help to find the scripts, but it is not proof that you found all injected scripts; it is at least some check.
    I have the luck that I made my own CMS and it is not big and I know all the code, so for me it was easy to detect strange files.
    I checked with AVG antivirus and it found 2 injections, but I found 2 more that it didn't detect.

    Hope this helps...
     
    mrga, May 5, 2010 IP
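The checklist in the post above (search for base64, look for ".php" buried in file names, look for "<?php" in files that are not PHP, and diff against a clean backup) can be run in one pass over a downloaded copy of the site. The script below is an added example, not the poster's procedure or tooling: it builds a small constructed site tree in a temporary directory with three planted injections of the kinds described in this thread (a fake image named image.php.jpg carrying a PHP tag, a new file calling base64_decode, and a legitimate file with an eval appended), then scans it against its clean backup and reports findings by category. The regexes and the category names are my choices.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Added example, not the poster's tooling: automates the checklist above
# (search contents for base64 use, look for ".php" buried inside file names,
# look for "<?php" in files that are not .php, and diff against a clean
# backup). The sample site it scans is constructed below in a temp dir.

DOUBLE_EXTENSION = re.compile(r"\.(php|php3|php4|php5|phtml)\.", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"<\?php")
SUSPICIOUS_CODE = (re.compile(rb"base64_decode\s*\("), re.compile(rb"\beval\s*\("))
PHP_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def scan_site(site: Path, backup: Optional[Path] = None) -> Dict[str, List[str]]:
    """Return findings per category as sorted lists of site-relative paths."""
    findings: Dict[str, List[str]] = {
        "double_extension": [], "php_in_non_php": [], "suspicious_code": [],
        "changed": [], "new": [],
    }
    baseline = hash_tree(backup) if backup else {}
    for path in site.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(site).as_posix()
        data = path.read_bytes()
        if DOUBLE_EXTENSION.search(path.name):          # e.g. image.php.jpg
            findings["double_extension"].append(rel)
        if path.suffix.lower() not in PHP_SUFFIXES and PHP_OPEN_TAG.search(data):
            findings["php_in_non_php"].append(rel)      # "<?php" in a non-PHP file
        if any(pat.search(data) for pat in SUSPICIOUS_CODE):
            findings["suspicious_code"].append(rel)     # base64_decode / eval
        if backup:                                      # Beyond Compare step
            if rel not in baseline:
                findings["new"].append(rel)
            elif baseline[rel] != sha256_of(path):
                findings["changed"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_site() -> Tuple[Path, Path]:
    """Constructed fixture: a clean backup and a copy with three injections."""
    root = Path(tempfile.mkdtemp(prefix="site_scan_"))
    backup, site = root / "backup", root / "site"
    clean = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "inc/config.php": b"<?php $db = 'site'; ?>\n",
        "images/logo.png": b"\x89PNG\r\n\x1a\n(fake image bytes)",
    }
    for base in (backup, site):
        for rel, content in clean.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
    # 1: a "picture" that is really PHP, named as in the thread (stand-in body)
    (site / "images/image.php.jpg").write_bytes(b"GIF89a<?php /* stand-in */ ?>")
    # 2: a new file that decodes a base64 blob ('Zm9v' is just "foo")
    (site / "inc/loader.php").write_bytes(b"<?php $x = base64_decode('Zm9v'); ?>")
    # 3: a legitimate file with an eval appended to the end
    with (site / "index.php").open("ab") as fh:
        fh.write(b"<?php @eval(base64_decode('Zm9v')); ?>\n")
    return site, backup


def run_demo() -> Dict[str, List[str]]:
    site, backup = build_sample_site()
    return scan_site(site, backup)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category:17} {paths}")
```

Point scan_site at a downloaded copy of a real site (and, if available, at the last clean backup) instead of the fixture. As the post says, a hit list like this is a starting point rather than proof of a clean site: the content patterns only catch the obvious encodings, and the backup diff is the check that does not depend on guessing what the injected code looks like, which is why keeping a known-good copy matters more than any single signature.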