SG Managed Provides Hosting For Important Spam Hack Component

SG Managed is providing hosting for c4412d2ffc4bf832.info, which is an important component of a spam hack that has affected a large number of Zen Cart based websites. The website is one of eight from which the hacked websites attempt to retrieve a file containing a set of spam links, which they display when search engines request pages from the hacked website. This website is the only one of the eight currently active, and if the hosting were shut off the hacked websites would no longer contain spam links unless new hosting could be found. We contacted SG Managed about the issue several weeks ago; we have received no response and the website is still being hosted by them. When we contacted another host who had been providing service for another website used by the hack, they shut down the service within an hour.

We are currently in the process of contacting the websites that have been affected.

The Planet Hosts Critical Component of SEO Poisoning Campaign

The Planet, a large US hosting provider, provides hosting for two websites that are critical to a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that, when accessed, attempt to infect the visitor's computer with malware. This particular campaign involves two sets of hacked websites and the websites hosted by The Planet. The first set of websites has been hacked to display the content of a file requested from either getalllinks.info or dvc44ftgr.com whenever a page from the hacked website is requested by a search engine. The files from getalllinks.info and dvc44ftgr.com, hosted by The Planet at the IP address 174.133.193.218, include links to pages on the second set of hacked websites. The content of those files can be seen at http://www.getalllinks.info/links/0.txt or http://www.dvc44ftgr.com/links/0.txt. Search engines crawl those pages on the second set of hacked websites and they get included in search engine results. When people access the pages through search engines they are redirected to a fake anti-virus scanner that attempts to infect their computers with malware. Without the two domains hosted by The Planet, the pages on the second set of websites are never crawled and never get included in the search results where they could be accessed by users.

We twice contacted The Planet about the issue and in both cases they took no action. The first time they claimed the issue had already been resolved, and the second time they claimed they could not find anything. We did not receive the same response when we contacted another provider who had been providing service for one of the domains. EveryDNS, which had been providing DNS service for getalllinks.info, shut off the service a day after we contacted them. Two weeks later the domain became active again after it started using DNS service hosted on the same server at The Planet.

Rackspace Failed to Upgrade Software with Critical Vulnerability for 5 Months

Rackspace is the latest in a string of recent hosting-provider-caused hackings of client websites. Unfortunately, some hosting providers continue not to take the basic steps to keep their customers secure from hacks at the hosting provider level. One of the most basic security steps is keeping software updated, which Rackspace failed to do with at least one major software component. On January 27, phpMyAdmin, a widely used MySQL database administration tool, released a security advisory warning of a “critical” vulnerability in versions 2.11.x prior to version 2.11.10. The secure version of phpMyAdmin had been released a month prior to the security advisory’s release. Rackspace finally upgraded the installation of phpMyAdmin running on their Rackspace Cloud service on June 13, and that was only “after customer reports brought” it to their attention. Up until then, they had not updated phpMyAdmin since version 2.11.3 was released, which was back in December of 2007. Rackspace claims that they have “reviewed and adjusted our procedures so that going forward we will do better to stay up to date with the latest security releases of phpMyAdmin”.

Go Daddy Admits to Not Knowing Source of Malware Infections

For several weeks Go Daddy has been blaming the bibzopl.com malware, which has been infecting some Go Daddy hosted websites since February, on users running either outdated versions of WordPress or outdated software installations in general. Neither is true, as the malware has infected websites running up to date software and websites not running any web software, which we and others have been telling Go Daddy. In a topic in Go Daddy’s Community Forums about the code that is causing the websites’ files to become infected, a Go Daddy employee using the username ScottG said they are “currently working on determining the source of the file”. The employee also claimed that Go Daddy had been aware of the code. It was nearly two weeks ago that they claimed to have determined the source of the infections. No explanation was given of why they previously claimed to have determined the source of the infections, or why they have not admitted that their previous information was wrong. The employee also said that they are having to get help from other hosting providers to secure their own systems.

Here is the Go Daddy employee’s entire post:

This is information that we have been aware of and are currently working on determining the source of the file. This is not an issue that is localized to Go Daddy. Several other hosting companies are seeing this same attack and we are working with them to determine the source of the attacks and the best way to mitigate them.

Go Daddy Continues PR Campaign Instead of Fixing Security Issue

Early this morning a new variant of the bibzopl.com malware, which calls a JavaScript file from holasionweb.com, infected a large number of Go Daddy hosted websites. By this morning their PR department had already contacted us again, with continued misinformation about the issue. If they eventually decide to work on discovering and fixing the underlying security issue, instead of running a PR campaign that claims they are secure, the websites would stop getting reinfected.

Go Daddy continues to claim, when not claiming the issue is due to outdated WordPress installations, that this malware is due to “Individuals running outdated applications and software”. As we have posted before, and as Go Daddy is well aware, the malware has infected websites running up to date software and websites not running any web software.

If you are a Go Daddy customer who has been infected and is running updated software, we would be interested to know what response you have received from Go Daddy about this issue.

Go Daddy Again Blames Malware on Outdated WordPress Installations

In an interview Tuesday, Go Daddy’s Chief Information Security Officer Todd Redfoot claimed that the bibzopl.com malware that has been infecting some Go Daddy hosted websites was due to users with outdated versions of WordPress installed in their accounts, which were exploited. Last Friday Go Daddy made the same claim, but by Monday they were claiming that the issue was with users running outdated software, not just WordPress. In our contact with them, they stated that it was not WordPress specific. There was no explanation for the most recent change in the claimed source of the infections.

The malware has infected websites and accounts that did not contain WordPress installations, and websites and accounts that only had WordPress installations running the latest version. There is no reason they should be unaware of this: they claimed to have “scanned our 4M hosted sites to identify sites impacted”, we have mentioned this information in our contact with them, their clients who do not have WordPress installations have been contacting them about the malware, and there are many comments on the Internet from their clients who do not have WordPress installations.

Mr. Redfoot also stated that Go Daddy first spotted the “attack” on May 1, but the malware infections actually began in February and began to infect a large number of websites in April.

Go Daddy’s continued attempts to deflect the blame for issues within their own systems will not solve the issue. If they do not discover the actual underlying issue and fix it, websites could be reinfected with malware.

Clearing Up Misinformation About Go Daddy’s Malware Issue

Go Daddy has released another statement about the bibzopl.com malware that has been infecting some Go Daddy hosted websites. The most recent statement continues their misinformation about the issue, while claiming that they are a “target for speculation and misinformation”.

The largest piece of misinformation is that the cause of the malware is outdated software, whether WordPress, as Go Daddy first blamed, or other software. The malware has infected websites running up to date software and websites not running any web software. As we have explained since February, the malware infects files with the .php extension. Many pieces of web software use .php files, possibly leading to Go Daddy’s most recent inaccurate identification of the issue.

In their most recent statement Go Daddy claimed “both the prevention and the cure are not under” their control, which is not true. The cause of the infection is an issue within Go Daddy’s systems. They are the only ones who can discover and fix the issue.

There has also been misinformation that the malware has infected websites not hosted on Go Daddy. What seems to be causing confusion is that some people are unaware that there are many different hacks and pieces of malware out there, and they are not all related. The binglblats.com malware, which has been infecting Network Solutions hosted websites due to security issues they have, and which some have claimed is the same, is unrelated. The vast majority of hacks and malware are due to passwords compromised by password-stealing malware on computers, outdated software, SQL injections, and other issues that have nothing to do with hosting providers. This malware has only infected Go Daddy hosted websites.

Here is Go Daddy’s entire statement:

Go Daddy Cares! Here’s some info…

We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, ‘What is Go Daddy doing to help?’

As the world’s #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control — because the customer decides whether to update the software they run. (If you think about it, it’s like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.

This is why we are working to proactively communicate and educate Internet users about this situation.

Here are a few of the initiatives we have going right now.

As a service to our customers and all Internet users:

  • Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).
  • Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we’ve alerted them even before they realize they are impacted).
  • Go Daddy is also taking the leadership role with educational communication — posting Help Articles to our Community & Customer Service pages to provide “1,2,3 Info” on how to properly update software.

    We’ll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.

Phil Stuart
Go Daddy Communications

Go Daddy Changes Statement After Websites Reinfected

On Friday, Go Daddy released a statement that claimed that after an “extensive investigation” they had determined that the bibzopl.com malware that has been infecting some Go Daddy hosted websites was due to users running an outdated version of WordPress that had been “set up in a particular way”. In our post about the statement, we explained why this was inaccurate and warned that if the actual underlying issue was not discovered and fixed, websites could again be infected with malware. Early on Saturday the websites were reinfected; this time the malware calls a JavaScript file from kdjkfjskdfjlskdjf.com.

By this morning Go Daddy had amended their statement. They have removed the claim to have performed an “extensive investigation” into the issue. They have also removed the claim that the malware is WordPress specific, simply blaming the infections on the use of “outdated software”. This claim is inaccurate, as the malware has infected websites running up to date software and websites not running any web software. As we have explained since February, the malware infects files with the .php extension. Many pieces of web software use .php files, possibly leading to Go Daddy’s most recent inaccurate identification of the issue. Again, if the actual underlying issue is not discovered and fixed, websites could be reinfected with malware.

Here is Go Daddy’s entire amended statement:

If you are experiencing difficulties with your site, you may be using outdated software and unknowingly hosting malware.

For easy-to-understand information on how to remove the malware and update your software, please click on our Help Article.

If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure and in a safe place.

Go Daddy Blames Recent Malware on Outdated WordPress Installations

After an “extensive investigation”, Go Daddy today released a statement with their findings about the bibzopl.com malware that has been infecting some Go Daddy hosted websites since February. They claimed the malware infection is due to users running an outdated version of WordPress that had been “set up in a particular way”. This information is inaccurate, as the malware has infected websites that are not running WordPress and websites running version 2.9.2 of WordPress. The malware infects files with the .php extension. Since WordPress uses .php files and is the most popular content management system, a lot of the infected websites have been WordPress based. This possibly led to their inaccurate identification of the underlying issue that caused the websites to become infected. If Go Daddy does not discover and fix the actual underlying issue, websites could again be infected with malware.
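Both the Zen Cart spam hack and the bibzopl.com infections described in these posts leave the same kind of trace in a site's own .php files: a reference to one of the remote hosts that serve the spam links or the injected JavaScript, an added script tag pointing at another host, or a user-agent test that shows the spam only to search engine crawlers. The scanner below is an added example written for this page, not code from any of the hosts or sites discussed; it checks a web root for those traces using only the domains named in the posts above, and the regular expressions and sample file contents are constructed for the demonstration.

```python
import re
import sys
from pathlib import Path

# Hosts the posts above name as serving the spam-link files or the injected
# JavaScript; a reference to them inside a site's own .php files is a strong
# sign of the injected code described there.
INDICATOR_DOMAINS = (
    "c4412d2ffc4bf832.info", "getalllinks.info", "dvc44ftgr.com",
    "bibzopl.com", "holasionweb.com", "kdjkfjskdfjlskdjf.com",
)
# Generic traits of the injections, both needing manual review: a <script src> on
# another host, and a user-agent test for a search-engine crawler (the cloaking
# the spam hack relies on to show its links only to search engines).
EXTERNAL_SCRIPT = re.compile(r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
UA_CLOAK = re.compile(r"HTTP_USER_AGENT.{0,200}?(googlebot|bingbot|msnbot|slurp)", re.I | re.S)

def scan_source(text, domains=INDICATOR_DOMAINS):
    """Return (line_number, reason) tuples for one PHP file's contents; 0 = whole file."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        findings += [(num, f"reference to known domain {d}") for d in domains if d in low]
        m = EXTERNAL_SCRIPT.search(line)
        if m:
            findings.append((num, f"external script from {m.group(1)}"))
    if UA_CLOAK.search(text):
        findings.append((0, "user-agent check for a search-engine crawler"))
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {path: findings} for files with hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples for the demonstration, not taken from any real site.
SAMPLE_INFECTED = """<?php
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
    echo file_get_contents('http://www.getalllinks.info/links/0.txt');
} ?>
<html><body><script src="http://holasionweb.com/1.js"></script></body></html>
"""
SAMPLE_CLEAN = "<?php echo 'hi'; ?>\n<script src=\"/js/app.js\"></script>\n"

if __name__ == "__main__":  # usage: python scan_php.py /path/to/webroot
    for path, found in scan_tree(sys.argv[1]).items():
        print("\n".join(f"{path}:{num}: {reason}" for num, reason in found))
```

A hit on a known domain is conclusive; the external-script and user-agent findings are heuristics that also fire on legitimate analytics or bot-handling code, so review those files by hand.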

Here is Go Daddy’s entire statement:

WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.

This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure, and in a safe place.