BREAKING UPDATE: Data breach at GoDaddy exposes critical information for WordPress websites on the Cloud
After discovering unauthorized third-party access to its managed hosting environment in December, GoDaddy has announced a data breach today. As a precaution, it reset the WordPress admin password that was set at the time of provisioning, as well as any re-used passwords. The company discovered the breach because of an exploited WordPress vulnerability.
Is your WordPress website hosted on GoDaddy Hacked?
If so, you may want to reconsider your web-hosting partner. After a client’s GoDaddy-hosted WordPress website was hacked and GoDaddy’s customer support proved unsupportive, we decided to write a detailed post on this topic. In this post you will learn more about the recent breach via an altered SSH file in GoDaddy’s hosting environment and the suspicious activity on a subset of GoDaddy’s servers, which affected roughly 28,000 customers’ hosting accounts. This has left a number of WordPress sites vulnerable to hacking. You will also learn how to fix a hacked GoDaddy-hosted WordPress site and a few preventive measures you can take to protect your site from hacking.
Worried about a vulnerability that might be exploited on your WordPress site? Get it scanned today. Or, if you are seeing a “This site contains malware” or “The site ahead contains harmful programs” message for your site, check further: go to https://secure.wphackedhelp.com/ >> enter your site >> Start scan >> see whether it is hacked or not.
A public service announcement (PSA) has been made by professional experts with regards to a security issue that might impact some of the customers. GoDaddy, which is one of the biggest companies in the world providing website hosting, has recently disclosed that an unauthorized attacker has hacked into the SSH credentials of around 28,000 hosting accounts on May 4, 2020. It appears that the breach itself occurred on October 19, 2019.
GoDaddy’s security team detected suspicious activity on April 23, when it found that its servers had been attacked on October 19, 2019. GoDaddy recently reported that usernames and passwords used to access clients’ servers were compromised during the attack.
GoDaddy issued an email noting that more than 28 thousand accounts were hacked. The company noted that only one malicious actor participated in the attack and was able to access the login data of those affected.
The company assured affected users that “only their hosting accounts were affected as part of the incident,” while their primary GoDaddy account was not accessible to attackers.
“There is no evidence that the files on the compromised accounts have been modified in any way, but it is also unknown whether during the time he had access he was able to perform any unidentified actions.”
According to Bleeping Computer, GoDaddy revealed that the affected hosting accounts were exposed after altering an SSH file that allows login via console.
The company pointed out that this file was removed from its platform to protect its users. It also indicated that the attacker’s access was completely blocked and that the data of the affected clients was reset.
GoDaddy Site Suspended Notice – Fix Hosting Suspension Issue
Is Your Site Affected? Let’s Check It Out
In 2019, GoDaddy removed more than 15,000 subdomains after an investigation lasting more than two years revealed that these subdomains had been hacked through credential stuffing attacks, in which passwords stolen in a previous breach are tried by hackers on other websites or platforms where victims reused the same passwords.
After deleting them, the company deleted the affected credentials and notified customers.
If you are a client of GoDaddy, a famous hosting service, and have been affected by the last famous hack of the year, you have surely already received an email with the details: 28,000 clients of the company have been affected in a security breach.
Apparently, only one individual has had access to the login information of all affected users. There is no evidence that the files in the compromised accounts have been altered in any way, but it is also unknown whether the attacker was able to perform any unidentified actions during the time they had access.
The company assured affected users that “only” their hosting accounts were affected as part of the incident, while their primary GoDaddy account was not accessible to attackers. Currently the hacker has already been blocked.
Usernames and passwords used to access clients’ servers were compromised, data that has already been reset. Even so, if you have received the email, it is important to watch for any strange activity that may occur on your servers, just in case the attacker managed to install any “timer” program.
Nothing is known about the identity of the attacker, and the GoDaddy note does not report whether the perpetrator is being actively sought.
GoDaddy sends notifications to buyers to alert them of a hosting security breach. The security breach is described in vague terms by GoDaddy as someone obtaining login information that could have given the hacker the ability to download or modify website files.
According to the California Department of Justice, the security breach occurred on October 19, 2019 and was reported a few months later, on May 3, 2020.
SSH is known as Secure Shell. It is a secure protocol used to execute commands on a server as well as to download and modify files.
If an attacker has SSH access to a website, the website is compromised.
In general, only administrator-level users should have SSH access because of the vast changes that can be made to the main files on a website.
GoDaddy revealed that an unknown attacker had compromised some of their servers.
GoDaddy’s official email statement:
“The study found that an unauthorized person had access to your login information used to log into SSH on your hosting account.”
According to GoDaddy, the compromise in SSH started in October 2019 and was discovered in April 2020.
Beyond the general statement of the date of the breach and its link with SSH, GoDaddy does not seem to have revealed other information.
GoDaddy does not say if this is a new flaw.
GoDaddy did not say if it was a known flaw in October 2019 that had not been fixed.
The only thing GoDaddy has admitted is that the servers were compromised by a third party in October 2019 and went undetected for six months.
A search for SSH flaws shows that a serious flaw was discovered in OpenSSH 7.7 to 7.9 and all versions of OpenSSH 8 to 8.1.
The flaw in OpenSSH was corrected on 10/09/2019 in version 8.1. This date coincides with the date of October 2019 that GoDaddy confirmed as the date on which their hosting servers were compromised.
GoDaddy has not confirmed if the above is the flaw.
The flaw is recorded in the US government’s National Vulnerability Database as CVE-2019-16905.
The flaw was discovered by a security team, which described it in a full disclosure.
Here is the security team’s description:
“If an attacker produces a state where ‘aadlen’ + ‘encrypted_len’ is greater than INT_MAX, it is possible to pass verification…
Any OpenSSH functionality that can scan a private XMSS key is weak in the face.”
If the above is the SSH flaw affecting GoDaddy, whose compromise, according to GoDaddy, started in October 2019, then whoever was in charge of maintaining GoDaddy’s servers failed to patch the flaw, and the servers were not updated until April 2020.
But we have no way of knowing for certain what happened. GoDaddy did not explain why the security breach went undetected for six months.
GoDaddy has emailed affected customers to let them know that their passwords have been reset. The email contains a link to the procedure for resetting the password.
GoDaddy did not say if any websites were hacked. The email sent to customers indicates that GoDaddy has detected “suspicious activity” on its customers’ servers.
According to GoDaddy:
“The study found that an unauthorized person had access to your login information used to log into SSH on your hosting account.
We have no evidence that files have been uploaded or altered on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate the potential impact on our environment.”
GoDaddy did not provide any information on how the hackers acquired access to the SSH login information. However, GoDaddy sent an email to compromised customers notifying them that their passwords have been reset.
It would be a nightmare to find that your GoDaddy-hosted WordPress site has been hacked. Luckily, there is a fix for that, but you need to act fast in this case.
Hackers can use your site for all sorts of malicious activities such as sending spam mails and stealing sensitive data. This can damage your website and put your business at risk.
At times the repair process takes a long time when done by inexperienced developers, and this gives hackers more time to carry out their malicious activities.
Recently, we had a situation in which one of our clients’ sites hosted on GoDaddy got hacked. Even though the WordPress site had under 50 web pages, Google Analytics was showing over 1 million pages! This was a sure sign that our client’s website had been hacked.
On further scanning their website, we found that the hacker had created a bunch of spam pages in Japanese and got them indexed in search engines, in a bid to get them ranked while tanking the rankings of the actual pages. This was a peculiar example of the Japanese keyword hack. While the hacking situation has been resolved and their website fixed, it could have been prevented.
In another scenario, a user’s WordPress site got infected with ransomware after criminals managed to hack the DNS records of GoDaddy-hosted websites. Hackers break into legitimate web hosting accounts on GoDaddy to serve up messages promoting websites offering snake oil products. In some cases, a user’s WordPress site is infected with redirect malware and is automatically redirected to another site.
Before we get into the cleanup process for your hacked site, you must go through the steps mentioned below, and don’t forget to do a thorough security scan of your WordPress site to confirm whether it is hacked or not.
There are many signs to look for in a hacked site. Never assume your site has been hacked simply because you see WordPress errors on your site or a false alert from a security plugin; that can be misleading. Before moving ahead with the cleanup, let’s take a quick look at the signs of a hacked site:
If you’ve noticed these signs on your website, then your WordPress site is hacked and you need to scan it immediately to find and fix the infection.
GoDaddy is one of the largest hosts when it comes to WordPress and is a target for hackers looking to infect the WordPress sites it hosts. I
Although they inform their customers that their site is hacked and ask them to clean it up, website owners often have little idea how to remove the hacked code from their site, which is quite a complex process depending on the kind of hack.
If you do not clean up your hacked GoDaddy site, you risk having your website blacklisted by Google, meaning that visitors will be shown a warning that the site is harmful, which will eventually lead to a loss of trust and branding. GoDaddy of course will provide you with no help at all – they won’t even check if it’s a hack, they will just assume it’s some WordPress issue and not even give you a place to start trying to fix it.
STAY CALM!
We have cleaned thousands of hacked GoDaddy WordPress sites and can get your site cleaned right away as well, for a very affordable cost.
We know exactly what to look for and how to identify and remove all malicious code and infected files you have on your site.
Also the best part is the security enhancements we complete once the site is clean.
Do not hesitate and take action now to get your WordPress Infection cleaned up right away!
There are two ways to scan your website for malware – manually and using a plugin.
METHOD 1 – Automatic scanning via WordPress security plugin
The first method is to use a WordPress security plugin. This is the least recommended way, because security plugins work in a fixed manner: they compare the website code against their database of malicious footprints, which is usually not up to date. Hackers these days have become intelligent and keep changing their malware footprints and signatures to avoid easy detection by security plugins.
As we know, everyone is selling their own WordPress security plugin, and there are a great many security plugins available on the internet.
There are many WordPress malware scanners available in the market including one offered by GoDaddy. But not every scanner can find all types and traces of malware. We recommend using only these best WordPress malware scanners.
METHOD 2 – Manual, In-depth Scanning for malicious code
The manual method is time-consuming but the most effective way. We need to access your WordPress files and database and then manually search for the malicious code. This method is the least risky.
A malware scanner can check files and folders where malware is usually found.
Hackers have more options for placing their malicious code, since websites these days hold many gigabytes of data in their backend, including WordPress files. They tend to infect multiple files and folders. A scanner needs to do a deep scan of your website in order to locate all instances of malware. This is where our advanced WordPress malware scanner comes into play: it runs a deep scan of your WordPress files and folders and identifies vulnerable areas of your website that need further investigation.
WP Hacked Help will run a complete and thorough scan of your WordPress site. It checks every file, folder, and database of your website. You can try our scanner here and see for yourself.
GoDaddy also offers a Website Security plan. After you subscribe to it, you can request a cleanup, and a cyber security analyst will be assigned to your case. They will then manually scan your site. But this entire process can take days! And their customer support is a pity.
However, the WP Hacked Help scanner uses an automated process that will get the job done in a matter of hours. After it locates the infected files, we clean them up instantly. Same-day cleanup is our USP, along with a money-back guarantee.
Now that you’ve identified the hacked files, you can use our WordPress security services to help you remove malware from your hacked WordPress site and restore your site back to normal quickly.
(details already discussed in above section)
In case your site is suspended by GoDaddy, you can contact them via chat, email or phone. Take a screenshot of your ‘site is clean’ status on our security scanner report. Submit the steps you took to clean your site along with this screenshot to GoDaddy. Once they verify that your site is clean, they will remove the suspension and your site will be back online.
This post will guide you through the entire process in order to remove google warning messages.
In case anyone has not received a notification regarding the impact of this breach, they will be notified in the coming days.
The attacker’s public key has been removed and the account passwords have been updated, as indicated by GoDaddy. Although the steps taken should prevent the attacker from accessing the impacted sites via SSH, it is strongly recommended that you change your site’s database password, which could easily have been compromised without any modifications to the account.
GoDaddy allows remote database connections to be enabled on many of its hosting accounts. Hence, control of these WordPress sites can be gained with the help of compromised database credentials. It is recommended that you check your sites for unauthorized administrative users, as they might have been created without the modification of any files on the site.
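One way to run the administrator check recommended above, as an added example that is not part of the original post or GoDaddy's guidance. It assumes the default "wp_" table prefix, uses an in-memory SQLite database with constructed rows in place of your real MySQL database, and the allowlist of known administrators is hypothetical.

```python
import sqlite3
from datetime import datetime

# Exposure window from the article: breach on 2019-10-19, detected 2020-04-23.
WINDOW = (datetime(2019, 10, 19), datetime(2020, 4, 23))

# Default "wp_" table prefix assumed; roles live in the usermeta table as a
# PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_QUERY = """
SELECT u.user_login, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

def build_sample_db():
    """Constructed rows standing in for a real WordPress database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'
    editor = 'a:1:{s:6:"editor";b:1;}'
    users = [(1, "siteowner", "2018-03-01 09:00:00", admin),
             (2, "editor_jane", "2019-11-02 14:30:00", editor),
             (3, "dev_mark", "2019-12-01 10:15:00", admin),
             (4, "wpsupport01", "2020-01-15 03:12:44", admin)]
    for uid, login, registered, caps in users:
        db.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        db.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)",
                   (uid, caps))
    return db

def audit_admins(db, known_admins):
    """Return (login, reasons) for every administrator that needs review."""
    findings = []
    for login, registered in db.execute(ADMIN_QUERY):
        reasons = []
        if login not in known_admins:
            reasons.append("not on allowlist")
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if WINDOW[0] <= when <= WINDOW[1]:
            reasons.append("registered during exposure window")
        if reasons:
            findings.append((login, reasons))
    return findings

if __name__ == "__main__":
    for login, reasons in audit_admins(build_sample_db(), {"siteowner", "dev_mark"}):
        print(login, "->", ", ".join(reasons))
```

Treat the allowlist as the primary check: anyone with database write access can backdate user_registered, so the date only helps prioritise review.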
Breaches like this create prime targets for attackers who use phishing campaigns to infect users. Phishing is generally defined as an attack in which emails are crafted to appear to come from a legitimate source while in reality intending to obtain sensitive information from unsuspecting users. There is a possibility that millions of users out there are worried about receiving a notification that their hosting account has been breached.
GoDaddy users have a high likelihood of being targeted by such a phishing campaign. As recommended by experts, customers should take extra precautions when clicking on links or acting on an email that demands action, so that they do not fall victim to a phishing attack.
Following are a few key points that can be checked to verify if your site has been targeted by the phishing attack:
The email header should be checked for its authenticity. It is most likely an attempt at phishing if the source of the received email does not originate from a registered GoDaddy domain.
Professional emails do not contain many typos or misspellings, so this can be one of the determining factors. The email content might contain a large number of misspellings and typos if it was sent by an attacker.
The security incident disclosure email sent by GoDaddy should inform you directly about the breach if you have been impacted by it. It should not ask for any personal information. If you receive an email that appears to be trying to scare you, it might be a phishing attempt.
If you are not able to verify the legitimacy and source of an email, it is better to contact the standard support channel given on the GoDaddy site directly. Your account’s security can then be verified.
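The header check from the list above, as an added example that is not part of the original post. The trusted-domain list is an assumption to be confirmed against the provider's own documentation, and both messages are constructed samples rather than real GoDaddy mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains you expect; confirm with the provider's documentation.
TRUSTED_DOMAINS = {"godaddy.com"}

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_trusted(domain):
    """Exact match or a true subdomain; lookalike names do not qualify."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_email(raw):
    """Return reasons to distrust the message (empty list means none found)."""
    msg = message_from_string(raw)
    problems = []
    from_dom = domain_of(msg["From"])
    if not is_trusted(from_dom):
        problems.append(f"From domain not trusted: {from_dom}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        problems.append("Reply-To domain differs from From domain")
    # Only rely on Authentication-Results added by your own receiving server.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            problems.append(f"{mech} did not pass")
    return problems

# Constructed sample messages.
LEGIT = (
    "From: GoDaddy <notice@godaddy.com>\n"
    "Subject: Security incident notice\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=godaddy.com;"
    " dkim=pass header.d=godaddy.com; dmarc=pass header.from=godaddy.com\n"
    "\nBody\n"
)
PHISH = (
    'From: "GoDaddy Security" <alerts@godaddy-account-verify.example>\n'
    "Reply-To: help@mailbox.example\n"
    "Subject: Urgent: confirm your password now\n"
    "Authentication-Results: mx.example.net; spf=pass"
    " smtp.mailfrom=godaddy-account-verify.example; dkim=none; dmarc=fail\n"
    "\nBody\n"
)

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH)):
        print(name, check_email(raw) or "no problems found")
```

An empty result only means these header checks found nothing; the content checks in the list above still apply.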
The above-mentioned data is a public service announcement by professional experts, as a courteous gesture to the large WordPress community and its customers. In case there are any questions regarding the security of your account or about the breach in general, please contact the GoDaddy site directly. It is also recommended that this post should be circulated among your contacts who might be using GoDaddy hosting, to make them aware of the mentioned issue.