Hundreds of GoDaddy Sites Caught in Hacking Campaign

A new hacking campaign infecting hundreds of sites hosted by GoDaddy Hosted Sites has been discovered.

An investigation by the Wordfence Incident Response team revealed that over 280 websites hosted with GoDaddy’s managed WordPress service were infected with a backdoor.

Among the compromised services are MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet and Host Europe, with a total of 298 infected sites.

This unnamed backdoor, it was explained further, has been in use for at least seven years. Threat actors add it to the beginning of wp-config.php and its aim appears to be to generate spammy Google search results including personalized resources for the infected site.

Russian TLD

“If a request with a cookie set to a certain base64 encoded value is sent to the site, the backdoor will download a spam link pattern from a command and control (C2) domain – in this case t- fish ka[.]ru – and save it in an encoded file with a name set to the MD5 hash of the domain of the infected site,” the researchers explained. “For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.”

The C2 domain has a Russian top-level domain, but there is no indication that this particular campaign has anything to do with Russia’s ongoing invasion of Ukraine.

Researchers have yet to uncover how the threat actors got into GoDaddy’s services, speculating it may be related to last year’s attack on the company‘s systems. In 2021, GoDaddy reported that an unknown attacker was gaining access to its systems used to provision its managed WordPress sites.

GoDaddy Managed WordPress Platform customers are advised to manually scan their site’s wp-config.php file or run a scan with a malware detection solution to ensure their premises are clean.

Those who find something can use the instructions found on this linkto clean their sites of any malicious code or viruses.

Comments are closed.