Tweet
A new hacking campaign infecting hundreds of sites hosted by GoDaddy-hosted sites has been uncovered.
An investigation by the Wordfence Incident Response team found more than 280 websites hosted with GoDaddy’s Managed WordPress service were infected with a backdoor.
Among the compromised services are MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe, with a total of 298 sites found to be infected.
TechRadar needs you!
We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.
This unnamed backdoor, it was further explained, has been in use for at least seven years. The threat actors add it to the beginning of wp-config.php and its goal seems to be to generate spammy Google search results, including resources customized to the infected site.
[HEADING=1]Russian TLD[/HEADING]
“If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-ka[.]ru – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain,” the researchers explained. “For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.”
The C2 domain has a Russian top-level domain, but there’s nothing to indicate that this particular campaign has anything to do with Russia’s ongoing invasion of Ukraine.
Read more
The researchers are yet to discover how the threat actors made their way into GoDaddy’s services, speculating that it might be linked to last year’s attack on the company’s systems. In 2021, GoDaddy reported of an unknown attacker accessing its systems used to provision its Managed WordPress sites.
Customers of GoDaddy’s Managed WordPress platform are advised to manually analyze their site’s wp-config.php file, or run a scan with a malware detection solution, to make sure their premises are clean.
Those that do find something can use the instructions found on this link, to clean up their sites of any malicious code or viruses.
[ul]
[li]Check out our list of the best patch management solutions right now[/li][/ul]
Continue reading…
An investigation by the Wordfence Incident Response team found more than 280 websites hosted with GoDaddy’s Managed WordPress service were infected with a backdoor.
Among the compromised services are MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe, with a total of 298 sites found to be infected.
TechRadar needs you!
We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.
Click here to start the survey in a new window p>
[HEADING=1]Russian TLD[/HEADING]
“If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-ka[.]ru – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain,” the researchers explained. “For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.”
The C2 domain has a Russian top-level domain, but there’s nothing to indicate that this particular campaign has anything to do with Russia’s ongoing invasion of Ukraine.
Read more
GoDaddy breach exposes 1.2 million customer accounts
The Google Play Store is littered with dangerous trojans
The Google Play Store is littered with dangerous trojans
GoDaddy suffers embarrassing phishing attack
Customers of GoDaddy’s Managed WordPress platform are advised to manually analyze their site’s wp-config.php file, or run a scan with a malware detection solution, to make sure their premises are clean.
Those that do find something can use the instructions found on this link, to clean up their sites of any malicious code or viruses.
[ul]
[li]Check out our list of the best patch management solutions right now[/li][/ul]
Continue reading…