{"id":9116,"date":"2022-03-21T12:44:03","date_gmt":"2022-03-21T12:44:03","guid":{"rendered":"https:\/\/www.hostingseekers.com\/blog\/?p=9116"},"modified":"2022-03-21T12:44:03","modified_gmt":"2022-03-21T12:44:03","slug":"godaddy-hosted-websites-got-infected-by-backdoor","status":"publish","type":"post","link":"https:\/\/www.hostingseekers.com\/blog\/godaddy-hosted-websites-got-infected-by-backdoor\/","title":{"rendered":"Hundreds of GoDaddy Hosted Websites are infected by Backdoor Malware in a Single Day"},"content":{"rendered":"

Backdoor<\/span><\/a> is a type of malware that nullifies the normal authentication procedure to access a system. Therefore, remote access is given to resources within an application like databases and file servers, which gives perpetrators the ability to access a system remotely using commands and they can easily update the malware.<\/span><\/p>\n

Internet security analysts have identified a spike in backdoor infections on WordPress websites hosted on GoDaddy\u2019s Managed WordPress service<\/a>. All these websites featured an identical backdoor payload. This case has also affected other internet service resellers like<\/span> Host Europe Managed WordPress<\/span>,<\/span> MediaTemple<\/span>,<\/span> tsoHost<\/span>,<\/span> 123Reg<\/span>,<\/span> Domain Factory<\/span>, and<\/span> Heart Internet<\/span>.<\/span><\/p>\n

The investigation is first carried out by Wordfence whose team observed the malicious activity on March 11, 2022, where 298 websites got infected by the backdoor within 24 hours. 281 of these websites were hosted on GoDaddy.<\/span><\/p>\n

\"GoDaddy<\/p>\n

\n

Old Form Of Spamming \u2013<\/b><\/h2>\n

The backdoor infecting all sites is a form of the 2015 Google search SEO-poisoning tool form. Where the tool is implanted on the wp-config.php to fetch spam link templates from the C2 that are used to inject malicious webpages into search results.<\/span><\/p>\n

This spam campaign predominately used pharmaceutical spam templates and served the visitors of the compromised websites instead of the actual content.<\/span><\/p>\n

The goal of this spam campaign was to entice victims to purchase fake products, lose victims\u2019 money and gather victims\u2019 payment details.<\/span><\/p>\n

Also, the threat actors used to harm a website\u2019s reputation by altering its content and making the breach evident, although this wasn\u2019t their primary aim, at this time.<\/span><\/p>\n

This type of attack is usually harder to detect and stop from the user\u2019s side. This is because, these attacks take place on the server and not on the browser, and as such, local internet security tools won\u2019t detect anything suspicious, making it unnoticeable.<\/span><\/p>\n

\n

Is it like Supply Chain Attack?<\/b><\/h2>\n

Although the intrusion vector of threat actors hasn\u2019t been determined, yet, this looks suspiciously close to a supply chain attack, but not yet confirmed.<\/span><\/p>\n

Bleeping Computer<\/span><\/a> has contacted GoDaddy and asked to find out more possibilities about the attack, but still, no answer has been delivered yet.<\/span><\/p>\n

GoDaddy has disclosed a data breach in November 2021 that has affected nearly 1.2 million customers and multiple Managed WordPress service resellers, including the six that we have mentioned above.<\/span><\/p>\n

That breach contains authorization access to the system that provisions the company\u2019s Managed WordPress sites. Still, it\u2019s not suggested to conclude that the two occurrences might be linked.<\/span><\/p>\n

In any case, we advise that if your website is hosted on GoDaddy<\/a>\u2019s Managed WordPress platform, then make sure to scan your wp-config.php file to identify the potential backdoor injections.<\/span><\/p>\n

\"GoDaddy<\/p>\n

Wordfence also wants to remind all admins that removing the backdoor should be your first step and removing spam search engine results should also be a priority.<\/span><\/p>\n

If you enjoyed reading this news, you are surely going to cherish these too \u2013<\/em><\/h4>\n