PHP Attack Hits GoDaddy-Hosted Sites Again

In a recurring pattern, GoDaddy-hosted sites running PHP applications may be under attack again as hackers inject malicious code onto their sites.

Web administrators who host their domains on GoDaddy should check their source code again for rogue code that downloads malware, according to a security research firm.

Sucuri Security updated its Oct. 30 post warning about the latest malware attacks on GoDaddy-hosted sites with another note on Nov. 3. The research company was investigating reports of "another related outbreak of exploited sites on GoDaddy," read the update.

The affected sites generally ran some kind of PHP Web application, such as Zen Cart eCommerce or popular CMS packages including WordPress, Drupal and Joomla, according to a post on GoDaddy’s blog. In a series of injection attacks, hackers were embedding malicious code into the site’s Web application, often through blog comments, according to Chris Drake, chief executive of security-conscious Web host provider FireHost.

According to Sucuri Security, the code, when executed, inserted a single line of PHP code into every PHP file on the infected site: an eval(base64_decode(...)) call wrapping a string of random-looking characters that hides the actual PHP code being run. This command sets up a redirect to a malware site running rogue JavaScript code that automatically downloads fake antivirus and other scareware onto the visitor's computer, the security firm said.
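For administrators checking their source as advised above, one way to find the injected eval/base64_decode line is sketched below. This is an added example, not code from Sucuri or GoDaddy; it assumes the injected call has the form eval(base64_decode("...")), and the function names and the sample files are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode("...")) with optional whitespace and either quote style.
INJECTED = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

def scan_file(path):
    """Return (line_no, decoded_preview) for each injected call in one file."""
    hits = []
    data = Path(path).read_bytes()
    for m in INJECTED.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        try:
            # Decode for inspection only; the payload is never executed.
            decoded = base64.b64decode(m.group(2), validate=False)
        except (binascii.Error, ValueError):
            decoded = b"<undecodable>"
        hits.append((line_no, decoded[:80].decode("utf-8", "replace")))
    return hits

def scan_tree(root):
    """Map each .php file under root to its hits; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_file(path)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Build a constructed two-file site in a temp dir and scan it."""
    payload = base64.b64encode(b'header("Location: http://redirect.example/");')
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_bytes(
            b'<?php eval(base64_decode("' + payload + b'")); ?>\n<?php echo "shop"; ?>\n')
        # A plain base64_decode() with no eval() is legitimate and must not match.
        Path(root, "clean.php").write_bytes(b'<?php echo base64_decode("aGk="); ?>\n')
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, preview in hits:
            print(f"{name}:{line_no}: {preview}")
```

Point `scan_tree` at the site's document root to list affected files; the decoded preview shows what each hidden payload does without running it.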
