Is GoDaddy shared servers compromised?

Today I got new case for clean up wordpress malware, I love this job since I have a chance to see new hosting company system and how they work. Web hosting my client use is Godaddy.

I prefer to use ssh and Godaddy provide it with easy to activate interface, I use ssh since their file manager not fit for my 10 inch netbook and their ftp java also not help me a lot for doing my job.

As usual, scan for base64 hidden code and checking .htaccess give me clue where the bad code reside. Cross check it using sucuri scanner and dump lynx result with my vps server . Everything is ok.

After a few minutes I recheck with semrush on how it goes on search engine and try to open it straight from google result. Ooops, the malware seem to go back and redirect traffic to their website (a russia domain).

Being curios I decide to :

– replace all wordpress files with fresh one from wordpress.org

– write shell code to change back all .htaccess that changed.

– Change manually all plugin that I know available from wordpress org plugin

This time everything is ok but I still monitoring it, click result from search engine work well, I can see good wordpress display that suppose to appear.

After hours I decide to check again and voila, the malware came back and this time I believe its come via ftp since the password has not changed until I stumble upon this fact when I login with ssh.

FTP access

Ftp access on Godaddy configured with chroot on mind, that mean you can not  go anywhere  above your area.

SSH access

I login to my client account with ssh and here what I found :

-bash-3.2$ ls -al
total 80
drwx—r-x 6 bejita inetuser 4096 Oct 1 00:40 .
drwx—r-x 107 root 0 4096 Oct 1 00:40 ..
-rw——- 1 bejita inetuser 2838 Sep 30 23:42 .bash_history
-rwx—r-x 1 root 0 24 Apr 19 17:52 .cgi_auth
-rw-r–r– 1 root 0 498 Sep 30 18:49 .disk_usage
-rw-r–r– 1 bejita inetuser 234 Oct 1 00:13 .htaccess
-rw——- 1 bejita inetuser 6503 Oct 1 00:30 .viminfo
drwx—r-x 4 bejita inetuser 4096 Oct 1 00:40 data
drwx—r-x 21 bejita inetuser 4096 Oct 1 00:32 html
-rw-r–r– 1 bejita inetuser 234 Sep 30 23:20 htt
drwxr-xr-x 2 bejita inetuser 4096 Oct 5 2010 scc
-rwxr-xr-x 1 bejita inetuser 466 Sep 30 22:13 semua.sh
drwx—r-x 3 bejita inetuser 32768 Oct 1 00:01 tmp
-bash-3.2$

after a few minutes

-bash-3.2$ ls -al
total 84
drwx—r-x 6 bejita inetuser 4096 Oct 1 00:40 .
drwx—r-x 107 root root 4096 Oct 1 01:40 ..
-rw——- 1 bejita inetuser 401 Oct 1 00:58 .bash_history
-rwx—r-x 1 root root 24 Apr 19 17:52 .cgi_auth
-rw-r–r– 1 root root 498 Sep 30 18:49 .disk_usage
-r–r–r– 1 bejita inetuser 5084 Oct 1 01:01 .htaccess
-rw——- 1 bejita inetuser 6503 Oct 1 00:30 .viminfo
drwx—r-x 4 bejita inetuser 4096 Oct 1 00:40 data
drwx—r-x 21 bejita inetuser 4096 Oct 1 00:32 html
-rw-r–r– 1 bejita inetuser 234 Sep 30 23:20 htt
drwxr-xr-x 2 bejita inetuser 4096 Oct 5 2010 scc
-rwxr-xr-x 1 bejita inetuser 466 Sep 30 22:13 semua.sh
drwx—r-x 3 bejita inetuser 32768 Oct 1 01:01 tmp
-bash-3.2$

ok, I remove it.

-bash-3.2$ rm .htaccess
rm: remove write-protected regular file `.htaccess’? y

-bash-3.2$ ls -al
total 76
drwx—r-x 6 bejita inetuser 4096 Oct 1 01:58 .
drwx—r-x 107 root root 4096 Oct 1 01:55 ..
-rw——- 1 bejita inetuser 401 Oct 1 00:58 .bash_history
-rwx—r-x 1 root root 24 Apr 19 17:52 .cgi_auth
-rw-r–r– 1 root root 498 Sep 30 18:49 .disk_usage
-rw——- 1 bejita inetuser 6503 Oct 1 00:30 .viminfo
drwx—r-x 4 bejita inetuser 4096 Oct 1 00:40 data
drwx—r-x 21 bejita inetuser 4096 Oct 1 00:32 html
-rw-r–r– 1 bejita inetuser 234 Sep 30 23:20 htt
drwxr-xr-x 2 bejita inetuser 4096 Oct 5 2010 scc
-rwxr-xr-x 1 bejita inetuser 466 Sep 30 22:13 semua.sh
drwx—r-x 3 bejita inetuser 32768 Oct 1 01:01 tmp

Now, I’m waiting.

-bash-3.2$ ls -al
total 84
drwx—r-x 6 bejita inetuser 4096 Oct 1 02:01 .
drwx—r-x 107 root root 4096 Oct 1 02:00 ..
-rw——- 1 bejita inetuser 401 Oct 1 00:58 .bash_history
-rwx—r-x 1 root root 24 Apr 19 17:52 .cgi_auth
-rw-r–r– 1 root root 498 Sep 30 18:49 .disk_usage
-r–r–r– 1 bejita inetuser 4862 Oct 1 02:01 .htaccess
-rw——- 1 bejita inetuser 6503 Oct 1 00:30 .viminfo
drwx—r-x 4 bejita inetuser 4096 Oct 1 00:40 data
drwx—r-x 21 bejita inetuser 4096 Oct 1 00:32 html
-rw-r–r– 1 bejita inetuser 234 Sep 30 23:20 htt
drwxr-xr-x 2 bejita inetuser 4096 Oct 5 2010 scc
-rwxr-xr-x 1 bejita inetuser 466 Sep 30 22:13 semua.sh
drwx—r-x 3 bejita inetuser 32768 Oct 1 02:01 tmp
-bash-3.2$

Perfect, if you pay attention to the time. You’ll see a pattern. Every hour .htaccess file modified or generated automatically with malware code injected.

Hmmm, maybe its cron job. I’ll look into it and here is what I got :

cron job setting

I’m looking for x:01 if I want to do same work as malware did ( malware change .htaccess file every hour and 01 minute).

My conclusion so far is same as Sucuri, for the moment what you can do if you got same problem :

– Contact godaddy support and ask them to investigate this issue.

Move to new web host if they don’t fix it 🙂

P.S : semua.sh and htt files you see above is mine. I change real username to bejita.