POSSIBLE GoDaddy.com / ELGG / WordPress HACK Exposed!

I am going to make this as short as possible. A few months ago there was a MASSIVE HACK of Several Hundred or more Web Hosting (Shared and more) accounts on GoDaddy.com. Since I use GoDaddy.com and ELGG, my first thought was that ELGG had a nice Backdoor.

Well, that thought changed a few seconds later when both of my other Two Domain Names with WordPress installed were also hacked. I searched GoDaddy support and found many other people having the same problem: all of their .html and .php files were HACKED with very bad Malware Code that would force a Re-Direct of the browser, set off all Virus Protection and show a FAKE Virus Scan running in the background.

It took GoDaddy a long time to fix the thousands of Hacked ELGG and WP files that I had, and all domains crashed for a few hours. After all files were fixed, everything went back to normal. But just yesterday (11/10/2010) another very similar PHP Attack occurred and it forced a Re-Direct of my main domain RapiChat.com.

What was found out is that these attacks were designed to STEAL all your Traffic for as long as the code was in place. Since this code was injected into thousands of .php files, it was very hard to get rid of. Thanks to GoDaddy, they have a solution to work around it, but they were still not sure how to stop it 100%.

I then researched this PHP Injection Attack and found a possible solution. Tech support also confirmed that this could in fact fix it for good.

The problem lies in the Folder and File Permission Settings. GoDaddy Support advised me via phone to change all Files to CHMOD Permission Setting 604. They also advised me to change any and all Folders to CHMOD Permission Setting 705. All Folders and Files have been changed to those numbers, and ELGG and WP have been running fine all day, no problems at all. A BIG PROBLEM was the ELGG /data folder being set to 777, and another folder that I found (which I do not remember ever creating) in the root directory was also 777. There were several other files and folders with the same 777 settings.

I am letting people know: if you ever had this issue and you use GoDaddy.com, you have had this happen already. You need to check all your File and Folder permission settings using an FTP Client Program or your Web Hosting Company's internal cPanel or File Manager. Do not have ANYTHING set to 777 or you will be Sorry one day!

Let me know if you have any questions.

  • What is the name of "..another folder that I found (which I do not remember ever creating) in the root directory was also 777.." ?

  • One more THING: GoDaddy.com Also Strongly Advises anyone that was affected by this Attack, either in the Past or at ANY TIME, to do their DUE DILIGENCE and CHANGE all Passwords, including the ELGG and WP or ANY MySQL Database Passwords, and make sure you Change this in the ELGG Setting Area or your site will be BROKEN until you change it.

  • Ok, just sent a message with the name of it. I am debating just deleting that folder; it looks like it's only .txt cache files.

  • The Elgg data folder, by the recommended setup, is not supposed to be inside the web root directory. Also, file/directory permissions set at 777 do not constitute an exploit; rather, it constitutes hackers taking advantage of a hole left by whoever set up Elgg or WordPress.

    I feel for anyone who has their site hacked, but becoming familiar with how to securely set up a web application is a must. 

    Unfortunately, this is an area often not given the attention it deserves. 

  • @Zakary Venturo I agree about the /data folder; the installer will not let you continue if you do not set up the /data folder outside of the root directory. So that problem has been solved, unless someone gets around that. But I had that folder set to 777, which was a mistake. Most installer programs would also force you to delete the install.php file or folder and also to change back any 777 or 755 settings for security reasons. A great FTP program called FileZilla lets you change everything in your entire root directory, including all other sub folders / files and domains. I did that today; it took almost a whole hour to complete but was worth it.

    I would recommend that anyone use that FTP program for that feature alone, plus it is free. I wanted to post all of this because it is a HUGE issue when it happens to someone, and if they have a busy site it can cost them a great deal of rankings even in a few hours.

  • @soldierone

    Regarding the root directory, Elgg recommends a directory for data outside the web root, not just the root directory (aka install directory). Often Admins install Elgg inside a subdirectory because it can be difficult to figure out how to set a data directory outside the www or htdocs folder.

    Beyond being aware of file/directory permissions, there is more admins can do to protect their installs. .htaccess is one way admins who dig into this issue can find ways to discourage hackers from making attempts on an installation.

    I might also suggest using a service like CloudFlare for DNS purposes, which has both paid and free services for web sites that add an element of protection and other advantages. 

    I will say this is good food for thought, and I think I might put together some info on this subject and post it on my blog.

  • I just attempted to set my site up on a live server with the settings suggested by GoDaddy..

    The site didn't run at all.. permission errors from the web server (Apache).

    I looked through the community, the wiki and the installation notes.. I haven't yet found a detailed 'officially recommended' set of permissions to use on the site..

    I've set it back to 755 for 'data' folders and files,

    644 for other files - e.g. main Elgg files,

    and 755 for other folders - e.g. main Elgg folders,

    and the site is back online..

    I'm surprised Elgg worked with the permissions recommended by GoDaddy.. but perhaps their servers are set up differently to mine.
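As an added example for this thread, and not code from Elgg, WordPress or GoDaddy, the POSIX shell script below does the check the original post recommends (nothing world-writable such as 777 or 666 anywhere under the web root), lists recently changed .php and .html files (the files the injection hit, so a mass change with one fresh timestamp stands out), and resets every file and directory to one mode each. The defaults are the 644/755 the last comment settled on; the 604/705 values GoDaddy suggested can be passed instead. The web root path, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example for this thread; not code from Elgg, WordPress or GoDaddy.
# Audits a web root for world-writable files and folders, lists recently
# changed .php/.html files, and resets everything to a single file and
# directory mode. Assumptions: the web root is passed as an argument; the
# default modes are 644 (files) and 755 (directories), and other values
# such as 604/705 can be given on the command line.

# Print every file or directory under $1 that is writable by "other".
# On a shared host this is what lets a process running as another account
# (or as the web server user) rewrite your files.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# Number of world-writable entries under $1; the goal is 0.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print .php and .html files under $1 modified within the last $2 days
# (default 1). A mass injection shows up as many files sharing one fresh
# timestamp, so review anything listed here that you did not change.
recently_modified_web_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        -mtime "-${2:-1}" -print | sort
}

# Reset every directory under $1 to $3 (default 755) and every file to $2
# (default 644). Run this after the injected code has been cleaned out,
# not instead of cleaning it: it closes the hole, it does not remove code
# that is already there.
fix_permissions() {
    root=$1
    file_mode=${2:-644}
    dir_mode=${3:-755}
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
}

# Command-line use (script name is an assumption):
#   sh audit_perms.sh audit  /path/to/httpdocs
#   sh audit_perms.sh recent /path/to/httpdocs 2
#   sh audit_perms.sh fix    /path/to/httpdocs 604 705
case "${1:-}" in
    audit)  list_world_writable "$2" ;;
    recent) recently_modified_web_files "$2" "${3:-1}" ;;
    fix)    fix_permissions "$2" "${3:-644}" "${4:-755}"
            echo "world-writable entries left: $(count_world_writable "$2")" ;;
esac
```

Two caveats on the numbers in the thread. 604 and 705 grant nothing to the group, and Unix consults only the group bits for a process that is a member of the file's group, so on a server where Apache or PHP runs as a member of your files' group those modes lock the web server out; that is the kind of permission error the last comment describes, and 644/755 avoid it. And Elgg's data directory has to be writable by whatever user PHP runs as: on a host where that is your own account, 755 (or 705) is enough; where it is a shared web server user, 777 is the tempting shortcut this thread shows the cost of, and the better fix is keeping the data directory outside the web root as the Elgg installer requires, so that even a writable directory cannot be reached by a browser.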