My usual morning ritual of reading some articles on WordPress while I'm having my coffee led me to this thread, started by Bishop3space:
I manage a WordPress site for the company I work for and a customer sent us an alarming email yesterday about code being injected into our website for “Car Insurance”.
Basically the WordPress site is injected with a hyperlink that is positioned top:-999 so that the user never actually sees it but the search engine does. What is most surprising about this is the following:
- This code is not being generated within WordPress, it’s being injected via the Apache server (This was confirmed by completely deleting and wiping the webserver and then setting up a blank WordPress installation, the code is injected still).
- More isolation tests were conducted; whatever is injecting this code into the WordPress site, it's doing it on a higher level than the GoDaddy customer has access to. We believe the code is being injected via the Apache server, which means that GoDaddy servers are being hijacked and GoDaddy is keeping a tight lip on it.
- GoDaddy before was attempting to tell us that they aren’t responsible for our site's security and that we are responsible for securing and monitoring our site, which is fine if the problem was something that we had the ability to fix. After calling Technical support at GoDaddy and showing them the evidence that we collected to prove that nothing on our site was producing this injection code for “car Insurance” and that the problem was on their end. When we proved to them without a doubt that their Apache servers were being hacked, they changed their tone of voice, they said that they would look into it and asked us not to tell anyone about this for “Security” issues.
- After doing a web search of sites displaying “By INSURANCQUO car insurance” 99% of the domains that are displaying this information in their meta data are:
  - Running WordPress
  - Running GoDaddy hosting
  - Have been infected within the last week
After running more tests and inspecting more code and getting professional opinion, it was concluded that “GODADDY, LLC” has been hacked. So if you are running a WordPress site on GoDaddy hosting be warned, your site might be linking to either of the domains below,
We’ve been monitoring page indexes from search engines since about 15 hours ago. This exploit, or whatever it is, is spreading and it's spreading fast. So far about 230,000 pages have been infected and it's increasing by the hour. I tried searching around for any information about this current exploit but I haven’t found anything discussing it. Hoping to give enough warning to individuals before their site is compromised.
If you google search “By INSURANCQUO car insurance” in quotations and then sort by date you’ll see how current this threat is and how it's targeting only “Godaddy” hosted sites.
Additionally there is a new version of the injected code being spawned as of about 8 hours ago. If you google search “By EVLNS payday loans and By INSURANCQUO car insurance” in quotations and then sort by date you’ll see another version of the same inserted script.
Note: I remember last week that ANON was targeting WordPress sites. Although there is no evidence to suggest that this is connected to ANON yet, it might be a good topic to look into.
There is only one thing to say: back up your WordPress websites and monitor your outbound links.
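One way to monitor outbound links for the kind of injection described in the thread (a hyperlink pushed off-screen with `top:-999`), as an added example that is not code from the thread or from this post. It assumes the link is hidden through an inline `style` attribute on the anchor or one of its ancestors; `audit`, `is_offscreen`, the 500-unit threshold and the hosts `www.example.com` and `spam.example` are hypothetical names and values constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style that pushes an element far off-screen, e.g. "top:-999" (threshold is an assumption)
OFFSCREEN = re.compile(r"(?:top|left|text-indent)\s*:\s*-\s*(\d+)", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

def is_offscreen(style, min_offset=500):  # True if a negative offset is >= min_offset
    return any(int(n) >= min_offset for n in OFFSCREEN.findall(style or ""))

class OutboundLinkAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden) for each currently open element
        self.findings = []   # (href, hidden) for each outbound link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # An element is hidden if it or any open ancestor is positioned off-screen.
        hidden = (bool(self.stack) and self.stack[-1][1]) or is_offscreen(attrs.get("style"))
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host and host != self.site_host:
                self.findings.append((attrs["href"], hidden))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unbalanced markup
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, site_host):
    parser = OutboundLinkAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one ordinary outbound link, one injected off-screen link.
SAMPLE = """<html><body>
<p>Read the <a href="https://wordpress.org/news/">WordPress news</a>.</p>
<div style="position:absolute; top:-999px"><a href="http://spam.example/car-insurance">By INSURANCQUO car insurance</a></div>
<a href="/about/">About us</a>
</body></html>"""

if __name__ == "__main__":
    for href, hidden in audit(SAMPLE, "www.example.com"):
        print("HIDDEN " if hidden else "visible", href)
```

Because the thread reports the markup being added at the web server rather than inside WordPress, run the check against the HTML actually served to visitors, not against the theme files or database.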