A new hacking campaign infecting hundreds of websites hosted by GoDaddy has been uncovered.
An investigation by the Wordfence Incident Response team found that more than 280 websites hosted on GoDaddy’s managed WordPress service were infected with a backdoor.
Services compromised include MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet and Host Europe, with a total of 298 infected websites.
This unnamed backdoor, it was further explained, had been in use for at least seven years. The threat actors add it at the beginning of wp-config.php and its aim seems to be to generate spammy Google search results including resources customized to the infected website.
“When a request is sent to the site with a cookie set to a specific base64-encoded value, the backdoor downloads a spam link template from a command-and-control (C2) domain — in this one case t-fish-ka[.]ru – and saves it in an encrypted file with a name set to the MD5 hash of the infected website’s domain,” the researchers explained. “For example, the encrypted file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.”
The C2 domain has a Russian top-level domain, but there is nothing to suggest that this particular campaign has anything to do with Russia’s ongoing invasion of Ukraine.
Researchers have yet to figure out how the threat actors infiltrated GoDaddy’s services and speculate that it could be related to last year’s attack on the company’s systems. In 2021, GoDaddy reported an unknown attacker accessing its systems used to serve its managed WordPress sites.
GoDaddy managed WordPress platform customers are advised to manually inspect their website’s wp-config.php file or run a scan with a malware detection solution to ensure their sites are clean.
Those who find something can use the instructions on this link to clean their websites from malicious code or viruses.
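The two indicators the report describes (code prepended to wp-config.php, and a file named after the MD5 hash of the site's domain) lend themselves to a simple site-owner check. The script below is an added example written for this article, not Wordfence's or GoDaddy's tooling. It assumes that a stock wp-config.php never reads cookies or calls base64_decode or eval, so those tokens near the top of the file are treated as heuristic indicators derived from the cookie-trigger behaviour the researchers describe; that list is an assumption, not a published IoC. The sample site files and the domain example.test are constructed for the demonstration.

```python
"""Defender-side checks for the wp-config.php and MD5-named-file indicators
described in the Wordfence report. Added example code, not Wordfence's or
GoDaddy's own tooling; the indicator list is a heuristic assumption."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumption: a stock wp-config.php does not read cookies, decode base64 or
# call eval. The patterns follow from the described trigger (a cookie carrying
# a base64-encoded value) and are a heuristic, not a published indicator.
SUSPICIOUS_PATTERNS = [
    ("cookie-read", re.compile(rb"\$_COOKIE\b")),
    ("base64-decode", re.compile(rb"\bbase64_decode\s*\(")),
    ("eval", re.compile(rb"\beval\s*\(")),
]
HEAD_BYTES = 4096  # the report says the code is prepended, so inspect the top


def domain_hash(domain: str) -> str:
    """MD5 hex digest of a normalised domain name. The report states the
    encrypted spam template is stored under a file with exactly this name
    (its example: md5 of examplesite.com -> 8c14bd67a49c34807b57202eb549e461)."""
    normalised = domain.strip().lower().rstrip(".")
    return hashlib.md5(normalised.encode("ascii")).hexdigest()


def find_hash_named_files(root: Path, domains) -> dict:
    """Walk `root` and return {domain: [paths]} for every file whose basename
    equals the MD5 of one of the site's domains (with and without "www.")."""
    wanted = {}
    for d in domains:
        variant = d[4:] if d.startswith("www.") else "www." + d
        wanted[domain_hash(d)] = d
        wanted[domain_hash(variant)] = d
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            owner = wanted.get(name.lower())
            if owner:
                hits.setdefault(owner, []).append(str(Path(dirpath) / name))
    return hits


def inspect_wp_config(path: Path) -> list:
    """Return the labels of suspicious patterns found in the head of the file."""
    head = path.read_bytes()[:HEAD_BYTES]
    return [label for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(head)]


# Constructed sample files for the demo (not real site data).
STOCK_HEAD = b"""<?php
/**
 * The base configuration for WordPress
 */
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_user' );
"""
# Constructed marker line that merely exercises the indicators; it does nothing.
TAMPERED_HEAD = (
    b'<?php $c = isset($_COOKIE["x"]) ? base64_decode($_COOKIE["x"]) : ""; ?>\n'
    + STOCK_HEAD
)


def run_demo(site_domain: str = "example.test") -> dict:
    """Build a throwaway site tree and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-config.php").write_bytes(STOCK_HEAD)
        (root / "wp-config.tampered.php").write_bytes(TAMPERED_HEAD)
        (root / "wp-content").mkdir()
        # A file named after the domain's MD5, as the report describes.
        (root / "wp-content" / domain_hash(site_domain)).write_bytes(b"constructed")
        return {
            "clean_findings": inspect_wp_config(root / "wp-config.php"),
            "tampered_findings": inspect_wp_config(root / "wp-config.tampered.php"),
            "hash_hits": find_hash_named_files(root, [site_domain]),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host, point `find_hash_named_files` at the WordPress document root and pass every hostname the site answers on; a hit only tells you a file with that name exists, so open it before drawing conclusions, and treat a clean result from the wp-config.php heuristic as no substitute for a full malware scan.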