Godaddy Cracking Down on Hackers....Or Are They?

I recently found an exploit which was being used to search for vulnerabilities in Joomla-based websites. I found this because my own website was being targeted; luckily I caught it before it was too late.
I remembered a couple months ago reading a news article on Godaddy's website about how they were doing everything in their power to beat these hackers. It stated they were teaming up with WordPress and other hosting companies to try to bring these hackers down. I thought, well, perhaps they can help bring this guy down.
First let me explain how this exploit appeared to work.
First off, this exploit was located hidden deep in an image folder on a Dutch website. I actually found it due to the referral link from my site stats tool, which tracks my visitors. This referral link led me straight to it.
Upon landing on this site, the first thing I noticed was the strange URL, and that this page was residing in an image folder; this immediately threw up flags for me. On this page there was a field for adding website URLs, and there was a submit button; the text was all in Dutch but it was pretty obvious. Out of curiosity I decided to try my website, so I added my site to the list and hit the submit button. The site then stated vulnerability found (now fixed), and enabled a link that read "Exploit". Again out of curiosity, I clicked the "Exploit" link, and it redirected me to my website, to the password reset page, with a message stating a token has been sent, enter the token in the appropriate field to reset the password. This is where I began to freak out a little, as I am sure anyone would. Did I just send my administrator password to the hacker? I'm not sure, but that's what it seemed like.
Well, I immediately took appropriate measures to protect my site, and decided to do what I could to report this exploit. So I reported the URL to a few internet crime sites, I submitted it to the FTC, then I remembered Godaddy's crackdown on hackers and thought this would be perfect for them to look into.
The first thing I did was go to their Facebook page to see if I could get some special attention. See Post Here.
Trevor immediately responded, asking me to open a ticket with Godaddy and reply with the ticket ID, and he would make sure it's taken care of. Well, I had already submitted the ticket while waiting on his response, but I did give him the ticket ID. A couple hours later, I got the following from Godaddy.
With the details provided, we were not able to find any connection to your website and the URL that was provided. The URL provided goes to a site that does not appear to have any malicious content noticeably visible. There are a few objects referenced on that site that do not pull up content, so it is possible those were previously inserting malicious content. We would recommend you verify your site's contents have not been modified recently and if so, restore them from a known-good backup. If you have more details, please provide them in a reply to this email.
Please contact us if you have any further issues.
Regards,
Justin A.
Well this response was not what I expected at all. Considering Godaddy is claiming to be cracking down on hackers, you would think they would jump all over an obvious attempt to exploit someone's site. He was basically telling me that because my site wasn't hosted with them they didn't care, and he obviously did not investigate very hard, as the exploit page had markings from a very well known underground hacking organization.
Anyways I was pretty hot, and this was my response....
Hi Justin,
This website was found after I found a suspicious visitor on my site, which is not hosted with you; however, the domain is registered with you. I contacted you because I read in your security blogs that Godaddy was teaming up with many other agencies and companies to fight hackers and malicious attempts to hack sites. I assure you the script on the page I referred to you is definitely up to no good.
One key piece of evidence is that it is hidden deep within an image folder, and I am more than willing to bet that the owner of this site doesn't even know that it's there. If you inspect closely you will see that the scripting searches for vulnerabilities, and when it finds the vulnerability it's looking for, it activates an exploit link, which sends a password reset token to the hacker. I found this out the hard way, by entering my own website skilledgraphics.com into the site list and hitting the submit button, just out of curiosity. As soon as it did this it found the vulnerability on my site and enabled the "exploit" link. Again my curiosity got the best of me and I clicked the link, which redirected me to my own Joomla site ( http://skilledgraphics.com - the password reset page with the fields empty and awaiting the token to be entered along with the new password) with a message stating a password reset token has been sent. Though this script may not seem malicious I assure you it is being used for malicious activity. If I am wrong in thinking that Godaddy is investigating this as deeply as they say they are, then I will definitely be taking my business elsewhere, along with dozens of my own web design clients. I have pointed out to you a definite threat to sites using the Joomla platform. I hope that you do not intend to turn your head on this. I am pretty sure a company as big as Godaddy can find some way to at least contact the host where this script is located and have it removed before you find yourselves receiving hundreds of phone calls wondering why people can't access their sites, and knowing that this could have been prevented.
I have been a victim of these attacks before and I know what a pain it is. Please do not look the other way on this, and send this to your investigating team, so that some good can come from this.
Thank you,
Well a couple hours later, I noticed another visitor on my site which came from the same exploit link. Only this time the IP address was 64.202.161.177, which belongs to Godaddy. Now here is a bigger problem. The only way he could have been referred to my site's password reset page from that exploit page was if he actually added my site to the list and hit the "exploit" link, in turn once again sending the hacker a token to reset the password. If this wasn't irresponsible, I don't know what is.
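The trail the post relies on, requests for the password reset page arriving with the scanner page as the referrer (including the visit from Godaddy's address), can be pulled out of an ordinary access log. The following is an added example written for this page, not code from the post or from Godaddy; the Joomla reset URL markers, the scanner's path under the image folder, the timestamps and every address except 64.202.161.177 are assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format (the Apache/nginx default access log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed Joomla 1.x reset URL markers; adjust to the site's real reset path.
RESET_MARKERS = ("option=com_user", "view=reset")
# Host of the scanner page named in the post.
SCANNER_HOST = "voordeligehost.nl"

# Constructed sample log: the scanner path, timestamps, 198.51.100.23 and
# 203.0.113.9 are made up; 64.202.161.177 is the address the post attributes to Godaddy.
SAMPLE_LOG = [
    '198.51.100.23 - - [13/Mar/2009:09:41:02 +0000] "GET / HTTP/1.1" 200 8192 '
    '"http://voordeligehost.nl/images/scan/index.php" "Mozilla/4.0"',
    '198.51.100.23 - - [13/Mar/2009:09:41:09 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 4096 '
    '"http://voordeligehost.nl/images/scan/index.php" "Mozilla/4.0"',
    '64.202.161.177 - - [13/Mar/2009:14:02:51 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 4096 '
    '"http://voordeligehost.nl/images/scan/index.php" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Mar/2009:15:30:00 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_host(referer):
    """Lower-cased host part of a Referer URL ('' for '-' or malformed)."""
    m = re.match(r'https?://([^/:]+)', referer)
    return m.group(1).lower() if m else ""

def find_reset_via_scanner(lines, scanner_host=SCANNER_HOST):
    """Reset-page requests whose Referer is the scanner host, grouped by client
    IP: {ip: [(timestamp, referer), ...]}. A reset request with no referer
    (last sample line) is treated as a normal user and is not flagged."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not all(m in rec["path"] for m in RESET_MARKERS):
            continue
        host = referer_host(rec["referer"])
        if host == scanner_host or host.endswith("." + scanner_host):
            hits[rec["ip"]].append((rec["ts"], rec["referer"]))
    return dict(hits)
```

The Referer header is supplied by the client and is often absent, so an empty result is not proof that nobody ran the scanner against the site; reset-page requests with no referrer deserve a look as well.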
A few moments later, I get the following response...
After reviewing the issue further, the site in question appears to be looking at the site entered into the text box and trying to determine the version of the CMS it is running. Neither the domain name nor the hosting the site is on is with us. The domain name is registered at a company called "NL Domain Registry". The site is hosted at a company called "XL Internet Services Amsterdam Network". The IP address you said was accessing your site appears to be from a DSL provider in Saudi Arabia called "Saudi Telecom Co. Registry". Unfortunately none of the 3 are under our control. We would recommend you contact the provider of the hosting and see if they are able to investigate this issue. If not, you may have some luck contacting the user's ISP or domain registrar.
As a temporary measure to secure your site if you feel this is a threat, you can research 'htaccess' to find the required 'deny' rules to block users who access your site with 'voordeligehost.nl' as the referrer.
Please contact us if you have any further issues.
Regards,
Justin A.
Again just brushing it off and avoiding any real interest in bringing down this exploit, not to mention he never acknowledges that he himself may have unintentionally compromised my site.
My Response....
I know that you clicked the "exploit" link, and I know that you know it's doing more than just looking up the version. When you clicked the "exploit" link, did you not see the message that an email has been sent with the token? You may have just given this hacker my credentials. I guess Godaddy's big crackdown was just for public relations, as I have pointed out an obvious exploit and you won't even contact these hosts? Or put this in the hands of someone that can?
I have been a long time Godaddy customer, but I am sad to say this is not what I expected and will be moving all of my services to another provider.
Needless to say I am pretty disappointed in Godaddy and their so called crackdown. And I am considering upholding my threat and moving all domains and accounts from Godaddy.
The biggest thing that bothers me is not the fact that they wouldn't do anything as much as it is that they are claiming to do everything in their power to bring down these exploits and protect peoples websites.
Anyways that's my rant for the month; if you made it through all of this, I appreciate you reading.
UPDATE*** After being told by Godaddy that they were powerless in this case, I did take matters into my own hands, and within minutes, with the help of XLS Hosting, this exploit is now gone....Thanks for nothing Godaddy.