GoDaddy apparently uninterested in fixing their security hole (blogsblogsblogs.com)
57 points by mvandemar on May 13, 2010 | hide | past | favorite | 14 comments



tl;dr Sucks to get hacked, GoDaddy is about to lose a customer.

I got hit this morning with the exact exploit mentioned here. I was able to clean out the codebase and get a half-working site back up just so I could close it out properly. I felt awful; I was keeping everything up to date and following security best practices, and I couldn't figure out what had gone wrong. This article is making me completely rethink GoDaddy as a host; namecheap will probably be getting my business pretty soon.

What's even more disheartening is that until this point I have never really had a reason to dig into the WordPress code. When I did, I found ridiculous "easter eggs" that to my well-trained PHP eyes looked like malicious code. It wasn't until I verified that it was release code and was meant to look that way that I realized it wasn't part of the exploit. Take a look at wp-admin/revisions-js.php and tell me it doesn't look like some dirty exploit is hiding in there.


I think you mean js/revisions-js.php. I'm pretty sure what dvortr() is supposed to do there... it is pretty suspicious-looking, though!


And for more reasons not to use GoDaddy - http://nodaddy.com

I moved all of my domains (60+) from them to namecheap after they killed off Fyodor's seclists.org domain without any warning.

Before that I had sampled their virtual domain hosting accounts, and unfailingly found their tech support to be clueless.


I'd like to throw in my hat for http://dyndns.com. I've been a paying customer for about 5 years and have never had any significant problems. Their customer service is also quite good, in my experience.



Another WordPress blog hosted on GoDaddy that got hacked. Luckily, I caught it when it started redirecting and was able to restore the hosting account to a week prior. Coincidentally, I was moving my hosting over to Media Temple that weekend and fortunately didn't move the virus over.

After the headache that the GoDaddy vulnerability caused, they sent me the exact same bullshit about updating WordPress. I have and always have updated WordPress and plugins within days of a new release.

GoDaddy is for registering domains only; I learned that the hard way last weekend...

Also, I was in contact with a couple of people making money off of the base64 vulnerability: they have packages specifically for cleaning and securing the install. What's funny is that they have no way of securing it, just temporarily cleaning it until it gets hacked again. The article has some advice, and you can check out their services:

http://www.wpsecuritylock.com/cechriecom-com-script-wordpres...


So you found the exploit code, nice work. But you can't actually say how it got there? Prove it's not a WordPress 0day vulnerability allowing the file to be created.

I understand your frustration with being stonewalled by GoDaddy support, but look at it from their end. Unless you can prove it's a vulnerability in their service, why should they take action?


In order for it to be a WordPress vulnerability there would need to be a corresponding entry in the HTTP logs showing the request, either a GET or a POST, hitting whichever exploitable file it was within WordPress itself. There is no such server request.

This is something that they could have seen in about 2 minutes of opening the HTTP log and visually scanning the few hundred requests prior to the file in question being created.

Why should they take action? Really? You're replying as if "taking action" means something more than not ignoring potentially actionable information.

Btw... they do not make any of the other logs available to their tech support, let alone their customers. They should look into it because only they can look into it. To suggest that they were in the right in not at least checking it out seems an odd stance to take, tbh.
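The check described in the comment above, as an added example that is not code from anyone in this thread: a small Python script that parses combined-format access-log lines (the sample lines and the file creation time are constructed), keeps the requests in a window before the dropped file's creation time, and flags the ones that could have written a file through WordPress itself (POSTs, or hits on PHP scripts other than the front controller). An empty result is what supports the commenter's conclusion that the file did not arrive through the web server.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; timestamps bracket a hypothetical file creation at 04:12:30 UTC.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2010:04:05:10 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.5 - - [13/May/2010:04:05:11 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812',
    '198.51.100.7 - - [13/May/2010:03:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [13/May/2010:04:10:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 33',
    '192.0.2.9 - - [13/May/2010:04:20:00 +0000] "GET /wp-includes/dropped.php HTTP/1.1" 200 10',
]
# Constructed mtime of the suspicious file (what `stat` on the host would report).
CREATED_AT = datetime(2010, 5, 13, 4, 12, 30, tzinfo=timezone.utc)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def requests_before(lines, created_at, window_minutes=10):
    """Requests logged in the window that ends at the file's creation time."""
    start = created_at - timedelta(minutes=window_minutes)
    reqs = (parse_line(l) for l in lines)
    return [r for r in reqs if r and start <= r["ts"] <= created_at]

def suspicious_hits(reqs):
    """Requests that could have made WordPress write a file: any POST, or a GET
    to a PHP script other than the front controller. Static assets are ignored."""
    hits = []
    for r in reqs:
        script = r["path"].split("?", 1)[0]
        if r["method"] == "POST" or (script.endswith(".php") and script != "/index.php"):
            hits.append(r)
    return hits

if __name__ == "__main__":
    for r in suspicious_hits(requests_before(SAMPLE_LOG, CREATED_AT)):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

Run against the real log with the real mtime; the window is deliberately short because a web-triggered write normally lands within seconds of the request.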


The issue is affecting WordPress sites; unclear if anything else. I assume not DNS.

Who uses GoDaddy for anything besides DNS?


Way more people than I would have thought, actually. They really upsell their hosting and other addons when you buy a domain, even if you are an existing customer. Unfortunately this results in a large number of non-technically oriented people as their clients, who wind up needing the most help when things go wrong.


This seems to be a trend with GoDaddy: http://blogsearch.google.com/blogsearch?q=godaddy+hack


I'm constantly disappointed in how GoDaddy's treatment of customers has gone down. It used to be really good, but now it's all marketing ploys, sending customers in mazes until they give up, and nickel-and-diming every purchase.


This is exactly why I switched to namecheap not long ago.


I think they lack competencies to fix the bug.



