Analysis Of The Holasionweb And Zettapetta Malware At GoDaddy

This post is a follow-up to the earlier news item:

It Was More Likely GoDaddy To Be Blamed Rather Than Its Customers

GoDaddy had been blaming its customers for these infections, attributing them to a lack of attention in keeping their PHP-based systems up to date.
But finally, as noted by the excellent Sucuri Security Labs, GoDaddy announced and acknowledged that the problem was apparently on their end. Here is their response:

“Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.

Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when publicly revealing too much, such as specific code from the attack, helps the criminals causing the issue.

We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is leading an ongoing effort, working with industry security experts and other top hosting providers.

As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special form: http://www.GoDaddy.com/securityissue.

Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/support

– Todd Redfoot, Go Daddy Chief Information Security Officer”

Nature Of These Holasionweb And Zettapetta Malware Infections At GoDaddy

It should be noted that this discovery was made by Kevin Reville, a GoDaddy customer.

How Did He Do This?

He wrote a cron script (a scheduled, automated program) that logged any activity on his site. As soon as something was logged, the cron job alerted him.

His Observations:

  • Malware was indeed being used by an attacker.
  • The attacker was somehow able to create his own PHP file on GoDaddy’s server and then execute it from a remote server. Those remote servers turned out to be Holasionweb and Zettapetta respectively.
  • Sucuri Labs details this analysis here!
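A defender's version of the kind of watcher described above, written here as an added example: it is not Kevin Reville's script (which was never published) and not code from GoDaddy or Sucuri. It assumes a Unix hosting account with cron, find and a writable state directory; the web root, state directory and file names are placeholders you would adjust. It records every .php file created or modified since the previous run, which is exactly the event observed in this incident (an attacker-created PHP file appearing on the server).

```shell
#!/bin/sh
# Added example, not Kevin Reville's script (which was never published):
# a cron-driven watcher that records every .php file created or modified
# under a web root since the last run, so a dropped PHP file shows up in the
# log (and in cron's e-mail) within minutes. All paths are assumptions.

WEBROOT="${WEBROOT:-/var/www/html}"        # assumed location of the site
STATE_DIR="${STATE_DIR:-$HOME/.phpwatch}"  # assumed place for marker + log

# scan_php_changes ROOT MARKER LOG
#   Lists every regular *.php file under ROOT whose mtime is newer than the
#   MARKER file, appends each one to LOG with a UTC timestamp, and moves the
#   marker forward. Exit status 0 = nothing new, 1 = changes were found.
#   The very first run only creates the marker (baseline) and reports nothing.
scan_php_changes() {
    root=$1; marker=$2; log=$3
    mkdir -p "$(dirname "$marker")"
    if [ ! -e "$marker" ]; then
        touch "$marker"            # baseline: everything older than now is "known"
        return 0
    fi
    # Stamp the new marker *before* searching so a file written during the
    # scan is picked up next time instead of falling into the gap.
    touch "$marker.new"
    changed=$(find "$root" -type f -name '*.php' -newer "$marker" 2>/dev/null | sort)
    mv "$marker.new" "$marker"
    [ -n "$changed" ] || return 0
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\n' "$changed" | while IFS= read -r f; do
        printf '%s %s\n' "$stamp" "$f" >> "$log"
    done
    printf '%s\n' "$changed"       # cron mails non-empty output to MAILTO
    return 1
}

# Run the scan only when invoked as "phpwatch.sh scan" (e.g. from cron).
if [ "${1:-}" = "scan" ]; then
    scan_php_changes "$WEBROOT" "$STATE_DIR/last_run" "$STATE_DIR/changes.log"
fi
```

Schedule it with a crontab entry such as `*/5 * * * * /path/to/phpwatch.sh scan` (path is an assumption) and set `MAILTO` in the crontab; because the function prints only when something changed, cron's default behaviour of mailing non-empty output gives the instant alert without any extra mail command. The marker is refreshed before the search and swapped in afterwards so that a file dropped during the scan cannot slip between two runs.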

So how was this attacker able to create his own PHP file on GoDaddy’s server?
That is the biggest open question, and nobody has been able to determine the cause so far. I will be looking out for any news on it.

WordPress, Joomla And The Like Are Not To Be Blamed!

As you can see for yourself, WordPress is not to blame, contrary to what was initially claimed. Before any such claim is made in the future, those making it should verify it first; after all, WordPress and similar projects are not just any PHP package.
Here’s a confirmation from Sucuri Labs:

[..]
Just to be clear: Nothing to do with WordPress.
In fact, in one site we were monitoring, nothing got logged related to WordPress, [..]. We also saw Joomla sites getting hacked and many other web applications.


Valuable Feedback / Comment / Review From People Like You

  1. Santiago Altice says:

    I believed it was going to be some boring old post, but it truly paid for my time. I’ll post a link to this page on my weblog. I’m confident my visitors will find that extremely useful.
