Analysis Of The Holasionweb And Zettapetta Malware At GoDaddy. This is an observation carried out by Kevin Reville to arrive at the conclusion of a malware attack triggered remotely.
This post is a sequel to the following previous news:
- Zettapetta Attack – Mass Site Infection / Site Attack For WordPress Users Hosted Mainly With BlueHost And GoDaddy
- holasionweb Aka Zettapetta v2 – And The Saga Of Mass Infection For PHP Based Systems Continues At GoDaddy’s Shared Hosting [Code Name MW:MROBH:1]
It Was More Likely GoDaddy To Be Blamed Rather Than Its Customers
GoDaddy was blaming his customers / clients for those infections due to their lack of attention in keeping their PHP-based systems up-to-date.
But finally, as noted by the excellent Sucuri Security Labs, GoDaddy announced and acknowledged that the problem was apparently on their end. Here’s there response:
“Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.
Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when publicly revealing too much, such as specific code from the attack, helps the criminals causing the issue.
We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is leading an ongoing effort, working with industry security experts and other top hosting providers.
As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special form: http://www.GoDaddy.com/securityissue.
Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/support
– Todd Redfoot, Go Daddy Chief Information Security Officer”
Nature Of These Holasionweb And Zettapetta Malware Infection At GoDaddy
It is to be noted that this discovery was made by Kevin Reville who is a client at GoDaddy.
How He Did This?
He made a cron script (aka an automated program) which will log (save) any activities on his site. When a log was found, the cron would alert him instantly.
His Observation:
- There was indeed a malware used by an attacker
- The attacker could somehow create his own php file on Godday’s server and then execute it from a remote server. And it happened that this remote server was from Holasionweb And Zettapetta respectively.
- Sucuri Labs details this analysis here!
Now how did this attacker able to create his own php file on GoDaddy’s server?
That’s the biggest concern which nobody has been able to deduce till now. I will be looking forward for any news around this cause.
WordPress, Joomla Or The Alikes Are Not To Be Blamed!
As you have observed yourself, WordPress is not to be blamed as they initially claimed. I think before any such claims are made in the future, those bodies need to make sure of it, since after all the alikes of WordPress are not just any PHP package.
Here’s a confirmation from Sucuri Labs:
[..]
Just to be clear: Nothing to do with WordPress.
In fact, in one site we were monitoring, nothing got logged related to WordPress, [..]. We also saw Joomla sites getting hacked and many other web applications.
I believed it was going to be some boring old post, but it truly paid for my time. I’ll post a link to this page on my weblog. I’m confident my visitors will find that extremely useful.