Researchers Identify Backdoor Infection Spike on Several GoDaddy-Hosted Websites

Security researchers have noticed a surge in backdoor infections on hundreds of websites hosted on GoDaddy’s Managed WordPress service, all compromised by the same payload.

The incident affects Managed WordPress websites hosted under brands such as tsoHost, MediaTemple, Domain Factory, Heart Internet, 123Reg, and Host Europe. The infected sites shared a nearly identical backdoor embedded in the wp-config.php file.

Among the 298 websites newly identified as infected with the backdoor, at least 281 are hosted with GoDaddy. The discovery was made by Wordfence researchers, who first observed the overall increase in infected websites on March 11.

Reportedly, attackers embedded a Google search SEO-poisoning tool dating back to 2015 into the wp-config.php file. The malicious payload fetches spam link templates from a command-and-control (C2) server and uses them to surreptitiously inject malicious pages among legitimate search results.

“The backdoor in question has been in use since at least 2015,” according to a Wordfence blog post. “It generates spammy Google search results and includes resources customized to the infected site.”

The C2 domain the attackers used has a Russian Top-Level Domain (TLD), but there’s currently no reason to believe that the incident is connected to the Russo-Ukrainian conflict. For the time being, the domain displays a blank web page, but a few years ago, it reportedly served adult content.

Although Wordfence has yet to determine the intrusion vector, the researchers hinted at last year’s massive GoDaddy data breach, which exposed the accounts of 1.2 million customers, as a potential candidate.

Security researchers urge owners of websites hosted on GoDaddy’s Managed WordPress platform (including the websites mentioned above) to manually check their sites’ wp-config.php file or use an automated specialized malware detection tool to verify their integrity.
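One way to carry out the wp-config.php integrity check recommended above: compare the live file against a known-good copy (for example, from a backup taken before March 11) and list any lines that were added. This is an added example, not code from Wordfence or GoDaddy; the file contents it uses are constructed stand-ins, not real infected files.

```python
"""Verify a site's wp-config.php against a known-good copy (added example)."""
import difflib
import hashlib
from pathlib import Path


def sha256_hex(text: str) -> str:
    """SHA-256 of the file text, for comparison with a recorded baseline hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(baseline: str, current: str) -> list[str]:
    """Lines present in the current file but absent from the known-good copy."""
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    )
    # Skip the '+++' file header; keep only genuinely added content lines.
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def check_wp_config(baseline: str, current: str) -> dict:
    """Report whether the file drifted from the baseline and what was added."""
    clean = sha256_hex(baseline) == sha256_hex(current)
    return {
        "clean": clean,
        "current_sha256": sha256_hex(current),
        "added_lines": [] if clean else added_lines(baseline, current),
    }


def check_wp_config_files(baseline_path: str, current_path: str) -> dict:
    """Same check on files from disk, e.g. a backup copy vs. the live file."""
    return check_wp_config(Path(baseline_path).read_text(encoding="utf-8"),
                           Path(current_path).read_text(encoding="utf-8"))


# Constructed sample: a minimal known-good wp-config.php fragment ...
KNOWN_GOOD = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

# ... and a constructed copy with one extra line standing in for injected code.
TAMPERED = KNOWN_GOOD.replace(
    "$table_prefix = 'wp_';",
    "$table_prefix = 'wp_';\ndefine('CONSTRUCTED_INJECTED_MARKER', true);",
)

if __name__ == "__main__":
    print(check_wp_config(KNOWN_GOOD, TAMPERED))
```

Any added line the check reports should be reviewed by hand; a hash mismatch alone also fires on legitimate edits such as changed database credentials.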

If you discover that your website has been compromised, you’ll need to clean it and remove any spam search engine results. Within the security advisory, Wordfence provides a list of instructions on how to clean up your WordPress website, should you suspect or discover it’s been hacked.