This is a true story, and while I am posting because it is rather funny, it’s indeed sad the trials and problems this merchant has suffered at the hands of GoDaddy hosting.
This client, running Zen Cart 1.3.8, was sent an email from GoDaddy regarding her database queries. They wanted her to reduce them, as in their estimation the queries were causing an unfair load on the server and affecting the gazillion other websites hosted on it. The client phoned us and explained her troubles, and we set a plan to upgrade in a short time and reduce the queries for now.
Now, we knew going in that, given its age, a Zen Cart 1.3.8 site was likely hacked with the common hacks we see in this version, such as PHP files in the images directory. What we didn’t expect was a full class hack that was capturing credit card information from the checkout confirmation page file and routing it to an email address. We have seen this hack before, just a couple of times, so we knew to look.
Long story short, we cleaned up all the hacks, lowered permissions, protected directories and patched the cart to “hold her over” until she can upgrade. Cleaning up hacks is a common task around here for the 1.3.x series, and we even have a “post cleanup” email we send them. This time we had some issues which needed to be handled directly by the host, GoDaddy…. so we forwarded them to her as well to send on to GoDaddy. The rest is just way too ignorant to believe….
Please tell GoDaddy the following:
- Fully Disable Front Page Extensions
- Do a full backup of the “clean” state for potential restore
- Please deep scan and check for root kits
- Hack which breached credit cards occurred on 6/8/2012 @ 8:35pm and is attached. Access for the hack appears to have been authenticated.
- Please remove the VTI folder from the stats directory
I cleaned, replaced and lowered permissions on nearly all core files. I replaced the missing stock .htaccess files, which had been deleted by commands issued from the hacks in the images directory and from other PHP files injected in many places within the file structure.
I applied all version patches and secured all ancillary folders to prevent both directory browsing and the execution of scripts. Quarantined files are in public_html, in a folder called /lockdown/.
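The checks and hardening steps just described, written out as an added example (these helpers are ours, not the original post's, and not Zen Cart's own tooling): they look for PHP dropped into the images directory, for raw mail() calls in the checkout confirmation page, restore a guard .htaccess that blocks listing and script execution, and lower permissions. The Zen Cart paths assumed are the stock 1.3.x layout, and the fixture at the end is constructed so the functions can be tried offline.

```shell
# Added helpers (not from the post) for the Zen Cart 1.3.x symptoms it describes:
# PHP dropped into images/, a stripped .htaccess, loose permissions, and mail()
# injected into the checkout confirmation page. Paths assume the stock 1.3.x
# layout; the fixture at the end is constructed, not a real site.

# Guard .htaccess for $1: no listing, no script execution (Apache 2.2 and 2.4 syntax).
write_guard_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php|php[0-9]|phtml|phar|cgi|pl)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}
# Return 0 when $1/.htaccess exists and carries both protections, else 1.
guard_present() {
    [ -f "$1/.htaccess" ] && grep -q 'Options -Indexes' "$1/.htaccess" \
        && grep -q 'FilesMatch' "$1/.htaccess"
}
# Print PHP-like files under an image/upload directory; return 1 if any.
find_rogue_php() {
    hits=$(find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null || true)
    [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}
# Print checkout confirmation files calling raw mail(); return 1 if any.
# Stock Zen Cart uses the zen_mail() wrapper, which this pattern does not match.
find_mail_in_checkout() {
    hits=$(grep -rlE '(^|[^A-Za-z0-9_])mail\(' \
        "$1/includes/modules/pages/checkout_confirmation" 2>/dev/null || true)
    [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}
# "Lower permissions": dirs 755, files 644; print how many world-writable remain.
lower_permissions() {
    find "$1" -type d -exec chmod 755 {} + ; find "$1" -type f -exec chmod 644 {} +
    find "$1" -perm -o+w | wc -l | tr -d ' '
}
# Constructed fixture so the helpers can be exercised offline; prints its path.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/images" "$d/includes/modules/pages/checkout_confirmation"
    printf '<?php // constructed marker\n' > "$d/images/dropped.php"; chmod 666 "$d/images/dropped.php"
    printf '<?php // constructed marker: mail("x") call\n' \
        > "$d/includes/modules/pages/checkout_confirmation/header_php.php"
    printf '%s' "$d"
}
```

Run the finders against a copy of the real docroot first; anything they print is a file to inspect by hand before deciding whether it belongs in /lockdown/.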
1. Fully Disable Front Page Extensions
Front page is not enabled as Godaddy runs on Linux Hosting.
—- Apparently the hosting control panel icon saying they are enabled and all the FrontPage extension files are imaginary. FrontPage extensions are both vulnerable and a PCI fail.
2. Do a full backup of the “clean” state for potential restore
Not sure what this means? Did you want me to do a backup of the database?
—- The word full must have been too vague??
3. Please deep scan and check for root kits
We have no idea on this. I checked with upper level admins, who have no idea what rootkits are?
—- Don’t even know what to say here… It’s just that completely inept! (http://en.wikipedia.org/wiki/Rootkit)
4. Please remove the VTI folder from the stats directory
Remove this in the FTP file manager, but why would you delete this folder, as it is provided by GoDaddy to enable me to do traffic stats?
—- _vti_cnf is NOT a folder to do anything with stats. It is in fact a FrontPage extensions folder. We cannot remove it because it is within their /stats/ system folder in the public root and the permissions are protecting it from removal.
Moral of the story….. GoDaddy is not proper hosting for ecommerce websites; your security, liability and business should not be in the hands of monkeys!