Thanks to Dan Allen, who alerted me to this series of attacks! Links to the original articles are at the bottom of this article.
You may be aware of the recent spate of attacks against GoDaddy-hosted WordPress sites. After doing a bit of research, it appears that successful attacks are not limited to GoDaddy-hosted accounts or to WordPress installations. Further, the successful exploits appear to be limited to systems with shared hosting (e.g. many sites on one server).
To my eyes, it looks more like a JavaScript injection that is enabled by an installed PHP application. Specifically, it looks like it may be a vulnerability that is created when sites are running the CGI version of PHP rather than running PHP as an Apache module.
We stopped running the CGI version of PHP at least 5 years ago, as it creates security vulnerabilities that are difficult to mitigate. Many hosting companies use it because it allows them to 'jail' user websites and keep a better level of separation between them, which is beneficial when hosting a large number of sites on a single system. Since we run only about 50 domains on our server, and access is tightly controlled, we made the decision to move to Apache2 and mod_php fairly early on.
At this time, I believe that our web server is protected from this attack. We use mod_php on the server, and we only host a (comparatively) small number of sites. We stay current with updates, and we're running an updated version of PHP that is not part of the standard CentOS distribution.
We will continue to monitor this situation carefully, and will update this page as we learn more.
Feel free to e-mail us with any questions or use the Contact Us page!
References:
[1] http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html
[2] http://www.GoDaddy.com/securityissue
[3] http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html
[4] http://www.tgdaily.com/security-features/49744-go-daddy-counters-php-hack-attacks
