Wordfence announced that they have noticed an increase in infected websites hosted on GoDaddy’s Managed WordPress service, including MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. According to the announcement, these sites have an identical backdoor prepended to the wp-config.php file.
298 sites infected
Wordfence stated that 298 sites were newly infected by the backdoor starting March 11. 281 of these websites are hosted on GoDaddy. The backdoor has been in use since 2015. It generates spammy Google search results and includes resources customized to the infected site. The intrusion vector for the campaign is still unclear.
Wordfence urged users who own a site hosted on GoDaddy’s Managed WordPress, including MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress, to manually check their site’s wp-config.php file, or run a scan with a malware detection solution. If the website is infected, the owner will need to have it cleaned and also remove spam search engine results.
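As an added example (not from Wordfence or the original article), the manual check of wp-config.php can be partly scripted by inspecting whatever precedes the first docblock or setting in the file. The article does not publish the backdoor's signature, so the patterns, the length threshold and the sample strings in the test below are generic, constructed assumptions rather than indicators for this campaign.

```python
import re
import sys

# Generic obfuscation markers common in PHP backdoors (assumption: these are
# heuristics, not the signature of the backdoor described in the article).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
# A stock wp-config.php has only "<?php" before its docblock or first setting.
FIRST_SETTING = re.compile(r"^\s*(define\s*\(|\$table_prefix\b|/\*\*)",
                           re.MULTILINE)
MAX_LINE = 500  # constructed threshold for a single packed, obfuscated line


def preamble(source):
    """Return everything that precedes the first docblock or setting."""
    match = FIRST_SETTING.search(source)
    return source if match is None else source[:match.start()]


def check_wp_config(source):
    """Return a list of findings about code prepended to wp-config.php."""
    findings = []
    head = preamble(source)
    if head.strip() not in ("", "<?php"):
        findings.append("unexpected code before the first setting")
    if SUSPICIOUS_CALLS.search(head):
        findings.append("obfuscation-style call in prepended code")
    if any(len(line) > MAX_LINE for line in head.splitlines()):
        findings.append("very long line in prepended code")
    if source.count("<?php") > 1:
        findings.append("more than one <?php open tag")
    return findings


if __name__ == "__main__":
    # Usage: python check_wp_config.py /path/to/wp-config.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        results = check_wp_config(handle.read())
    for line in results or ["no prepended code detected by these heuristics"]:
        print(line)
    sys.exit(1 if results else 0)
```

A finding is a prompt to open the file and compare it with a known-good copy, since a host may legitimately customize the top of wp-config.php; an empty result does not replace a malware scan.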
Wordfence also stated that they have contacted the hosting giant and offered to share additional information, but GoDaddy has not yet provided a comment.