
Who's your GoDaddy? SSH keys compromised

https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/

https://www.techrepublic.com/article/godaddy-data-breach-shows-why-businesses-need-to-better-secure-their-customer-data/

 

This is hosting accounts of theirs. So, DNS users get a pass this time 'round.

Quote

This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor.

Quote

On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers.

While they haven't said it is related, this could be additional persistent threat fallout from the March GoDaddy employee phishing breach.

https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/

 

In short, if you use GoDaddy for anything, especially hosting at this time, you should go change your SSH keys and set up two-factor auth if you're able.

Also, check the history of files and minor edits in your sites (particularly if you're using any of the popular CMSs), as this is notification NOW of a breach that appears to have occurred last October.

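The advice above to audit your hosted sites for files changed or added during the breach window, as an added example that is not from the thread: a Python script that hashes a known-good copy of the site (for example a fresh CMS download), then flags files in the live web root whose contents differ, executable files the clean copy never had, and anything touched since a cutoff date. The file names, contents and the October 2019 cutoff used by `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

EXEC_EXTS = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}  # types an intruder would drop or edit

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for every file under a known-good tree."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def audit_webroot(root, baseline, cutoff):
    """Compare a live web root against the baseline; cutoff is a tz-aware datetime."""
    root = Path(root)
    findings = {"modified": [], "unknown": [], "recent": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in baseline:
            if baseline[rel] != sha256_of(p):
                findings["modified"].append(rel)  # known file, content changed
        elif p.suffix.lower() in EXEC_EXTS:
            findings["unknown"].append(rel)  # executable file the clean copy never had
        # ctime (inode change time) cannot be backdated by an unprivileged user, unlike mtime
        if datetime.fromtimestamp(p.stat().st_ctime, tz=timezone.utc) >= cutoff:
            findings["recent"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def demo():
    """Constructed sample: a clean two-file site and a tampered live copy of it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for d in (clean, live):
            Path(d, "wp-config.php").write_text("<?php define('DB_NAME', 'site');\n")
            Path(d, "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = build_baseline(clean)
        Path(live, "index.php").write_text("<?php require 'wp-blog-header.php'; // edited\n")
        Path(live, "wp-content").mkdir()
        Path(live, "wp-content", "cache.php").write_text("<?php // never in the clean copy\n")
        cutoff = datetime(2019, 10, 1, tzinfo=timezone.utc)  # thread: breach began last October
        return audit_webroot(live, baseline, cutoff)
```

Run the same audit against a real site by pointing `build_baseline` at an untouched copy of the CMS at the version you deploy and `audit_webroot` at the live document root; anything in `modified` or `unknown` deserves a manual look.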

All bulk-hosts have this problem, it's just a question of when someone uploads a rootkit to their own account to jack the accounts on the machine. I'm not even joking, I found this kind of thing happening on Dreamhost for largely the same reason. If someone is trying to target a specific account, it might be a whack-a-mole process to get an account on the same machine as the target. But it only takes one compromised account on a machine to compromise all of them.

 

With that said, bulk hosts have to not give "real unix" accounts that can run any host scripting language (e.g. PHP) in that environment. If someone wants to run PHP, let them pay for their own machine so only their machine can be compromised. Given how prevalent and security swiss-cheese WordPress is, I'd not even let WP sites run on machines shared with anyone. Not even a VPS.

 


1 hour ago, Kisai said:

Given how prevalent and security swiss-cheese WordPress is, I'd not even let WP sites run on machines shared with anyone. Not even a VPS.

I'm curious which CMS you'd suggest to folks then.

WordPress seems to not be horrible, so long as you're not running every random bit of code you can find a plugin for.


3 hours ago, justpoet said:

I'm curious which CMS you'd suggest to folks then.

WordPress seems to not be horrible, so long as you're not running every random bit of code you can find a plugin for.

Anything that is specifically tuned to the content you publish. WP has a lot of code-rot (look how long it takes to use a DBAL and not be married to PHP's legacy mysql library), and thus PHP will break WP or a plugin, or the plugin won't get updated, or a theme won't get updated, or WP changes functionality for no reason, or PHP renames a function for no reason, or whatever. Like, you cannot simply set it up and have it download minor updates when needed and last 10 years. If you're still running a WP site that has survived 10 years of updates, chances are you use no plugins, have no comments, and locked down wp-admin to just your IP address.

 

It takes over 128MB of memory resources just to process one page on WP, whereas a tuned CMS should take no more than 10MB. You don't need everything and the kitchen sink, when all you need is the kitchen sink. Like, at last check, the core WP was taking around 70MB and the "highly recommended" Jetpack plugin added another 70MB on top. You know, on bulk-hosters that do not run op-caches or FPM. Slow as all hell even with caching plugins.

 

If all you need is a business-card site, just use Wix or Squarespace, and leave all the nonsense to them. If you need a "brand" site, then Joomla or Drupal would be better options. Brand sites are things like multimedia entertainment properties. However, Joomla and Drupal also have the same core-rot problems WP has, just at a slower pace. (Joomla had 4 and 8 years between LTS versions.) Drupal so far is having faster core-rot, but most of the needed functionality is actually part of the core. I don't personally like the direction Drupal has gone (Symfony and Twig) as at least one of those has insanely fast code rot, and "script language on top of script language" is just a bad idea in principle.

 

However, if you're going to invest in Drupal, you probably want staff that actually know how to use it, whereas WP "looks easy" but it's so easy to screw up since you can actively edit its own PHP code from within the CMS.

 

Any sane website administrator would never permit a user to use WordPress on a shared system, since it will be able to read any file on the server the HTTP server has access to, and many servers are simply "run out of the box" configurations, which is so much worse for that. Drupal and Joomla likewise. With the advent of all the Intel CPU side-channel attacks, I'm just going to say shared systems where executable code can be processed are done. If a company like GoDaddy or Dreamhost, or Bluehost, etc. wants to continue to sell business card sites, they need to stick to the kind of "let me do it for you" style Wix and Squarespace use, and not permit any PHP/Perl/Python/Ruby/Java/JavaScript (Node) to be uploaded at all.

 

So between the incredibly steep system requirements and necessary security, WordPress is something you only deploy on one machine, with only one WP installation to serve all the WP sites, and you lock it the hell down so that only the machine admin can install plugins or themes. That's the only way it runs efficiently.

 

Blogger and Tumblr still exist if all you need is a blog.


Well, it's a good thing I use my GoDaddy account as a redirect to my GitHub instead of a webhost. I try not to cross the service provider streams. GoDaddy being a domain registrar is enough for me; I'll host my own server, thanks.
