A new hacking campaign infecting hundreds of sites hosted by GoDaddy-hosted sites has been uncovered. The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy’s Managed WordPress service.
The backdoor infecting the sites is a 2015 Google search SEO-poisoning tool implanted on PHP file wp-config.php to get spam link templates from Command and Control (C2) domains that are used to inject malicious pages into search results. The campaign uses mostly pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual websites content.
Users of GoDaddy’s Managed WordPress platform should scan the wp-config.php file to locate potential backdoor injections.
Read more about it here.