GoDaddy Hosting? You Might Want To Think Twice Before Trusting Your Site To GoDaddy

As came under a malware attack last weekend, I had an opportunity to first-hand witness how the largest web hosting company in the country – – handles such sensitive and time critical issues. The view was not pretty.

GoDaddy officials Thursday said they were aware that several sites it hosted had been under attack by the “Hilary Kneber” group since at least last Saturday. They said they had been working as fast as possible to get rid of the virus and keep their customers informed. They insisted that my site was cleared of any virus and malware was found on only two databases GoDaddy hosted for us that we used for backups and testing. No malware was actually found on the CtWatchdog site, they said. Those databases are not connected to CtWatchdog.

However, from Sunday through Wednesday, every one of the more than 15 technical advisers and at least four supervisors I and our web master, Ted Funsten, talked to, denied having knowledge that GoDaddy sites were under attack.

In fact all – including at least three members of their security division – said they were unaware of any virus attacks similar to what CtWatchdog was experiencing. During every conversation they assured me that they had found no malware on and had reported that to Google.

As of Wednesday night, Joshua, a security division supervisor at GoDaddy said he was unaware that GoDaddy hosted sites had been subjected to virus attacks similar to what I had described to him we had found at CtWatchdog.

I pointed out to him that the issue had been reported Saturday on the Internet by, a firm that specializes in getting rid of viruses. It was on that site that on Tuesday I first learned of the nature of the attack. I had signed up for the virus protection from Sucuri on Tuesday when it became clear to me that GoDaddy was not providing us the necessary information or help.

“It seems that after a few months quiet, the ‘Hilary Kneber’ group is back at it again. Their latest approach is very typical of Hilary Kneber style attacks affecting GoDaddy shared hosts. Basically they modify every PHP file and the database to make sure every page in the infected site is loading malware,” says the Saturday posting.

Anyone going to the home page of would have been unaware of the attack other than the lede blog on the page warning readers that we were under attack.

It was only by clicking on a story that a popup warning appeared. Instead of the story, a warning from Google appeared saying that going beyond that point could infect a computer. I foolishly failed to heed the warning as I wanted to make sure it was real. As a result my PC crashed and I am in the process of rebuilding it.

From Sunday – when it was first clear that we were under attack – until today, only one person at GoDaddy gave us a straight answer.

After being assured late Monday or early Tuesday that CtWatchdog was not a threat to any readers and Google had taken the site off the virus list, we were still seeing warning popups. I called GoDaddy Tuesday afternoon.

Terry answered the phone and told me the same story that Ted and I had been hearing since Sunday – no malware had been found on your site. I asked Terry to go to the actual site and try to view a column to determine if the pop-warnings were still there.

She refused. I asked her why? She said “security.”

I frankly had trouble believing it and insisted on an explanation. Terry told me that when she had been on on Monday – apparently answering Ted’s questions – her computer became infected and she was afraid to return to the site.

On Wednesday afternoon I received a voice-mail message from “Mike” telling me that “abnormal code” was found on the databases and had been cleaned up. Yet even after his call I saw a popup warning. That is when I talked with Joshua who actually helped me restart the website. He spent at least three hours with me attempting to figure out the issues. In the end he said he was turning the issue over to the hosting department because they were more knowledgeable about my platform. He said he would instruct them to reset my site to where it was on Feb. 18, before the virus struck.

When I woke up this morning, instead of Feb. 18, my site was restored to last May. Ted and I have been rebuilding the site and hopefully everything will be back to normal in another day or two.

GoDaddy spokesman Phil Stuart conceded today that several sites on GoDaddy were attacked by the malware and said he would look into the complaints I had with his company.

He promised to call me back at 5 p.m. to discuss what he had learned. Stuart did not call back but Brian Goble, a member of the Office of the President at GoDaddy did.

Goble said he wanted to be “totally transparent” with me, admitting that his company was aware of the attack and conceding that “parts (of GoDaddy’s interactions with Ted and myself) could have been handled better.”

He said it appears there was miscommunication, but denied any of the 20 people we spoke to lied to us.

Goble had no explanation on why Terry told me her computer was struck by a virus after going to CtWatchdog and said even when he finds out he won’t be able to tell me. Nor will he be able to tell me what other improvements the company will make as the result of my complaints.

However, Goble insisted that several security teams were aware of the malware attacks.

“I can assure you they were aware,” he said.

His only explanation for why the 20 people Ted and I talked to denied knowledge of the attacks was because they were not permitted to discuss other clients’ issues.

He offered me three months of free hosting and three months of free virus protection.

I told him we would be moving CtWatchdog to a more responsible hosting firm and would not need the additional hosting.

As far as his virus protection, I told him we had already had a taste of how well it works.


6 Comments on "GoDaddy Hosting? You Might Want To Think Twice Before Trusting Your Site To GoDaddy"

  1. I have sites on IX Webhosting and about a month ago I had a warning from Google about this type virus on one of my sites. When I contacted the specialist at IX Webhosting, they informed me they had already found and cleared my site of this virus and I was able to restore my standing with Google. I was impressed with their fast response.

  2. About a week ago I clicked on one of your news stories from the register website and my Norton virus came on and said an attack was tried on my computer. I ran a program that took care of it.

  3. Leslie Holbrook | February 25, 2011 at 11:44 am |

    It’s kind of sad that GoDaddy is still dealing with this; they’ve been infected by this before.

    Kneber is a ZeuS Trojan variant, which is an old and well-known problem. ZeuS is really a pain in the butt, because it’s simple-to-use crimeware. Kneber’s goal is to steal credentials in order to build a zombie botnet that it rents out to criminals, terrorists, rogue governments, etc. You will want to really grill GoDaddy on what they’re doing to protect themselves from Kneber, ZeuS, and also Waledac, which is a peer-to-peer spambot that is used to deliver malware. More than half the machines infected with Kneber have Waledac. Kneber can reinstall Waledac, and Waledac can reinstall Kneber — it’s a survival mechanism.

    The Kneber botnet has been around since March 2009. For the folks in the tech security business, this is old news. This recent attack was huge, and all over the tech press. I’m including a whole bunch of links below about last week’s attack, and guess what? Most are dated February 18 — LAST FRIDAY — before when you guys were tearing your hair out over this. So, the options for GoDaddy are that they’re either incredibly naive and ill-informed or were lying to you. Or maybe both.

    Anyway, unless GoDaddy can prove that they know what they’re doing, it sure doesn’t seem like they’re a safe host. My understanding is that other shared hosting services have experienced similar issues. Here’s an interesting blog on the September attack, and the pains of shared hosting:

    Here are links to stories about last week’s attack:,2817,2360032,00.asp

  4. Leslie Holbrook | February 25, 2011 at 12:01 pm |

    PS: Waledac steals FTP passwords, so if you’re experiencing Kneber / ZeuS issues, be sure to change those passwords!

  5. George, thank you for your very thorough and helpful discussion of the problem — and reminder of how much we rely on these companies. Best wishes for happy travels on the Internet highway….
