Saturday, October 4, 2014

GoDaddy Has Hosted Malicious and Abusive Traffic for over a Year and Doesn't Care

A little over two weeks ago I attempted to contact GoDaddy's Abuse contact about malicious scanning coming from a GoDaddy IP. This post will describe how GoDaddy not only ignored my warnings about this criminal use of their IP space, but has allowed this same scammer to use this same IP to exploit legitimate users for years, ignoring numerous warnings from their own customers, industry security experts and even other hosting companies. I will also explore some possible reasons why GoDaddy has become a so-called "Bullet-Proof" host; an honor usually reserved for basement "data centers" in Southeast Asia and Eastern Europe.

This IP tried to scan my server for Wordpress vulnerabilities, and then tried to scrape some content. The traffic was ham-fisted and amateurish; the kind of traffic that is obviously malicious. The attempt was logged, immediately blacklisted, and forwarded to me.

This sort of thing happens all the time. And ordinarily, I am very sympathetic to hosting companies. Most hosting companies spend a lot of money and energy getting rid of scammers that abuse their service in this way. Once, many years ago, I worked for a hosting company where resolving such complaints was one of my primary responsibilities.

We all know that this kind of malicious traffic is a danger to people who are new to the internet; normal folks who just want to blog with their friends or get a little free advertising for their small business. Web pedestrians. But that's not the only danger. Scanning like this also devalues the IP space of the hosting company whose network is used to carry it out. Scanning gets IPs blacklisted. When the next (legitimate) customer comes around and tries to use one of those IPs, she finds that email doesn't work like it should, and that some people can't get to the websites hosted on her server. This is a huge hassle. Word gets around: this hosting company sells broken IPs. Customers decide to go elsewhere.

GoDaddy has grown large over the years by going in the opposite direction of most hosting companies. Rather than providing quality resources with well-trained engineering staff, GoDaddy provides half-broken resources with incompetent customer service representatives. GoDaddy is the very bottom of the down market; the catfish of datacenters. I should point out that GoDaddy's approach is not just about low prices. Providers like Linode, for example, appeal to tech-savvy people by providing very good infrastructure with no support. GoDaddy provides unreliable infrastructure with no support. GoDaddy has survived by competing solely on price for inexperienced customers. Web pedestrians.

Despite GoDaddy's long-standing position as the butt of jokes, the overall opinion is that they have done, and continue to do, the bare minimum. That's why I was so surprised to find them providing long-term hosting to scammers. Preventing the use of your data centers to steal from people is, by any measure, the absolute bare minimum.

Here is a sample of the scanning looking for Wordpress vulnerabilities:

64.202.161.41 - - [08/Sep/2014:10:26:27 -0400] "GET /admin HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

64.202.161.41 - - [08/Sep/2014:10:26:28 -0400] "GET /wp-login.php HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

64.202.161.41 - - [08/Sep/2014:10:26:28 -0400] "GET /administrator HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

64.202.161.41 - - [08/Sep/2014:10:26:28 -0400] "GET /user HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

And here is a sample of the same host attempting to scrape content:

64.202.161.41 - - [08/Sep/2014:10:26:26 -0400] "GET / HTTP/1.1" 200 7218 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; CrawlDaddy v0.3.0 abot v1.2.0.0 http://code.google.com/p/abot)"

As you can see, not much is hidden. What immediately interested me was the User-Agent identification at the end of that last log entry. abot is an open-source web crawler - a completely legitimate one, I should add. 64.202.161.41 has apparently developed their own fork of abot that they are using to scrape. They are so confident of their relationship with GoDaddy that they have used the GoDaddy name to brand their fork - calling it CrawlDaddy.
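The two things that gave this traffic away - a burst of requests to admin and login paths answered with 404s, and a User-Agent value that identifies the crawler outright (or, in the scanning entries, is malformed, with the header name and an escaped tab inside the value) - are easy to check for mechanically. The script below is an added example written for this post, not the author's own tooling: it parses combined-format access log lines, groups them by client IP, and reports each client that trips one of those checks. The sample input is the five entries quoted above; the extra paths in `PROBE_PATHS` beyond the four seen here are an assumption about what CMS scanners commonly probe, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx default), matching the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Login/admin entry points that CMS scanners probe first. The four seen in the
# post are included; the others are common additions (assumption, extend to taste).
PROBE_PATHS = {"/admin", "/wp-login.php", "/administrator", "/user",
               "/wp-admin", "/wp-admin/", "/xmlrpc.php"}

# Substrings of the crawler identification seen in the scraping entry.
UA_MARKERS = ("CrawlDaddy", "abot")

# Sample input: the five entries quoted in the post, in time order. Raw string so
# the escaped tab "\t" stays exactly as the web server wrote it to the log.
SAMPLE_LOG = r"""
64.202.161.41 - - [08/Sep/2014:10:26:26 -0400] "GET / HTTP/1.1" 200 7218 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; CrawlDaddy v0.3.0 abot v1.2.0.0 http://code.google.com/p/abot)"
64.202.161.41 - - [08/Sep/2014:10:26:27 -0400] "GET /admin HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
64.202.161.41 - - [08/Sep/2014:10:26:28 -0400] "GET /wp-login.php HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
64.202.161.41 - - [08/Sep/2014:10:26:28 -0400] "GET /administrator HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
64.202.161.41 - - [08/Sep/2014:10:26:28 -0400] "GET /user HTTP/1.1" 404 15 "-" "User-Agent\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
""".strip().splitlines()


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, probe_threshold=3, window_seconds=60):
    """Group requests by client IP and return {ip: [reasons]} for clients that look like scanners."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []

        # Check 1: a burst of admin/login probes - probe_threshold hits inside one window.
        probes = sorted(r["time"] for r in recs if r["path"] in PROBE_PATHS)
        for i in range(len(probes) - probe_threshold + 1):
            span = (probes[i + probe_threshold - 1] - probes[i]).total_seconds()
            if span <= window_seconds:
                reasons.append(f"{len(probes)} admin/login probes, "
                               f"{probe_threshold}+ within {window_seconds}s")
                break

        uas = {r["ua"] for r in recs}

        # Check 2: the client names the crawler family itself.
        if any(marker in ua for ua in uas for marker in UA_MARKERS):
            reasons.append("self-identified crawler (CrawlDaddy/abot)")

        # Check 3: header name and a tab inside the User-Agent value. Browsers never
        # send this; it is the signature of a hand-rolled client building headers badly.
        if any(ua.startswith("User-Agent") or "\\t" in ua or "\t" in ua for ua in uas):
            reasons.append("malformed User-Agent value")

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Run against a real access log (`analyze(open("access.log"))`) the output is a short list of client IPs with the reasons they were flagged, which is exactly the evidence an abuse report needs. The time-window check matters more than the raw count: four 404s spread over a day is a lost visitor, four within two seconds is a scanner.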

This bit of branded hubris gave me a means to start doing some historical research. Most scammers have a fly-by-night relationship with hosts. A scammer gets at best a few months, and more usually a few days or weeks, of abusing a hosting service before they get the boot. You don't name your malware after a hosting provider that you plan on leaving anytime soon.

Sure enough, I found article after article talking about CrawlDaddy. Jetfire Networks, a VPS host, warned their customers of the scanning. Jetfire also blacklisted GoDaddy's IP space from reaching their shared hosting customers, apparently to prevent a successful Wordpress exploit. Jetfire had absolutely nothing to do with hosting the attacks - unlike GoDaddy - yet took proactive precautionary measures. Jetfire published their notification in October 2013; the earliest reports I found were published in September 2013.

I should note at this point that I am a GoDaddy customer. Several months ago I purchased a single domain name from GoDaddy for 99 cents. The money isn't really the point; the point is that I have a GoDaddy customer ID number. I'm not just some random lunatic to them.

So I emailed GoDaddy. I outlined all the technical details above, confirming those details with valid log data. I provided URLs to websites that also posted valid log data. I even explained to them how they could verify my claims using traffic sampling (netflow, etc). That was over two weeks ago. I received no reply. The host is still online, and from what I can tell, still scanning.

Others have already contacted GoDaddy about 64.202.161.41 over the last year. 64.202.161.41 could just as easily (likely more easily) be scanning other GoDaddy customers. And the scanning continues.
