What do you call it when an unauthorized user injects code into every page on your website? I call it hacking.

Well, that’s exactly what GoDaddy did to two of my client sites yesterday. Hacked them. Injected code without our knowledge or approval.

Here’s how it played out…

I woke up to this email from GoDaddy Pro because I use their Pro Sites (ManageWP) service to monitor the uptime and security of client sites:

I log into the Pro Sites dashboard and here’s what I see:

I verify it in my browser. Here’s the injected code between the </body> and </html> tags:

</body>
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'a2plcpnl0551'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script></html>

I paid particular attention to the comment:

// Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.

and thought to myself “if that doesn’t sound like social engineering to get you to leave this code alone, what does?”

I search the Internet and can’t find any references to this code, so I consider it some sort of new malware and go through the usual drill:

  • Notify the clients
  • Change all the WordPress administrator passwords
  • Change all the FTP passwords
  • With the client’s approval, start the hunt for an infected PHP file somewhere in the installation

I’ll shorten the story to say that after hours of looking at PHP files, I decided to take another tack and investigate this “wsimg.com” domain. It turns out wsimg.com is OWNED by GoDaddy. Could it be? Could GoDaddy Pro be alerting me to code GoDaddy Hosting secretly injected into our site? I called up GoDaddy Pro Support, spoke with a nice rep named J.P., and after speaking with a higher-up he found out that it WAS TRUE! Talk about irony – GoDaddy rats on itself!

I was furious and I let the rep know (in as restrained a manner as I could muster under the circumstances).

So that’s the story. The injected code isn’t malware (as far as I know). There’s no notification of it being done (unless you are monitoring for such changes). There’s no way to turn it off from cPanel. Instead, if you detect it, you can call your friendly GoDaddy support rep, give them a piece of your mind and ask to manually opt-out. Oh and tell them Larry sent you.
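For anyone who wants to monitor for this kind of change themselves, here is an added example (not part of the original post and not GoDaddy or ManageWP code) that parses a fetched page and reports every script placed after the closing </body> tag, marking hosts that are not on your own allowlist. The allowlist host cdn.example.com and the sample page are constructed for illustration; the wsimg.com URL is the one quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class TrailingScriptFinder(HTMLParser):
    """Collect <script> elements that appear after the closing </body> tag."""

    def __init__(self):
        super().__init__()
        self.body_closed = False
        self.in_script = False
        self.findings = []  # one dict per script seen after </body>

    def handle_starttag(self, tag, attrs):
        if tag == "script" and self.body_closed:
            self.in_script = True
            self.findings.append({"src": dict(attrs).get("src"), "inline": ""})

    def handle_data(self, data):
        if self.in_script:
            self.findings[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closed = True
        elif tag == "script":
            self.in_script = False


def audit_page(html, allowed_hosts):
    """Return scripts placed after </body>; 'expected' is True only for allowlisted hosts."""
    finder = TrailingScriptFinder()
    finder.feed(html)
    finder.close()
    report = []
    for f in finder.findings:
        host = urlparse(f["src"]).hostname if f["src"] else None
        report.append({"host": host, "inline_chars": len(f["inline"].strip()),
                       "expected": host in allowed_hosts})
    return report


# Constructed sample page modelled on the snippet quoted above (inline script shortened).
SAMPLE = ("<html><body><script src='https://cdn.example.com/app.js'></script><p>Hi</p></body>\n"
          "<script>window._trfd=[]; // Monitoring performance</script>"
          "<script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script></html>")

if __name__ == "__main__":
    for item in audit_page(SAMPLE, allowed_hosts={"cdn.example.com"}):
        print(item)
```

Run it against the HTML your server actually returns to a visitor rather than the template files on disk, since code added by the host never appears in the WordPress installation itself.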

October 11, 2017 Good News Update: See the comment from Mario Frith and my reply for instructions on how to turn this “hack” off without having to call GoDaddy.