GoDaddy Wants Your Root Password

Johnny Fusion writes "The writer of the Securi Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to login as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy Demanding his root login credentials. There is an update where GoDaddy explains itself and says they will change policy."

Re:Feature, not a bug.

[Neil Blender]

If you give them a non-root user with all of the privileges of root, there's no way for them to know if you've really given them root.

sudo su

Re:Feature, not a bug.

[Thinboy00]

Why not just create an alternate account with sudo for them? Why give them root?

Give them sudo and they can grab root whenever they want:
sudo -i
passwd
[input new password twice]
exit

Re:Feature, not a bug.

[SpaceLifeForm]

sudo su -

The question is if GoDaddy is trustworthy.

[Futurepower(R)]

That's not the question. The question is if GoDaddy is trustworthy.

Judge for yourself. Here are some stories about GoDaddy on Slashdot, in order by date:
Go Daddy Usurps Network Solutions [slashdot.org] (2005-05-04)
GoDaddy Serves Blank Pages to Safari & Opera [slashdot.org] (2005-12-08)
GoDaddy.com Dumps Linux for Microsoft [slashdot.org] (2006-03-23)
GoDaddy Holds Domains Hostage [slashdot.org] (2006-06-17)
GoDaddy Caves To Irish Legal Threat [slashdot.org] (2006-09-16)
MySpace and GoDaddy Shut Down Security Site [slashdot.org] (2007-01-26) That incident prompted this web site:
Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names [nodaddy.com].
Alternative Registrars to GoDaddy? [slashdot.org] (2007-02-03)
GoDaddy Bobbles DST Changeover? [slashdot.org] (2007-03-11)
850K RegisterFly Domains Moved To GoDaddy [slashdot.org] (2007-05-29)
According to this March 11, 2008 story in Wired, GoDaddy shut down an entire web site of 250,000 pages because of one archived mailing list comment: GoDaddy Silences Police-Watchdog Site RateMyCop.com [wired.com]. See below for Slashdot's story about RateMyCop.com.
GoDaddy Silences RateMyCop.com [slashdot.org] (2008-03-12)
ICANN Moves Against GoDaddy Domain Lockdowns [slashdot.org] (2008-04-08)
GoDaddy VP Caught Bidding Against Customers [slashdot.org] (2008-06-29)

Those are just the stories until July of 2008.

GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable.

Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!! [archive.org]

He uses women's bodies to advertise: Bob Parson's Video Blog [bobparsons.tv].

Re:M$ pwnage

[Anonymous Coward]

Wow, that is the cleverest, most original post I have ever seen on Slashdot. I mean whoa - a negative Microsoft post. Who would have ever though of it? Hats off to you sir!

Another story, partly about GoDaddy. Chilling.

[Futurepower(R)]

Quote from the story, Registrars Still Ignoring ICANN Rules [slashdot.org]: "Over a year ago ICANN moved to clean up misbehaving registrars like GoDaddy..." (2009-07-22)

Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."

Re:Christian morality

[HikingStick]

What makes you think GoDaddy is founded on any sort of religious values? The ads don't suggest it.

Re:The question is if GoDaddy is trustworthy.

[Anonymous Coward]

"GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable. "

This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise.

Re:Feature, not a bug.

[Tacvek]

Don't you mean "sudo -i". That will launch a root login shell. Using "sudo su -" just makes it look like you never read the sudo manpage.

Re:No Surprises Here

[neoform]

This was back in 2005, but lucky for me gmail archives everything. ;)

Dear *******,

Thank you for contacting Go Daddy's Spam and Abuse Department.

Go Daddy defines spam as any communication sent to recipients, as an
advertisement or otherwise, without first obtaining prior confirmed consent
to receive these communications from your domain by the recipient. This
includes, but is not limited to, the following:

- Email Messages
- Newsgroup postings
- Windows system messages
- Pop-up messages (aka "adware" or "spyware" messages)
- Instant messages (using AOL, MSN, Yahoo or other instant messenger
programs)
- Online chat room advertisements
- Guestbook or Website Forum postings

It appears that the complaint we've received regard off-topic or
unauthorized email advertisements. A copy of one of the
offending advertisement has attached to this message.

Please keep in mind that it is not our intention to cause anyone's business
to suffer and we do appreciate your cooperating with us on this matter.
Because of your cooperation and willingness to resolve this issue thus far,
your services have not been interrupted, but this situation remains
unresolved.

At this point you have two options available to you, each is outlined below:

----- Option #1: Discontinue all future unauthorized advertising practices.

If you wish to remain a Go Daddy customer and close this matter, you must
reply to abuse@godaddy.com with the following:

1. A statement that you (or your employees, affiliates, 3rd party marketers,
etc.) will no longer advertise or promote your domain name using
unauthorized instant messenger advertisements or any other unauthorized form
of communication.

2. Authorization for GoDaddy.com to charge a $199 non-refundable
administration fee* to the credit card on file for your account.

If you reply with this statement and agree to pay this fee, Go Daddy will
accept, in good faith, your commitment as proof of your desire to correct
this problem.

Please be aware that Go Daddy will continue to monitor this situation. If
after you commit to ceasing this activity it is determined that this problem
persists, your domain name may be immediately redirected and your service
suspended. We realize additional complaints resulting from the posts you
have just committed to stop may come in and we will of course consider this,
and contact you before taking action.

----- Option #2: Transfer your domain name to another registrar.

If option #1 is not agreeable to you, or you are unable to comply with these
terms, you must transfer your domain name to another registrar. We first
require that you pay a $50 administration fee before allowing you to proceed
with your transfer. Again this fee used to offset the costs of "cleaning up"
the outstanding spam complaints against your domain name.

You will need to provide the following in your reply:

1. A statement that you will initiate the transfer of your domain name to a
new registrar within the next 24 hours.

2. Authorization for GoDaddy.com to charge a $50 administration fee* to the
credit card on file for your account.

----

* You may want to log into your Go Daddy account and confirm that the card
on file is valid and has not expired.

-----

*PLEASE NOTE: If you do not follow one of the options outlined above your
domain name may be immediately redirected and your service suspended.

-----

Please let us know what option you choose, thank you for your cooperation.

Sincerely,

Spam and Abuse Department
GoDaddy.com

When I refused both those options (since I had paid for a years worth of registration and didn't feel like paying any penalties, they told me they would change my dns info without my permission).

Re:They physically own the box

[Anonymous Coward]

Two things:

First, your boss is right - it *should* be a big deal each time an external party wants access to your system.

Second, your boss wasn't wasting *your* time. As you were being paid by him, it was his time you were wasting.

Re:Feature, not a bug.

[Eil]

I was just about to write the same thing. This was something that was already brought up weeks ago in an Ask Slashdot. People who who don't have much exposure to the web hosting business (and that includes most Slashdotters) don't understand that web hosting falls into two major categories:

1) Unmanaged

2) Managed

Unmanaged hosting means you have full control over all of the software on your machine. (And by "machine" I mean both a real machine and a VPS or cloud node.) Nobody touches your configuration in the slightest once control has been handed over to you. If something goes wrong, including hardware failure, it's the customer's responsibility to notice it and either fix it or get it fixed. Any technical support beyond typical datacenter stuff usually incurs an hourly fee. Unmanaged hosting is ideal for people who want to admin their setup 100% on their own.

Managed hosting means the web hosting provider monitors the machine which can include external probes (checking for a response on various TCP ports) and internal metrics like system load and disk utilization. When a red flag pops up, a technician logs into the machine and tries to fix whatever is happening. You can call them up with all manner of ridiculous requests ("install WordPress for me and apply this theme") and they have to do it because, well, that's what the customers expect with a managed hosting account. Managed hosting is awesome for people who want a web server but don't have the expertise or will to actually configure and maintain it.

What the submitter ran into is that he though he had unmanaged hosting but actually has managed hosting. I don't completely blame him, because a lot of hosting providers don't explicitly state which style they provide. Sometimes it's even hard to tell after you've purchased the product. But its something you have to figure out or else you're going to be deeply dissatisfied with the company's technical support, as the submitter was.

Re:Feature, not a bug.

[deblau]

http://www.gratisoft.us/sudo/man/sudoers.html [gratisoft.us]

Re:Another story, partly about GoDaddy. Chilling.

[Anonymous Coward]

Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."

It gets worse. GoDaddy forces an update of 'invalid' contact details (which may have been inherited from a previous transfer) when trying to change an admin address (to transfer the domain out). GoDaddy then forces you to agree to a 60 day transfer hold via a checkbox because the said details were changed. Online support refuses to change just the admin email. This isn't just against the ICANN rules, this is thuggery.

Re:They physically own the box

[Anonymous Coward]

You should get familiar with your rights, then. Landlords have to give 24 hour notice before entering your apartment. Failure to do this constitutes breaking and entering and I have taught one of my landlords this lesson the hard way.

As trustworthy as a Bernie Madoff

[pushf popf]

This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise. That's why I use ChangeIP.com for domain registrations.

You pick the name, give them a credit card, press the button and get on with your life. They won't hijack it, hold it hostage, try to sell you anything (except DDNS if you want it). You pay, they register. As it should be.

I now have three (count'em 3) clients that have lost their domains to GoDaddy. However, for only $400 or so, GoDaddy will sell you back your own domain.

I wouldn't use GoDaddy if my ass was on fire and they had free water.

Re:Feature, not a bug.

[DarwinSurvivor]

su simply switches the user, sudo -i actually starts up a new shell (as if you logged in) and parses the .input, etc files and set up the environment variables.

The truth is both funny and sad, a story of fakery

[Futurepower(R)]

"Another dumb freetard."

Another comment from someone who didn't bother to read the article or understand the issue.

Here's a quote from the Microsoft press release [microsoft.com]: "Upon completion of the migration, Go Daddy® will have moved all its parked domains from Linux to the Windows platform."

A "parked domain" is one with no real content, but just one small static web page that says something like "coming soon". The implication is that Microsoft Windows servers are fully capable of serving parked domains.

At the time, March 21, 2006, the story was that the Microsoft marketing department got GoDaddy to make the change by offering a lucrative deal. Why would Microsoft do that? This April 7, 2006 story explains: Microsoft Server gains 4.7% market share of hosted domains. [webmasterworld.com]

A parked domain, even though it is never visited except by accident, is a "hosted domain". Now it was possible for Microsoft sales people to talk about how Microsoft Windows server software was rapidly gaining market share. That would be entirely misleading, however.

Note that the press release misspelled GoDaddy as "Go Daddy", even though it was spelled correctly a few words earlier. That gives a picture of the level of competence involved at Microsoft's P.R. agency, Waggener Edstrom.

You may find it interesting that Pam Edstrom's daughter Jennifer and a former Microsoft manager wrote the book, Barbarians Led by Bill Gates. [amazon.com] (August 15, 1998, eight years earlier) The Amazon.com review says the book "... presents a harsher and messier history, sharply questioning Microsoft's ethics and corporate wisdom..." The book seems authoritative; the authors certainly had inside access to the facts. It's certainly unusual that the daughter of one of the heads of Microsoft's P.R. agency would write a book discussing Microsoft's abusiveness in detail.