I recently had to update a client's website on GoDaddy shared hosting. The common.inc file was repeatedly rejected with the message response 226 **malware detected**. I contacted GoDaddy about this and they said that recently they changed their security standards to reduce cross site scripting. Hard coded links in include files (common.inc) and possibly other files - maybe even content - may be blocked.

The common.inc file has two instances of hard coded links to drupal.org. Lines 341 & 826. The support guy I was talking to said these are more than likely the offending lines. However, when I took out the hardcoded urls it still did not accept the file. So I'm digging around some more.

The guy said "the fact that it is an included file with a hardcoded link with 3rd party link" is what is causing it to be labeled malware. I asked if there was a way to create some sort of exception. He said no way! That is on a global server level for all shared hosting. He said WP was having similar problems but "wp brought coding standards up to snuff to our coding guidelines." He said "tell the guys over at Drupal to get up to speed with coding standards" :p

Either there are a lot of sites on GoDaddy shared hosting that need to be updated, or the sites were updated before the change. I asked for reference information about the standards change, but the guy who I was speaking with said he didn't know where that would be.

Another thought is what happens with sites created with Fantastico? I'm going to test that myself. Does anyone have any GoDaddy sites that are working or not working that have been updated in the past couple of weeks?

Comments

kappaluppa’s picture

I purchased a hosting account and set up a Drupal install via their cPanel app. It worked. And I ftp'd common.inc. And it worked. The support guys said that they are rolling out Cerberus to the new cPanel hosting and I probably got in under the radar. It should have kicked it out.

Apparently they recently (within the past couple of months) started rolling out their shared hosting with cPanel. I tried using the auto install there and it worked, and FTP'd the common.inc file and it worked. Well, it turns out that they are phasing in the use of Cerberus and it probably just hasn't hit the server I'm on - which made for a bad test. So that's why the file and install went ok. He said as they roll it out to all servers that file will probably start failing again when uploaded via FTP. I don't know how drush will come into play on all of this. He also said that files that were already there are like "grandfathered in". BUT Cerberus may make the rounds and catch the existing files and kick them out. One other twist is that the hosting with cPanel replaces their now 'old' 4GH Grid Hosting. All the old 4GH hosting accounts should have this common.inc problem when updated. According to the guy I spoke with (and he didn't sound too sure), the only way to get around this is to use the auto install via cPanel because the files are not going through FTP.

kappaluppa’s picture

Uploading the file via the file manager in the GoDaddy hosting admin accepted the file. No telling if it might be kicked out again. GD support says "if you use the file a lot it may get caught and be blocked." :p

JamesOakley’s picture

I replied to you on Twitter as well, but 140 characters doesn't allow much nuance...

It seems to me that they should be willing to whitelist a file for you. I can see how a host on their scale cannot whitelist any file requested by everyone who asks - it would consume too much of their time to investigate each claim. But where that file is a core file from a well-used CMS like Drupal, then they should at least be willing to entertain the possibility of whitelisting. To rule it out without investigation is not on.

The investigation comes in because, just because a file's in a CMS core, it doesn't mean it's harmless. As an example, I had a problem where two core files in Moodle were being picked up as malicious because of a line in them. Looking at them, I could see that one of the files was definitely a false positive. I use a third party for AV-signatures, so I reported it to them and they had issued updated signatures in a few hours that didn't block that file.

The other file was not actually doing anything harmful, but it sure looked like it was. (It was part of a test suite, and attempted to copy an illegitimate file as part of Moodle's internal backup routine, to make sure that it was blocked correctly by Moodle.) The file it tried to copy was /etc/passwd on the server. The fact it's meant to fail wasn't the point. If a file was being picked up as malicious for trying to make a copy of /etc/passwd, then the scanner is working correctly. They need to pick a different file for their test routines. So that file stays being detected as malware - but as it's only used by Moodle for its own internal integrity tests, it won't affect a running site.

However to block common.inc on Drupal is to cripple the site. They told you the lines that were probably triggering it, but it seems that they don't actually know why. Anyone can inspect the code in common.inc and see it's not doing anything harmful. So: Why won't they whitelist the file? Bizarre.


Solid VPS providers that I've used and can recommend first-hand:
  Managed VPS Providers  ||  Unmanaged VPS Providers
kappaluppa’s picture

I totally agree. I'm still trying to work with GoDaddy to see if I can reach someone who can tell me exactly why it was being rejected. Sounds like Cerberus may have had an issue with it. But still, no one has been able to tell me exactly what the issue is.

In the meantime I am looking for others with hosting on the old 4GH servers so I can try to replicate the issue.

JamesOakley’s picture

I can't help you there - I don't use them. Whether or not you manage to replicate it, and whether or not that helps solve it, I'm glad you posted here. If someone searches for why that file's gone AWOL, finding this thread could save them hours of bewildered lack of progress.

I'm sure you'll update this thread as you work out more.


SStorch’s picture

I just spent the better part of the afternoon on the phone with GoDaddy.
First I was told that they do not scan for malware.
Then I came across your article. Thank you!
The story quickly changed to they do scan for cross site scripting when you FTP the files.
Their workaround is to have you log in to the GoDaddy account and use their clunky File Manager to transfer the files.
Or upgrade to a newer hosting version.
This is a hobby for me and I am doing community service. I am not being paid to make changes and I don't have that kind of time.
So for me I guess I will have to use the clunky File Manager.
I am going to go test that out now.

orbitalpopdog’s picture

Using the clunky file manager to upload common.inc fixed the issue for me.

JamesOakley’s picture

Be very careful.

It seems their malware scanner is mistuned to pick up common.inc as a false positive. But although they may be unique in this, the chances are that the way their scanner works would be in common with many other hosts.

In an ideal world, hosts would scan every uploaded file in real-time, blocking the upload if it's flagged as suspicious. In practice, there are so many ways that files can be uploaded into a hosting account, it's either tricky to implement or too resource-hungry to do.

So what do you do? You have to hook into certain upload processes - such as FTP - so that all malicious uploads are detected instantly if they arrive by that method. But you then have to run a periodic scan over all new files (or even over all files) so as to pick up all the ones that arrived by other methods.

I'm not privy to how GoDaddy have their servers set up. I do know that they run large servers with lots of accounts, so re-scanning every client's home directory on a server may take some time; the scanner may not sweep past your account again for quite some time. But it is at least possible that, the next time their scanner sweeps your files, that file could be removed.

So at the very least keep backups and have a plan ready if that does happen.


fwood’s picture

So, I am getting ready to embark on a project that involves GoDaddy's servers and since it is a particularly mind bending project I hope this isn't a deal breaker for me.

But the real question is: Do you think other hosts will follow suit with this?

Happy Drupaling :-)
The Site Lady
thesitelady.com

Moh’s picture

I had this problem a couple of weeks ago. My file manager uploaded all files except common.inc. When I tried repeatedly to upload it again with my file manager (FileZilla) it didn't upload. When I went over to GoDaddy and I used their file manager it worked and went on with the installation successfully.

Today, on the other hand, I tried both, my file manager and their file manager without success. It seems that I will spend my morning on the phone with GoDaddy!

I am a CPA who loves Drupal. I do many projects all for myself.

Jaypan’s picture

Ignoring all the other reasons not to use GoDaddy hosting, this alone is a good reason to get off GoDaddy hosting.


Checkout my Japan podcasts.
jbcbirder’s picture

I had been wondering why I was having so many problems with my Drupal sites lately and I kept seeing that common.inc. This explains a lot and I'm seriously annoyed by GoDaddy. It just seems like a lot of work to move but now it seems like a lot of work to stay. Thanks for posting this. GoDaddy doesn't have any issues listed about this on their site.

BTW the file manager under tools seems to have worked for me now to get common.inc to show up (long enough for me to get back into my sites to set up a proper update of core).

RKopacz’s picture

I thought I was going crazy. I am having exactly the same problem with GoDaddy, exactly the same file. They must be nuts over there. A CMS in the top three, and they are booting out one of the core files? I'm going to try their file manager trick and have a very heated discussion with them. Thanks everyone for your posts on this thread, I am so glad I found it. If I get any positive benefits from them I'll post it here.

RKopacz’s picture

Just got off the phone with GoDaddy tech support. They basically confirmed what has been reported here:

1) They persist in saying that their system is not coming up with a false positive, that the file is infected.

2) That you can at the moment upload the common.inc file via their file manager, but that file might still get deleted at a subsequent date without warning.

3) There is nothing that they will do to fix the problem. Tough luck for Drupal websites on GoDaddy shared hosting.

It looks like GoDaddy has made a conscious strategic decision to do away with Drupal customers. I only have two clients on GoDaddy, so I can just move them to my server (not in the hosting business, but I can do that in a pinch).

I have created a thread on Google+ https://plus.google.com/102644706081744770687/posts/9TfBx3xkMcP and also put out a tweet on this https://twitter.com/RosenetTV/status/460064983246962688 in case anyone wishes to spread the word via social media.
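
One way to check the host's claim that the file is infected, and to notice if a later sweep deletes it, is to compare the deployed tree against a freshly extracted copy of the same release. This is an added example, not part of anyone's post in this thread; the function names and the sample directory trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not load into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_pristine(pristine: Path, deployed: Path) -> dict:
    """Classify release files as missing or modified; list files the release never shipped."""
    want, have = build_manifest(pristine), build_manifest(deployed)
    return {
        "missing": sorted(f for f in want if f not in have),
        "modified": sorted(f for f in want if f in have and have[f] != want[f]),
        "unexpected": sorted(f for f in have if f not in want),
    }


def demo() -> dict:
    """Constructed sample trees standing in for a pristine release and a hosted site."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, deployed = Path(tmp, "pristine"), Path(tmp, "deployed")
        for root in (pristine, deployed):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // constructed front controller\n")
        (pristine / "includes/common.inc").write_text("<?php // constructed core file\n")
        (pristine / "includes/bootstrap.inc").write_text("<?php // constructed\n")
        # Deployed copy: common.inc absent (rejected on upload or removed by a sweep),
        # bootstrap.inc altered, and one file the release never contained.
        (deployed / "includes/bootstrap.inc").write_text("<?php // constructed, altered\n")
        (deployed / "includes/extra.php").write_text("<?php // constructed\n")
        return compare_to_pristine(pristine, deployed)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real site, point `compare_to_pristine` at matching subdirectories such as `includes/`, since site-specific content (settings, uploads, contributed modules) will otherwise all appear under "unexpected". A core file listed as "modified" deserves inspection before anyone argues false positive; one listed as "missing" is the case to restore from backup.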

JeffOnWire’s picture

Just experienced this. Uploading common.inc didn't work when using FileZilla, but worked just fine with GoDaddy's File Manager. Any recommendations on alternate hosting (or would that be inappropriate for this forum)? I'll submit a support request to GoDaddy (not that it will be any more successful, but maybe if they get enough complaints?).

RKopacz’s picture

I would just move your sites. IMHO, for low traffic sites on a budget, Hostgator provides reasonable shared hosting packages. Cpanel, SSH, git already built in, and with the SSH you can easily install Drush. If your client is purchasing the hosting, I would only recommend buying it a year at a time. That way, if the company's policies or services go south, you can always change.

GoDaddy's refund policy is here.

JamesOakley’s picture

If your client is purchasing the hosting, I would only recommend buying it a year at a time.

No - buy it a month at a time.

Seriously. And after a few months, if you feel things are working out, move to annual billing to save a bit. But never move to longer than a year, because both the host and your needs may change.

But when you're starting out, only pay as much as you're willing to lose - in case the host is not right for you. In the first month, what if the refund policy doesn't materialise in the way you expect it to? After the first month, you may be beyond the refund policy, but (IMO) a month is not enough to evaluate a host adequately.


RKopacz’s picture

For those following this, there is a small potentially positive development on Twitter: https://twitter.com/RosenetTV/status/460064983246962688

RKopacz’s picture

It looks like the problem with common.inc on GoDaddy shared hosting has been resolved. I just tested it and it seems to be working now. See either the Twitter thread to which I linked above, or this one on Google+.