
Network Solutions Sites Hacked Again

CWmike writes "A week after Web hosting company Network Solutions dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. 'We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,' said spokesman Shashi Bellamkonda in a blog post. 'At this time, since anything we say in public may help the perpetrators, we are unable to provide details.' Sucuri Security Labs said on Sunday that at least 50 sites hosted by Network Solutions had been hacked, and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. According to the StopMalvertising blog, the attacks planted a rogue IFRAME on the hacked sites to shunt users to the attack server. That server then launches multiple exploits, including an attack kit of ActiveX exploits and three more leveraging Adobe Reader vulnerabilities, against visiting PCs. Several browsers, including IE8, Chrome and Firefox, display warnings when users are redirected to the attack site."
  • by Anonymous Coward on Monday April 19, 2010 @04:25PM (#31901620)

    One of my clients' servers has had this spread around his box a few times by now; it's not a Network Solutions box though. Oddly, the NetSol VPS that I do work with hasn't (yet) experienced this. It's definitely automated and not all that smart as it infects PHP pages where it isn't appropriate, breaking code. It seems to search for the head section of a page and insert its obfuscated JavaScript; I'd guess it's a worm of some kind, possibly using PHP to look for more vulnerable hosts to infect.

    Posting anon for obvious reasons.

  • by Anonymous Coward on Monday April 19, 2010 @04:32PM (#31901720)
    I helped a friend restore their database and correct the initial file permission problem. It seems that by leaving the file with the database credentials world-readable, a script running on the same shared server as the site was able to get the DB host, user and password. The hacker then connected to the database and injected the iframe code in the "site url" settings entry.

    Perhaps WordPress could put a big red div on the top of the site until users correct the file permissions to prevent novice users from leaving their config files unsecured.

    As a side note, I'm still a bit uncertain if I actually fixed the file permission problem. If you are on a shared host and the DB config file is readable by the apache user (which is a requirement for WordPress to function), wouldn't any script running on the same server be able to read it?
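
The permission check raised in the comment above, as an added example that is not part of the original thread or of WordPress: it audits every `wp-config.php` under a directory and reports through which permission class a given web server account reads it. The function names, the temporary sample sites and the assumption that the web server runs as the file owner are constructed for illustration.

```python
import os
import stat
import tempfile

def access_class(st, uid, gids):
    """Which permission class lets (uid, gids) read the file: owner, group, other or None."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return "owner" if mode & stat.S_IRUSR else None
    if st.st_gid in gids:
        return "group" if mode & stat.S_IRGRP else None
    return "other" if mode & stat.S_IROTH else None

def audit_config(path, web_uid, web_gids):
    """Report the mode of one config file and who besides the owner can read it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable: every local account can read the DB credentials")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group or other")
    via = access_class(st, web_uid, web_gids)
    if via is None:
        issues.append("web server user cannot read it; the site will not load")
    return {"path": path, "mode": format(mode, "03o"), "web_reads_via": via, "issues": issues}

def audit_tree(root, web_uid, web_gids, name="wp-config.php"):
    """Audit every file called `name` below root, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            hits.append(audit_config(os.path.join(dirpath, name), web_uid, web_gids))
    return sorted(hits, key=lambda r: r["path"])

def demo():
    """Constructed sample: two sites in a temp directory, one 0644 and one 0600."""
    root = tempfile.mkdtemp()
    for site, mode in (("site_a", 0o644), ("site_b", 0o600)):
        os.mkdir(os.path.join(root, site))
        path = os.path.join(root, site, "wp-config.php")
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(path, mode)
    # Assumption: the web server runs as the account that owns the files.
    return audit_tree(root, os.getuid(), set(os.getgroups()))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

When `web_reads_via` is `owner` or `group` for an account that every site on the host shares, tightening the mode bits does not stop another tenant's script running as that same account from reading the file. That separation needs PHP to execute under each customer's own account.
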
  • Those lying dogs (Score:5, Interesting)

    by clifgriffin ( 676199 ) on Monday April 19, 2010 @04:32PM (#31901722) Homepage

    I personally experienced this as well.

    Network Solutions assured me this was my fault, even though I took every reasonable (and unreasonable) step required to harden my installation. I had my client migrate to MediaTemple. Problem solved.

    Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

  • Re:Why iframes? (Score:4, Interesting)

    by Nadaka ( 224565 ) on Monday April 19, 2010 @05:01PM (#31902094)

    It is the easiest way to include the content from multiple html files into a single document. They are a pretty easy way to get data to and from an AJAX request. They are the ONLY way to transmit a file from a file dialog to the server without refreshing the entire page.

    The iframe isn't bad, it is the javascript exploiting the iframe that is bad.

  • by Anonymous Coward on Monday April 19, 2010 @05:18PM (#31902330)

    Seriously, NS charges more than twice the same amount for a personal domain per year than most other companies do (at least most major ones). I don't think anyone expects the mentality to be "I'm paying a premium for a perfect company", but some may say "I'm paying a premium for a company that's different or better than the other companies." So tell me, exactly, what are you paying a premium for?

  • Re:Those lying dogs (Score:3, Interesting)

    by S77IM ( 1371931 ) on Monday April 19, 2010 @05:45PM (#31902678)

    You'd think with their brand name, premium rates, and large customer base, they'd have the budget to architect and administer a superior hosting solution, rather than the substandard packages they offer now. Instead they are milking it, dwindling, and will eventually go tits-up.

    "There is an old story, something about a golden goose; I can't remember the particulars." -- Tycho (Penny Arcade) [penny-arcade.com]

      -- 77IM

  • Re:Those lying dogs (Score:1, Interesting)

    by Anonymous Coward on Monday April 19, 2010 @06:33PM (#31903412)

    They did. We were building it. They laid us off, as the last kick in the face after two years of constantly doing stuff we told them was a bad idea.

    The entire office (~20 people) that had designed and architected their hosting and email from the beginning was laid off in October. I doubt they've done a security patch since.

  • by Anonymous Coward on Monday April 19, 2010 @11:00PM (#31905834)

    Yep, this is exactly what happened to me (I'm the anon from earlier). I couldn't find how it was actually scanning the files and inserting itself though as I didn't see any strange processes in ps as root. Any idea?
