
Network Solutions Sites Hacked Again

Posted by Soulskill
from the at-least-they're-consistent dept.
CWmike writes "A week after Web hosting company Network Solutions dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. 'We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,' said spokesman Shashi Bellamkonda in a blog post. 'At this time, since anything we say in public may help the perpetrators, we are unable to provide details.' Sucuri Security Labs said on Sunday that at least 50 sites hosted by Network Solutions had been hacked, and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. According to the StopMalvertising blog, the attacks planted a rogue IFRAME on the hacked sites to shunt users to the attack server. That server then launches multiple exploits, including an attack kit of ActiveX exploits and three more leveraging Adobe Reader vulnerabilities, against visiting PCs. Several browsers, including IE8, Chrome and Firefox, display warnings when users are redirected to the attack site."

  • by nurb432 (527695) on Monday April 19, 2010 @04:23PM (#31901588) Homepage Journal

    And users will still click on everything they see.

    • by MightyMartian (840721) on Monday April 19, 2010 @04:53PM (#31901998) Journal

      And users will still click on everything they see.

      Except banner ads.

  • by Anonymous Coward on Monday April 19, 2010 @04:25PM (#31901620)

    One of my clients' servers has had this spread around his box a few times by now; it's not a Network Solutions box though. Oddly, the NetSol VPS that I do work with hasn't (yet) experienced this. It's definitely automated and not all that smart as it infects PHP pages where it isn't appropriate, breaking code. It seems to search for the head section of a page and insert its obfuscated JavaScript; I'd guess it's a worm of some kind, possibly using PHP to look for more vulnerable hosts to infect.

    Posting anon for obvious reasons.

  • Here at Network Solutions we have a great solution to clear up all that annoying web traffic you're seeing. It's called "Redirecting Attack Technology Service". Our RATS service will keep those pesky customers away without you having to do anything but sit back and watch ...
  • by Anonymous Coward on Monday April 19, 2010 @04:32PM (#31901720)
    I helped a friend restore their database and correct the initial file permission problem. It seems that by leaving the file with the database credentials world-readable, a script running on the same shared server as the site was able to get the DB host, user and password. The hacker then connected to the database and injected the iframe code in the "site url" settings entry.

    Perhaps WordPress could put a big red div on the top of the site until users correct the file permissions to prevent novice users from leaving their config files unsecured.

    As a side note, I'm still a bit uncertain if I actually fixed the file permission problem. If you are on a shared host and the DB config file is readable by the apache user (which is a requirement for WordPress to function), wouldn't any script running on the same server be able to read it?
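An added example (not from the thread or from WordPress) of the permission check the comment above describes: it walks a web root and reports credential files whose mode bits expose them to other accounts. The file-name list and the sample tree in `demo()` are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# File names treated as credential stores (assumed; extend for other apps).
CONFIG_NAMES = {"wp-config.php"}

def risky_bits(mode):
    """Name the permission bits that expose a credential file to other accounts."""
    checks = [(stat.S_IROTH, "world-readable"), (stat.S_IWOTH, "world-writable"),
              (stat.S_IWGRP, "group-writable")]
    return [label for bit, label in checks if mode & bit]

def audit_config_perms(webroot):
    """Return sorted (relative path, octal mode, problems) for exposed config files."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name in CONFIG_NAMES:
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                problems = risky_bits(mode)
                if problems:
                    rel = os.path.relpath(path, webroot)
                    findings.append((rel, format(mode, "04o"), problems))
    return sorted(findings)

def demo():
    """Audit a constructed tree: one site left at 0644, one tightened to 0640."""
    with tempfile.TemporaryDirectory() as root:
        for site, mode in (("blog-a", 0o644), ("blog-b", 0o640)):
            os.makedirs(os.path.join(root, site))
            path = os.path.join(root, site, "wp-config.php")
            with open(path, "w") as fh:
                fh.write("<?php /* constructed placeholder, no real credentials */\n")
            os.chmod(path, mode)
        return audit_config_perms(root)

if __name__ == "__main__":
    print(demo())
```

A clean result only covers mode bits: on a host where every customer's PHP runs as the same web-server account, that account can read the file whatever its mode, so isolation depends on the host running each site under its own user.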
  • Those lying dogs (Score:5, Interesting)

    by clifgriffin (676199) on Monday April 19, 2010 @04:32PM (#31901722) Homepage

    I personally experienced this as well.

    Network Solutions assured me this was my fault, even though I took every reasonable (and unreasonable) step required to harden my installation. I had my client migrate to MediaTemple. Problem solved.

    Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

    • Re: (Score:3, Insightful)

      by TheSpoom (715771)

      Network Solutions is still living off of the goodwill they had when they were the only domain registrar available. Companies believe that translates into stability.

      • Re: (Score:3, Interesting)

        by S77IM (1371931)

        You'd think with their brand name, premium rates, and large customer base, they'd have the budget to architect and administer a superior hosting solution, rather than the substandard packages they offer now. Instead they are milking it, dwindling, and will eventually go tits-up.

        "There is an old story, something about a golden goose; I can't remember the particulars." -- Tycho (Penny Arcade) [penny-arcade.com]

        -- 77IM

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          They did. We were building it. They laid us off, as the last kick in the face after two years of constantly doing stuff we told them was a bad idea.

          The entire office (~20 people) that had designed and architected their hosting and email from the beginning was laid off in October. I doubt they've done a security patch since.

    • Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

      They're the kind of admin that thinks "We didn't change anything, so it's not our fault".

      It's probably some simple vulnerability that was fixed in a Windows Server patch, but they can't be damned to update it for fear of it not working afterwards.

    • by dAzED1 (33635)

      and it's sad that such an established web co like netsol can't do better than someplace like mediatemple. :/

    • Well technically it was your fault for not switching away from Network Solutions sooner! :)
    • Re: (Score:3, Informative)

      by EXrider (756168)

      Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

      We had an issue earlier this year with emails going to Network Solutions hosted domains being bounced because:

      "205.178.149.7 failed after I sent the message. Remote host said: 550 5.6.0 Lone CR or LF in body (see RFC2822 section 2.3)"

      Pretty self explanatory, except there WEREN'T any lone CRs or LFs in the message body! Some googling revealed that misconfigured Domino servers are pro

    • by Sleepy (4551)

      Why do you expect this from Network Solutions? Do they even do their "own" Technical Support... if not, it'll take DAYS for them to spot a trend and notify the right folks... who are probably developers in an outsourcing firm, or were local employees laid off (when there wasn't any other way for NetSol to scrounge up management bonus checks).

      Folks, there's PLENTY of mid-sized indie shops. They treat you like gold, and they stay on top of their systems.

    • >It's ridiculous that weeks later they can't figure out what's going on.
      Or that the management can't realize the problem could also be from the inside...

  • by Colin Smith (2679) on Monday April 19, 2010 @04:34PM (#31901748)

    I love the javascript client/server application concept.

     

    • by Nadaka (224565) on Monday April 19, 2010 @05:07PM (#31902192)

      There are reasons to hate it, this isn't really one in my opinion. If their service did sanity checking between the database and the web page on outbound data, no one would see these exploits. If they had closed the attack vector they wouldn't have been affected at all. I don't know what the specific attack vector is, but js by itself won't compromise a server.

    • by Sleepy (4551)

      The rich client model has flaws (including making it too easy to shoot yourself in the foot), but that's not what's to blame here.

      Netsol's application platform does not appear to sanitize tainted input... this was something we all learned to do back in the Perl 4 CGI days... years before the XSS and iframes appeared.

      NetSol should hire back the people who were responsible for maintaining their applications, instead of coasting along without them.

  • No news here. Anyone purchasing services from Network Solutions simply hasn't done their homework. The rest of us left this disreputable vendor years ago.

  • by Anonymous Coward

    Seriously, NS charges more than twice the same amount for a personal domain per year than most other companies do (at least most major ones). I don't think anyone expects the mentality to be "I'm paying a premium for a perfect company", but some may say "I'm paying a premium for a company that's different or better than the other companies." So tell me, exactly, what are you paying a premium for?

  • Hosting services to use custom software that has NO means of modifying web content
    that's visible or accessible to users of the web site or those who would infect it.

    (Of course, they'd have to provide OTHER means for Developers to upload / change
    their web site contents, but ones that are much more secure than what got hit here.)

    Perhaps the only way (other than with physical access to web hosting servers) to
    add/modify content would be via a "call-back" system:

    1. Developer lodges callback URL when setting-up

    • I guess you don't like being able to upload images/files to a web application.

      This (or another in a litany of) WP vulnerability usually involves uploading a php script which exposes a bunch of extra server-side functionality (download any file, list users, access MySQL dbs...) through WP's file upload manager, which WP seems slow to fix on occasion.

      That said, there's no reason a developer couldn't do the useful part of your suggestion —run a checksum of their application files when the upload to

  • by OctavianMH (61823) <matthewhensrud&gmail,com> on Monday April 19, 2010 @05:41PM (#31902606)

    One client of mine had about 15 sites hosted on NetSol, every one was hacked.

    The bot is:
    1) Checking for any "index." file (index_ files were unaffected) with any extension
    2) Searching for a tag
    3) Inserting a pile of obfuscated javascript after the tag.

    If you have any clients on netsol, DO check them, NOW.

    @mbhnyc

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Yep, this is exactly what happened to me (I'm the anon from earlier). I couldn't find how it was actually scanning the files and inserting itself though as I didn't see any strange processes in ps as root. Any idea?

    • by SloWave (52801)

      I can confirm this too. On Network Solutions hosting. It hit the index.html in the root directory and index.shtml in my awstats directory. I replaced the index.html and it hit it again within 30 minutes. I then disabled all the .htpasswd's, and moved the awstats and vti_pvr dirs. It hasn't come back yet. It was easy to detect, viewing source with firefox showed the problem. It would insert a long script after the <body> tag that started like this...

      • by OctavianMH (61823)

        The script keeps reappearing on my installation - anyone know why this is, and how I could fix it? I guess it must be some sort of CRON job?

        Super irritating.
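An added example (not code from any poster) of a check for the pattern reported in the comments above: files named `index.*` that carry a packed-looking script immediately after the `<body>` tag. The indicator list, the 200-character token threshold and the sample pages in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# A <script> element that opens right after the <body ...> tag.
AFTER_BODY = re.compile(
    r"<body\b[^>]*>\s*<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Decoder and sink calls that are common in packed JavaScript (heuristic).
SUSPICIOUS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")

def script_indicators(js):
    """Return the heuristic indicators that fire for one script body."""
    hits = sorted(set(SUSPICIOUS.findall(js)))
    if max((len(tok) for tok in js.split()), default=0) >= 200:
        hits.append("long-token")
    return hits

def scan_docroot(docroot):
    """Map each index.* file with a suspicious post-<body> script to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().startswith("index."):
                continue  # the thread reports index_* files were untouched
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = AFTER_BODY.search(fh.read())
            hits = script_indicators(match.group(1)) if match else []
            if hits:
                findings[os.path.relpath(path, docroot)] = hits
    return findings

def demo():
    """Scan a constructed docroot; the 'injected' script is an inert stand-in."""
    packed = 'eval(unescape("' + "%41" * 80 + '"))'   # decodes to 80 x "A"
    pages = {
        "index.html": "<html><body><script>%s</script><p>hi</p></body></html>" % packed,
        "index.php": '<html><body>\n<script src="/menu.js"></script></body></html>',
        os.path.join("stats", "index.shtml"): "<BODY bgcolor=white>\n<script>%s</script>" % packed,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, html in pages.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(html)
        return scan_docroot(root)

if __name__ == "__main__":
    print(demo())
```

Because posters saw the script return within 30 minutes of a cleanup, a check like this is more useful run on a schedule than once.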

  • A client I dealt with 1-2 years ago is still on NetSol. I told him to switch over hosting and registrar companies, but he thought I was out to nickel and dime him (I offered him a 15$/month hosting plan...). Poor sob, all his sites are now down.

  • I used to be a sysadmin for a hosting company, and we had these problems very much all the time. It's part of the job. When you provide a customer with web space, it's up to them to verify that the code they put there is secure. Fortunately these attacks only affect a particular customer's site, and almost never compromise other sites on the server.
  • Why. Does. Network Solutions. Host. A. Blog.

    Sorry, the mind just boggles. If you are the overactive twenty-five-year-old working for Network Solutions and you want to host a blog and you're reading this - go do it somewhere else!

  • 20 minutes on hold with the helpless desk so far. No pop or smtp flowing through.
