Slashdot Mirror


Network Solutions Sites Hacked Again

CWmike writes "A week after Web hosting company Network Solutions dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. 'We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,' said spokesman Shashi Bellamkonda in a blog post. 'At this time, since anything we say in public may help the perpetrators, we are unable to provide details.' Sucuri Security Labs said on Sunday that at least 50 sites hosted by Network Solutions had been hacked, and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. According to the StopMalvertising blog, the attacks planted a rogue IFRAME on the hacked sites to shunt users to the attack server. That server then launches multiple exploits, including an attack kit of ActiveX exploits and three more leveraging Adobe Reader vulnerabilities, against visiting PCs. Several browsers, including IE8, Chrome and Firefox, display warnings when users are redirected to the attack site."

  1. Browsers Display Warnings by nurb432 · · Score: 4, Insightful

    And users will still click on everything they see.

    --
    ---- Booth was a patriot ----
    1. Re:Browsers Display Warnings by 0123456 · · Score: 2, Insightful

      And yet slashdotters continue to bitch about internet explorer

      Does any browser other than IE support the 'attack kit of ActiveX exploits' used as the primary vector in this attack?

    2. Re:Browsers Display Warnings by iPhr0stByt3 · · Score: 2, Insightful

      I don't agree with the grandparent's reasoning: not ActiveX's fault because it's the provider's (or attacker's) fault, but I still defend ActiveX. I fail (and therein lies the problem perhaps ;-) ) to understand how ActiveX is more dangerous than plug-ins.
      On another note, it's widely known that Adobe Reader is the number one attack vector on the web, so I wonder what percent of successful attacks are due to Adobe Reader vs ActiveX & plug-ins combined?

    3. Re:Browsers Display Warnings by Anonymous Coward · · Score: 0, Insightful

      Who cares? It all boils down to the majority of users are morons and will click on everything they see. That is how every single one of them has gotten infected.

      I've only ever seen my anti-virus actively block something or Firefox or Chrome or something actively block something malicious when I've followed links I knew were to hacked sites to investigate them.

      If I so desired, I could browse the internet on an old, unpatched version of Windows, with IE, old versions of Adobe Reader, no anti-virus, no anti-spyware, etc and I'd never get infected. Why? Because I know what the fuck I'm clicking on.

    4. Re:Browsers Display Warnings by 0123456 · · Score: 2, Insightful

      I fail (and therein lies the problem perhaps ;-) ) to understand how ActiveX is more dangerous than plug-ins.

      While that's true to some extent, there are three common Firefox plugins, all of which have had major security holes: Java, Flash and Adobe PDF. Most people don't need Java or PDF plugins, but Flash is harder to get rid of.

      There are about a bazillion ActiveX things and most of them probably have major security holes.

  2. lol. fabulous architecture by Colin+Smith · · Score: 2, Insightful

    I love the javascript client/server application concept.

    --
    Deleted
    1. Re:lol. fabulous architecture by Nadaka · · Score: 3, Insightful

      There are reasons to hate it, this isn't really one in my opinion. If their service did sanity checking between the database and the web page on outbound data, no one would see these exploits. If they had closed the attack vector they wouldn't have been affected at all. I don't know what the specific attack vector is, but js by itself won't compromise a server.
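
An outbound check of the kind this comment describes, as an added example that is not part of the original thread: it audits a rendered page for `<iframe>` and `<script>` tags that load from hosts outside an allow-list, and marks external iframes that are hidden from view, the injection pattern the story reports. The allow-list, host names and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: hosts this hypothetical site legitimately embeds.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample page: two legitimate scripts plus two injected tags.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body><p>Blog post text</p>
<iframe src="http://injected.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script src="//injected.invalid/js.js"></script>
</body></html>
"""


class EmbedAuditor(HTMLParser):
    """Records iframe/script tags whose src host is not on the allow-list."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []  # tuples of (tag, host, "hidden" | "visible")

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if host is None or host in self.allowed:
            return  # inline/relative (same origin) or an approved host
        style = a.get("style", "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append((tag, host, "hidden" if hidden else "visible"))


def audit(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the off-allow-list embeds found in one HTML document."""
    auditor = EmbedAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(finding)
```

Inline scripts with no `src` attribute are out of scope here, so a clean result does not rule out code injected directly into the page body.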

  3. Re:Those lying dogs by TheSpoom · · Score: 2, Insightful

    Network Solutions is still living off of the goodwill they had when they were the only domain registrar available. Companies believe that translates into stability.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  4. Re:happened to a friend's blog by Jerome+H · · Score: 4, Insightful

    Longer answer: Yes, unless your host is running suphp or another impersonating mechanism.

    How to check? Just put var_dump(posix_getpwuid(posix_getuid())); in a PHP file, execute it, and see whether the user is the same as your FTP user.

    --
    int main() { while(1) fork(); }