Slashdot Mirror


Network Solutions Sites Hacked Again

CWmike writes "A week after Web hosting company Network Solutions dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. 'We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,' said spokesman Shashi Bellamkonda in a blog post. 'At this time, since anything we say in public may help the perpetrators, we are unable to provide details.' Sucuri Security Labs said on Sunday that at least 50 sites hosted by Network Solutions had been hacked, and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. According to the StopMalvertising blog, the attacks planted a rogue IFRAME on the hacked sites to shunt users to the attack server. That server then launches multiple exploits, including an attack kit of ActiveX exploits and three more leveraging Adobe Reader vulnerabilities, against visiting PCs. Several browsers, including IE8, Chrome and Firefox, display warnings when users are redirected to the attack site."

3 of 68 comments

  1. Browsers Display Warnings by nurb432 · Score: 4, Insightful

    And users will still click on everything they see.

    --
    ---- Booth was a patriot ----
  2. Re:lol. fabulous architecture by Nadaka · Score: 3, Insightful

    There are reasons to hate it, this isn't really one in my opinion. If their service did sanity checking between the database and the web page on outbound data, no one would see these exploits. If they had closed the attack vector they wouldn't have been affected at all. I don't know what the specific attack vector is, but js by itself won't compromise a server.

  3. Re:happened to a friend's blog by Jerome+H · Score: 4, Insightful

    Longer answer: Yes, unless your host is running suphp or another impersonating mechanism.

    How to check? Just put var_dump(posix_getpwuid(posix_getuid())); in a PHP file, execute it and see if the user is the same as your FTP user.

    --
    int main() { while(1) fork(); }