Slashdot Mirror


Network Solutions Sites Hacked Again

CWmike writes "A week after Web hosting company Network Solutions dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. 'We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,' said spokesman Shashi Bellamkonda in a blog post. 'At this time, since anything we say in public may help the perpetrators, we are unable to provide details.' Sucuri Security Labs said on Sunday that at least 50 sites hosted by Network Solutions had been hacked, and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. According to the StopMalvertising blog, the attacks planted a rogue IFRAME on the hacked sites to shunt users to the attack server. That server then launches multiple exploits, including an attack kit of ActiveX exploits and three more leveraging Adobe Reader vulnerabilities, against visiting PCs. Several browsers, including IE8, Chrome and Firefox, display warnings when users are redirected to the attack site."

17 of 68 comments

  1. Browsers Display Warnings by nurb432 · · Score: 4, Insightful

    And users will still click on everything they see.

    --
    ---- Booth was a patriot ----
    1. Re:Browsers Display Warnings by MightyMartian · · Score: 4, Funny

      And users will still click on everything they see.

      Except banner ads.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Browsers Display Warnings by 0123456 · · Score: 2, Insightful

      And yet slashdotters continue to bitch about internet explorer

      Does any browser other than IE support the 'attack kit of ActiveX exploits' used as the primary vector in this attack?

    3. Re:Browsers Display Warnings by iPhr0stByt3 · · Score: 2, Insightful

      I don't agree with the grandparent's reasoning: it's not ActiveX's fault because it's the provider's (or attacker's) fault, but I still defend ActiveX. I fail (and therein lies the problem perhaps ;-) ) to understand how ActiveX is more dangerous than plug-ins.
      On another note, it's widely known that Adobe Reader is the number one attack vector on the web, so I wonder what percent of successful attacks are due to Adobe Reader vs ActiveX & plug-ins combined?

    4. Re:Browsers Display Warnings by 0123456 · · Score: 2, Insightful

      I fail (and therein lies the problem perhaps ;-) ) to understand how ActiveX is more dangerous than plug-ins.

      While that's true to some extent, there are three common Firefox plugins, all of which have had major security holes: Java, Flash and Adobe PDF. Most people don't need Java or PDF plugins, but Flash is harder to get rid of.

      There are about a bazillion ActiveX things and most of them probably have major security holes.

    5. Re:Browsers Display Warnings by 0123456 · · Score: 2, Informative

      Have fun: you don't need to click on anything to get owned by Flash malware served from an advertising site.

  2. I have personally experienced this attack by Anonymous Coward · · Score: 5, Interesting

    One of my clients' servers has had this spread around his box a few times by now; it's not a Network Solutions box though. Oddly, the NetSol VPS that I do work with hasn't (yet) experienced this. It's definitely automated and not all that smart as it infects PHP pages where it isn't appropriate, breaking code. It seems to search for the head section of a page and insert its obfuscated JavaScript; I'd guess it's a worm of some kind, possibly using PHP to look for more vulnerable hosts to infect.

    Posting anon for obvious reasons.

  3. happened to a friend's blog by Anonymous Coward · · Score: 4, Interesting

    I helped a friend restore their database and correct the initial file permission problem. It seems that by leaving the file with the database credentials world-readable, a script running on the same shared server as the site was able to get the DB host, user and password. The hacker then connected to the database and injected the iframe code in the "site url" settings entry.

    Perhaps WordPress could put a big red div on the top of the site until users correct the file permissions, to prevent novice users from leaving their config files unsecured.

    As a side note, I'm still a bit uncertain if I actually fixed the file permission problem. If you are on a shared host and the DB config file is readable by the apache user (which is a requirement for WordPress to function), wouldn't any script running on the same server be able to read it?

    1. Re:happened to a friend's blog by Jerome+H · · Score: 4, Insightful

      Longer answer: Yes, unless your host is running suPHP or another impersonating mechanism.

      How to check? Just put var_dump(posix_getpwuid(posix_getuid())); in a PHP file, execute it and check whether the user is the same as your FTP user.

      --
      int main() { while(1) fork(); }
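Added example, not code from the thread or from WordPress: a small Python audit of the permission problem described in this post and its reply. The file it checks is a constructed stand-in for wp-config.php, and the "shared" verdict assumes the file's group is the web server's group, with php_runs_as_owner modelling the suPHP distinction from the reply.

```python
import os
import pwd
import stat
import tempfile

def owner_name(uid):
    """Username for uid, falling back to the number if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_config(path, php_runs_as_owner=False):
    """Classify who can read a credentials file such as wp-config.php.

    php_runs_as_owner=True models a host running suPHP (or similar), where
    PHP executes under the site owner's uid instead of one shared web user.
    Returns (risk, detail); risk is "world", "shared" or "ok".
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    owner = owner_name(st.st_uid)
    if mode & stat.S_IROTH:
        # Any local process, e.g. another tenant's script running as the
        # shared web user, can read the DB host, user and password.
        return "world", f"{path} is world-readable ({oct(mode)}), owner {owner}"
    if mode & stat.S_IRGRP and not php_runs_as_owner:
        # Assumes the group is the web server's: without suPHP every tenant's
        # PHP runs as that one user, so the file is readable by every site.
        return "shared", f"{path} is group-readable ({oct(mode)}) on shared PHP"
    return "ok", f"{path} mode {oct(mode)} limits reads to owner {owner}"

def recommended_mode(php_runs_as_owner):
    # 0600 when PHP runs as the owner; otherwise 0640 with the file's group set
    # to the web-server group, which still shares it with that group (the real
    # fix is a per-user PHP setup such as suPHP).
    return 0o600 if php_runs_as_owner else 0o640

def audit_sample(mode, php_runs_as_owner):
    """Create a constructed stand-in for wp-config.php, set mode, audit it."""
    fd, path = tempfile.mkstemp(prefix="wp-config-")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return audit_config(path, php_runs_as_owner)[0]
    finally:
        os.remove(path)
```

audit_sample(0o644, False) reproduces the mistake in the post and returns "world"; audit_sample(recommended_mode(True), True) returns "ok".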
  4. Those lying dogs by clifgriffin · · Score: 5, Interesting

    I personally experienced this as well.

    Network Solutions assured me this was my fault, even though I took every reasonable (and unreasonable) step required to harden my installation. I had my client migrate to MediaTemple. Problem solved.

    Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

    1. Re:Those lying dogs by TheSpoom · · Score: 2, Insightful

      Network Solutions is still living off of the goodwill they had when they were the only domain registrar available. Companies believe that translates into stability.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:Those lying dogs by S77IM · · Score: 2, Interesting

      You'd think with their brand name, premium rates, and large customer base, they'd have the budget to architect and administer a superior hosting solution, rather than the substandard packages they offer now. Instead they are milking it, dwindling, and will eventually go tits-up.

      "There is an old story, something about a golden goose; I can't remember the particulars." -- Tycho (Penny Arcade)

        -- 77IM

      --
      Student: Is it true that the foundation of the universe is paradox?
      Master: Well, yes and no.
    3. Re:Those lying dogs by EXrider · · Score: 2, Informative

      Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

      We had an issue earlier this year with emails going to Network Solutions hosted domains being bounced because:

      "205.178.149.7 failed after I sent the message. Remote host said: 550 5.6.0 Lone CR or LF in body (see RFC2822 section 2.3)"

      Pretty self-explanatory, except there WEREN'T any lone CRs or LFs in the message body! Some googling revealed that misconfigured Domino servers are prone to falsely reject certain "rich text" emails coming from Outlook with a legal disclaimer appended to them. The temporary workaround was to re-send the message in plaintext format since NS wasn't in any hurry to fix the problem. Our spam filtering provider argued with them for a while and it was eventually resolved, several freakin' months later.

      --
      grep -iw skynet /etc/services
  5. lol. fabulous architecture by Colin+Smith · · Score: 2, Insightful

    I love the javascript client/server application concept.


    --
    Deleted
    1. Re:lol. fabulous architecture by Nadaka · · Score: 3, Insightful

      There are reasons to hate it, this isn't really one in my opinion. If their service did sanity checking between the database and the web page on outbound data, no one would see these exploits. If they had closed the attack vector they wouldn't have been affected at all. I don't know what the specific attack vector is, but js by itself won't compromise a server.

  6. Re:Why iframes? by Nadaka · · Score: 3, Interesting

    It is the easiest way to include the content from multiple html files into a single document. They are a pretty easy way to get data to and from an AJAX request. They are the ONLY way to transmit a file from a file dialog to the server without refreshing the entire page.

    The iframe isn't bad, it is the javascript exploiting the iframe that is bad.

  7. This is no joke.. all of my NetSol sites hacked by OctavianMH · · Score: 4, Informative

    One client of mine had about 15 sites hosted on NetSol, every one was hacked.

    The bot is:
    1) Checking for any "index." file (index_ files were unaffected) with any extension
    2) Searching for a tag
    3) Inserting a pile of obfuscated javascript after the tag.

    If you have any clients on netsol, DO check them, NOW.

    @mbhnyc

    --
    "In the end, we all fall back on fiction." -- Lonely Planet
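An added example, not the poster's or WordPress's code: a Python scanner that applies the targeting rule described above (index.* files with any extension, index_ files skipped) and flags script blocks carrying common obfuscation markers. The marker list is an assumption about injected scripts in general, and the sample pages are constructed.

```python
import os
import re
import tempfile
# The poster's targeting rule: "index." plus any extension, but not "index_".
INDEX_RE = re.compile(r"^index\.[A-Za-z0-9]+$")

# Markers of obfuscated injected JS (assumption: generic, not from the thread).
SUSPECT = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*?"
    r"(eval\(|unescape\(|fromCharCode|document\.write\(\s*unescape)"
    r"(?:(?!</script>).)*?</script>",
    re.IGNORECASE | re.DOTALL,
)

def scan_file(path):
    """Return (line_number, snippet) for each suspicious script block."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    return [(text.count("\n", 0, m.start()) + 1, m.group(0)[:60])
            for m in SUSPECT.finditer(text)]

def scan_tree(root, only_index=True):
    """Walk root and return {path: hits}. only_index mirrors the bot's
    targeting; pass False for a full sweep, which is what a cleanup needs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if only_index and not INDEX_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[path] = hits
    return findings

# Constructed sample pages: one clean, one with an injected script block.
CLEAN = "<html><head><title>ok</title></head><body>hi</body></html>\n"
INFECTED = ("<html><head><title>x</title>\n"
            "<script>eval(unescape('%61%6c%65%72%74'))</script>\n"
            "</head><body>hi</body></html>\n")

def demo(only_index=True):
    """Build a constructed site tree and return the flagged basenames."""
    root = tempfile.mkdtemp()
    for name, body in [("index.php", INFECTED), ("index.html", CLEAN),
                       ("index_old.php", INFECTED), ("about.php", INFECTED)]:
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    return sorted(os.path.basename(p) for p in scan_tree(root, only_index))
```

demo() flags only index.php, matching the rule in the post; demo(only_index=False) also catches the other injected files, which is the mode to use when actually cleaning a site.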