
Network Solutions Sites Hacked Again

Soulskill posted about 4 years ago | from the at-least-they're-consistent dept.

Security 68

CWmike writes "A week after Web hosting company Network Solutions dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. 'We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,' said spokesman Shashi Bellamkonda in a blog post. 'At this time, since anything we say in public may help the perpetrators, we are unable to provide details.' Sucuri Security Labs said on Sunday that at least 50 sites hosted by Network Solutions had been hacked, and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. According to the StopMalvertising blog, the attacks planted a rogue IFRAME on the hacked sites to shunt users to the attack server. That server then launches multiple exploits, including an attack kit of ActiveX exploits and three more leveraging Adobe Reader vulnerabilities, against visiting PCs. Several browsers, including IE8, Chrome and Firefox, display warnings when users are redirected to the attack site."


68 comments

Browsers Display Warnings (4, Insightful)

nurb432 (527695) | about 4 years ago | (#31901588)

And users will still click on everything they see.

Re:Browsers Display Warnings (0)

Anonymous Coward | about 4 years ago | (#31901638)

And yet slashdotters continue to bitch about internet explorer as if it isn't really the advent of the retard on our wonderful internet that has made things so awful for security.

Re:Browsers Display Warnings (0)

Anonymous Coward | about 4 years ago | (#31901870)

yeah, blame the messenger! I guess you are some sort of middle tier moron manager.

Re:Browsers Display Warnings (1, Informative)

Anonymous Coward | about 4 years ago | (#31901926)

What part of

including an attack kit of ActiveX exploits

did you misunderstand?

Re:Browsers Display Warnings (0)

Anonymous Coward | about 4 years ago | (#31902762)

It's more likely that YOU missed the fact that users are warned by IE8. In other words - "the attack doesn't work unless the user tells the browser to install the malicious software that the browser recommends against." Maybe you got it this time?

Re:Browsers Display Warnings (2, Insightful)

0123456 (636235) | about 4 years ago | (#31902036)

And yet slashdotters continue to bitch about internet explorer

Does any browser other than IE support the 'attack kit of ActiveX exploits' used as the primary vector in this attack?

Re:Browsers Display Warnings (2, Insightful)

iPhr0stByt3 (1278060) | about 4 years ago | (#31902338)

I don't agree with the grandparent's reasoning: not ActiveX's fault because it's the provider's (or attacker's) fault, but I still defend ActiveX. I fail (and therein lies the problem perhaps ;-) ) to understand how ActiveX is more dangerous than plug-ins.
On another note, it's widely known that Adobe Reader is the number one attack vector on the web, so I wonder what percent of successful attacks are due to Adobe Reader vs ActiveX & plug-ins combined?

Re:Browsers Display Warnings (0, Insightful)

Anonymous Coward | about 4 years ago | (#31902506)

Who cares? It all boils down to the majority of users are morons and will click on everything they see. That is how every single one of them has gotten infected.

I've only ever seen my anti-virus actively block something or Firefox or Chrome or something actively block something malicious when I've followed links I knew were to hacked sites to investigate them.

If I so desired, I could browse the internet on an old, unpatched version of Windows, with IE, old versions of Adobe Reader, no anti-virus, no anti-spyware, etc and I'd never get infected. Why? Because I know what the fuck I'm clicking on.

Re:Browsers Display Warnings (2, Informative)

0123456 (636235) | about 4 years ago | (#31902808)

Have fun: you don't need to click on anything to get owned by Flash malware served from an advertising site.

Re:Browsers Display Warnings (0)

Anonymous Coward | about 4 years ago | (#31903668)

Pride goes before a fall...

Just sayin'

Re:Browsers Display Warnings (2, Insightful)

0123456 (636235) | about 4 years ago | (#31902768)

I fail (and therein lies the problem perhaps ;-) ) to understand how ActiveX is more dangerous than plug-ins.

While that's true to some extent, there are three common Firefox plugins, all of which have had major security holes: Java, Flash and Adobe PDF. Most people don't need Java or PDF plugins, but Flash is harder to get rid of.

There are about a bazillion ActiveX things and most of them probably have major security holes.

Re:Browsers Display Warnings (0)

Anonymous Coward | about 4 years ago | (#31905740)

Aren't you forgetting AOL? :D Microsoft just figured out how to continue making money off it :D

I have personally experienced this attack (5, Interesting)

Anonymous Coward | about 4 years ago | (#31901620)

One of my clients' servers has had this spread around his box a few times by now; it's not a Network Solutions box though. Oddly, the NetSol VPS that I do work with hasn't (yet) experienced this. It's definitely automated and not all that smart as it infects PHP pages where it isn't appropriate, breaking code. It seems to search for the head section of a page and insert its obfuscated JavaScript; I'd guess it's a worm of some kind, possibly using PHP to look for more vulnerable hosts to infect.

Posting anon for obvious reasons.

Re:I have personally experienced this attack (0)

Anonymous Coward | about 4 years ago | (#31901688)

I'd like to check your security if only you'd tell me who your clients are.

Some Solution! (1, Funny)

WrongSizeGlass (838941) | about 4 years ago | (#31901668)

Here at Network Solutions we have a great solution to clear up all that annoying web traffic you're seeing. It's called "Redirecting Attack Technology Service". Our RATS service will keep those pesky customers away without you having to do anything but sit back and watch ...

Please Remove The Obamacare Ad (0)

Anonymous Coward | about 4 years ago | (#31901696)

on the right side of the page.

Why did I never see offensive ads about BushCo other than
the ones I redirected users to?

Yours In Petrograd,
Kilgore Trout

Re:Please Remove The Obamacare Ad (0)

Anonymous Coward | about 4 years ago | (#31901954)

Slashdot has ads?

happened to a friend's blog (4, Interesting)

Anonymous Coward | about 4 years ago | (#31901720)

I helped a friend restore their database and correct the initial file permission problem. It seems that by leaving the file with the database credentials world-readable, a script running on the same shared server as the site was able to get the DB host, user and password. The hacker then connected to the database and injected the iframe code in the "site url" settings entry.

Perhaps WordPress could put a big red div on the top of the site until users correct the file permissions, to prevent novice users from leaving their config files unsecured.

As a side note, I'm still a bit uncertain if I actually fixed the file permission problem. If you are on a shared host and the DB config file is readable by the apache user (which is a requirement for WordPress to function), wouldn't any script running on the same server be able to read it?

Re:happened to a friend's blog (1, Informative)

Anonymous Coward | about 4 years ago | (#31901970)

Yes.

Re:happened to a friend's blog (4, Insightful)

Jerome H (990344) | about 4 years ago | (#31902332)

Longer answer: Yes, unless your host is running suphp or another impersonating mechanism.

How to check? Just put var_dump(posix_getpwuid(posix_getuid())); in a php file, execute it and look if the user is the same as your FTP user.

Those lying dogs (5, Interesting)

clifgriffin (676199) | about 4 years ago | (#31901722)

I personally experienced this as well.

Network Solutions assured me this was my fault, even though I took every reasonable (and unreasonable) step required to harden my installation. I had my client migrate to MediaTemple. Problem solved.

Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

Re:Those lying dogs (2, Insightful)

TheSpoom (715771) | about 4 years ago | (#31902040)

Network Solutions is still living off of the goodwill they had when they were the only domain registrar available. Companies believe that translates into stability.

Re:Those lying dogs (2, Interesting)

S77IM (1371931) | about 4 years ago | (#31902678)

You'd think with their brand name, premium rates, and large customer base, they'd have the budget to architect and administer a superior hosting solution, rather than the substandard packages they offer now. Instead they are milking it, dwindling, and will eventually go tits-up.

"There is an old story, something about a golden goose; I can't remember the particulars." -- Tycho (Penny Arcade) [penny-arcade.com]

  -- 77IM

Re:Those lying dogs (1, Interesting)

Anonymous Coward | about 4 years ago | (#31903412)

They did. We were building it. They laid us off, as the last kick in the face after two years of constantly doing stuff we told them was a bad idea.

The entire office (~20 people) that had designed and architected their hosting and email from the beginning was laid off in October. I doubt they've done a security patch since.

Re:Those lying dogs (0)

Anonymous Coward | about 4 years ago | (#31906070)

But laying off the entire teams who built and maintained the system was a brilliant cost saving strategy!

Fortunately they finally fired their brilliant CTO who pushed them down this path.

Now mind you it took the business 7 months, a few major security breaches, some bad press, a few more security issues, more bad press, then.. ah hell who am I kidding. Good riddance.

Re:Those lying dogs (1)

Monkeedude1212 (1560403) | about 4 years ago | (#31902042)

Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

They're the kind of admin that thinks "We didn't change anything, so it's not our fault".

It's probably some simple vulnerability that was fixed in a Windows Server patch, but they can't be damned to update it for fear of it not working afterwards.

Re:Those lying dogs (1)

dAzED1 (33635) | about 4 years ago | (#31902068)

and it's sad that such an established web co like netsol can't do better than someplace like mediatemple. :/

Re:Those lying dogs (2, Informative)

EXrider (756168) | about 4 years ago | (#31902832)

Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

We had an issue earlier this year with emails going to Network Solutions hosted domains being bounced because:

"205.178.149.7 failed after I sent the message. Remote host said: 550 5.6.0 Lone CR or LF in body (see RFC2822 section 2.3)"

Pretty self explanatory, except there WEREN'T any lone CRs or LFs in the message body! Some googling revealed that misconfigured Domino servers are prone to falsely reject certain "rich text" emails coming from Outlook with a legal disclaimer appended to them. The temporary workaround was to re-send the message in plaintext format since NS wasn't in any hurry to fix the problem. Our spam filtering provider argued with them for a while and it was eventually resolved, several freakin months later.

Re:Those lying dogs (0)

Anonymous Coward | about 4 years ago | (#31907430)

I don't know. Sounds like their server is configured correctly. Mails with legal disclaimers deserve no less.

Re:Those lying dogs (0)

Anonymous Coward | about 4 years ago | (#31903124)

Same experience here - they were NO HELP at all - even after I had been attacked 5 times in a 2 week period. I finally up and moved; I wish I had done it sooner.

Re:Those lying dogs (0)

Anonymous Coward | about 4 years ago | (#31903738)

Same experience here, except it was a good 6 months ago, and my site has been clean for the last 5 months. I originally blamed this on a virus on the computer of the guy who updates the site, but it wasn't him.

Re:Those lying dogs (0)

Anonymous Coward | about 4 years ago | (#31906180)

I originally blamed this on a virus on the computer of the guy who updates the site

You usually do, you usually do

Re:Those lying dogs (1)

Sleepy (4551) | about 4 years ago | (#31904676)

Why do you expect this from Network Solutions? Do they even do their "own" Technical Support... if not, it'll take DAYS for them to spot a trend and notify the right folks... who are probably developers in an outsourcing firm, or were local employees laid off (when there wasn't any other way for NetSol to scrounge up management bonus checks).

Folks, there's PLENTY of mid-sized indie shops. They treat you like gold, and they stay on top of their systems.

Re:Those lying dogs (1)

hesaigo999ca (786966) | about 4 years ago | (#31908480)

>It's ridiculous that weeks later they can't figure out what's going on.
Or that the management can't realize the problem could also be from the inside...

Re:Those lying dogs (0)

Anonymous Coward | about 4 years ago | (#31936192)

I personally experienced this as well.

Network Solutions assured me this was my fault, even though I took every reasonable (and unreasonable) step required to harden my installation. I had my client migrate to MediaTemple. Problem solved.

Their admins must be completely incompetent. It's ridiculous that weeks later they can't figure out what's going on.

The hackers may be criminal but NetSol should be liable. These are simple issues that they neglected. I know at least 15 people with WP sites not hosted by Network Solutions, no problems. Our site has been hacked three times this week, we went from page one in google to page 'no where' and my new best friends in the south pacific are so awesome at hooking us up... 'I'm sorry for the inconvenience sir, I can have a ticket escalated for you and hopefully someone will get back to you in about three days' sound familiar? It's MADNESS! Funny though, their site is fine, I wonder who hosts it?

lol. fabulous architecture (2, Insightful)

Colin Smith (2679) | about 4 years ago | (#31901748)

I love the javascript client/server application concept.


Re:lol. fabulous architecture (3, Insightful)

Nadaka (224565) | about 4 years ago | (#31902192)

There are reasons to hate it, this isn't really one in my opinion. If their service did sanity checking between the database and the web page on outbound data, no one would see these exploits. If they had closed the attack vector they wouldn't have been affected at all. I don't know what the specific attack vector is, but js by itself won't compromise a server.

Re:lol. fabulous architecture (1)

Sleepy (4551) | about 4 years ago | (#31904720)

The rich client model has flaws (including making it too easy to shoot yourself in the foot), but that's not what's to blame here.

Netsol's application platform does not appear to sanitize tainted input... this was something we all learned to do back in the Perl 4 CGI days... years before the XSS and iframes appeared.

NetSol should hire back the people who were responsible for maintaining their applications, instead of coasting along without them.
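The point made by Nadaka and Sleepy above, and the "site url" setting that got an iframe injected in the "happened to a friend's blog" thread, come down to one defensive practice: a value read back from your own database is still tainted, so validate it before it reaches the page and escape it on output regardless. The following is an added Python example, not code from any commenter or from WordPress; the function names and the sample values (including the placeholder host) are constructed for illustration.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of a tampered setting: a legitimate site URL with an
# iframe appended, the way the thread describes the injected "site url" entry.
# The host is a placeholder, not a real indicator.
TAMPERED_SITEURL = 'http://example.com<iframe src="http://attacker.invalid/x"></iframe>'
CLEAN_SITEURL = "https://example.com/blog"

ALLOWED_SCHEMES = {"http", "https"}


def validate_site_url(value: str) -> Optional[str]:
    """Return the value if it is a plain http(s) URL, otherwise None.

    This is the outbound sanity check between the database and the page: the
    setting is not trusted just because it came from our own options table.
    """
    # Markup characters, quotes and whitespace have no place in a site URL.
    if any(ch in value for ch in '<>"\'\x00') or any(c.isspace() for c in value):
        return None
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # A site base URL carries no query string or fragment.
    if parts.query or parts.fragment:
        return None
    return value


def render_site_link(stored_value: str, fallback: str) -> str:
    """Build the header link from the stored setting.

    A rejected value falls back to a known-good URL, and the value is
    HTML-escaped on output either way, so a validator bug alone cannot put
    markup into the page.
    """
    url = validate_site_url(stored_value) or fallback
    return '<a href="{0}">{0}</a>'.format(html.escape(url, quote=True))


if __name__ == "__main__":
    print(render_site_link(CLEAN_SITEURL, CLEAN_SITEURL))
    print(render_site_link(TAMPERED_SITEURL, CLEAN_SITEURL))
```

The two layers are deliberate: validation catches the tampered setting and lets you log it as an indicator that the database was written to by someone other than the application, while escaping is the safety net that holds even when a new kind of bad value slips past the validator.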

Why iframes? (0)

Anonymous Coward | about 4 years ago | (#31901826)

It seems like it is a continual chain of iframe exploits. I'm not a web developer, can anyone more knowledgeable on the subject explain the amazing upsides to iframes that make them worth the extreme security issues they present?

Re:Why iframes? (3, Interesting)

Nadaka (224565) | about 4 years ago | (#31902094)

It is the easiest way to include the content from multiple html files into a single document. They are a pretty easy way to get data to and from an AJAX request. They are the ONLY way to transmit a file from a file dialog to the server without refreshing the entire page.

The iframe isn't bad, it is the javascript exploiting the iframe that is bad.

NSI isn't the only one with issues (0)

Anonymous Coward | about 4 years ago | (#31901834)

Recently, another registrar's hosting service was compromised as well. Liberty Names of America, and the accompanying Prohostservers.com hosting packages, have been down for two weeks now without an ETA on when it'll be back up. Apparently, they were the target of a mass defacement a few weeks before this outage occurred.

Re:NSI isn't the only one with issues (0)

Anonymous Coward | about 4 years ago | (#31902052)

Media Temple had recent problems as well, though I'm not sure if they were related.

Homework FAIL (1)

r7 (409657) | about 4 years ago | (#31902184)

No news here. Anyone purchasing services from Network Solutions simply hasn't done their homework. The rest of us left this disreputable vendor years ago.

Re:Homework FAIL (0)

Anonymous Coward | about 4 years ago | (#31902630)

No news here. Anyone purchasing services from Network Solutions simply hasn't done their homework. The rest of us left this disreputable vendor years ago.

I use Network Solutions for my web-based email and domain registration plus forwarding references to my web site to the actual web hosting service.

not China? (0)

Anonymous Coward | about 4 years ago | (#31902224)

But the server is connected to a Taiwan server, which is in turn connected to a server on mainland China controlled by the government.

So what are you paying for? (1, Interesting)

Anonymous Coward | about 4 years ago | (#31902330)

Seriously, NS charges more than twice the same amount for a personal domain per year than most other companies do (at least most major ones). I don't think anyone expects the mentality to be "I'm paying a premium for a perfect company", but some may say "I'm paying a premium for a company that's different or better than the other companies." So tell me, exactly, what are you paying a premium for?

A -SOLUTION- exists to web page/site hacking... (1)

ivi (126837) | about 4 years ago | (#31902452)

Hosting services to use custom software that has NO means of modifying web content
that's visible or accessible to users of the web site or those who would infect it.

(Of course, they'd have to provide OTHER means for Developers to upload / change
their web site contents, but ones that are much more secure than what got hit here.)

Perhaps the only way (other than with physical access to web hosting servers) to
add/modify content would be via a "call-back" system:

1. Developer lodges callback URL when setting-up a hosting service account

2. When a change to content is needed, Developer lodges a Change Request

3. Hosting service uses lodged callback URL to set up a VPN to Developer

4. Developer makes changes via VPN

5. Change process produces a Content Checksum (CC)

6. Developer saves CC & can later use it to check a site's content for hacks

Q.E.D.

Re:A -SOLUTION- exists to web page/site hacking... (1)

Ajaxamander (646536) | about 4 years ago | (#31902824)

I guess you don't like being able to upload images/files to a web application.

This (or another in a litany of ) WP vulnerability usually involves uploading a php script which exposes a bunch of extra server-side functionality (download any file, list users, access MySQL dbs...) through WP's file upload manager, which WP seems slow to fix on occasion.

That said, there's no reason a developer couldn't do the useful part of your suggestion: run a checksum of their application files when they upload to the server, then use that to identify anything that's been monkeyed with. I might start doing that, actually.

But there's no way I'm spending a dime with YourHostingCompany(TM), which requires I make simple code changes via VPN. Will you give me SSH access, even?

This is no joke.. all of my NetSol sites hacked (4, Informative)

OctavianMH (61823) | about 4 years ago | (#31902606)

One client of mine had about 15 sites hosted on NetSol, every one was hacked.

The bot is:
1) Checking for any "index." file (index_ files were unaffected) with any extension
2) Searching for a tag
3) Inserting a pile of obfuscated javascript after the tag.

If you have any clients on netsol, DO check them, NOW.

@mbhnyc

Re:This is no joke.. all of my NetSol sites hacked (1, Interesting)

Anonymous Coward | about 4 years ago | (#31905834)

Yep, this is exactly what happened to me (I'm the anon from earlier). I couldn't find how it was actually scanning the files and inserting itself though as I didn't see any strange processes in ps as root. Any idea?

Re:This is no joke.. all of my NetSol sites hacked (1)

SloWave (52801) | about 4 years ago | (#31911344)

I can confirm this too. On Network Solutions hosting. It hit the index.html in the root directory and index.shtml in my awstats directory. I replaced the index.html and it hit it again within 30 minutes. I then disabled all the .htpasswd's, and moved the awstats and vti_pvr dirs. It hasn't come back yet. It was easy to detect, viewing source with firefox showed the problem. It would insert a long script after the <body> tag that started like this...

              var EP="476f4365785d43595a08496d697a667
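Ajaxamander's suggestion (checksum the application files at upload time and compare later) and the behaviour OctavianMH and SloWave describe (an obfuscated script inserted right after the body tag of every index.* file) fit together as one detection routine. Below is an added Python example, not code from any commenter or from NetSol: it builds a SHA-256 manifest of a site directory, diffs it against a later one, and separately applies a heuristic for a script block immediately after the body tag whose first statement assigns a long hex string. The site tree, the hex payload and the function names are constructed for the demonstration; the hex value is not the one quoted in the thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path

BODY_TAG = re.compile(rb"<body\b[^>]*>", re.IGNORECASE)
# Heuristic for the injection described in the thread: a <script> block right
# after <body> whose first statement assigns a long hex string literal.
INJECTED_SCRIPT = re.compile(
    rb'<script\b[^>]*>\s*var\s+\w+\s*=\s*"[0-9a-fA-F]{32,}', re.IGNORECASE
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by path relative to root.

    Run this once after a clean upload and keep the result off the server.
    """
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files whose hash changed, plus files that appeared or disappeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_index_files(root: Path, window: int = 512) -> list:
    """Report index.* files where the injection pattern follows the <body> tag.

    Only the bytes right after <body> are searched, which keeps legitimate
    scripts elsewhere in the page from triggering the heuristic.
    """
    hits = []
    for p in root.rglob("index.*"):
        if not p.is_file():
            continue
        data = p.read_bytes()
        m = BODY_TAG.search(data)
        if m and INJECTED_SCRIPT.search(data, m.end(), m.end() + window):
            hits.append(str(p.relative_to(root)))
    return sorted(hits)


def demo() -> tuple:
    """Constructed site: take a baseline, imitate the injection, detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "awstats").mkdir()
        clean = b"<html><head><title>x</title></head>\n<body>\n<p>hello</p>\n</body></html>\n"
        (root / "index.html").write_bytes(clean)
        (root / "awstats" / "index.shtml").write_bytes(clean)
        (root / "style.css").write_bytes(b"body{}")
        baseline = build_manifest(root)
        # Constructed imitation of the injected script (hex value is made up).
        payload = b'<script>var EP="' + b"deadbeef" * 8 + b'";</script>'
        (root / "index.html").write_bytes(clean.replace(b"<body>", b"<body>" + payload, 1))
        return diff_manifest(baseline, build_manifest(root)), scan_index_files(root)


if __name__ == "__main__":
    changes, flagged = demo()
    print("manifest diff:", changes)
    print("index files with injection pattern:", flagged)
```

The manifest comparison is the reliable part and needs no knowledge of the payload; the heuristic is what you run when you have no baseline, which is the situation most of the commenters above were in. For the recurring re-infection SloWave and OctavianMH report, the manifest also tells you how quickly the file is being rewritten, which is useful evidence when arguing with the host.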

Re:This is no joke.. all of my NetSol sites hacked (1)

OctavianMH (61823) | about 4 years ago | (#31916252)

The script keeps reappearing on my installation - anyone know why this is, and how I could fix it? I guess it must be some sort of CRON job?

Super irritating.

This is a well-known problem (0)

Anonymous Coward | about 4 years ago | (#31902732)

I own a hosting company. This type of problem has been around for a long time now - the causes being either insecure software, compromised account logins or, in the worst case, incompetent server administration - outdated/insecure PHP configurations, usage of mod_php (shared general PHP user) over suPHP (all scripts run under your own username - so set chmod 400/600 and you're fine). The first two are a constant pain for all hosting companies, but the latter is firmly and solely the fault of the hosting company.
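The permission question runs through several posts above: the "happened to a friend's blog" thread (a world-readable DB config read by another tenant's script), Jerome H's posix_getpwuid check for whether PHP impersonates your account, and the hosting-company comment just above (suPHP plus chmod 400/600). Here is an added Python example, not code from any commenter: it audits the mode bits of a config file, applies the Python equivalent of the impersonation check (does this process run as the file's owner?), and only recommends 0600 when the scripts do run as the owner, because under shared mod_php that mode would lock the web server out instead of fixing anything. The file contents, the function names and the temporary path are constructed; os.geteuid is POSIX-only.

```python
import os
import stat
import tempfile
from pathlib import Path


def runs_as_file_owner(path: Path) -> bool:
    """Python analogue of the posix_getpwuid(posix_getuid()) check.

    Under suPHP/impersonation the script process runs as the account that
    owns the files, so this is True; under shared mod_php it runs as the web
    server user and is False.
    """
    return os.geteuid() == path.stat().st_uid


def audit_config_permissions(path: Path, php_runs_as_owner: bool) -> dict:
    """Report who can read a credentials file and what mode it should have."""
    mode = stat.S_IMODE(path.stat().st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any other tenant's script can read the DB credentials")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any other tenant's script can rewrite the config")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible: readable by every account in the same group")
    if not php_runs_as_owner:
        findings.append("scripts run as the shared web server user: no mode bits fix this, "
                        "the site needs an impersonating setup (suPHP or similar)")
    # Under impersonation only the owner needs access, so 0600 is safe.
    # Under shared mod_php the server user must read it, so there is no safe mode.
    recommended = 0o600 if php_runs_as_owner else None
    return {"mode": oct(mode), "findings": findings, "recommended_mode": recommended}


def demo() -> dict:
    """Constructed config file, audited before and after tightening its mode."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "wp-config.php"
        cfg.write_text("<?php define('DB_PASSWORD', 'constructed-example'); ?>\n")
        os.chmod(cfg, 0o644)  # the typical default that leaks credentials on shared hosts
        before = audit_config_permissions(cfg, php_runs_as_owner=True)
        os.chmod(cfg, before["recommended_mode"])
        after = audit_config_permissions(cfg, php_runs_as_owner=True)
        shared = audit_config_permissions(cfg, php_runs_as_owner=False)
        return {"before": before, "after": after, "shared_mod_php": shared,
                "same_user": runs_as_file_owner(cfg)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Running the audit from the same process model your PHP uses is what makes the impersonation check meaningful: invoke it through the host's script execution path (for PHP, the one-liner Jerome H gives), not from an SSH session, which always runs as your own account.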

My ex-client should have listened (1)

Anonymous Showered (1443719) | about 4 years ago | (#31903408)

A client I dealt with 1-2 years ago is still on NetSol. I told him to switch over hosting and registrar companies, but he thought I was out to nickel and dime him (I offered him a 15$/month hosting plan...). Poor sob, all his sites are now down.

hasn't this happened before (0)

Anonymous Coward | about 4 years ago | (#31904902)

Wasn't there a similar case of hacking at NetSol a year or two ago.

Can anyone find any references ?

It's the active content, stupid (0)

Anonymous Coward | about 4 years ago | (#31906438)

In the meantime, people still surf with full Javascript on, with all forms of active content execution open in their browsers -- congratulations for the "rich web experience". You get what you pray for.

I always cringe when I see some stupid web designers using a Javascript snippet where a simple link would do.

Here's a plea to web designers: make your sites usable _without any active content_. Add active content for the shiny effects -- for whoever cares. I don't.

Hosting vulnerabilities (1)

jprupp (697660) | about 4 years ago | (#31907258)

I used to be a sysadmin for a hosting company, and we had these problems very much all the time. It's part of the job. When you provide a customer with web space, it's up to them to verify that the code they put there is secure. Fortunately these attacks only affect a particular customer's site, and almost never compromise other sites on the server.

Seriously (1)

bytesex (112972) | about 4 years ago | (#31907390)

Why. Does. Network Solutions. Host. A. Blog.

Sorry, the mind just boggles. If you are the overactive twenty-five-year-old working for Network Solutions and you want to host a blog and you're reading this - go do it somewhere else!

Net Sol mail servers seem to be on the fritz today (1)

opusbuddy (164089) | about 4 years ago | (#31913536)

20 minutes on hold with the helpless desk so far. No pop or smtp flowing through.

Hostingliste (0)

Anonymous Coward | about 4 years ago | (#31953146)

Hmm, security on web hosting is a difficult thing.
Here is a list of Swiss web hosting companies [hostingliste.ch].
They have good security there.
