I've been hacked. Happened around 2:40 PM on my NS Shared.

They are hitting WordPress index.php files.

WP index.html deleted (640 permissions), ftp access changed.

I can't log in with SFTP even with the new password.

Update — a file named default.html also was affected on my site. Anybody have any other file names affected?

man… this has been going on for weeks. The solution? Ditch Network Solutions… their security sucks and they are always getting hacked.

-pissed developer.

It is not a WordPress problem. NS security was compromised. They also restored malware from backups in some cases.

A fresh install is always good but wont work if the main security is compromised.

Upgrading WP is usually easy since 2.7 something. However that doesnot touch wp-content folder in theme or uploads which are likely malware locations.

My vanilla html site has now had malicious code inserted 6 times in the last 24 hours. Their tech support has nothing helpful to say. I have now pulled my site down altogether as I can't otherwise prevent my (largely un-tech-savvy) visitors from the threat posed by this code.

Another vanilla html site was hit. I removed the malicious code and waiting for the following attack i suppose. Some weeks ago our ftp passwords were also compromised. It is not the first time NS was attacked. And apparently all kind of sites are attacked. I will advice my clients to change provider. It seems to be the only real solution.

We use Network Solutions as our hosting and email provider but unlike the rest of you, our website was unaffected. Our problem is that our email stopped working last friday and I am wondering if this had anything to do with the hack. It took me 15 phone calls for them to explain that we had violated their TOS agreement for spamming. It's funny that we don't advertise via email but through direct mail. So WITHOUT ANY NOTIFICATION, they shut down our pop serivces and have crippled our business. They also have not provided any proof to these accusations which makes me incredibly irate. We have been using Network Solutions for around 60 days now, and in 15 years of using our last provider, we have never experienced any issues whatsoever. We needed to switch because we needed a Windows platform. I also find out that we can send mail but cannot recieve it. I would think that due a spamming violation, the opposite would happen. Cannot send but can recieve. What do you guys think about this? I think it should be passed on to legal.

This is the form email I received when I notified Network Solutions on 4/11 that I thought something fishy was going on with one of my sites: Thank you for contacting Network Solutions Customer Service Department. We are committed to creating the best Customer experience possible. One of the first ways we can demonstrate our commitment to this goal is to quickly and efficiently handle your recent request. We apologize for any inconvenience this may have caused you. Based on your concern, proponents of malware commonly look for websites with vulnerabilities. These include weak passwords, third party applications that are not up to date or sometimes weakness could emanate from lack of updated anti-virus software on PCs. A large part of preventing these events comes from users taking preventive steps such as: ? Routinely change passwords including FTP/ blog/content management software ? Update your blog/content management software to the latest version. ? Update any plug-ins or 3rd party scripts or code you may have for your website ? Update firewalls & anti-virus on your local PCs. ? Make sure your file permissions are set correctly correct and do not allow unauthorized access. This is not an exhaustive list and these incidents can happen for a number of reasons. Just cleaning it once is not enough to resolve this. You should always take precautions.

What irritates me the most is the shield of secrecy that NS operates under. Why don't they come out and own the fact that they've been hacked. I host more than 15 sites on NS and have been with them for over 10 years. But have always found their service below par. They try to blame YOU for all their own shortcoming (as I read above in the 'email-not-working' case and the security 'advisory' mail sent to another helpless complainant).

Hey, Shashi Bellamkonda… are you reading this? We're all eagerly awaiting your response on all this… Mr. netsolcares!!!

Shit happens… at least be honest about it!

Shame on NS!

The last of my three sites NJN Network went down tonight. NetSol are not getting close to cleaning up their servers.

web-search.com hacked again at 7:58am server time 4/22
I took most stuff down for now.
All cgi removed 2 weeks ago just in case.

The worst part of all this is NS tried to tell me I had a problem with my content when I first told them about it 17 days ago.
All the while knowing that many others had the same problem.
I spend hours going through everything and kept getting hacked.
If NS had been honest, I'd have saved countless hours trying to fix something I had no control over.
Just a comment: Why is it when I do searches for hacks, there are references all over over the place to fileman.cgi which NS uses?

Not a happy camper.
Bob

#Anonymus: in my case, Google responded within a few hours after my report in Webmaster tool.

It also works for crawlers… so search engines won't see the malicious code and knock you down the ratings board

My html web site has been hit too. It seems to be a new exploit they are using. It's some sort of PDF vulnerability.

I called tech support and they said it could be 24 to 48 hours. My response was "why the hell have you not unplugged the server???" They are spreading virus all over the place while they attempt to fix it. Unplug the dam servers until the problem is fixed!!!

My sites attacked again during the night (early am 4/23)
But now I'm unable to use ftp on ANY of my servers (3)
Before it was just one effected.

This is far from over.
Oh btw, form letter from NS saying they found no bad code on the example I sent them.
Is anyone even checking?

Bob

I caught the issue on my client's site. Unfortunately since we take very sensitive information from their customers I couldn't just change the code and be happy, so unfortunately I have been up all night (caught the issue at midnight and after 6 hours getting it all fixed, transferring all files, database, and DNS records over to a dedicated server), and I finally get to go to bed!

This seems like class action material

I don't know what to do. I'm two months into a NS shared hosting one year package. In production (a start up), not even public yet. I take security seriously, do scans daily, firewall, backups nightly, don't store info in my SFTP program, log in manually each time when I use SFTP, etc., etc. It's full time work. I am getting killed by these hacks.

Still happening as of 1430 CST. Hit a bait index.html file. New script being used I think, it starts out as "Xvar gID=new Date();var kK=false;var dKA;var cNM;if(cNM!='xYN' && cNM != ''){cNM=nulX" but without the X's

@Steve, what is your site name? I would like to try this…

@Anonymous: Did the scanner pick it up?

Still paralyzed. Even a database restore from last Tues is messed up.

Has anyone had their site blacklisted by google?? i ran sucuri scanner and came up negative, changed password, and deleted old files in server. i then uploaded new clean files. what is the turn around time for google to de-blacklist you and get your site up again in search results?? this is killing us!!

Details of above:

http://www.networksolutions.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate has expired.
The certificate will not be valid until 1/21/2009 7:00 PM.

(Error code: sec_error_expired_issuer_certificate)

Would someone from Sucuri contact them and find out if this is going to be fixed or is some new process now in place?
I notice that to use file manager now there are now two layers to go through to get to files. Perhaps this is a solution they've decided to implement?

Bob

I'm on shared hosting. I was hit last Sunday. And again yesterday. I'm wondering if poorly maintained blogs (or even abandoned) on this setup might be part of the problem. NS should check all shared hosting blogs with some kind of automated checking system and notify these owners that "we've noticed you haven't logged in to your account for 30 days.
We have sent you important security notifications please check your in box." If these blogs are infected and launching these attacks, those of us who are on top of things pay the price.

There should be some kind requirement that shared hosting blog owners have to maintain proper security with no exceptions. That's not to much to ask. If they can not they should get a free blog setup where they don't have to deal with maintenance.

No clue Bob.

I can't even set my proper file permissions and make them stick for my own installs either.

Apparently the only winning move at this point is not to play.

PS I tried using file manager to set permissions but like you, it isn't changing.
WS-FTP works "some" of the time but you almost have to sit on it to get anywhere.
Very unproductive to say the least.

Don't even think about calling. lol

Bob

Now I can't even upgrade and remove plugin's or change permissions via file manager.

If you are interested in learning more about network management my client Cisco is hosting Cisco Live at The Mandalay Bay Resort in Las Vegas…June 27th – July 1st.