Last week attacks – Some comments and updates

Last week as a busy one.

First, thousands of GoDaddy sites got hacked with that kdjkfjskdfjlskdjf.com malware.

A few days later, hundreds of Network Solutions sites got hacked by using the php.ini/cgi-bin malware (including the US Treasury site).

The next day, more thousands of sites at different providers (GoDaddy, Dreamhost, hostgator, etc) got hacked with the MW:MROBH:1 malware.

So, what was going on?

Network Solutions attack

The problem at Network Solutions was caused by an internal application used on their hosting platform that allowed the exploit to happen. They fixed it already, so the problem should not reoccur. The number of infected sites was around 500.

GoDaddy

GoDaddy blamed the users (saying they were using old WordPress versions) and didn’t provide us with information regarding what happened. We know that WordPress wasn’t the problem (we saw sites using the latest version getting hacked), so no one knows what happened. Probably thousands of sites got hacked.

DreamHost

DreamHost contacted us and explained that in their platform the issue was caused by a “specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.”. Around 500 sites got hacked. Their statement:

We’ve seen a dozen or so examples of this passed to us via support and have researched it ourselves . It seems to be related to a specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.

A scan across all our server files for known shells was done across customer HTTP servers and they were deleted . 550 account owners were contacted with notification of the finding of this backdoor shell file and the changing of their related FTP passwords. They were also provided directions for removing some of the common derivative hacks that have been associated with it, including a link to your web site and further directions to make use of SFTP exclusively due to FTP’s inherent security constraints. The great majority of these shells were added (as indicated by file date) in late November and December .

How are they getting in?

The Network Solutions issue was explained and fixed. At Dreamhost, it was a PHP shell. But how about the others? How were the attackers able to inject content on all these sites?

Skyphire (and others), in our comments, mentioned that the infected files had a PHPMyAdmin cookie added, which would indicate a bug (maybe 0-day) on PHPMyAdmin. That would be a possible cause since all those shared hosts are using PHPMyadmin. This is the cookie added:

getCookie("pma_visited_theme1");

We can’t prove it, but we will keep an eye to find out exactly what is going on. Have more info? Let us know.

As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.