Network Solutions Forums _ General nsHosting™ Questions / Feedback _ Very Big Concern Over Script/worm Being Injected Into Web Pages

Posted by: narrowgate Apr 15 2009, 11:45 AM

I have a number of website/hosting packages that have a script/worm being injected into the first line of the web page since early this morning. The first level support can provide no ETA on when this will be resolved.

I now have a huge concern over what vulnerabilities were exploited and the stability of my hosting packages going forward.

Right now this is only affecting my nine Windows hosting packages.

Any information about this would be greatly appreciated.

Charles Self
Narrow Gate Solutions
http://www.narrowgatesolutions.com
http://dotnetnuke.narrowgatesolutions.com - DNN Related Resources

Posted by: narrowgate Apr 15 2009, 03:11 PM

I wanted to update this thread with a current status. My websites finally came back up early afternoon and the good news is the script has been removed from the pages (no more JavaScript from Thailand running anymore).

I would really like to know how this came about from a NetSol perspective (hopefully I will get a real update). Truly a wakeup call for me.

Charles Self
Narrow Gate Solutions
http://www.narrowgatesolutions.com
http://dotnetnuke.narrowgatesolutions.com - DNN Related Resources

Posted by: pkuprionas Apr 16 2009, 08:10 AM

QUOTE (narrowgate @ Apr 15 2009, 04:21 PM) *
I wanted to update this thread with a current status. My websites finally came back up early afternoon and the good news is the script has been removed from the pages (no more JavaScript from Thailand running anymore).

I would really like to know how this came about from a NetSol perspective (hopefully I will get a real update). Truly a wakeup call for me.

Charles Self
Narrow Gate Solutions
http://www.narrowgatesolutions.com
http://dotnetnuke.narrowgatesolutions.com - DNN Related Resources


Here is the information provided by our product and engineering teams yesterday. I apologize for not getting this up sooner.

April 15, 2009
Network Solutions Windows Server Update


This morning our Network Operations engineers discovered malware on a single Windows server. This server has been taken offline and is currently being analyzed. We will be sharing the data with other network security organizations like Symantec. Prior to the isolation of the server, this issue caused problems with resolving of the impacted sites.


We estimate that fewer than 10% of our hosted customers were impacted by this issue for approximately 3 hours or less. At this time, all but 1% of the total sites are resolving. We expect to have these sites back online in the next 3 to 4 hours. We believe that there are no impacts to site content or database contents, and we have not detected any data loss or compromise.


The impacted sites were all Windows-based sites. If you are a Unix-based hosting customer, this issue should not have impacted you in a significant way, except to the extent that there may have been minor intermittent interruptions as we were triaging the situation and investigating the problem.


When we have more details we will update this post.

Posted by: Tigger Apr 16 2009, 11:50 AM

Does this have any effect on your Ecommerce sites?

Posted by: ddavisNS Apr 16 2009, 12:00 PM

QUOTE (Tigger @ Apr 16 2009, 12:00 PM) *
Does this have any effect on your Ecommerce sites?


This was a hosting only problem. Ecommerce not impacted.

Posted by: sykchris May 25 2009, 10:20 PM

I would like to add that all of my aspx and html files have been modified by some kind of worm or script injection twice now in the last two months. I have corrected the files but am having concerns about the reliability of Network Solutions. What is the deal? I have changed passwords multiple times thinking maybe my password had been obtained somehow. Is this issue being further investigated? Is there a known issue?

Posted by: Duane May 26 2009, 07:31 AM

QUOTE (sykchris @ May 25 2009, 11:30 PM) *
I would like to add that all of my aspx and html files have been modified by some kind of worm or script injection twice now in the last two months. I have corrected the files but am having concerns about the reliability of Network Solutions. What is the deal? I have changed passwords multiple times thinking maybe my password had been obtained somehow. Is this issue being further investigated? Is there a known issue?

On April 15th, a server was infected as noted in the post by pkuprionas. That issue was resolved at that time and there are no current issues of server-malware infection.

Most likely, if your site files are being modified, there is a localized security threat such as malware on a computer that connects to your FTP, or the site files themselves are insecure and a hacker is able to inject malware code onto your package through your website.

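Here are some steps you can take to prevent this from reoccurring:
  • Scan all computers for malware including viruses and spyware.
  • Update all FTP logins.
  • Remove unnecessary files that may have been placed in your account by the hackers.
  • Do a full republish of the website, overwriting all old content, or if that is not possible, have someone clean the files manually.
  • Check your scripts to confirm they are secure, including custom applications and third-party scripts and add-ons.
Also, if your site is being hacked, you may be able to determine how if your raw logs are enabled. If you monitor these daily, any unusual activity should stand out and you may be able to learn how your site is being hacked.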

Posted by: sykchris May 26 2009, 03:44 PM

QUOTE (Duane @ May 26 2009, 08:41 AM) *
On April 15th, a server was infected as noted in the post by pkuprionas. That issue was resolved at that time and there are no current issues of server-malware infection.

Most likely, if your site files are being modified, there is a localized security threat such as malware on a computer that connects to your FTP, or the site files themselves are insecure and a hacker is able to inject malware code onto your package through your website.

Here are some steps you can take to prevent this from reoccurring:
  • Scan all computers for malware including viruses and spyware.
  • Update all FTP logins.
  • Remove unnecessary files that may have been placed in your account by the hackers.
  • Do a full republish of the website, overwriting all old content, or if that is not possible, have someone clean the files manually.
  • Check your scripts to confirm they are secure, including custom applications and third-party scripts and add-ons.
Also, if your site is being hacked, you may be able to determine how if your raw logs are enabled. If you monitor these daily, any unusual activity should stand out and you may be able to learn how your site is being hacked.


Thank you for your response. I have replaced the infected files with clean ones. I am trying to look over the raw log files...kind of hard to read. Is there anything specific I should look for? Is there a secure/recommended ftp method for uploading my site? I typically use the ftp in windows because it is the most convenient.

Thanks,

Chris
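
Added example, not part of the original posts and not Network Solutions tooling: a small Python parser for IIS-style W3C extended logs that pulls out the entries worth reading first, namely requests that write (POST/PUT/DELETE) and query strings carrying markup or SQL keywords. The sample log lines and the pattern list are constructed assumptions; adjust both to your own site.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in W3C extended format (the "#Fields:" line names the columns).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2009-05-25 02:10:01 GET /default.aspx - 192.0.2.10 Mozilla/4.0 200
2009-05-25 02:10:07 GET /products.aspx id=7 192.0.2.10 Mozilla/4.0 200
2009-05-25 03:44:12 GET /products.aspx id=7;DECLARE%20@S%20VARCHAR(4000) 198.51.100.23 - 500
2009-05-25 03:45:30 POST /upload.aspx - 198.51.100.23 - 200
2009-05-25 03:46:02 GET /search.aspx q=%3Cscript%20src=http://example.invalid/x.js%3E 203.0.113.5 Mozilla/4.0 200
"""

WRITE_METHODS = {"POST", "PUT", "DELETE"}
# Assumption: a starter list of query-string patterns, not an exhaustive signature set.
SUSPICIOUS_QUERY = re.compile(r"<script|<iframe|\bdeclare\b|\bcast\(|\bexec\b|\.\./", re.I)

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def triage(text):
    """Return (entry, reasons) pairs for entries that deserve a manual look."""
    findings = []
    for entry in parse_w3c(text):
        reasons = []
        if entry.get("cs-method", "").upper() in WRITE_METHODS:
            reasons.append("write method " + entry["cs-method"])
        query = unquote_plus(entry.get("cs-uri-query", "-"))  # decode %xx before matching
        if SUSPICIOUS_QUERY.search(query):
            reasons.append("suspicious query: " + query[:60])
        if reasons:
            findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["date"], entry["time"], entry["c-ip"], entry["cs-uri-stem"], "; ".join(reasons))
```

Changes made over FTP do not appear in the web server's HTTP log at all, so an empty result here points toward the FTP log and the machines that hold the FTP password.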

Posted by: FatNoah Jun 11 2009, 04:43 PM

QUOTE (sykchris @ May 26 2009, 04:54 PM) *
Thank you for your response. I have replaced the infected files with clean ones. I am trying to look over the raw log files...kind of hard to read. Is there anything specific I should look for? Is there a secure/recommended ftp method for uploading my site? I typically use the ftp in windows because it is the most convenient.

Thanks,

Chris



Anyone else have any more info on this? I have a similar problem now where every .js and .asp file on my account gets a script tag added to the end. I have logging enabled for my site, but whatever is changing my files doesn't appear to cause any log entries to be created. I only see the typical search engine spider roaming but the files get this junk inserted every single day. That would lead me to believe that malware is still running on the server or the hacks are coming in via FTP (I changed my FTP password today, so we'll see if anything happens tonight).

I also just called support, so if I get any more information I'll post here.
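
Added example, not part of the original posts: a Python check that compares a downloaded copy of the live site against the known-good publish folder and reports whether each changed file had content prepended (the first-line injection from the opening post) or appended (the trailing script tag described above). The directory layout, file names and injected tag in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".js", ".asp", ".aspx", ".html", ".htm"}

def manifest(root):
    """Map relative path -> SHA-256 for every web file under root."""
    root = Path(root)
    files = (p for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}

def classify(clean, live):
    """Describe how the live bytes differ from the clean copy, with the inserted chunk."""
    if live.endswith(clean) and len(live) > len(clean):
        return "prepended", live[: len(live) - len(clean)]
    if live.startswith(clean):
        return "appended", live[len(clean):]
    return "modified", b""

def compare(clean_root, live_root):
    """Return {path: (kind, inserted_bytes)} for live files that are new or differ."""
    known, current = manifest(clean_root), manifest(live_root)
    report = {}
    for rel, digest in current.items():
        if rel not in known:
            report[rel] = ("unexpected file", b"")
        elif digest != known[rel]:
            report[rel] = classify(Path(clean_root, rel).read_bytes(), Path(live_root, rel).read_bytes())
    return report

def demo():
    """Build a constructed clean/live pair in a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            d.mkdir()
            (d / "menu.js").write_bytes(b"function menu() {}\n")
            (d / "default.asp").write_bytes(b"<html><body>Home</body></html>\n")
            (d / "about.html").write_bytes(b"<html>About</html>\n")
        tag = b'<script src="http://injected.example.invalid/x.js"></script>'
        (live / "menu.js").write_bytes(b"function menu() {}\n" + tag)  # tag at end
        (live / "default.asp").write_bytes(tag + b"\n<html><body>Home</body></html>\n")  # tag first
        (live / "old_backup.asp").write_bytes(b"<% %>")  # file the clean copy never had
        return compare(clean, live)

if __name__ == "__main__":
    print(demo())
```

Run against a fresh download each day, the report also gives the time window in which the change happened, which narrows down which log entries to read.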

Posted by: Easy Nov 10 2009, 07:57 PM

My Network Solutions® site was hacked a couple of months ago. I couldn't see anything wrong on my browser or by looking at the browser page source, but the hack was feeding viagra, cialis, casino and poker player spam to any bot that visited my site. I could only see the spam when I used http://web-sniffer.net. I imagine "http://www.googlelabs.com/show_details?app_key=agtnbGFiczIwLXd3d3IUCxIMTGFic0FwcE1vZGVsGJukUgw" would also work.

If I remember correctly, my robots.txt file was changed; the guilty script code was hidden there. My Wordpress blog software was so out of date it was vulnerable. I changed my FTP passwords, fixed robots.txt, updated Wordpress and the WP theme, checked my .htaccess file, reviewed my other server files and then submitted a Reconsideration Request to Google since my SERP dropped out of sight. After a few weeks things were back to normal, but Google still lists viagra and cialis as my top site keywords. Eventually they will fade away.
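
Added example, not part of the original post: a Python self-check for the bot-only spam described above. It requests the same page of your own site once with a browser User-Agent and once with a crawler User-Agent, then lists links and words that only the crawler was served. `fake_fetch` is a constructed stand-in for a compromised site so the example runs offline; the User-Agent strings and example URLs are assumptions.

```python
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

LINK = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.I)
WORD = re.compile(r"[a-z]{4,}")

def http_fetch(url, user_agent):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def visible_text(html):
    """Crude tag stripper: enough to compare the words two responses contain."""
    return re.sub(r"<[^>]+>", " ", html).lower()

def cloaking_diff(url, fetch=http_fetch):
    """Compare what a browser and a crawler are served for the same URL."""
    as_browser = fetch(url, BROWSER_UA)
    as_crawler = fetch(url, CRAWLER_UA)
    return {
        "links_only_for_crawler": sorted(set(LINK.findall(as_crawler)) - set(LINK.findall(as_browser))),
        "words_only_for_crawler": sorted(set(WORD.findall(visible_text(as_crawler)))
                                         - set(WORD.findall(visible_text(as_browser)))),
    }

# Constructed stand-in: serves extra spam markup only when the User-Agent looks like a crawler.
def fake_fetch(url, user_agent):
    page = "<html><body><h1>Welcome</h1><a href='http://example.invalid/about'>About</a>"
    if "Googlebot" in user_agent:
        page += "<div><a href='http://pills.example.invalid/'>cheap viagra casino poker</a></div>"
    return page + "</body></html>"

if __name__ == "__main__":
    print(cloaking_diff("http://example.invalid/", fetch=fake_fetch))
```

Pages with rotating content will show some harmless differences between any two fetches, and injected code that keys on the crawler's IP address rather than its User-Agent will not show up this way; in that case the search engine's own view of the page is the reference.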
