On Network Solutions hosting and being “hacked”
Posted: 19 March 2008 08:44 PM
Lab Assistant (Total Posts: 107, Joined 09-17-2007)

First, this site exploit does not appear to be due to an ExpressionEngine vulnerability.  I wanted to get that out of the way, and I also want to say that if this thread isn’t in the appropriate forum, then please move it.  I just wanted to alert folks who host with Network Solutions.  This problem appears to be related only to Network Solutions (or at least Google tells me so).  Here’s a thread talking about the same exploit that I found: http://www.yabbforum.com/community/YaBB.pl?num=1204295319/11

I put hacked in quotes because I guess that’s what is happening here.

One of my clients’ hosting accounts is through Network Solutions, and tonight while trying to access the EE control panel, my browser (Firefox 2.0.0.12) displayed a JavaScript alert and also fired up the Java platform.  Java then wanted me to run a weird applet, which I immediately exited, and I also closed the JavaScript alert popup.

I noticed that the browser status bar was transferring information to “lunahodiki.com”, which I Googled for info, but didn’t come up with any worthwhile results.

I took a look at the source code on the control panel index page and noticed an included iframe at the bottom of the page.  The iframe’s source was pointing to x-traffic.info, which apparently is where the original JavaScript alert was trying to redirect me to and also what caused the Java platform to launch.

I tried to access the Network Solutions FTP account, but found that I was locked out (not really a surprise), so I had to configure another FTP account through Network Solutions’ control panel.  When I was finally able to access the site via FTP, I noticed quite a few new files that had been created on March 16, and all of EE’s index.html and index.php files had been modified to include the iframe snippet.

Being super paranoid, I backed everything up and pretty much wiped everything (that I could) clean by deleting and re-installing.  Luckily, I don’t think the site’s “normal” visitors were ever at risk because I had created all its templates via the EE control panel and there weren’t any “actual” index files that the public sees which this hack seems to have exploited.

So, to summarize, folks who host with Network Solutions, check your sites for files that have recently been changed (not by you)!

I hope this is helpful and I hope that no one else has to go through the trouble that I had to tonight!  Good luck!

Posted: 19 March 2008 09:45 PM   [ # 1 ]
Research Scientist (Total Posts: 6026, Joined 08-04-2002)

Hmmmm. This sounds awfully familiar. Within the last week or two I read something very similar (including something like x-traffic.info) and didn’t pay too much attention as it was a Wordpress exploit and not related to Network Solutions.

Posted: 20 March 2008 09:19 AM   [ # 2 ]
Lab Assistant (Total Posts: 107, Joined 09-17-2007)

I think this may be related to this: http://it.slashdot.org/article.pl?sid=08/03/17/2358207

Posted: 29 March 2008 06:52 PM   [ # 3 ]
Lab Assistant (Total Posts: 107, Joined 09-17-2007)

So, this has happened AGAIN.

The response I got from Network Solutions last week was, of course, claiming that it was my “insecure” code that was compromised and that this wasn’t an automated server attack.

It’s really frustrating that this has happened again.  The client has already paid for the full year of hosting on Network Solutions and is sort of reluctant to change hosts (he doesn’t really run a huge business or anything, so he has to watch expenses).

So if this really was a vulnerability in the EE code, basically everyone would be experiencing this, right?  I’m not running anything else on this site except EE.  There aren’t any forms on the site at all, and I’m not using search forms either.

I guess this is now being called an SEO iframe injection attack.

I’m going to clean the files and put everything back up again, but this is getting tiresome.

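A defender-side check for the two symptoms described in the posts above (files changed recently, and an iframe injected into index.html/index.php files pointing at a host the site does not use), as an added Python example that is not code from the original posts. The web root, file names, hostnames and cutoff are constructed inside a temporary directory so the scan runs offline; the real injected domains named in the thread are not used.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Matches an <iframe ...> tag and captures the host of its src attribute
# (scheme-relative "//host" and "http(s)://host" forms).
IFRAME_RE = re.compile(
    r'<iframe[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)

def scan_webroot(root, since_epoch, allowed_hosts):
    """Walk a web root and return findings as (relative_path, reason) tuples.

    reason is "modified" when the file's mtime is after since_epoch, and
    "iframe:<host>" for each iframe whose src host is not in allowed_hosts.
    """
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime > since_epoch:
            findings.append((rel, "modified"))
        # Only text-like web files are inspected for injected markup.
        if path.suffix.lower() in {".html", ".htm", ".php", ".js"}:
            text = path.read_text(errors="replace")
            for host in IFRAME_RE.findall(text):
                if host.lower() not in allowed_hosts:
                    findings.append((rel, f"iframe:{host.lower()}"))
    return findings

def demo():
    """Build a constructed web root (not a real site) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        old = time.time() - 30 * 86400       # untouched for 30 days
        cutoff = time.time() - 7 * 86400     # "changed in the last week"
        clean = Path(root, "index.html")
        clean.write_text("<html><body>Welcome</body></html>")
        os.utime(clean, (old, old))          # backdate the clean file
        tampered = Path(root, "system", "index.php")
        tampered.parent.mkdir()
        tampered.write_text(
            '<?php /* EE front controller */ ?>\n'
            '<iframe src="http://example-injected.test/" width=0 height=0></iframe>')
        # The constructed site legitimately embeds only www.example.test.
        return scan_webroot(root, cutoff, {"www.example.test"})

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against a real site, point `scan_webroot` at the web root, set `since_epoch` to the last known-good deploy time, and list every host your own templates legitimately embed in `allowed_hosts`; a clean site returns an empty list.
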
Posted: 11 July 2008 07:24 PM   [ # 4 ]
Grad Student (Total Posts: 41, Joined 10-16-2005)

We just experienced the exact same thing with a new client who has prepaid Network Solutions for 2 years of hosting, and Network Solutions is claiming it’s our problem because of directory permissions, thus making us look silly when we launched their site 4 weeks ago and now it has been down for a week.

Has anyone seen this vulnerability elsewhere and do we need to prepare to lock down all of our other EE sites?

Lunchbox Collective, LLC
http://www.lunchboxcollective.com

Posted: 11 July 2008 09:17 PM   [ # 5 ]
Administrator (Total Posts: 15279, Joined 06-03-2002)

In the interest of keeping all conversations cohesive and complete, lunchboxcollective, let’s keep it to this thread, please.
