ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

On Network Solutions hosting and being "hacked"

March 19, 2008 10:44pm

  • #1 / Mar 19, 2008 10:44pm

    ctrlaltdel

    119 posts

    First, this site exploit does not appear to be due to an ExpressionEngine vulnerability.  I wanted to get that out of the way, and I also want to say that if this thread isn’t in the appropriate forum, then please move it.  I just wanted to alert folks who host with Network Solutions.  This problem appears to be related only to Network Solutions (or at least Google tells me so).  Here’s a thread talking about the same exploit that I found: http://www.yabbforum.com/community/YaBB.pl?num=1204295319/11

    I put hacked in quotes because I guess that’s what is happening here.

    One of my clients’ hosting accounts is through Network Solutions, and tonight while trying to access the EE control panel, my browser (Firefox 2.0.0.12) displayed a javascript alert and also fired up the Java platform.  Java then wanted me to run a weird applet, which I immediately exited and I also closed the javascript alert popup.

    I noticed that the browser status bar was transferring information to “lunahodiki.com”, which I Googled for info, but didn’t come up with any worthwhile results.

    I took a look at the source code on the control panel index page and noticed an included iframe at the bottom of the page.  The iframe’s source was pointing to x-traffic.info which apparently is where the original javascript alert was trying to redirect me to and also caused the Java platform to launch.

    I tried to access the Network Solutions FTP account, but found that I was locked out (not really a surprise), so I had to configure another ftp account through Network Solutions’ control panel.  When I was finally able to access the site via FTP, I noticed quite a few new files that had been created on March 16, and all of EE’s index.html and index.php files had been modified to include the iframe snippet.

    Being super paranoid, I backed everything up and pretty much wiped everything (that I could) clean by deleting and re-installing.  Luckily, I don’t think the site’s “normal” visitors were ever at risk because I had created all its templates via the EE control panel and there weren’t any “actual” index files that the public sees which this hack seems to have exploited.

    So, to summarize, folks who host with Network Solutions, check your sites for files that have recently been changed (not by you)!

    I hope this is helpful and I hope that no one else has to go through the trouble that I had to tonight!  Good luck!
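
Added example (not part of the original post, and not ExpressionEngine code): a minimal Python check for the two symptoms described in post #1, iframes in page files that load from another host and files whose modification time falls after a known-good date. The host names, paths and timestamps are constructed sample values, and `own_hosts` is assumed to list the site's own host names in lowercase.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# src attribute of any <iframe> tag, quoted or unquoted, any letter case
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SCAN_EXT = (".html", ".htm", ".php")

def external_iframe_hosts(markup, own_hosts):
    """Hosts of iframes in markup that load from a site not in own_hosts."""
    # Protocol-relative //host/path also loads off-site; relative paths have no hostname.
    urls = ("http:" + s if s.startswith("//") else s for s in IFRAME_SRC.findall(markup))
    hosts = (urlparse(u).hostname for u in urls)
    return [h for h in hosts if h and h not in own_hosts]

def scan_webroot(root, own_hosts, changed_since):
    """Report files with off-site iframes or an mtime >= changed_since (epoch s)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            recent = os.path.getmtime(path) >= changed_since
            hosts = []
            if name.lower().endswith(SCAN_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hosts = external_iframe_hosts(fh.read(), own_hosts)
            if hosts or recent:
                findings.append({"path": os.path.relpath(path, root), "hosts": hosts, "recent": recent})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_site(root):
    """Constructed sample tree: clean page, injected index, unexpected new file."""
    old, new = 1_200_000_000, 1_205_700_000   # constructed epoch timestamps
    pages = {"index.html": ('<iframe src="/embed/map.html"></iframe>', old),
             "system/index.php": ('<iframe src="http://injected.example/in" width=1></iframe>', new),
             "images/dropped.php": ("<?php /* not ours */ ?>", new)}
    for rel, (body, mtime) in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(*scan_webroot(site, {"www.example.com"}, 1_205_000_000), sep="\n")
```

A static pattern like this does not see iframes that are written out by obfuscated script, so the modification-time column matters as much as the iframe match.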

  • #2 / Mar 19, 2008 11:45pm

    PXLated

    1800 posts

    Hmmmm. This sounds awfully familiar. Within the last week or two I read something very similar (including something like x-traffic.info) and didn’t pay too much attention as it was a WordPress exploit and not related to Network Solutions.

  • #3 / Mar 20, 2008 11:19am

    ctrlaltdel

    119 posts

    I think this may be related to this: http://it.slashdot.org/article.pl?sid=08/03/17/2358207

  • #4 / Mar 29, 2008 8:52pm

    ctrlaltdel

    119 posts

    So, this has happened AGAIN.

    The response I got from Network Solutions last week was, of course, claiming that it was my “insecure” code that was compromised and that this wasn’t an automated server attack.

    It’s really frustrating that this has happened again.  The client has already paid for the full year of hosting on Network Solutions and is sort of reluctant to change hosts (he doesn’t really run a huge business or anything, so he has to watch expenses).

    So if this really was a vulnerability in the EE code, basically everyone would be experiencing this, right?  I’m not running anything else on this site except EE.  There aren’t any forms on the site at all, and I’m not using search forms either.

    I guess this is now being called an SEO iframe injection attack.

    I’m going to clean the files and put everything back up again, but this is getting tiresome.

  • #5 / Jul 11, 2008 9:24pm

    We just experienced the exact same thing with a new client who has prepaid Network Solutions for 2 years of hosting and Network Solutions is claiming it’s our problem because of directory permissions, thus making us look silly when we launched their site 4 weeks ago and now it has been down for a week.

    Has anyone seen this vulnerability elsewhere and do we need to prepare to lock down all of our other EE sites?

  • #6 / Jul 11, 2008 11:17pm

    Derek Jones

    7561 posts

    In the interest of keeping all conversations cohesive and complete, lunchboxcollective, let’s keep it to this thread, please.
