[...] This post was mentioned on Twitter by Denis. Denis said: [blog] Network Solutions and WordPress Security Flaw http://bit.ly/b3qJzG – my take on the mass compromise of WP blogs on NetSol network [...]
I’m glad I found this. My client has this issue. The blog doesn’t work now and this is the second time he was hacked on NetSol (the first time he didn’t have a blog). It’s frustrating that such a big company as Network Solutions allows this, given the premium price they charge. I told him it’s time to get out of Dodge.
Thank you for explaining this. I am not a developer, just a user of WordPress at Network Solutions. Would you know where I could find the remedy to fix my site at this point? To remove the bugs? Thanks, Nancy
I didn’t see any site on GoDaddy affected by this particular attack yet, but potentially more than half of shared servers are vulnerable to this sort of attack.
For some people dedicated and virtual dedicated servers are the way to go. Unfortunately, it’s more expensive and may require substantial server administration expertise (otherwise you can leave security holes wide open even on private servers).
On shared servers you have to be very careful about file permissions (especially if suPHP is not used). On the other hand, suPHP servers are more vulnerable to script exploits.
P.S. You should always have a good backup/restore strategy so that you can recover from any hack as soon as possible. And of course, you should be monitoring your site integrity.
I’ve had an engineer watching and fixing my site based on the NS instructions and updates provided and the site has crashed and uprighted no less than 7 times in the last 5 days.
I’m a small business owner and can’t afford another dime in engineering fees to repair this moving target of an issue. Today my site is still down. Network Solutions is killing my business and now I can’t even afford to pay for an engineer to fix the issue.
I’m held hostage and it sucks to be treated this way.
Edit by Denis: Chris, I removed your site link from the signature since the site hasn’t been fixed yet.
Very interesting! I salvaged a client blog this week when Network Solutions was unable to resolve the problem after 3 days.
My client was very unhappy with Network Solutions already. We decided to move their entire site to a new hosting account.
Before making nameserver changes, I installed the site in a temporary folder. When the database import showed the same error, I dug into the database and noticed this iframe code in the database site url column of the options table. The site came up fine and all that remained to do was to re-attach images to posts. That’s a whole ‘nuther story. :)
After everything was in place so my clients could check it out, I went back to the Network Solutions database and removed the malicious iframe code from that table to no avail. Your post possibly explains why this had no effect.
After the site was checked out in the temp folder and found to be whole, we initiated the nameserver changes and put it up on its own domain. As of this morning, the registration has been transferred to another registrar too.
I’m not at all impressed with the ability of Network Solutions to handle WordPress after working with their “WordPress Hosting” package, which I couldn’t talk another of my clients out of buying. I couldn’t add plugins or different themes and called to ask why. I was told that “this was the way that it was set up.” With all due respect, one can get that for free at WordPress.com.
The best part is this: A Network Solutions tech support person told me they wouldn’t use the package. Now, that’s a heck of a testimonial, isn’t it? :)
Not sure if I found a great solution or not, but it works!
You have to change it back in the DB > wp-options (table) > siteurl > here, instead of the iframe shit, you put only your URL (http ://…)
For me this sort of worked, I think.
After doing this, change all the passwords you can, even for the DB, and CHMOD all files so they are secure.
Hope it works for you..
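The cleanup the comment above describes, restoring a bare URL in the siteurl row of the options table, as an added example that is not code from the original post or from Network Solutions. It uses an in-memory SQLite table as a constructed stand-in for the MySQL wp_options table (the same UPDATE statement applies there); the tampered value, the example.com site and the attacker host are constructed placeholders, not the real payload.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample of a tampered siteurl value: the legitimate URL with
# a hidden iframe appended (placeholder host, not the real attacker domain).
TAMPERED_SITEURL = (
    'http://example.com'
    '<iframe src="http://malicious.invalid/grep/" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
)


def split_siteurl(value):
    """Return (clean_url, injected_markup).

    WordPress stores only a bare URL in siteurl/home, so any '<' in the
    value is foreign: the text before it is the candidate URL and the rest
    is the injected payload.
    """
    idx = value.find('<')
    if idx == -1:
        return value.strip(), ''
    return value[:idx].strip(), value[idx:]


def is_plain_site_url(url):
    """True if url is a bare http(s) URL with a host and no query/fragment."""
    p = urlparse(url)
    return (p.scheme in ('http', 'https') and bool(p.netloc)
            and not p.query and not p.fragment
            and re.fullmatch(r'[A-Za-z0-9.\-:]+', p.netloc) is not None)


def repair_siteurl(conn, prefix='wp_'):
    """Restore bare URLs in the siteurl and home rows of {prefix}options.

    Returns {option_name: (old_value, new_value)} for every row changed.
    Refuses to write if the recovered prefix is not a sane URL, so a
    mangled row is reported instead of being replaced with garbage.
    """
    table = f'{prefix}options'
    changed = {}
    rows = conn.execute(
        f"SELECT option_name, option_value FROM {table} "
        "WHERE option_name IN ('siteurl', 'home')").fetchall()
    for name, value in rows:
        clean, payload = split_siteurl(value)
        if not payload:
            continue
        if not is_plain_site_url(clean):
            raise ValueError(f'{name}: cannot recover a sane URL from {value!r}')
        conn.execute(f"UPDATE {table} SET option_value = ? WHERE option_name = ?",
                     (clean, name))
        changed[name] = (value, clean)
    conn.commit()
    return changed


def demo():
    """Build a constructed wp_options table, repair it, return (changes, final siteurl)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE wp_options (option_name TEXT, option_value TEXT)')
    conn.executemany('INSERT INTO wp_options VALUES (?, ?)', [
        ('siteurl', TAMPERED_SITEURL),
        ('home', 'http://example.com'),      # untouched: already clean
        ('blogname', 'Example blog'),        # untouched: not a URL option
    ])
    changed = repair_siteurl(conn)
    final = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'siteurl'").fetchone()[0]
    return changed, final


if __name__ == '__main__':
    print(demo())
```

Against a live MySQL database the same SELECT/UPDATE pair runs through the mysql client or phpMyAdmin with the real table prefix. As later comments in this thread show, the row was re-injected while the attacker still had write access, so this only sticks once the credentials and injected files are dealt with as well.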
Add my site to the list of hacked sites. Also Network Solutions is down right now so I can’t even log in to transfer to another registrar (9:52 CST 4/15/2010). I’m not sure if Network Solutions being down is related to the site hacking. Regardless, this pisses me off. Network Solutions just lost my business.
My site, which has only been up for a week, was hacked. I do not host a WordPress blog, but rather vBulletin 4.0.3 Publishing Suite with CMS (articles, blogs, forums). Are we sure that these attacks are only limited to WordPress? Here are the details of my incident today.
In several php files, including index.php, the one in root and the one in an administrative folder were completely emptied. 0 bytes. Nada. There were at least 7-10 other php files between root and my admin folder that were affected. I have not changed anything in the header includes and footer. I had not made any changes that should have caused this. I tried restoring my site and db. Within 45 minutes, the site was down again. The error on my home page was:
Parse error: syntax error, unexpected '<' in /data/21/2/91/95/2091747/user/2293542/htdocs/index.php on line 71
I opened index.php via FileZilla and the following code was appended to the end of a perfectly fine file, just after the end of the last comment in the file. Also, my permissions on the file are 660.
Thanks for the update. This script injects a hidden iframe from corpadsinc .com/grep/.
This site has the same IP: 64.50.165 .169 as those networkads .net, binglbalts .com and mainnetsoll .com and the same URL structure /grep/ so it’s definitely the same attack.
So it must be not WordPress only.
However, the 660 file permissions may suggest that your site credentials have been stolen by hackers or the server is compromised at the root level.
Even if it’s a problem with your compromised credentials, why does this attack only affect sites on Network Solutions? I wonder if hackers managed to steal those credentials directly from some Net Sol database?
I’ve restored my site and am changing my passwords now.
Directories with 755
Files with 644
Is there any place in the DB itself I need to check? I do not have a stored proc to find a specific string searching every column of every table. I could get one if necessary. I’m not sure what table would be affected as this is not a WordPress site. It’s a vBulletin 4.0.3 site.
This time it doesn’t have to do with database credentials. Hackers inject the malicious code directly into files on disk. And it looks like the server configuration (suExec) and file permissions (644) are strict enough to prevent neighbor hacks.
Gee I wish I’d found this a few weeks ago! On April 4th I lost half my database and I really thought I’d messed something up until I found the redirect iframe in the site url (thanks to a search on wordpress hacks). I restored my database from back up and checked it was clean and everything was fine.
A few days later I found my site was completely locked out from the public. I couldn’t get in to do anything or check it out … nor could I log in to Network Solutions. Eventually when NS came back up for me (my site was still down) I found my database password changed (no explanation as to why) … I rewrote my config file with the new password and reset all my permissions … they seem to have been rewritten all over the place with php files readable and executable publicly.
I reset all the permissions including 640 on the config file and everything was fine (mind you it took a few hours to work this out). A week later NS emailed me to let me know they’d changed my password and I should check my file permissions etc. Gee thanks for the speedy info guys!
Today the same hack happened again and you need to remember my permissions were correct when this happened (although the restore from back up is wrong on permissions, I change it manually each time I restore). Today all my FTP passwords were changed for me with no notification … I’m sure they’ll tell me in a weeks time however.
Given I had the correct permissions in place to begin with, I’m not sure how it can be a WordPress problem … especially as this specific hack seems to affect Network Solutions blogs only. I’d also like to point out that my initial WordPress install was done by NS itself and I had to change permission on the config file manually as the NS install set it at 644!!!
If you want any other info you can write to my email. I’ve cleaned the site again, but who knows how long that will last. Any recommendations for a safer host?
Edit by Denis: I removed your site link from your signature since it’s still not guaranteed to be safe…
Yesterday morning I discovered that same script inserted into every page on my site named either ‘default.*’ or ‘index.*’ — about 20 instances. I removed them all, only to have them put back repeatedly over the last two days.
Noob question: It’s a vanilla html site. Everybody talks about making sure that the file permissions are accurate — would that be 755 for directories and 644 for files, or should I be locking it down further than that?
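A scanner for the symptoms reported across the posts above (the iframe appended to index.* and default.* files, the zero-byte php files on the vBulletin site, Denis’s note that the code is injected straight into files on disk, and the 755/644 question), as an added example that is not code from the original thread or from any host. It walks a document root, flags iframe tags that load a /grep/ path or are styled invisible, flags empty script files, and reports permissions looser than 755/644 (plus a world-readable wp-config.php, which one commenter above had to tighten by hand). The sample tree it builds is constructed for the demo; the attacker hosts in it are placeholders, not the real domains.

```python
import os
import re
import shutil
import stat
import tempfile

# Injected markup described in the thread: an <iframe> loading a /grep/ path
# from an attacker host, usually styled so it never renders visibly.
IFRAME_TAG_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
GREP_SRC_RE = re.compile(r'src=["\']?https?://[^"\'\s>]*/grep/', re.IGNORECASE)
HIDDEN_RE = re.compile(
    r'visibility\s*:\s*hidden|display\s*:\s*none|width=["\']?[01]["\'\s>]',
    re.IGNORECASE)
SCRIPT_EXT = ('.php', '.html', '.htm', '.js')


def classify_iframe(tag):
    """Return a finding kind for one <iframe ...> tag, or None if it looks benign."""
    if GREP_SRC_RE.search(tag):
        return 'iframe-grep'
    if HIDDEN_RE.search(tag):
        return 'iframe-hidden'
    return None


def scan_tree(root):
    """Walk root and return (relative path, kind, detail) findings."""
    findings = []

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, '/')

    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            path = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:              # looser than 755
                findings.append((rel(path), 'dir-world-writable', oct(mode)))
        for f in filenames:
            path = os.path.join(dirpath, f)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):   # looser than 644
                findings.append((rel(path), 'file-group-or-world-writable', oct(mode)))
            if f == 'wp-config.php' and mode & stat.S_IROTH:
                findings.append((rel(path), 'config-world-readable', oct(mode)))
            if not f.lower().endswith(SCRIPT_EXT):
                continue
            if st.st_size == 0:                  # emptied script, as on the vBulletin site
                findings.append((rel(path), 'zero-byte-script', ''))
                continue
            with open(path, 'rb') as fh:
                text = fh.read().decode('utf-8', 'replace')
            for m in IFRAME_TAG_RE.finditer(text):
                kind = classify_iframe(m.group(0))
                if kind:
                    findings.append((rel(path), kind, m.group(0)[:80]))
    return findings


def build_sample_tree(base):
    """Write a constructed docroot reproducing the thread's symptoms (placeholder hosts)."""
    payload = ('<iframe src="http://attacker.invalid/grep/" width="1" height="1" '
               'style="visibility:hidden"></iframe>')
    files = {
        'index.php': ('<?php\necho "front page";\n?>\n<!-- end of file -->\n' + payload + '\n', 0o644),
        'default.html': ('<html><body><iframe src="http://other.invalid/x/" '
                         'style="display:none"></iframe><p>hi</p></body></html>', 0o644),
        'clean.php': ('<?php echo 1; ?>\n', 0o644),
        'admin/index.php': ('', 0o644),                     # emptied to 0 bytes
        'wp-config.php': ("<?php define('DB_PASSWORD', 'placeholder');\n", 0o644),
        'uploads/notes.txt': ('notes\n', 0o666),
    }
    for relpath, (content, mode) in files.items():
        path = os.path.join(base, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(content)
        os.chmod(path, mode)
    os.chmod(os.path.join(base, 'admin'), 0o755)
    os.chmod(os.path.join(base, 'uploads'), 0o777)


def demo():
    """Build the sample tree in a temp dir, scan it, return the set of (path, kind)."""
    base = tempfile.mkdtemp(prefix='docroot-scan-')
    try:
        build_sample_tree(base)
        return {(p, k) for p, k, _ in scan_tree(base)}
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    for finding in sorted(demo()):
        print(*finding)
```

Run scan_tree against a copy of the live htdocs pulled down over FTP; the chmod values in the sample are the ones the commenters settled on (755 directories, 644 files, wp-config.php no wider than 640). Finding the markup only tells you what to strip; the posts above make clear the files come back until the access path is closed.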
Just removed a malicious script that was just behind the body tag on a very basic html site. Now I also remember that we had some trouble with our ftp passwords and logins. ‘Someone’ had changed them. We tried to contact NS. But they never bothered to answer.
I have two blogs on my site and both got hit in the hacking earlier in the month.
I upload clean copies of the files and they come back in less than an hour or two and replace them with infected versions.
I’ve logged in and tried changing my FTP password using the Network Solutions site administration panel and the change won’t go through.
When they changed the passwords on my databases (for the earlier blog hack), they disabled the automatic database back-up and I can’t re-enable it because the control panel keeps giving me a warning about the database user name. Which I tried changing back when the blogs were being hacked (along with the passwords) but that change wouldn’t go through, either.
They reset the permissions on all the PHP scripts on my site to 640 or the like, so every time one was accessed, the server threw a “mod_mime_magic can’t read file blahblah.php” error. So I was getting error logs running anywhere from one third to half the size of my access logs.
I filed a service request and they emailed me back saying it had been resolved.
It hadn’t. Eventually I bitched enough that they left the file permissions at 644 when I reset them. (I’d set them to 644 to stop the errors and they’d reset them to 640.) They’ve also done something to my log directory so that I can’t delete the old logs now.
This is ENTIRELY an internal security matter, I’m convinced of it.
Can you suggest a better provider? I’m just about ready to move.
I guess they are trying to fix things in a hurry and introduce new bugs (one fix may break other things). It may take weeks before they test the changes and things settle down.
At this time, moving to some other service provider is a wise step. While shared servers cannot guarantee a high level of security, you can try to find at least a more stable service, which won’t reset your settings several times a week.
I have several sites that have been attacked as part of this whole WordPress/Network Solutions debacle. And I do want to move. It’ll have to be shared hosting. I realize you don’t want to recommend one service over another (I guess they all have problems), but can you at least tell us what you think of BlueHost (recommended by WordPress.org) and if you know how they handle security?
Remove or rename the following files in cgi-bin if present:
Check the contents before you do it!
In my case they were all part of the malicious code.
For the moment my site is clean and working without troubles.
Add me to the list… This is a total nightmare. I designed my company’s website, and set up the wordpress plugin. I really don’t know that much about websites, and we are a small 10 person engineering company, who really can’t dedicate time/money to this…