Comments on: Network Solutions and WordPress Security Flaw

By: Leonardo Musumeci » Blog Archive » Network Solutions e la vulnerabilità di Wordpress

Tue, 11 May 2010 17:47:31 +0000

[...] Fonte: Network Solutions and WordPress Security Flaw [...]

By: Todd

Todd — Mon, 03 May 2010 23:31:59 +0000

Add me to the list… This is a total nightmare. I designed my company’s website, and set up the wordpress plugin. I really don’t know that much about websites, and we are a small 10 person engineering company, who really can’t dedicate time/money to this…

By: Kim

Kim — Sat, 24 Apr 2010 00:05:33 +0000

Remove or rename the following files in cgi-bin if present:
counter.cgi
monthdir.pl
php.ini
Check the contents before you do it!
In my case they were all part of the malicious code.
For the moment my site is clean and working without troubles.

By: Jean

Jean — Wed, 21 Apr 2010 23:20:37 +0000

I have several sites that have been attacked as part of this whole WordPress/Network Solutions debacle. And I do want to move. It’ll have to be shared hosting. I realize you don’t want to recommend one service over another (I guess they all have problems), but can you at least tell us what you think of BlueHost (recommended by WordPress.org) and if you know how they handle security?

By: Steve

Steve — Wed, 21 Apr 2010 16:35:00 +0000

We shared-hosting customers are screwed. For now anyway. Isn’t that basically the bottom line?

I mean we’re supposed to be responsible for application-layer security now?

By: Denis

Denis — Wed, 21 Apr 2010 13:56:11 +0000

I guess they are trying to fix things in a hurry and introduce new bugs (one fix may break other things). It may take weeks before they test the changes and the things settle down.

At this time, moving to some other service provider is a wise step. While shared servers cannot guarantee high level of security, you can try to find at least a more stable service, which won’t reset your settings several times a week.

By: Ron Craig (SandChigger)

Ron Craig (SandChigger) — Wed, 21 Apr 2010 11:21:24 +0000

In the time it took me to type my comment here, they hacked in and inserted the script again.

This is ridiculous.

By: Ron Craig (SandChigger)

Ron Craig (SandChigger) — Wed, 21 Apr 2010 10:55:24 +0000

This is bullsh*t.

I have two blogs on my site and both got hit in the hacking earlier in the month.

Now today I’ve been hit three times with the new javascript hack.

I upload clean copies of the files and they come back in less than an hour or two and replace them with infected versions.

I’ve logged in and tried changing my FTP password using the Network Solutions site administration panel and the change won’t go through.

When they changed the passwords on my databases (for the earlier blog hack), they disabled the automatic database back-up and I can’t re-enable it because the control panel keeps giving me a warning about the database user name. Which I tried changing back when the blogs were being hacked (along with the passwords) but that change wouldn’t go through, either.

They reset the permissions on all the PHP scripts on my site to 640 or the like, so every time one was accessed, the server threw a “mod_mime_magic can’t read file blahblah.php” error. So I was getting error logs running anywhere from one third to half the size of my access logs.

I filed a service request and they emailed me back saying it had been resolved.

It hadn’t. Eventually I bitched enough that they left the file permissions at 644 when I reset them. (I’d set them to 644 to stop the errors and they’d reset them to 640.) They’ve also done something to my log directory so that I can’t delete the old logs now.

And just when I thought things were going to be OK, this javascript hack pops up.

This is ENTIRELY an internal security matter, I’m convinced of it.

Can you suggest a better provider? I’m just about ready to move.

By: Stephen Pate

Stephen Pate — Wed, 21 Apr 2010 10:36:21 +0000

The attack continued on Tuesday night with two more sites I know taken down.

NetSol hasn’t found the source yet.

By: Jed

Jed — Tue, 20 Apr 2010 23:17:40 +0000

Yesterday morning I discovered that same script inserted into every page on my site named either ‘default.*’ or ‘index.*’ — about 20 instances. I removed them all, only to have them put back repeatedly over the last two days.

Noob question: It’s a vanilla html site. Everybody talks about making sure that the file permissions are accurate — would that be 755 for directories and 644 for files, or should I be locking it down further than that?