Hackers deface hundreds of ISP’s customers’ Web sites

Hackers have managed to deface several hundred Web sites hosted by Network Solutions, the company said Tuesday.

In a blog posting, the Internet service provider described the incident as a “limited attack on websites hosted on Network Solutions Unix servers.” Several servers were hit and “intruders were able to get through by using a file inclusion technique,” the blog post said.

A Network Solutions representative could add little to the blog’s description of the attack, but remote file inclusion attacks are a relatively common way of exploiting buggy Web server programming in order to run unauthorized content on the server.


“Our preliminary investigation indicates that the source of entry was through a single site,” said spokeswoman Susan Wade in an e-mail.

Network Solutions customer Lucina Mastro learned Sunday that someone had crawled the folders on the Web site she maintains and replaced all of the index.html and main.html files with new files claiming that the defacement was “For Palestine.”

Mastro, a volunteer Web administrator with St Anne of the Sunset Catholic Church in San Francisco, replaced the files from backup. That seemed to fix the problem, she said.

Harry Brooks was not so lucky. He learned that one of his clients had been hacked with a similar defacement Monday, and restored the site from backup, only to learn that it had been defaced anew on Tuesday, apparently by someone else.

The second defacement made no mention of Palestine, but said simply “Server Is RooT!”

Brooks, president and CEO of Search First Internet Marketing in Gainesville, Virginia, was upset with the defacement.

“You can’t have 15 simple static HTML pages hosted in a shared hosting environment without some maniac getting in,” he said. “Clearly there is a vulnerability in their shared hosting environment otherwise this wouldn’t be happening.”

A couple of years ago, in October 2008, hacker gangs infiltrated the Web sites of thousands of organizations, including the U.S. Postal Service, by acquiring their administrative log-in credentials.

The goal of that hacking blitz wasn’t just defacement; judging from the types of organizations affected, it could have ranged from espionage to financial fraud.

Among the 200,000 Web sites compromised were sites for governments and Fortune 500 companies, universities, and other businesses, including several unnamed weapons manufacturers. More than half the affected sites belonged to European companies and organizations.

Ian Amit, director of security research at Aladdin Knowledge Systems Inc., found that hackers had modified around 80,000 sites with malicious content, and these sites were then used as attack launch pads: each served up exploit code provided by Neosploit, a hacker toolkit, to any visitor running a Windows system that had not been fully patched.

By examining the server logs, Amit was able to identify the sites whose log-ins had been compromised. He began working with law enforcement agencies in both the U.S. and overseas, as well as with organizations like US-CERT, to tell site operators they need to change their administrative passwords, purge the malicious code and secure their sites.

The groups apparently pooled resources, with site log-in information contributed by multiple users.

Amit was not, however, able to determine how the criminals came by the site credentials in the first place. It’s possible, he said, that the log-ins were purchased from others, or harvested by a botnet dedicated to the job.

But even with such clues, Amit isn’t confident that authorities will be able to identify the hackers:

“As much as I’d like to be optimistic, I’m not fooling myself. They’re using a software-as-a-service model, and it will be hard to track down all of them.” However, he acknowledged that authorities had “a few solid leads” on who’s responsible for the server, which may lead to the hackers. The server, for instance, was relocated since last week from Argentina, and is now being hosted in the U.S.

“We’ve exposed the back-end infrastructure of the organization,” Amit said. “We’ve been chasing bugs for a couple of decades now and we need a different approach.

“That’s what we have here. Now we know more about their M.O. and their business model.

“I hope that this will help both law enforcement and security researchers stay ahead of the game,” he said.
