January 19, 2010

Web site domain registrar and hosting provider Network Solutions acknowledged Tuesday that hackers had broken into its servers and defaced hundreds of customer Web sites.

The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants armed with rocket launchers and rifles, alongside the message “HaCKed by CWkomando.”

According to results for that search term entered into Microsoft’s Bing search engine, there may in fact be thousands of sites affected by this mass defacement.

One of the defaced pages belonged to Minnesota’s 8th District GOP, according to a story in The Minnesota Independent, which said the Arabic writing that accompanies the defaced pages contains the dedication “For Palestine,” and the repeated phrase “Allahu Akbar” [God is great].

Network Solutions said the hackers were able to get in by exploiting a “file-inclusion” weakness in the company’s Unix servers. So-called remote file inclusion attacks are quite common, and can let attackers insert code that gives them backdoor access to and control over the affected server. Network Solutions said it is in the process of helping customers restore their sites.

“These incidents are regrettable and we apologize for the inconvenience,” the company said in its statement. “Due to the nature of the web, the race between technology and the bad elements is a challenge that companies face continually.”

Network Solutions said there was no danger to customers’ “personally identifiable or secure information” as a result of the incident. Other recent break-ins at NetSol have not been so benign: Last summer, hackers broke into a number of Network Solutions Web servers and planted rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts.

Let this be a helpful reminder to all of us who run a Web site that no matter how much you have done to lock down your Web site, a hiccup, server crash or break-in at your hosting provider can deep-six your site in a heartbeat. If you don’t already know how to do so, take some time before it is too late to learn how to back up and restore your site (look for a future blog post for a primer or two on this very topic).
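
Added example (not part of the original post, and not Network Solutions' tooling): a commenter below reports that the defacement replaced the default index file in every directory and planted an index.html where none existed. This Python check compares a live site tree with hashes recorded from a known-good copy and flags those two cases plus the defacement string quoted above; the extra index file names and the sample site built in `demo()` are constructed assumptions.

```python
import hashlib
import os
import tempfile

# index.html and index.php are named on the page; the others are assumed.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.html"}
MARKER = b"hacked by cwkomando"  # defacement string quoted in the article


def index_manifest(root):
    """Map relative path -> SHA-256 for every default index file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def audit(live_root, baseline):
    """Compare the live tree with a manifest taken from a known-good copy."""
    live = index_manifest(live_root)
    report = {"modified": [], "added": [], "marker": []}
    for rel, digest in sorted(live.items()):
        if rel not in baseline:
            report["added"].append(rel)      # index planted where none existed
        elif baseline[rel] != digest:
            report["modified"].append(rel)   # existing index replaced
        with open(os.path.join(live_root, rel), "rb") as fh:
            if MARKER in fh.read().lower():
                report["marker"].append(rel)
    report["missing"] = sorted(set(baseline) - set(live))
    return report


def demo():
    """Constructed sample: a small clean site, then defaced as described."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "img"))
        with open(os.path.join(site, "index.html"), "w") as fh:
            fh.write("<h1>Welcome</h1>")
        baseline = index_manifest(site)      # taken while the site is clean
        for sub in ("", "img"):              # simulate the defacement
            with open(os.path.join(site, sub, "index.html"), "w") as fh:
                fh.write("<h1>HaCKed by CWkomando</h1>")
        return audit(site, baseline)
```

Record the baseline from a local backup rather than from the hosted copy, so a break-in at the provider cannot alter the reference hashes.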


31 thoughts on “Hundreds of Network Solutions Sites Hacked”

  1. Shashi Bellamkonda

    Hi Brian,

    As you know I work for Network Solutions. Just to clarify, the search term entered into search engines will bring up web sites that may be hosted anywhere and this is a problem all companies battle. Your advice to users to “learn how to backup” is spot on.

    Thanks,

    Shashi Bellamkonda

    1. what

      A company the size of NetSol should do a better job of not only auditing code, but also investing in technologies like Web Application Firewalls to prevent these types of attacks.

    2. james

      Yes Shashi, backing up would be a good idea. It’s too bad that Network Solutions customers were not able to use any of the backup solutions you offer all day and FTP access was also down. Our site has been hacked three times this week and besides for the countless hours lost rebuilding what we lost our site went from page one (7) in the most relevant search query on Google (for us) to never never land. Thanks for nothing, nothing but trouble that is!

  2. Mari Lynch

    My site is among those hundreds/thousands that have been hacked, then restored, then hacked again repeatedly since 1/16/10. Finally had Network Solutions put up an “under construction” page. Still awaiting restoration.

    I chose NetSols, though costlier than other Web hosts, because of its longevity and good reputation. Still hopeful of a positive outcome!

    1. HM

      This hack either replaced any default index file (e.g., index.html, index.php, etc.) in all existing directories of a web site affected by the Netsol hack. If a directory/subdirectory did not have a default index file, the felon uploaded an “index.html” to that directory to make it appear hacked as well. At least that’s what happened on my client’s website and NetSol web presence.

  3. Joe

    Remote file inclusion has been happening for years. It was one of the top web application attacks in 2007. It’s now 2010. If Network Solutions isn’t validating user input, what else are they vulnerable to?

  4. Shashi Bellamkonda

    Hi Brian,

    I see a lot of folks tweeting “ALERT: Hundreds of Network Solutions sites hacked, 573k credit cards compromised http://bit.ly/5UAbD6 ” and just wanted to clarify to your readers that no credit card info was involved here. We have been proactively fixing the affected customers that had their sites defaced.

    Thanks,

    Shashi

  5. chr1x

    I agree with Rick’s comment. Using 3rd party hosting and services is not a good idea. We should keep in mind that it doesn’t matter whether you paid for shared (or not shared) hosting. The risk is there. Sometimes it is a better idea to have your own server/services running on your own. As we know, “If you want things to work as expected, you should do it by yourself”. NetSol definitively has learned about it.

  6. Beeker

    I think about a year ago, I saw a website (female athlete) hijacked with an Arabic face page that had nothing to do with the content, which I clicked on to go to the real page. I even emailed the person only to find an undeliverable address.
    About several months later I found the defaced page gone and of course, this website intact so I am assuming the person realized what had happened and fixed it.

    Overall it’s a learning curve at the things people will do, especially those who have their own website. (I would check periodically just to make sure.)

  7. Marc Harmon

    I work on a Netsol hosted site that was discovered to be hacked on Sunday Jan. 17.

    The owner of the site had a difficult time dealing with Network Solutions. At first their tech support (halfway around the world from the East coast of the USA where we are) asked what software was used to maintain the website. When told “Dreamweaver” they replied that they don’t support Dreamweaver. See ya.

    Fortunately a later phone call to tech support went better and Netsol restored the site from a backup they had made.

    The first blog posting about this from Netsol tells you a lot about the company. It blamed everything on their customers and offered a laundry list of things their customers need to do to keep sites from getting hacked. The idea that Netsol might be at fault never came up at all.

    The site that I work on is totally hosted at and by Network Solutions. It involves no software installed or provided by the owner of the site or myself. Yet, their first reaction, both in the blog and on the phone, was not to help.

    1. Philip

      My site is also hosted at Network Solutions; I discovered the defacement on Sunday the 17th. I sent a complaint to Network Solutions, but didn’t wait for them to fix the site. It took about an hour to change all my passwords, delete my whole site, and upload a whole new copy from my home PC.

      I initially thought one of my passwords had been compromised… I was relieved that it was NetSol’s fault.

      Some info about my situation:

      1) I hosted with the Unix option, and got one of the nicer packages that includes tools for managing the site myself. I don’t have to wait for anyone else to fix my site, I can log on and take care of it on my own.

      2) I try to keep my site as simple as possible, basically hand-coded HTML with no backend database or server-side software. This lets me restore from backup in 2 minutes via FTP. I know this doesn’t help people who run blog software and such, but if you’ve got a simple enough site it might be an option. Note that NetSol doesn’t update its blogging software often enough! You’ve got to do your own updates manually or you’ll fall behind.

      3) I’ve noticed that all of the ways NetSol lets you update your site involve FTP in one form or another (even their File Manager uses the main FTP account for the site). This means my login is getting sent in plaintext, which isn’t so hot. So what I do is, I upload all my changes, log out of FTP, then get into their (ssl-protected) management console and change my FTP password as a final step. I keep the FTP passwords in a diary near my desk; I cross out the old one and make up a new one. This way it doesn’t matter if anyone managed to sniff my FTP password in transit. Probably paranoid, but what the Heck…

      1. james

        All that shouldn’t be necessary… there are several apps available that NetSol could allow that would deal with all these common problems. As for the WP customers there’s a free plug-in that’s very effective from Apache. Too bad the server can’t handle it. It works fine at Go Daddy! There’s no excuse for what’s going on over there…

  8. Mel

    When I realised I’d been hacked my host (1and1) blamed me for having a virus on my computer (I’m totally up to date in this area). So, I’m reassured to find as I’ve been trawling through my hacked sites finding it was a hack on index files that this was a backdoor invasion. So glad I do auto backups! Thanks for restoring my sanity.

  9. Hacker Truth

    My website and connected blog was one of thousands of websites hacked. At no time did Network Solutions ever inform me of the crime. Visitors to my site informed me. After repeatedly requesting that my website be restored, NetSol provided 2 links they claimed was info about the hacking. It was a bad joke because NetSol claimed that the problem was weak security on the part of the web owners. A lie of course because the weakness was theirs. Their instructions on restoring their website were useless because only NetSol could remove the hacker pages. I had to badger Netsol to redirect the hacker pages to a benign generic NetSol page. All 350 of my web pages and blog were affected. Make no mistake that this wasn’t just a hacker. This was a terrorist attack with a terrorist message. Homeland Security and the FBI should be involved, catching the hacker, and prosecuting. NetSol refused to say whether they had involved these agencies, nor whether they had plugged their own server weakness. The attack wasn’t harmless to website victims. Besides being the victim of a terrorist attack it could take hundreds of hours and thousands of dollars to properly restore the site with no NetSol assurance it won’t repeat. Since a server breach has happened before to NetSol this latest one shows that NetSol has done little of value to protect their clients. Does anyone know the true identity of the hacker CWKomando? Is he so hard to find? I googled him and it seems he can be traced through a hacker site and even has a profile on Facebook.

  10. Social Media Commando

    Yikes…

    I’ve experienced two hacks on one of my websites this past month, which got me serious enough to work one-on-one with a database security professional to keep the hackers out.

    Hack-free since, but I’m still haunted by the idea of my content getting corrupted. Good advice to perform regular backups, I’m certainly glad I did!

  11. Steve

    Brian, be aware that when clicking on your “results” link a Bing page is brought up. Clicking on the first link shown on that page puts me into some kind of loop that keeps trying to get me to install software.

    1. BrianKrebs Post author

      Ah, sorry about that. You’re right, I probably should have warned people that the resulting list of sites were — by definition — hacked, and therefore potentially hostile.

  12. Henry Markus

    Most web hosting companies do not emphasize security.
    We just finished doing research on low-cost shared web hosting with better than average security features. Our site is not affiliated with any of them. To see the list with summary of security features and links, go to:

    http://www.firewallguide.com/hosting.htm

  13. Hank Roberts

    PLEASE HELP.

    UPDATE on the NetSol hacker problem with MORE PROBLEMS caused by NetSol’s negligence to keep customer websites free of website ending problems.

    Here is the problem. I want the truth, which I have not been able to get from NetSol or any search engine company.

    My site is with Network Solutions and was also one of the thousands that was hacked by CWKomando. It’s now three months later and the frustrating nightmare continues. My pages were initially restored but the search engines no longer list my site. Instead only the lead page is listed with this message:

    Warning: file_get_contents() [function.file-get-contents]: URL file-access is disabled in the server configuration …

    Copy paste the above message and put it in a number of search engines like Google, Yahoo, and Bing. You’ll see the 1000s of websites affected and 99% are on Network Solution servers.

    Not only have years of business building on the net been destroyed, but people who put my company name in any search engine get warned away from the site. Most people don’t know that they can click the link and get to my unaffected webpages.

    Just like NetSol’s company wide instructions to blame the customer, when the original hacking happened, they are also blaming the 1,000s of their customers who can no longer get picked up by search engines other than the above warning.

    What is going on? I have a lot of money tied up with NetSol, including advanced webhosting through 2012. I’m losing my business because of this latest search engine problem. Is there a reliable web hosting package not physically connected to NetSol? If so then what, and how do I get a refund from NetSol for the future already made payments?

  14. Liz

    Mari Lynch, I suggest you move to a new host as soon as you can – because Network Solutions is not going to get any better. My site on their server was hacked 9 times in the last 6 months (3 times in the last 5 days) and this past Thursday one of their Executive Customer Care Specialists called me to talk again about the complaint I sent when it happened AGAIN… and informed me that while they saw the log of many many complaints, the server had NEVER been examined for security issues.

    Since this conversation (and him promising to fix the problem) it happened 2 more times, so yesterday I moved and I wish I had done it sooner!

  15. Juan Torres

    I use Bing and Google whenever I want to find something on the internet. I think that both search engines are very good.

  16. Dr K Chaudhry

    Network Solutions is an unholy den of spammers. NS client aweber.com claims to be sending ads to 40,000,000+ email boxes each month with no worry about receiving a spam complaint. The statement is presumably based upon mala fide aweber-NS relationship. NS has no abuse report information on homepage and refuses to accept spam complaints against its domains hosted elsewhere. I solicit a worldwide boycott of Network Solutions.

  17. William

    Network Solution again Hack, my email was cleaning up this morning. My 2 email are blocked for 2 days.

  18. Andy Carloff

    “Last Tuesday.” Uh, yeah, that’s a great date. So, this could be last Tuesday 3 million years ago, or last Tuesday today. Great.
