A software vulnerability at a U.S.-based Web hosting provider let hackers secretly add dozens of Web pages to military, educational, financial and government sites in a bid to promote rogue online pharmacies.
For four months in 2010, a customer of Hostmonster.com, a Provo, Utah-based hosting provider, exploited a bug in CPanel — a Web site administration tool used by Hostmonster and a majority of other hosting providers. The customer used the vulnerability to create nearly four dozen subdomains on a number of other Web sites at the hosting facility, said Danny Ashworth, co-founder of Bluehost.com, the parent company of Hostmonster.
The subdomains were linked to dozens of pages created to hijack the sites’ search engine rankings, and to redirect visitors to fly-by-night online stores selling prescription drugs without a prescription. Among the compromised domains were:
Omaha, Neb. financial institution Accessbank.com;
Bankler.com, the sole investigative tax accountant for the U.S. Senate Whitewater Committee;
Ejercito.mil.do, the official site of the Army of the Dominican Republic;
Sacmetrofire.ca.gov, the Sacramento Metropolitan Fire District;
Wi.edu, The Wright Institute.
Ashworth said all of the bogus subdomains were created between April 2nd 2010 and July 1st 2010. But they remained in place until the company was contacted by a reporter last week.
“We added and altered some security measures in July for another issue that we found which also fixed the CPanel bug that allowed this exploit to take place, [and] although it did not allow additional records to be created/altered, it did not remove the entries that existed,” Ashworth wrote in an e-mail.
Unfortunately, this kind of search engine gaming is quite common, and often goes undetected for months by site owners. Experts say those responsible tend to pick on .edu, .gov and .mil domains because those domains are typically given more authority by search engines.
This attack shows that Webmasters and Web hosting companies alike need to remain vigilant about keeping software up to date and keeping an eye out for unauthorized content. The blog Unmask Parasites has some great tips on both of these fronts in a post that highlights a recent and persistent variation of the Hostmonster attack.