January 14, 2011

A software vulnerability at a U.S.-based Web hosting provider let hackers secretly add dozens of Web pages to military, educational, financial and government sites in a bid to promote rogue online pharmacies.

For four months in 2010, a customer of Hostmonster.com, a Provo, Utah-based hosting provider, exploited a bug in cPanel, a Web site administration tool used by Hostmonster and a majority of other hosting providers. The customer used the vulnerability to create nearly four dozen subdomains on a number of other customers' Web sites at the hosting facility, said Danny Ashworth, co-founder of Bluehost.com, the parent company of Hostmonster.

The subdomains were linked to dozens of pages created to hijack the sites’ search engine rankings, and to redirect visitors to fly-by-night online stores selling prescription drugs without a prescription. Among the compromised domains were:

Omaha, Neb. financial institution Accessbank.com;
Bankler.com, the sole investigative tax accountant for the U.S. Senate Whitewater Committee;
Ejercito.mil.do, the official site of the Army of the Dominican Republic;
Sacmetrofire.ca.gov, the Sacramento Metropolitan Fire District;
Wi.edu, The Wright Institute.

Ashworth said all of the bogus subdomains were created between April 2 and July 1, 2010, but they remained in place until the company was contacted by a reporter last week.

“We added and altered some security measures in July for another issue that we found which also fixed the cPanel bug that allowed this exploit to take place, [and] although it did not allow additional records to be created/altered, it did not remove the entries that existed,” Ashworth wrote in an e-mail.

Unfortunately, this kind of search engine gaming is quite common, and it often goes undetected for months by site owners, since the injected pages are aimed at search engine crawlers rather than at the site's regular visitors. Experts say those responsible tend to pick on .edu, .gov and .mil domains because search engines typically assign those domains more authority, so pages and links planted there do more to lift the pharmacy sites' rankings.

This attack shows that Webmasters and Web hosting companies alike need to remain vigilant about keeping software up to date and keeping an eye out for unauthorized content: not just defaced or altered pages, but new subdomains, DNS records and directories that the site owner never created. The blog Unmask Parasites has some great tips on both of these fronts in a post that highlights a recent and persistent variation of the Hostmonster attack.
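The two checks above (watching for subdomains you did not create, and watching page content for the kind of SEO spam the attackers planted) are easy to automate. The script below is an added example written for this page, not code from the article, from Hostmonster or from Unmask Parasites. It assumes a hypothetical domain `example-bank.test`, a BIND-style zone file of the kind cPanel writes for each account (owner, TTL, class, type, data), and a constructed HTML page; the keyword list, the hidden-element heuristics and the baseline of legitimate records are all assumptions a site owner would tailor to their own site.

```python
"""Added example: detect unauthorized subdomains and injected pharma spam.

Two independent checks a site owner or hoster can run on a schedule:
  1. diff the domain's DNS records against a baseline of records the
     owner actually created (the Hostmonster attack added subdomains);
  2. scan served HTML for the signs of SEO-spam injection (pharmacy
     keywords, links hidden off-screen, meta-refresh redirects).
All inputs below are constructed for the example; nothing is fetched.
"""
import re

# Constructed zone file fragment for a hypothetical domain (assumption).
SAMPLE_ZONE = """\
$ORIGIN example-bank.test.
@                 3600 IN A     203.0.113.10
www               3600 IN CNAME example-bank.test.
mail              3600 IN A     203.0.113.11   ; legitimate
cheap-viagra      3600 IN A     198.51.100.7   ; not created by the owner
buy-cialis-online 3600 IN CNAME example-bank.test.
"""

# Records the site owner knows they created (assumption: maintained by hand).
BASELINE = {"@", "www", "mail"}


def parse_zone_names(zone_text):
    """Return the owner names of every A/AAAA/CNAME record in a zone file.

    Assumes the common 'owner [ttl] IN type rdata' layout; lines without
    an explicit IN class, and $ directives, are skipped.
    """
    names = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if "IN" not in fields:
            continue
        rtype_index = fields.index("IN") + 1
        if rtype_index < len(fields) and fields[rtype_index] in {"A", "AAAA", "CNAME"}:
            names.add(fields[0])
    return names


def unexpected_records(zone_text, baseline):
    """Subdomain labels present in the zone but absent from the baseline."""
    return sorted(parse_zone_names(zone_text) - set(baseline))


# Heuristics for injected SEO spam (assumption: tune the terms per site).
PHARMA_TERMS = re.compile(
    r"\b(viagra|cialis|levitra|pharmacy|no\s+prescription|buy\s+\w+\s+online)\b",
    re.I,
)
# A div/span/p whose inline style hides it or pushes it off-screen.
HIDDEN_BLOCK = re.compile(
    r"<(div|span|p)\b[^>]*style\s*=\s*[\"'][^\"']*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)"
    r"[^\"']*[\"'][^>]*>(.*?)</\1>",
    re.I | re.S,
)
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']refresh[\"'][^>]*url=([^\"'>\s]+)", re.I
)


def scan_html(html):
    """Return the spam indicators found in one page's HTML."""
    terms = sorted({m.group(1).lower() for m in PHARMA_TERMS.finditer(html)})
    hidden_links = sum(
        m.group(2).lower().count("<a ") for m in HIDDEN_BLOCK.finditer(html)
    )
    refresh = META_REFRESH.search(html)
    return {
        "pharma_terms": terms,
        "hidden_links": hidden_links,
        "meta_refresh": refresh.group(1) if refresh else None,
    }


# Constructed pages: one clean, one carrying the kind of injection described.
SAMPLE_CLEAN = "<html><body><h1>Welcome to Example Bank</h1><a href='/login'>Log in</a></body></html>"
SAMPLE_SPAM = """<html><head><meta http-equiv="refresh" content="0; url=http://pills.example/store"></head>
<body><h1>Welcome to Example Bank</h1>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example/v">Buy Viagra online no prescription</a>
  <a href="http://pills.example/c">cheap cialis</a>
</div></body></html>"""

if __name__ == "__main__":
    print("unexpected DNS records:", unexpected_records(SAMPLE_ZONE, BASELINE))
    print("clean page:", scan_html(SAMPLE_CLEAN))
    print("spam page: ", scan_html(SAMPLE_SPAM))
```

In practice the zone text comes from the hoster's DNS export or a `dig axfr` against your own authoritative server, and the HTML from fetching each page with a search-engine user agent, since cloaked spam is often served only to crawlers; a non-empty result from either check is the cue to look for files and directories you did not create.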

7 thoughts on “Pill Pushers Pop Military, Government, Education Sites”

  1. Omer Bauer

    Brian, I am a relatively new computer user and I want to take the time to tell you to keep up the good work. I really appreciate your input on security.

  2. Bruce Haupt

    Brian

    Do these rogue pharmacies usually actually ship what one orders, or are they like the bogus crack man who provides anything from nothing to peanuts, to small white stones?

    1. hhhobbit

      White sugar pills at best, your credit card stolen and money out of it at worst. Go to a legitimate pharmacy. AFAIK, if you are in the US the only *sure* way you might get Canadian Pharmacy deals is to live next to the border and go across.

      1. Brian Krebs

        Unfortunately, that’s a myth that’s been perpetuated about these rogue pharmacies. The reality is that most people get something that closely approximates what they ordered. As for the credit card theft, another myth: The pharma programs at least do not want to do anything bad that could be traced back to them, and indeed if buyers are unhappy they will gladly refund their money. Most will go out of their way to avoid a chargeback or dispute that would call undue attention to their processing setup.

  3. MannyMoy

    This is really scary!
    I wonder who stands more chance of detecting this sort of attack – the hosting company, or the affected organisations. The latter can be forgiven for focusing on their core businesses, but I think the hosting provider should begin to take full responsibility for the domains they host, even if it means charging their clients extra money.

  4. hhhobbit

    BlueHost is actively recruiting more expertise to handle this issue. It really is a shared responsibility unless the bad stuff is on an alternate port or if it actually isn’t in the customer’s pages but stuck someplace else in the web server. Having said that, it really is your responsibility to look for suspicious activity within your own web pages. Don’t expect a WSP (Web Service Provider) to do what you can do yourself. I always do a wget and a diff every time I change the pages to make sure they were uploaded correctly. That includes a “head -n -1” to excise the tracker they tack onto the HTML pages as they go out the door on the web server. Here are some things people can do:

    Organizations:
    1. Have only what you need and no more. The more complicated something is the more likely there are to be problems. Constantly prune stuff that isn’t used any more. Which would you rather clean up – 5000 or 500 HTML pages?
    2. Don’t depend too much on all of these fancy automated tools. I use less automation, so most of this stuff would stand out like a sore thumb when I look at it. I can remember cleaning up one web-site’s index.html and giving it back to them, of course with the “html” changed to a “txt”. They didn’t even know what they were looking at. I recommended that they use something like NotePad++ or gvim if they are on Windows. Most of these automated build tools hide the stuff. If they don’t want to do that, a quick run through with a browser and having it show all of the code for pages will help show something amiss.
    3. If you can, audit all your content to make sure nothing is amiss. BlueHost provides sftp, so you can use that to cd and dir your way around for a quick check. If you see files or dirs you didn’t put there, that indicates something is amiss. Don’t expect the WSP to know what is legitimate and what isn’t. How can they know that? I even have a phish host on the same IP webserver that one of my hosts is on. The URL is in their pages rather than being a server problem, because the URL doesn’t work when I substitute my host name in place of theirs.

    WSP
    1. Keep your software up to date. That is more difficult than you think. I had not booted to Windows for about two weeks and when I did, Symantec NAV downloaded 100 MB! I just did an upgrade on Ubuntu yesterday where I had to reboot. I see that I need to do another one today where I suspect I will have to reboot. WSPs need to keep updates like that to a bare minimum, and conditions are making it impossible.
    2. Do no more than you need to. By that I mean resist the pull to provide more services than you can handle or the customer needs. SSL for POP and sftp are high priorities on my list.
    3. If you can, don’t allow the creation of hidden folders, and limit what content can be served.
    4. It doesn’t sound like they used alternate ports like 8080 in this case, but firewalls can help guard against unknown exploits if the hackers use alternate ports. If your firewall doesn’t allow 8080, lots of bad stuff can be stopped. Software is always having new flaws discovered, and keeping things patched and working properly is getting harder all of the time.

    I will see if BlueHost needs somebody like me on a part-time basis. I am available. But there are a lot of talented people in their area. I haven’t noticed that BlueHost is any worse and they may be even better than other WSPs. I am still considering moving at least some of my host names and one email account to them. I make Internet filters that can be used to tame the end user connection (available under the GPLv2 license).