Music, IT & Human Rights since 2005


Network Solutions hosting compromised thousands of accounts

"Grep" virus hacked inside Network Solutions servers

Three weeks of “grep” attacks are over for now but their customers are nervous and leaving Network Solutions

Network Solutions' hosting service mishandled its customer service for weeks during the “grep” iframe-redirect infection (the injected code is usually called a virus or Trojan in this story; technically it was malicious JavaScript inserted into hosted pages). The same injection was also reported on GoDaddy-hosted websites. Because of the lack of security at Network Solutions, we did the prudent thing and moved NJN Network to a host we consider more secure.

The attacks started three weeks ago, with more than 5% of Network Solutions' hosting customers infected. While site owners are responsible for their own security, Network Solutions did not provide reasonable care in protecting its customers. We had asked them months earlier whether the site was protected by a virus checker; they said yes. We subscribed to their nsProtect Safe service, which turned out to be useless against this attack.

The Hack

The injected code added an iframe redirect to infected pages. When someone visited an infected site, the hidden iframe sent them to a site claiming that their browser or operating system needed an update.

Anyone with an up-to-date anti-virus program would most likely have received a warning not to proceed. The share of end-user computers without virus protection has been estimated at 20%, which is shocking since Avast and Avira are free.

The “update” was a Trojan that infected the visitor's computer and pointed it to various sites, all seemingly ending up in Algeria. A hosting company in Los Angeles, Lunarbreeze.com, hosted the collector that the redirects passed through.

As the illustration from Dancho Danchev shows, the attackers used a variety of redirect domains (binglbalts, corpadsinc, mail.networkads, networkads, etc.), all pointing to one hosting service. From there the chain went offshore to Algeria.

Illustration from Dancho Danchev

Customers cleaned up their sites only to have them taken down by another attack. NJN Network went down four times. Last week we moved NJN Network to a new host, since we had lost all confidence in Network Solutions.

Many customers had to hire external security consultants such as David Dede of Sucuri Security Labs to remove the injected code from their files and databases. Dede was one of the few consultants who understood the problem: he was solving issues for clients while blogging about what he found, and later he released a tool site owners could use to scan their sites for the infection.

Since the security holes at Network Solutions continued, Dede went back again and again to clean and harden the sites.

Sucuri became a Network Solutions consultant some time after April 18th. Sucuri worked with Network Solutions to find the injected code and clean what ended up being thousands of websites.

The infection targeted WordPress sites on shared host computers at Network Solutions in the first week but later infected sites indiscriminately.

First attack wave April 10th

During the early grep attack on the weekend of April 10th, 2010, Network Solutions was blaming customers and WordPress. The true cause was more insidious: their servers had been compromised through a rogue account that had access to many hosted accounts.

“Just today we were notified of more than 50 sites hacked with the following malware javascript […] If we decode this javascript, we see that it is injecting this iframe from http://corpadsinc.com/grep/ [do not visit],” explained David Dede, a researcher with the company.

“The /grep/ ending URL looks consistent with the ones used during the dirty attack that recently crippled hundreds of WordPress blogs hosted at Network Solutions. However, according to the stopmalvertising.com outfit, the new attack affects all kinds of websites, including those built using the Joomla! content management solution, or plain HTML ones.”
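The injection described in “The Hack” and in the quotes above (obfuscated JavaScript that writes a hidden iframe pointing at a /grep/ URL on one of a rotating set of domains) can be hunted for offline in a site's files. The scanner below is an added example written for this article; it is not the tool David Dede and Sucuri published, and it does not decode the real grep sample. It takes its indicators from the article (corpadsinc.com, binglbalts, networkads and the /grep/ path; the page gives a TLD only for corpadsinc, so the others are matched as substrings), flags any iframe whose source contains one of them, and also flags iframes hidden with zero dimensions or display:none, including iframes written by script after statically decoding two common packers (String.fromCharCode number lists and unescape() percent-strings). Those two packers are an assumption for the example, not a claim about the grep code's encoding. The sample pages are constructed, using .example domains where the article names none.

```python
"""Scan a web root for injected iframes of the kind seen in the April 2010
Network Solutions "grep" attack.  Added example for this article, not the
Sucuri tool.  Indicator strings come from the article; the two packers
decoded here (String.fromCharCode lists, unescape() strings) are assumed."""
import os
import re
from urllib.parse import unquote

# Domain fragments and the /grep/ path named in the article (substring
# matches, since the article gives no TLD for most of the domains).
GREP_INDICATORS = ("corpadsinc.com", "binglbalts", "networkads", "/grep/")
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*["']([^"']*)["']\s*\)""")
# Zero-size or invisible iframes: the classic shape of a drive-by redirect.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?:px)?["'\s>/]|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def deobfuscate(js):
    """Return the script source plus the static decoding of every
    String.fromCharCode(...) number list and unescape("...") literal in it."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    for m in UNESCAPE_RE.finditer(js):
        decoded.append(unquote(m.group(1)))
    return js + "\n" + "\n".join(decoded)


def scan_content(content):
    """Return a sorted list of (reason, iframe_src) findings for one file."""
    findings = set()
    # Check the raw markup and the decoded body of every <script> block,
    # because the grep injection wrote its iframe from obfuscated JavaScript.
    texts = [content] + [deobfuscate(m.group(1)) for m in SCRIPT_RE.finditer(content)]
    for text in texts:
        for tag in IFRAME_RE.finditer(text):
            tag_text = tag.group(0)
            src_match = SRC_RE.search(tag_text)
            src = src_match.group(1) if src_match else ""
            if any(ind in src.lower() for ind in GREP_INDICATORS):
                findings.add(("known-grep-indicator", src))
            elif HIDDEN_RE.search(tag_text):
                findings.add(("hidden-iframe", src))
    return sorted(findings)


def scan_tree(root):
    """Walk a site tree and map relative path -> findings for infected files."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_content(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def _pack_fromcharcode(s):
    """Build a String.fromCharCode(...) call for a constructed sample page."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed sample pages (not real captures from the 2010 attack).
CLEAN_PAGE = ('<html><body><p>Hello</p>\n<iframe src="https://www.youtube.com/embed/abc" '
              'width="560" height="315"></iframe>\n</body></html>')
INJECTED_PAGE = ('<html><body><p>Welcome</p>\n<iframe src="http://corpadsinc.com/grep/" '
                 'width="0" height="0" style="display:none"></iframe>\n</body></html>')
OBFUSCATED_PAGE = ("<html><body><p>News</p>\n<script>document.write("
                   + _pack_fromcharcode('<iframe src="http://binglbalts.example/grep/" '
                                        'width=1 height=1></iframe>')
                   + ")</script>\n</body></html>")
UNESCAPED_PAGE = ('<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
                  'third.example%2Fx%2F%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"))'
                  '</script>')

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for reason, src in hits:
            print(f"{path}: {reason} -> {src}")
```

Run it against a copy of the web root. A known-grep-indicator hit is the attack itself; a hidden-iframe hit needs a look, since some legitimate analytics and ad code also uses invisible iframes. As the rest of this story shows, cleaning files is only worthwhile once the hosting-side hole that reinfects them has been closed.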

Second attack wave April 17th

Despite assurances from Network Solutions that they had found and contained the problem, the injection returned on the weekend of April 17th. Website owners were becoming increasingly frustrated with Network Solutions, which put up a wall of non-response on the 17th: the company either didn't respond or blamed users again.

The same injection appeared on sites hosted by GoDaddy, although the contagion did not seem as widespread there. Some of the redirect domains changed, making it harder for users to search their files for the infection: the operators behind the “grep” attack were rotating their infrastructure.

“Network Solutions hacked again,” wrote David Dede in his blog, one of the few sources of accurate information at the time.

By now Google was blacklisting the infected sites in Safe Browsing, so browsers showed a warning page and visitors could not reach the site without clicking through it.

On Sunday Network Solutions admitted they were in trouble and begged for patience: “We feel your pain and are working hard to fix this.” Beyond the mea culpa, most of their suggestions were a waste of time. Trying to clean up sites while the host servers kept re-infecting them was useless. Even so, many users struggled through, got their sites cleaned by Monday and off the Google blacklist by Tuesday.

Third attack wave Wednesday April 21st

The grep injection came back and started taking down its previous victims as well as new sites. Two other small websites that had not been affected by the first two waves went down before midnight on Wednesday.

Google's Safe Browsing diagnostic report for the hosting network showed how widespread the damage was:

What happened when Google visited sites hosted on this network?

Of the 117080 site(s) we tested on this network over the past 90 days, 2991 site(s), including, for example…(omitted names) served content that resulted in malicious software being downloaded and installed without user consent.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 106 site(s) on this network, including, for example (omitted names), that appeared to function as intermediaries for the infection of 349 other site(s).

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 50 site(s)… that infected 465 other site(s)…

Rumors of people leaving Network Solutions were rampant in the chat rooms and message boards. Dede posted an update on April 24th, “Network Solutions update and some numbers,” along with a free tool to scan sites for the infection.

NJN Network moved

NJN Network never went live again on Network Solutions. We researched dozens of other hosting companies, talked to friends and experts, and read the hosting reviews. We are satisfied that the new host is more secure, with the side benefit that the site is faster than it was on Network Solutions.

No website can be 100% sure of its defenses against attack; Google itself was hacked by attackers from China earlier this year, after all. However, we are taking every precaution to ensure our site is not infected again.

Regular scans with Sucuri's malware detection tool, plus hardening your website, are things every site owner should consider these days.

Related Stories

Update on the Network Solutions hack

Reasons why people leave Network Solutions

Hackers access Network Solutions mail accounts

Grep hack attacks Network Solutions GoDaddy

Whew! we’re live again

1 Comment

  1. Steve

    Looks to me like no matter how much effort we put into hardening our sites we are still defenseless against a serious breach, attack, ambush of this nature from the inside. Shared hosting setups in particular are helplessly vulnerable when something like this happens. Too many installs/sites not being properly maintained and secured by their owners.

    It looks like things are under control for the moment. Having worked nonstop round the clock in real time since April 18 just to protect my work the best I could from further damage, I have to admit I am fairly dazed at the moment. I suppose I should consider myself lucky I do not have to contact service and tell them to “reprovision” my account, to recreate it as though it is brand new, and have to build the site up from nothing.

    One thing is certain: I am going to have to totally rethink security strategy all across the board, at every level.
