Hacked? Network Solutions Security Issues


Post by PhilD » Wed Apr 21, 2010 4:50 pm

Disclaimer. This is not a wall of shame post, but relevant security information.

Think you're having a bad day because your site was hacked? It may not be your fault. You can be part of the solution, though, by following the "safe route to disaster relief" in checklist 7 http://docs.joomla.org/Security_Checklist_7 and also making sure everything is updated properly.
Do not rely on restoring from backups made by your hosting service and do not rely on backups made recently by your own backup methods.

Network Solutions is a very large data center located in Texas. Many hosts have servers located there and may be subject to these attacks. So just because you're hosted with "xyz hosting" does not mean you will not be affected.
Below is some information and links on the Network Solutions issues.

Network Solutions has acknowledged (second time in 2 weeks) that their servers have security issues (April 19) and is working to fix them. The latest issues affect all sites, including static sites, not just WordPress like the previous Network Solutions exploit did. Network Solutions initially blamed poor default permission settings in WordPress installs for that attack. Network Solutions is now indicating the latest attack on their servers is at a deeper level and their attempts to restore hacked sites have on occasion resulted in restoring malicious code that was backed up.
http://blog.networksolutions.com/2010/w ... -fix-this/

http://blog.sucuri.net/2010/04/network- ... again.html

All types of sites are being affected: WordPress, Joomla, and simple HTML sites, with iframe injections and encoded JavaScript. Also seen are .pdf exploits being installed on sites. http://stopmalvertising.com/malvertisem ... mers-again

The latest issues with Network Solutions servers are reported to be much harder to track and analyze as the hackers are deploying better methods to hide.

Disclaimer. This is not a wall of shame post, but relevant security information.
PhilD


Post by mandville » Wed Apr 21, 2010 5:59 pm

Attempted WOS posts such as "NS are pile of fused circuits" will be dealt with under forum rules.


Post by tk42i » Wed Apr 21, 2010 7:05 pm

I host my Joomla portals at NS in their shared hosting environment and have been affected by this attack. I've been lucky that I've only had to rewrite several index.php files.

Certain things I've noticed that I'd like to share:

1) If you are using their easy Joomla install tool, it is not deploying the latest and greatest version. So update!

2) The default permissions in your directory system can be strengthened.

3) You can mitigate (not solve) some of the symptoms by removing write access to your Joomla index.php file.

Hope this helps a little.
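
Added example, not part of tk42i's post: one way to audit the permission points 2) and 3) above. It assumes the common 644 (files) / 755 (directories) baseline and a Joomla document root you can read; the function names and the temporary sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

FILE_MAX = 0o644   # assumed baseline for files
DIR_MAX = 0o755    # assumed baseline for directories

def audit_permissions(root):
    """Return (relative path, mode) for entries with bits beyond 644 / 755."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            limit = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
            if mode & ~limit:  # any bit set that the baseline does not allow
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)

def make_read_only(path):
    """Clear every write bit (for example 644 -> 444) and return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~0o222)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    # Constructed sample tree standing in for a Joomla document root.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        for name in ("index.php", "configuration.php"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php // constructed sample\n")
        os.chmod(os.path.join(root, "index.php"), 0o644)
        os.chmod(os.path.join(root, "configuration.php"), 0o666)
        os.chmod(os.path.join(root, "cache"), 0o777)
        findings = audit_permissions(root)
        new_mode = make_read_only(os.path.join(root, "index.php"))
        return findings, oct(new_mode)

if __name__ == "__main__":
    print(demo())
```

A read-only index.php only addresses the symptom: any process running as the file owner, or with server-level access, can set the write bit again.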


Post by PhilD » Wed Apr 21, 2010 9:42 pm

Those are certainly valid points and should always be considered no matter the host, especially with any one-click install tool. Those tools usually do not have the latest versions of the software available, resulting in an immediate security risk.

Everyone reading this post needs to understand that the attacks are/were being performed system wide at the server level. It was apparently determined that permission levels are not the root cause of the current attack against the NS servers as they appeared to be when hundreds of WordPress sites were attacked. Since most default server file/directory permissions are 644/755 and since the issues at NS are also affecting static HTML sites, I'm inclined to agree with that assessment. The attacks can affect ANY domain hosted there, not just Joomla and WordPress, including those with strong/proper permissions, recent up-to-date secure Joomla installs, etc.

The information I posted is not a "panic, the sky is falling" issue, and in no way an attack on any data center or host, but rather the post is an informational post that may explain why an otherwise secure, up-to-date site with no vulnerable extensions or templates is suddenly hacked. NS is working on updating server software, cleaning servers, and assisting, where possible, in cleaning and restoring customers' domains.

I suggest that if you have been or think you may have been a victim or affected, you do not trust the server backups performed by NS, nor should you trust your own backups made in the last few weeks, as your backups could have picked up some dormant backdoors. Instead, to ensure your site is clean, you should follow the "Safe route to disaster relief" and replace the Joomla core files: http://docs.joomla.org/Security_Checklist_7

As a reminder, there are many hosts that have servers in the NS data center and resell servers/space under their own brand (branding), making it sometimes difficult to determine if a site resides on an NS server. If you are not sure if your site resides in the NS data center, do some research on your own (sometimes a host's "about us" page will mention where servers are located) or ask your host what data center they are using to host your site.

The exact nature of the issue identified at NS and how many servers are actually affected is being withheld at this time by NS and may not ever be published.

I was afraid that this post would result in some bashing and discussed this with mandville before posting it. Though we do not normally make postings like this, we felt in this case it was in the best interest of Joomla users to make the post. Any non-constructive posts or NS bashing (read the forum rules) that are posted, besides being dealt with like mandville mentioned, will result in this post being locked sooner rather than later and the poster being banned.
PhilD
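
Added example, not part of PhilD's post: since recent backups may carry injected code, the deployed files can be compared against a freshly unpacked copy of the same Joomla release before the core files are replaced. The function names and the two temporary sample trees are constructed for illustration; the file contents are placeholders, not real Joomla code.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def compare_to_clean(site_root, clean_root):
    """Classify site files against a clean copy of the same release."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "unexpected": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    # Constructed sample trees: "clean" stands in for the unpacked release,
    # "site" for the deployed document root.
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for rel in ("index.php", "includes/defines.php", "libraries/loader.php"):
            _write(clean, rel, "<?php // clean " + rel + "\n")
            _write(site, rel, "<?php // clean " + rel + "\n")
        # Simulate the three outcomes: altered core file, extra file, deleted file.
        _write(site, "index.php", "<?php // clean index.php\n<iframe src='PLACEHOLDER'></iframe>\n")
        _write(site, "images/cache.php", "<?php // file not in the release\n")
        os.remove(os.path.join(site, "libraries/loader.php"))
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    print(demo())
```

On a real site the "unexpected" list will also contain legitimate files such as configuration.php, uploads and installed extensions, so each entry needs review rather than automatic deletion.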

