Remote file inclusion weakness served as point of entry

Jan 20, 2010 15:49 GMT  ·  By

Network Solutions announced that several hundred websites hosted on its infrastructure fell victim in a mass defacement attack during the past several days. Preliminary findings suggest that a remote file inclusion technique was used to compromise several of the company's Unix servers.

Network Solutions is one of the top five Internet domain name registrars, managing around 6.5 million domains as of January 2009. Apart from its successful domain registration business, the company also offers other services such as Web hosting, e-commerce, and online marketing solutions.

The problems began for Network Solutions last weekend when several customers reported their websites being defaced by hacktivists. Most of the attacked websites had anti-Israel messages posted on their home page and displayed violent images.

At first, the Internet firm thought a vulnerability in a Web application shared by these websites might be the culprit. "We are running a scan to see if we can proactively determine if any hosting accounts are impacted. Proponents of malware and hacking commonly look for websites with vulnerabilities. These include weak passwords, third party applications that aren’t up to date or sometimes weakness could emanate from lack of updated anti-virus software on PCs," Shashi Bellamkonda, the company's director for social/new media strategy, wrote on Sunday.

However, it appears that these attacks, carried out by a group calling itself "cwkomando", were made possible by the configuration of the hosting servers themselves, which opened a remote file inclusion (RFI) weakness. Such vulnerabilities arise when values arriving through the $_GET or $_POST variables are used without proper validation, under certain PHP configurations.
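An added illustration of the weakness class described above, not code from Network Solutions or from the attack: a page router that splices a request parameter into include(), the allow-listed form that closes the hole, and the php.ini directives that stop include() from fetching URLs. The template names and directory layout are assumptions.

```php
<?php
// Added illustration of the RFI weakness class, not code from Network Solutions or the attackers.
// Assumed layout: templates live in ./templates/<name>.php and the router picks one via ?page=<name>.

// VULNERABLE: the raw request value is spliced into the include path.
// If php.ini has allow_url_include=On (which requires allow_url_fopen=On), a value that is a URL
// makes PHP fetch the remote file and execute it as PHP; even with URL includes off, a value
// containing ../ can pull in local files the application never meant to expose.
function render_vulnerable(array $request): void
{
    include $request['page'] . '.php';
}

// HARDENED: map the request value onto a fixed allow-list and build the path server-side.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(string $requested): ?string
{
    // Strict comparison against known names rejects URLs, traversal sequences and NUL bytes alike.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/templates/' . $requested . '.php';
}

function render_hardened(array $request): void
{
    $path = resolve_page($request['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// CONFIGURATION CHECK: both directives are PHP_INI_SYSTEM, so application code cannot turn them
// off with ini_set(); they must be set in php.ini (or the web server's PHP configuration):
//     allow_url_include = Off
//     allow_url_fopen   = Off   ; also blocks fopen()/file_get_contents() on URLs, so check apps
// This helper lets a hosting operator or an application confirm the server-wide setting at runtime.
function url_include_enabled(): bool
{
    return (bool) ini_get('allow_url_include');
}

if (PHP_SAPI === 'cli') {
    echo 'allow_url_include is ', url_include_enabled() ? 'ON (risky)' : 'off', PHP_EOL;
}
```

Running the script from the command line on a hosting server reports whether URL includes are enabled; an allow-list like resolve_page() protects the application even on servers where the operator has not yet changed that setting.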

"Hackers were able to add a file displaying illegitimate content on top of the customer website content. This was an issue on multiple servers and unknown intruders were able to get through by using a file inclusion technique. There was no danger to any personally identifiable or secure information," Mr. Bellamkonda announced yesterday in an update on the company's blog.

Network Solutions is working with affected customers to restore their websites and is closely monitoring the threat. It has yet to decide whether the best course of action is to make permanent changes to the configuration of its servers, a decision that might affect the functionality of existing websites.