Network Solutions Sucks

PostBy: Richard S. On: Fri Apr 05, 2013 9:01 am

I'm working on a site hosted there and apparently the server is compromised. If you view any page in a web browser it works. However, using a third-party tool like web-sniffer.net, I get this result for the header and content:

Status: HTTP/1.0 200 OK
Expires: Sat, 6 May 1995 12:00:00 GMT
P3P: CP=NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 144
Connection: Close

Content (0.14 KiB)

<html><body><script>document.cookie='yyyyyyy=e5930a2fyyyyyyy_e5930a2f; path=/';window.location.href=window.location.href;</script></body></html>



I opened a request ticket:

If I view this page in web browser:
http://www.example.com/test.html
The content displays correctly.

Using any third party site I get this: <html><body><script>document.cookie='kkkkkkk=8b167cb2kkkkkkk_8b167cb2; path=/';window.location.href=window.location.href;</script></body></html>


test.html is just a simple text document that contains the word test. The email I get back is just a bunch of crap telling me stuff I knew 15 years ago. That email did have a link to a chat window so I tried that. That person actually understood there was an issue. There was a binary file above the htdocs folder called htdocs and he had to get an engineer (his words, not mine) to delete it. 3 days later this is still unresolved so I try the chat window again. Note they had me input the original ticket number; ticket XXXXX2 is a ticket the chat support had me create to delete the htdocs file.




Chat Information: Please wait for a specialist.

You are '1' in queue with an average wait of '0' minutes and '30' seconds.

Chat Information: You are now chatting with 'Korey N' in Florida.
Korey N: Thank you for contacting Network Solutions service chat. Just a minute while I review your service request so that I can answer your questions.
Richard: This is still unresolved, see also ticket 1-XXXXXX2
Korey N: Ok how can I help?
Richard: Korey go to web-sniffer.net and type in the domain.
Richard: The content is
Richard: <html><body><script>document.cookie='yyyyyyy=eed9e2beyyyyyyy_eed9e2be; path=/';window.location.href=window.location.href;</script></body></html>
Richard: That is being injected from somewhere.
Korey N: Is this a custom coded site?
Richard: Korey, any page on the domain returns that string.
Korey N: I'm not understanding your issue. Can you please provide more details on the issues you are having?
Richard: Korey view this page:
Richard: example.com/test.html
Korey N: Can you please explain your issue so that I can assist
Richard: Korey go to that URL, it says:
Richard: test
Richard: correct?
Korey N: Yes I see that
Richard: It's just a text document
Richard: Now try it in web-sniffer.net
Richard: See the content output at the bottom?
Richard: <html><body><script>document.cookie='yyyyyyy=eed9e2beyyyyyyy_eed9e2be; path=/';window.location.href=window.location.href;</script></body></html>
Richard: That's being injected somewhere.
Korey N: I apologize however this is not a network solutions website. I am not able to replicate this issue
Richard: Korey, give me higher level tech since you obviously don't understand what is going on here.
Korey N: If you feel as though your site has been compromised please review all of your content for any malicious files or scripts and update all your applications and credentials
Korey N: I am sorry however we cannot troubleshoot results from a third party site
Richard: Give me higher level tech please.
Korey N: I am level 2 support. We do not support troubleshooting custom code under our standard scope of support. And at this time I am not seeing this injected text in the raw text document. If there is a file injecting code as you said you will need to have your developer remove it or upload a clean copy and do as I said above to ensure security.
Richard: Korey, that code is being injected somewhere.
Korey N: At this time I am not seeing this injected text in the raw text document. If there is a file injecting code as you said you will need to have your developer remove it or upload a clean copy and do as I said above to ensure security.
Korey N: At this time there are no indications that the server itself is causing this issue. Again please have your developer research further to ensure there are no malicious scripts
Richard: You have to go to third party site like web-sniffer.net to see it.
Korey N: I
Korey N: I'm sorry however other than the third party site I am unable to replicate the issue
Richard: You can replicate this on numerous third party sites
Richard: browsershots.org
Korey N: I apologize however I am unable to replicate this issue. Please have your developer review the site to ensure there are no malicious contents and update all applications and passwords to ensure security. Did you have any other questions for me today?
Richard: See ticket 1-XXXXXX2
Richard: Give me a higher level tech Korey.
Korey N: This ticket was resolved. Are you still having an issue with an htdocs file above /htdocs?
Richard: Give me a higher level tech
Korey N: Was there anything else that I can assist you with?
Richard: Yes, give me a higher level tech
Korey N: If there is nothing more that I can assist you with I will go ahead and end this chat.
Richard: Korey I want a higher level tech.
Korey N: Thank you for contacting Network Solutions. Take care!
Chat Information: Chat session has been terminated by the site operator.
Richard S.
 
Stoker Coal Boiler: Van Wert VA1200
Coal Size/Type: Buckwheat/Anthracite
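
Added example, not part of the original thread: a Python check that recognizes the cookie-and-reload stub quoted in the post above and reports which clients received it instead of the page. The function names and client labels are assumptions made for illustration; the stub bodies are the ones quoted in the post, and the "test" body stands in for test.html.

```python
import re

# The stub quoted in the post: one script that sets a cookie, then reloads the same URL.
STUB_RE = re.compile(
    r"<script>\s*document\.cookie\s*=\s*'(?P<name>[^=']+)=(?P<value>[^;']*);\s*path=/'\s*;"
    r"\s*window\.location\.href\s*=\s*window\.location\.href\s*;?\s*</script>",
    re.IGNORECASE,
)

def parse_stub(body):
    """Return cookie details if body is nothing but the stub, else None."""
    m = STUB_RE.search(body)
    if not m:
        return None
    # Anything besides empty <html>/<body> wrappers means a real page, not the bare stub.
    rest = re.sub(r"</?(?:html|body)>", "", body[:m.start()] + body[m.end():], flags=re.I)
    if rest.strip():
        return None
    name, value = m.group("name"), m.group("value")
    # In the quoted samples the value is <8 hex><cookie name>_<same 8 hex>.
    tok = re.fullmatch(r"([0-9a-f]{8})" + re.escape(name) + r"_\1", value)
    return {"cookie": name, "token": tok.group(1) if tok else None}

def compare_profiles(responses):
    """responses maps a client label to the body it received for the same URL."""
    stub, content = {}, []
    for profile, body in responses.items():
        info = parse_stub(body)
        if info:
            stub[profile] = info
        else:
            content.append(profile)
    return {
        "stub": stub,
        "content": content,
        "split": bool(stub) and bool(content),  # same URL, different bodies per client
        "token_varies": len({i["token"] for i in stub.values()}) > 1,
    }

# Constructed input: labels are illustrative; stub bodies are copied from the post.
SAMPLES = {
    "browser": "test\n",
    "header-viewer": "<html><body><script>document.cookie='yyyyyyy=e5930a2fyyyyyyy_e5930a2f; path=/';window.location.href=window.location.href;</script></body></html>",
    "ticket-sample": "<html><body><script>document.cookie='kkkkkkk=8b167cb2kkkkkkk_8b167cb2; path=/';window.location.href=window.location.href;</script></body></html>",
}

if __name__ == "__main__":
    print(compare_profiles(SAMPLES))
```
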

Re: Network Solutions Sucks

PostBy: SMITTY On: Fri Apr 05, 2013 9:42 am

Sort of like going to the autoparts store ... except that's in person. :lol:
SMITTY
 
Stoker Coal Boiler: Patriot Coal - custom built by Jim Dorsey
Hand Fed Coal Stove: Harman Mark III (not currently in use)
Coal Size/Type: Rice / Blaschak anthracite
Other Heating: Oil fired Burnham boiler

Re: Network Solutions Sucks

PostBy: anthony7812 On: Fri Apr 05, 2013 9:52 am

Sounds like Korey has a small chip on his shoulder. My lead programmer I work with is one arrogant dickface. Has an attitude that a child has, I know something you don't know. Love to punch him in the snout. :box:
anthony7812
 
Stoker Coal Boiler: VanWert VA 400
Hand Fed Coal Stove: Harman Mark III
Coal Size/Type: Buck/Nut/Anthracite


Re: Network Solutions Sucks

PostBy: Richard S. On: Fri Apr 05, 2013 1:16 pm

Looked up the IP this domain is on, they had a sample of 4 of the 699 domains on that IP.

All 4 have the same result, that server is compromised....
Richard S.
 
Stoker Coal Boiler: Van Wert VA1200
Coal Size/Type: Buckwheat/Anthracite

Re: Network Solutions Sucks

PostBy: Yanche On: Fri Apr 05, 2013 1:28 pm

Clearly they don't understand the threat and the potential seriousness of the issue. More technically knowledgeable persons are needed.

I happen to live near (25 miles from) the United States Cyber Command at Ft. Meade, MD. It's co-located with NSA. Lots of my friends and former co-workers are now somehow involved with the cyber threat, either directly or at contractor facilities. It's a big factor in Maryland's low unemployment numbers. I'm a member of Maryland's InfraGard. I suggest you join PA's equivalent organization. They will not help you with your specific problem, but you will make contacts and have access to information that can help you.

Here's the national link to InfraGard:

https://www.infragard.org/

If you join, be advised the FBI will run your name against their databases. Once you are approved for membership you will have access to restricted information that might help you better understand your specific problem.

A more general overview of InfraGard and lots of additional links are here:

http://en.wikipedia.org/wiki/InfraGard
Yanche
 
Stoker Coal Boiler: Alternate Heating Systems S-130
Coal Size/Type: Anthracite Pea

Re: Network Solutions Sucks

PostBy: 009to090 On: Fri Apr 05, 2013 2:25 pm

All canned answers...
Not allowed to escalate...
009to090
 
Stoker Coal Boiler: EFM 520 HighBoy
Hot Air Coal Stoker Stove: DVC-500 x 2
Coal Size/Type: Anthracite Rice

Re: Network Solutions Sucks

PostBy: Richard S. On: Fri Apr 05, 2013 11:21 pm

The weird thing is that it works in a browser, it's only other sites doing this. I registered under my Webmaster tools account and fetch as Googlebot returns the same result.

Somebody did something, they renamed test.html to test.html.old :lol: I'm not sure what that is supposed to do because it's just a text file that contains the letters "test"

009to090 wrote:All canned answers...


I'm sure all day long they field questions that are lame like "How do I configure email" and then when a legitimate problem is presented to them they assume it's user error. The first email I got back was a canned message about the difference between HTML markup and what is displayed in a browser. I'm sure incompetence plays a role here too because after seeing the results from web-sniffer.net that should have sent up the red flag. The same problem exists at my host; however, I've come to know a few of the better techs and request them for non-urgent matters.


-edit----

Forgot to mention, Korey sent me an email after our chat. He's escalating it but it could be and I quote "24 to 48 hours".
Richard S.
 
Stoker Coal Boiler: Van Wert VA1200
Coal Size/Type: Buckwheat/Anthracite

Re: Network Solutions Sucks

PostBy: dcrane On: Sat Apr 06, 2013 4:50 am

That's hilarious :lol: It sounds like that's an ex-Verizon or Comcast employee ya got there! The scary part is that guy was a level 2 tech support :shock: Imagine if you had a level 1... You would have had to teach him how to open his browser :lol:
dcrane
 
Hand Fed Coal Stove: Crane 404

Re: Network Solutions Sucks

PostBy: dcrane On: Sat Apr 06, 2013 4:55 am

dcrane wrote: That's hilarious :lol: It sounds like that's an ex-Verizon or Comcast employee ya got there! The scary part is that guy was a level 2 tech support :shock: Imagine if you had a level 1... You would have had to teach him how to open his browser :lol:


OR worse yet
"Rich, We cannot replicate this injection issue but it not a problem, we inject simple script that only send your data base to mainland China for our review at later date, you no worry about that" :eek2:
dcrane
 
Hand Fed Coal Stove: Crane 404

Re: Network Solutions Sucks

PostBy: Richard S. On: Sat Apr 06, 2013 1:59 pm

Richard S. wrote:The weird thing is that it works in a browser, it's only other sites doing this. I registered under my Webmaster tools account and fetch as Googlebot returns the same result.


Doing some research I came across a reference for a hack with similar output that only worked with an external referrer which could explain why direct input from the browser doesn't cause it. Actually be pretty damn smart since only people using a search engine or coming from another site would get whacked with it. However I'm still unable to replicate it clicking from a search engine.
Richard S.
 
Stoker Coal Boiler: Van Wert VA1200
Coal Size/Type: Buckwheat/Anthracite

Re: Network Solutions Sucks

PostBy: dcrane On: Sat Apr 06, 2013 3:52 pm

Richard S. wrote:
Richard S. wrote:The weird thing is that it works in a browser, it's only other sites doing this. I registered under my Webmaster tools account and fetch as Googlebot returns the same result.


Doing some research I came across a reference for a hack with similar output that only worked with an external referrer which could explain why direct input from the browser doesn't cause it. Actually be pretty damn smart since only people using a search engine or coming from another site would get whacked with it. However I'm still unable to replicate it clicking from a search engine.


yea... some crazy stuff those Asian kids can conjure up sometimes :cry: I swear someday they will be able to load a program that literally makes our laptops burst into flames right in front of our eyes :mad:
dcrane
 
Hand Fed Coal Stove: Crane 404

Re: Network Solutions Sucks

PostBy: NoSmoke On: Sun Apr 07, 2013 8:44 am

I heard this was actually done by Israel in response to Iran's Nuclear Strategy. They sent a computer worm into the country that went through and wiped out their nuclear program. It took them 2 years for them to recover from the worm that was sent, which is why they are just now starting to pony up to the bar like North Korea and talk smack about the USA again. For 2 years they were shut down by Israel which supposedly had USA help in developing the computer worm.
NoSmoke
 
Hand Fed Coal Boiler: New Yoker WC90
Hand Fed Coal Stove: Vogelzang Pot Bellied Stove
Coal Size/Type: Stove/Nut/Pea Anthracite
Other Heating: Munchkin LP Boiler (Back-up)

Re: Network Solutions Sucks

PostBy: Richard S. On: Tue Apr 09, 2013 5:00 pm

Originally reported on the 3rd, finally solved today.

Next issue, the default folder and file permissions are wrong.

If you know Unix permissions, folders are set at 765 and files at 664. I'm waiting now for the email that is going to explain to me how to set file permissions because the tech didn't read the ticket.
Richard S.
 
Stoker Coal Boiler: Van Wert VA1200
Coal Size/Type: Buckwheat/Anthracite

Re: Network Solutions Sucks

PostBy: Richard S. On: Tue Apr 09, 2013 5:17 pm

oops, I spoke too soon. It was fixed this morning, it's back....
Richard S.
 
Stoker Coal Boiler: Van Wert VA1200
Coal Size/Type: Buckwheat/Anthracite

Re: Network Solutions Sucks

PostBy: SMITTY On: Tue Apr 09, 2013 11:59 pm

This sounds like the GMC Jimmy of the computer world .... :D
SMITTY
 
Stoker Coal Boiler: Patriot Coal - custom built by Jim Dorsey
Hand Fed Coal Stove: Harman Mark III (not currently in use)
Coal Size/Type: Rice / Blaschak anthracite
Other Heating: Oil fired Burnham boiler