, SecurityFocus 2006-09-25
Friday's a good day for most companies. For hosting provider HostGator, however, the day kicked off a nightmare that lasted more than 24 hours.
A trickle of complaints that started the day before turned into a flood by Friday. Companies and clients complained that visitors to their Web sites were being infected with a virus. To those visitors, the Web sites appeared to be corrupted when viewed with Internet Explorer and caused antivirus software to warn of Trojan horse attacks, affected people told SecurityFocus.
For HostGator, the issue seemed to defy defensive measures. The company found rogue code on its servers and removed the programs, only to have the attack code resurface. Near midnight, Brent Oxley, owner of HostGator, opened up a forum posting titled Virus'/Redirects/Sites not Working-Read Me.
"We have everyone working on the situation, even a few CTO's from other companies we know personally," Oxley said in the forum message. "We can make the problem disappear for a little while but it keeps coming back on a majority of our servers. We believe this a 0-day exploit with HostGator being the target. We are being completely overwhelmed currently chat, phones, ticket, etc."
HostGator was apparently not alone. At least two other companies had reportedly also been hit with the attack, an exploit for a previously unknown--or "zero-day"--vulnerability in a popular Web-site management application known as cPanel. In a forum posting, Oxley did not name the companies, but said that one had more than 100,000 clients, and the other had 80 servers hit with the attack.
The victims extended far beyond those sites, however. The ultimate goal of the attack was to load in a collection of adware and spyware onto the computers of anyone who visited the affected sites. The attackers used the illicit access to redirect all the visitors to malicious Web pages containing code to exploit the latest--and still unpatched--flaw in Microsoft's Internet Explorer. The tag-team attacks compromised as many servers as possible to ultimately infect as many Internet Explorer users as possible.
Chris Banescu, the owner of model train seller NewhallStation.com, faced double the indignity when both his site and his computer got compromised by the attacks. The online retailer suffer an attack on Thursday, after he made changes to his site. When he visited the site with Internet Explorer to view the changes, the site seemed corrupted and security software installed on his system complained that a program had attempted to make registry changes. A spyware scan revealed a mix of seven different programs newly installed, he said.
"It not just rooting stuff to take information," Banescu said, referring to the collection of adware and spyware detected on his system. "It seems to be money motivated."