SecurityFocus, 2006-09-25
Friday's a good day for most companies. For hosting provider HostGator, however, the day kicked off a nightmare that lasted more than 24 hours.
A trickle of complaints that started the day before turned into a flood by Friday. Companies and clients complained that visitors to their Web sites were being infected with a virus. To those visitors, the Web sites appeared to be corrupted when viewed with Internet Explorer and caused antivirus software to warn of Trojan horse attacks, affected people told SecurityFocus.
For HostGator, the issue seemed to defy defensive measures. The company found rogue code on its servers and removed the programs, only to have the attack code resurface. Near midnight, Brent Oxley, owner of HostGator, opened a forum posting titled "Virus'/Redirects/Sites not Working-Read Me."
"We have everyone working on the situation, even a few CTOs from other companies we know personally," Oxley said in the forum message. "We can make the problem disappear for a little while but it keeps coming back on a majority of our servers. We believe this is a 0-day exploit with HostGator being the target. We are being completely overwhelmed currently: chat, phones, tickets, etc."
HostGator was apparently not alone. At least two other companies had reportedly also been hit with the attack, an exploit for a previously unknown--or "zero-day"--vulnerability in a popular Web-site management application known as cPanel. In a forum posting, Oxley did not name the companies, but said that one had more than 100,000 clients, and the other had 80 servers hit with the attack.
The victims extended far beyond those sites, however. The ultimate goal of the attack was to load a collection of adware and spyware onto the computers of anyone who visited the affected sites. The attackers used the illicit access to redirect all visitors to malicious Web pages containing code to exploit the latest--and still unpatched--flaw in Microsoft's Internet Explorer. The tag-team attacks compromised as many servers as possible in order to infect as many Internet Explorer users as possible.
Chris Banescu, the owner of model train seller NewhallStation.com, faced double the indignity when both his site and his computer were compromised by the attacks. The online retailer suffered an attack on Thursday, after he made changes to his site. When he visited the site with Internet Explorer to view the changes, the site seemed corrupted and security software installed on his system complained that a program had attempted to make registry changes. A spyware scan revealed a mix of seven different programs newly installed, he said.
"It's not just rooting stuff to take information," Banescu said, referring to the collection of adware and spyware detected on his system. "It seems to be money motivated."
The attackers appear to have been using the cPanel flaw for at least a month, Banescu said. On August 14, a similar attack happened, but the payload was detected as a generic JavaScript Trojan horse by his antivirus software. Banescu refreshed cPanel on his site and the issue went away. On August 19, his site was compromised again, and a Trojan horse was again detected by his antivirus software when he visited his site with Internet Explorer. An attack on September 4 failed, and after reinstalling cPanel, everything seemed fine until the attack last Thursday, he said.
A glaring error caused the privilege-escalation vulnerability in cPanel. Because of the order in which the program searched for a specific database script, an attacker with access to the home directory of any user or Web site on the server could place a specially crafted file in that directory and the program would find and execute that file before the legitimate one. The commands would run at the highest level of privilege, root.
"They (the attackers) have to have a regular user account on the server," said Dan Muey, one of cPanel's core developers. "There is a module--it goes through a list of directories looking for the module. They would put a module in the home directory, and it would run the module first."
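As an added illustration of the search-order flaw described above (this is not cPanel's code; the module name, directory layout and loader functions are constructed for the example), the vulnerable first-match lookup is shown beside a hardened version that skips any directory or file an untrusted account could control:

```python
import os
import stat
import tempfile
from pathlib import Path

MODULE = "dbscript.pm"  # hypothetical name for the database script the article mentions
def naive_find(name, search_dirs):
    """Vulnerable pattern: run the first match, whoever owns its directory."""
    for d in search_dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None

def is_trusted_path(path, trusted_uids):
    """Owned by a trusted uid and not group/world-writable (symlinks resolved)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid in trusted_uids and not writable_by_others

def hardened_find(name, search_dirs, trusted_uids=frozenset({0})):
    """Same search order, but any directory or file an untrusted account could
    control is skipped instead of being executed as root."""
    for d in search_dirs:
        candidate = Path(d) / name
        if (is_trusted_path(d, trusted_uids) and candidate.is_file()
                and is_trusted_path(candidate, trusted_uids)):
            return candidate
    return None

def demo():
    """Constructed layout: a world-writable home directory is searched before the
    locked-down system directory. Returns what each loader would execute."""
    root = Path(tempfile.mkdtemp())
    home, system = root / "home" / "user1", root / "usr" / "local" / "lib"
    home.mkdir(parents=True)
    system.mkdir(parents=True)
    (home / MODULE).write_text("# planted by an unprivileged account\n")
    (system / MODULE).write_text("# legitimate module\n")
    os.chmod(home, 0o777)          # any local account can drop a file here
    os.chmod(system, 0o755)
    os.chmod(system / MODULE, 0o644)
    me = frozenset({os.getuid()})  # assumption: stands in for {0}, tests do not run as root
    return {"naive": naive_find(MODULE, [home, system]),
            "hardened": hardened_find(MODULE, [home, system], me),
            "home": home / MODULE, "system": system / MODULE}
```

The same ownership and write-bit check is what a setuid or root-run tool should apply to every directory on its search path, not only to the file it finally loads.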
The attack basically turns access to a single Web site on a server into a beachhead from which all the other Web sites can be compromised. Mass attacks are typically a tactic used by Web-site defacers to exponentially increase the number of sites they tag with their digital version of graffiti. There typically has not been a significant upside for hitting a large number of Web sites with a known exploit. Yet, the focus on exploits that attack vulnerabilities in Web browsers, and in particular Internet Explorer, has made mass attacks much more valuable as a way to infect a greater number of Web surfers.
The attacks escalated an already serious issue for Microsoft Windows users. Last week, the software giant confirmed reports that attacks were exploiting an unpatched flaw in its flagship browser, Internet Explorer. While the company is rushing to test a patch for the problem, a group of third-party researchers has already released a fix for the issue. Microsoft does not advise its customers to install the unsupported patch, however.
The software giant declined to comment for this article, but its public relations firm pointed to an entry on the company's security response blog as its latest statement on the issue. The message, posted on Friday, stated that the company hadn't seen any widespread attacks trying to exploit the issue.
"Attacks remain limited," Scott Deacon, operations manager for Microsoft's security response center, said on the company's response blog. "There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either. Of course, that could change at any moment."
Indeed, it may already have changed.
HostGator's Oxley points to the latest Internet Explorer flaw, which occurs in the component that handles the Vector Markup Language (VML), as the security hole through which the malicious sites attempted to attack visitors. Oxley responded to a request for comment from SecurityFocus, asking for the interview to be conducted through e-mail, but then had not responded by Monday evening.
"We believe whoever did this was perfecting what they were about to launch and waiting for the right moment," Oxley said in a Sunday forum posting announcing that HostGator had resolved the security issue. "They chose a few days ago to launch it in full force to exploit Microsoft's newly announced VML exploit."
By early Sunday morning, the company had cleaned off its customers' servers and Oxley warned other hosting providers to do the same.
"All other hosting companies that haven't applied this patch are going to get it installed automatically tonight--many of them will remain exploited until they clean their boxes as we did," he said, adding that other companies need to look to their security as well.
"The person or group that did this is very intelligent, and obviously knows how to plan a big attack. While we are protected from this threat, we cannot predict what's to come for HostGator and the industry. Nobody can."