One of the world’s largest web hosting providers, Network Solutions, has contracted a computer virus which is directly affecting the servers hosting the files stored on behalf of web hosting customers.
** SEE THE TERRIFIC RESPONSE FROM NETWORK SOLUTIONS AT THE END **
Symptoms I have experienced:
— Files magically disappear, causing 403 Access Forbidden errors
— File access modes are changed so that the web servers cannot access the files, causing 403 Access Forbidden errors (you can check this in Network Solutions’ File Manager control panel)
— A munged Javascript block is inserted immediately after the opening BODY block in html files which causes a popup to a malware site to appear when someone visits the page
You may have recently received emails from Network Solutions saying that to enhance security they have changed your FTP passwords. I believe Network Solutions was acting in good faith and thought that their passwords file was compromised and that these things were happening from outside their network. So, they’ve been frantically changing passwords to keep the infection from spreading.
Yesterday, I uploaded a file to one of our customer’s websites and got the 403 Access Forbidden error in the web browser. I checked the file manager from Network Solutions’ website and saw that the access mode was RW- RW- — (meaning that the web server could not access the file). I changed the access mode and the problem was solved.
I thought this was really weird, but I went back to work.
Then yesterday I uploaded a page to one of our sites. I modified it all afternoon.
Then someone else in the office tried the site and said it was infected.
I didn’t see anything weird about the source file (I did not notice the Javascript block because it’s a page created by Adobe Flash and has lots of stuff in it which I skip through when scrolling down the page).
I thought perhaps I did have a virus on my machine. So, I started a scan and went home.
At home, I tried that page and found that it did have that Javascript block.
I logged into Network Solutions and changed the FTP password (again).
Then I took out the Javascript block and uploaded the file.
Everything was cool.
This morning the whole file was gone.
This couldn’t have been done by a virus on my machine at work… even if it had collected the FTP password, it could not have deleted the file after I changed that password last night from home.
This morning, the virus scan showed clean (using Panda Endpoint).
I also scanned the machine using MalwareBytes and it showed clean.
I used Dreamweaver to upload the file again. It appeared without the virus on Network Solutions’ server.
So, the virus is not on my machines. It’s inside Network Solutions’ systems.
If you have experienced problems with your Network Solutions hosted web site(s), please mention me @aBigHairySpider, @netsolcares, and #NetworkSolutions in a Tweet or comment on this posting.
Example: “I am also having trouble with my #NetworkSolutions web hosting, @aBigHairySpider (@netsolcares)
** UPDATE **
I spoke with a technical support representative at Network Solutions and was very impressed.
I described the issue and he immediately confirmed my suspicions and said they have been having a problem for a week.
He referred me to this website which will check to see if our sites are still infected:
Sucuri Wigs Scanner
He also emailed me a link to a blog posting Network Solutions has made addressing the issue:
** ADMISSION OF SELF PROMOTION **
Yes, I was hoping you’d tweet my name along with Network Solutions so people would find my blog and my Twitter account. So sue me. Wait, please don’t sue me.
Hugs!!
Leave a Reply