Network Solutions vulnerability allows mass infection of WordPress websites
On approximately April 9, 2010, improperly configured web hosting servers at Network Solutions allowed virtually all of the WordPress websites hosted with Network Solutions to be infected by a massive, server-wide malicious attack. This is another example of why Razworks recommends against using budget-quality website hosting from vendors such as Network Solutions, GoDaddy, and the hundreds of other budget hosting clones.
“A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files”, wrote Matt Mullenweg, founding developer of WordPress. “A properly configured web server will not allow users to access the files of another user, regardless of file permissions”, Matt explains. “The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years”.
GoDaddy and Network Solutions are primarily domain registrar companies, where a consumer can register a website domain name, often called a website address, for a minimal fee. These companies also offer low-cost budget website hosting services to complement the domain name registrations. Uninformed consumers often see only one difference between this budget website hosting and standard high-quality website hosting: budget website hosting has an extremely low cost. However, as this mass breach of Network Solutions hosted websites demonstrates, the cost of using budget hosting can be huge.
“Some of our clients spoke with Network Solutions and they confirmed that all their WordPress sites are having issues”, states a blog post at Sucuri Security.
The culprit of this attack was improperly secured database connection credentials, which almost all web applications store in the same way, a plain text file secured by a decryption key. Numerous blogs, from ZDNet to the Washington Post, pointed out that this was not a WordPress-specific problem, as the attacker could have targeted any website CMS such as Joomla, Drupal, Magento, etc., in the same way it affected WordPress. It just happens that WordPress is the most popular website CMS in the industry, so once the attacker discovered the security hole on Network Solutions’ servers, WordPress was obviously the best target for a mass malicious attack.
A Forbes.com blog post stated, “Network Solutions…blamed the WordPress community. But it turned out not to be…. The security problem was simple: Files that weren’t locked down with the proper permissions were visible by other users on the same server. In subsequent blog posts,…the company didn’t say outrightly what the problem was and whether the company had a role in it. Instead, they euphemistically described the incident and didn’t mention previous, wild recommendations…”
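A site owner on shared hosting can check for the exposure described above with a small audit of CMS configuration files. This is an added example, not code from the article or from any of the parties quoted; the configuration file names for each CMS and the function names `audit_config_perms` and `harden` are assumptions introduced here.

```python
import os
import stat
import sys

# Typical credential-bearing config files for the CMSs the article names
# (file names are assumptions added for this example, not from the article).
CONFIG_NAMES = {
    "wp-config.php": "WordPress",
    "configuration.php": "Joomla",
    "settings.php": "Drupal",
    "local.xml": "Magento",
}

def audit_config_perms(root):
    """Return sorted [(path, cms, octal_mode, problems)] for exposed config files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")  # any account on the box can read it
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if mode & stat.S_IWGRP:
                problems.append("group-writable")
            if problems:
                findings.append((path, CONFIG_NAMES[name], oct(mode), problems))
    return sorted(findings)

def harden(path):
    """Restrict a config file to owner read/write only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, cms, mode, problems in audit_config_perms(root):
        print(f"{path} [{cms}] mode={mode}: {', '.join(problems)}")
```

Mode 0600 only works where PHP runs as the account owner, as in the suexec-style setups mentioned in the quote above; where the web server runs as a separate user, the file must stay readable by that user, and isolation between customers then depends on the host's configuration.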
On April 9, 2010, Network Solutions issued this statement:
Network Solutions Customers:
Although this issue is not with our hosting servers, we can help you clean this issue up and restore your site to a previous backup. However, this may not guarantee that the issue will not occur again. We are working with the WordPress community and affected Network Solutions customers to help determine which WordPress theme or plugin that may be causing this issue and we will update this post as we learn more. We continue to look out for our customers and our security team is reviewing logs to determine which WordPress instance or plugin may need to be fixed. We have also been working with experts in the WordPress community on this issue.
Network Solutions updated its blog on April 12, 2010, admitting responsibility for the breach by simply stating, “the root cause for this issue has been addressed.”
The lesson to be learned from this incident? Don’t use budget hosting!