Virus Information News


Apache Project Servers Infiltrated Via XSS Bug, Passwords Compromised
WHIR Web Hosting Industry News
April 14, 2010

Hackers gained access to a server used by the Apache Software Foundation to keep track of software bugs, in an attack that exploited a cross-site scripting bug.

According to the incident report, hackers using a compromised Slicehost server opened a new issue containing a URL that redirected back to the Apache instance of JIRA, at a special URL carrying a cross-site scripting attack crafted to steal the session cookie of the user logged in to JIRA. Several administrators clicked on the link, compromising their sessions. Meanwhile, the attackers started a brute force attack against the JIRA login.jsp, running through hundreds of thousands of password combinations. A day later, one of these attempts was successful, giving the hacker administrator privileges on a JIRA account. They used this account to disable notifications for a project and to change the path used to upload attachments. They created several new issues and uploaded attachments to them -- including JSP files that gave them backdoor access to the system, and a JSP file that was used to browse and copy the file system, creating copies of many users' home directories and various files. By the morning of April 9, the attackers had installed a JAR file that would collect and save all passwords upon login. The attacker then sent password reset mails from JIRA to members of the Apache Infrastructure team, who, thinking that JIRA had encountered an innocent bug, logged in using the temporary password sent in the mail, then changed the passwords on their accounts back to their usual passwords. One of the recovered passwords was the same as that of a local user account on the machine that hosted the Apache installs of JIRA, Confluence, and Bugzilla, which the attacker used to gain full root access to that machine. With root access, the attackers found several users who had cached Subversion authentication credentials, and used them to log into the main shell server.

Hundreds of WordPress Blogs and Sites Recover From Attack
WHIR Web Hosting Industry News
April 12, 2010

As users prepare for version three of the popular open-source blogging platform WordPress, many of those using WordPress have had their site or blog hacked, redirecting visitors to a page that attempts to install malicious software.

According to a Friday report from security expert Brian Krebs, who surveyed multiple postings on WordPress forums and blogs, the attack appears not to modify or create files, but instead injects a web address directly into the target site's database, redirecting visitors to that address. Also, due to this attack method, site owners were locked out of the WordPress interface for their blogs. If the forum posts were any indication, nearly every WordPress user affected reported Network Solutions as their current hosting provider, although the company claims that not only Network Solutions customers were affected. Shashi Bellamkonda, Network Solutions' head of social media, noted in a Sunday blog entry that the WordPress issue has been fixed. Though he doesn't identify the root cause of the issue, he writes that it has been addressed, and most sites have been fixed. "In solving the problem, we have had to change database passwords for WordPress. Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes." It remains unclear whether the point of compromise is a WordPress vulnerability, a malicious WordPress plugin, or whether it has to do with a common service provider. As a precaution, Network Solutions is urging customers using WordPress to log into their account, change their administrative passwords, and delete all administrative access accounts they do not recognize.

US Wins Dirtiest Web Hosting Country Title: Sophos Report
WHIR Web Hosting Industry News
by David Hamilton
February 3, 2010

According to Sophos' Security Threat Report, more than a third of the world's infected sites are hosted in the US, placing it ahead of Russia's 12.8 percent share and China's 11.2 percent.

Sophos warns US hosts to clean up their act by taking better care to weed out malicious websites in their care. Also, webmasters should ensure that their sites are securely coded and properly patched against hackers who try to inject malicious software into their pages.

CIA, PayPal Among Organizations Hit by SSL Assault
WHIR Web Hosting Industry News
by David Hamilton
February 1, 2010

According to multiple reports by online researchers, including Internet watchdog group Shadow Server and SecureWorks malware research director Joe Stewart, these sites experienced an unexpected rise in traffic by several million hits spread out across sev

"This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth," Shadow Server notes in a blog post. Shadow Server went on to suggest that the Pushdo botnet, which recently underwent changes to its core code, was likely the perpetrator, causing infected nodes to create junk SSL connections to approximately 315 different websites. This attack, Shadow Server notes, is not the typical distributed denial of service operation, and it seems that knocking sites offline wasn't the end goal. "The bots seem to start to initiate an SSL connection and a bit of junk to the websites and then disconnect," they stated. "They do not actually request any resources from the website or do anything else other than repeat the cycle periodically. They are doing this to hundreds of sites all day long. We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn't quite look like a DDoS either." Given the nature of the attack, it remains unclear why Pushdo unleashed the torrent.

Leaders Call for Review After 49 House Websites Defaced
WHIR Web Hosting Industry News
by David Hamilton
January 29, 2010

Following the president's State of the Union address, a hacker infiltrated 49 House of Representatives websites of both political stripes to post an obscene message insulting President Barack Obama.

House chief administrative officer spokesman Jeff Ventura told the press that while most House websites are managed entirely by House technicians, individual offices are permitted to contract with a third party to manage new features and updates. The sites that succumbed to the online attack were managed by GovTrends, a private vendor based in Alexandria, Virginia. Ventura told the AP that, while performing an update, GovTrends left itself vulnerable, letting the hacker penetrate individual member and committee sites overnight. This let the attacker leave a message insulting the president, who spoke at the House Wednesday night. The message read that it was "from Brasil"; however, the true origins of the attack are unclear, as are any specific political motivations.

ICANN Announces DNSSEC Deployment in Root Zone of DNS
WHIR Web Hosting Industry News
by David Hamilton
January 28, 2010

In an important milestone, the three organizations spanning business, government and non-profit sectors have enabled DNSSEC information to now be served by L-Root, one of the Internet's 13 root servers, operated by ICANN.

According to the announcement this week, ICANN collaborated with the Commerce Department's National Telecommunications and Information Administration and VeriSign, Inc. in an effort to bolster the deployment of DNSSEC in the root zone of the Domain Name System, which is vitally important to the proper operation of almost all services on the Internet. DNSSEC deployment in the root zone is the biggest structural improvement to the DNS in two decades, according to ICANN. The Internet's technical community has been widely involved in the rollout of DNSSEC to make sure that any unintended consequences of the deployment can be identified and mitigated promptly. ICANN engineers executed a maintenance procedure to introduce DNSSEC data into L-Root between 1800 and 2000 UTC on Wednesday. The maintenance was completed as planned. The reaction of the root server system as a whole to the change is being closely monitored, with root server operators performing extensive data collection and analysis coordinated by DNS-OARC, the Domain Name System Operations Analysis and Research Center.

New Zero-Day Threats and High Spam Levels: MessageLabs Report
WHIR Web Hosting Industry News
January 22, 2010

According to a report released last week by Symantec, 83.4 percent of spam at the end of 2009 originated from botnets. Around 900 million spam emails originated from free webmail accounts, and more than 79 percent of webmail spam came from three well-kno

"Despite the best efforts of the webmail providers to prevent this abuse of their services, there is still a viable market in the underground economy for buying and selling legitimate and usable webmail accounts," Symantec Hosted Services MessageLabs Intelligence senior analyst Paul Wood said in a statement. Last month, a new zero-day vulnerability in a popular .PDF viewer was found to be used to target high-level individuals in the public sector, education, financial services and large international corporations. It arrives as a .PDF file containing embedded malicious JavaScript code. The attack also had a social engineering aspect -- the attack varied according to the individual and organization being targeted, making it seem legitimate. MessageLabs Intelligence blocked the first versions in November 2009, protecting Symantec Hosted Services customers from the attack before it began.

Chinese Search Engine Baidu Sues Its US Web Host Over Hacking Incident
WHIR Web Hosting Industry News
January 20, 2010

Following a January 12 attack that left Baidu's main search engine inaccessible for several hours, Baidu announced on Wednesday that it had filed a lawsuit against its US web host and that it was actively seeking a new hosting provider for its search engine.

"The fault of led to the malicious and unlawful altering of the domain name of Baidu, which made thousands of people unable to visit and brought serious losses to Baidu," the company stated. Last week, Baidu searches were reportedly redirected, and its homepage carried the message, "This site has been hacked by Iranian Cyber Army." This suggests that it was the same group that hacked the social networking site Twitter last month.

Network Solutions Responds to Site Defacements
WHIR Web Hosting Industry News
January 20, 2010

After hackers defaced hundreds of websites hosted by Network Solutions, the company said Tuesday that it is monitoring this threat and working with law enforcement organizations as it works to restore the impacted sites. "We have discovered the cause of a

"Hackers were able to add a file displaying illegitimate content on top of the customer website content. This was an issue on multiple servers and unknown intruders were able to get through by using a file inclusion technique. There was no danger to any personally identifiable or secure information." Bellamkonda noted that after this issue is sorted out, Network Solutions will be undertaking precautionary actions that may include some server configuration modifications.

Spammers Exploit Free Web Hosting Services
WHIR Web Hosting Industry News
by David Hamilton
January 11, 2010

Temporarily benefiting from a host's legitimate reputation, spammers are taking advantage of "free-hosting" services for their nefarious purposes.

In its January 2010 Spam Report, McAfee made note of the growing trend of spammers signing up for free subdomains and complimentary hosting. Oftentimes they are allowed to use a unique third-level domain, giving them the appearance of a legitimate site. "Using a free hosting service is a good tactic for spammers because it is easier to automatically block a new infected website than to block a site that has been around for a longer period and has possibly had legitimate traffic associated with it," wrote the McAfee report's authors. "This edge can provide spammers a few precious additional hours before the spam-blocking services of the world blacklist that host. In the course of a few hours a botnet can generate billions of messages." With long-time free hosting site Geocities shutting its doors just months ago, dozens of similar free hosting sites have sprung up to provide free web space to anyone who requests it. Unfortunately, spammers have requested a lot of it.


Shawn K. Hall © 2003-2022 Powered by 12 Point Design