Weekend Hack Infects Hosting Servers
The Internet Storm Center (ISC) tracked a large-scale hack that infected site-hosting servers, which in turn transformed all the hosted sites into distributors of malicious code.
March 14, 2005
The Internet Storm Center (ISC) tracked a large-scale hack over the weekend that infected site-hosting servers, which in turn transformed all the hosted sites into distributors of malicious code.
"We have received reports and evidence that a number of companies that provide shared hosting Web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked," said the Storm Center's Daniel Wesemann Sunday in an online posting.
It seems that the attack used both direct and indirect means to infect users, said the ISC. In some cases, a script was appended to all home pages of the sites hosted on the compromised servers; the script redirected visitors of those pages to a malicious site (offline as of mid-morning Monday) that actually distributed the malicious code.
But the ISC also found some evidence that a DNS cache poisoning attack was part of the program. "We are not quite sure yet how this is being done, as the files that we've received so far do not seem to contain DNS/DHCP poisoning code."
The hackers, whoever they are (or he is), also used Dynamic DNS to try to stay one step ahead of ISPs and organizations such as the ISC. The IP addresses for three different domains were all resolving to one address -- 217.16.26.148 -- according to the ISC. "The parties behind this attack have quite skillfully 'shifted' the target whenever an ISP started to block traffic or to shut down one of their servers," said Wesemann.
This latest incident of DNS cache poisoning is unrelated to an earlier event this month, which was created by exploiting vulnerabilities in Symantec's gateway products.