Latest news of the domain name industry

Go Daddy plays down “massive” attack claim

Kevin Murphy, April 26, 2010, Domain Registrars

Malicious hackers have compromised a number of WordPress installations running on Go Daddy hosting, but the company claims very few customers were affected.

Slashdot carried a story a few hours ago, linking to a blog claiming a “massive” breach of security at the domain name registrar.

(EDIT: as noted in the comments, this blog may itself have been hacked, so I’ve removed the link. You can find it in the comments if you want to take the risk.)

But Go Daddy says the problem is not as widespread as it sounds.

“We received reports from a handful of Go Daddy customers using WordPress their websites were impacted by the script in question,” Go Daddy security chief Todd Redfoot said in a statement.

“We immediately opened an investigation into what happened, how it was done and how many sites were affected,” he said. “The investigation is currently ongoing.”

The attack is certainly not ubiquitous. I host a number of WordPress sites with Go Daddy, including this one, and they all appear to be working fine today.

And a Twitter search reveals no references to an attack today prior to the Slashdot post, apart from the blog it was based on.

That doesn’t prove anything, but when Network Solutions’ WordPress hosting was breached last week there was a lot more tweet noise. That attack had thousands of victims.

For those interested in the details of the attack, this WordPress security blog appears to be the best place to get the nitty-gritty.

Network Solutions under attack again

Kevin Murphy, April 18, 2010, Domain Registrars

Network Solutions’ hosting operation is under attack for the second time in a week, and this time it’s definitely not a WordPress problem.

The company has acknowledged that it has “received reports that Network Solutions customers are seeing malicious code added to their websites”, but has not yet released further details.

Sucuri.net, which was intimately involved in the news of the hack against NSI’s WordPress installations last week, blogged that this time the attacks appear to have compromised not only WordPress, but also Joomla-based and plain HTML sites.

Last week’s attacks were eventually blamed on insecure file permissions, which enabled shared-server hosting customers to look at each other’s WordPress database passwords.

But today NSI, one of the top-five domain name registrars, said: “It may not be accurate to categorize this as a single issue such as ‘file permissions’.”

Sucuri said that malicious JavaScript is being injected into the sites, creating an IFrame that sends visitors to drive-by download sites.

It’s a developing story, and not all the facts are out yet.

But it’s clear that NSI has a public relations problem on its hands. Some customers are already using Twitter to declare that they will switch hosts as a result.

And if it’s true, as Sucuri reports, that Google is already blocking some of the affected sites, who can blame them?

WordPress founder criticizes NSI’s security

Kevin Murphy, April 13, 2010, Domain Registrars

WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.

It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.

Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”

WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.

If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.

That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.

The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.

Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.

NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.
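
A check for the misconfiguration described in this post, added here as an example and not taken from the original article, NSI or WordPress: it lists wp-config.php files that accounts other than the owner can read or write, and tightens them to owner-only. It assumes PHP runs as the account that owns the file, so mode 0600 does not break the site; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit wp-config.php permissions under a hosting root.
# Assumption: PHP executes as the file's owner (per-user PHP), so 0600 is
# sufficient. If the web server runs as a separate shared user, the file
# needs a dedicated group instead, and this script's fix would be too strict.

# Print each wp-config.php under $1 whose mode grants read or write
# to the group or to everyone else on the box.
find_exposed_wp_configs() {
    find "$1" -type f -name 'wp-config.php' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# Number of exposed files under $1.
count_exposed_wp_configs() {
    find_exposed_wp_configs "$1" | wc -l | tr -d ' '
}

# Set every exposed wp-config.php under $1 to owner read/write only,
# printing each path that was changed.
harden_wp_configs() {
    find "$1" -type f -name 'wp-config.php' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
        -exec chmod 600 {} \; -print
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    echo "Exposed wp-config.php files under $1:"
    find_exposed_wp_configs "$1"
fi
```

Tightening the mode stops further reads but does not undo an earlier one, which is why the password reset mentioned above is still needed.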

Beckstrom: DNS is under attack

Kevin Murphy, March 11, 2010, Domain Policy

ICANN chief Rod Beckstrom has come in for a bit of criticism over “inflammatory” comments he made at the Government Advisory Committee meeting on Tuesday.

The headline quote: “The domain name system is more fragile and vulnerable today than it has ever been. It could stop at any given point in time, literally.”

Beckstrom described a DNS on its knees, then pointed the finger at unspecified nations for DNS abuses allegedly happening within their virtual borders, and said he would be writing to GAC members for more information and advice.

It was part call to arms, part Chicken Little.

If you missed it, here’s a full transcript.