Standard User deleted
(deleted) Tue 25-Jul-06 13:29:19

UKHost4U Colo10 cPanel hacked


 
My friend's site was hacked by allah asking for money (link is PDF screenshot)

In the html file is a link to an audio track on the domain
http://www.anashed.net

This domain is serviced by
http://www.networksolutions.com

I emailed Network Solutions with details of the hack but rather than taking action they're passing the blame onto a "hosting company" without releasing details of who they are.

I would have thought any illegal activity would be enough for the host, networksolutions, to shut down service to the criminals, but apparently not:

Although the domain name is registered through Network Solutions, we have determined that another hosting company is currently handling the Web site and e-mail services for the domain name. Please contact the Internet Service Provider or the Web Hosting Company directly for information regarding those services.

edit:
I've tracked the hosting company to Saudi Arabia - surely networksolutions in the USA would want to get involved?

inetnum: 194.105.148.0 - 194.105.149.255
netname: NASHIRNET-SA
descr: Nashirnet IPv4 Network
country: SA
org: ORG-NA167-RIPE
admin-c: KA1364-RIPE
tech-c: KA1364-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: EUROACCESS-MNT
mnt-routes: EUROACCESS-MNT
mnt-domains: EUROACCESS-MNT
source: RIPE # Filtered

organisation: ORG-NA167-RIPE
org-name: NASHIRNET-SA
org-type: NON-REGISTRY
address: National Computer Systems
P.O Box 540
Riyadh, Riyadh 11372
Saudi Arabia
e-mail: [email protected]
phone: +96614657070
mnt-ref: EUROACCESS-MNT
mnt-by: EUROACCESS-MNT
source: RIPE # Filtered

person: Khalid Alhalwan
address: National Computer Systems
Khalid Alhalwan (ID00003212)
P.O Box 540
Riyadh, Riyadh 11372
Saudi Arabia
phone: +96614657070
e-mail: [email protected]
nic-hdl: KA1364-RIPE
mnt-by: EUROACCESS-MNT
source: RIPE # Filtered

% Information related to '194.105.148.0/23AS34305'

route: 194.105.148.0/23
descr: EuroAccess Route
origin: AS34305
mnt-by: EUROACCESS-MNT
source: RIPE # Filtered

Edited by deleted (Tue 25-Jul-06 13:34:21)

Standard User deleted
(deleted) Tue 25-Jul-06 15:10:55

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
i hope there are off-server backups?

what usually happens is the script kiddies, that's what they are, find security flaws in installed applications, forums, galleries etc. there may be folders where users can upload files, images mainly. they then upload scripts disguised as images.

they then execute these scripts, usually they gain access to files that are owned by all the users. i'd say they're lying about having a copy; the most they can do is delete stuff. this is certainly what happened in my experience.

10 minutes later i had the backup restored.

just hope the host has a recent full backup.

Edited by deleted (Tue 25-Jul-06 15:21:59)
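
The upload trick described in the post above (scripts disguised as images in a user-writable folder) can be checked for from the defending side. This is an added example, not part of the original thread; the function names, extension lists and sample files are constructed for illustration.

```python
import os

# Leading bytes of the image types an upload folder would normally hold.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".pl", ".cgi"}

def inspect_upload(name, data):
    """Return a list of reasons why an uploaded file is suspicious."""
    reasons = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    final = exts[-1] if exts else ""
    # Catches shell.php and photo.php.png alike: some handler
    # configurations act on any extension in the name, not just the last.
    if any(e in SCRIPT_EXTS for e in exts):
        reasons.append("script extension in file name")
    magic = IMAGE_MAGIC.get(final)
    if magic and not data.startswith(magic):
        reasons.append("content does not match image extension")
    # A valid image header can still be followed by embedded PHP.
    if b"<?php" in data.lower():
        reasons.append("contains PHP open tag")
    return reasons

def scan_folder(root):
    """Walk an upload folder and map relative path -> list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                reasons = inspect_upload(fname, fh.read())
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

# Constructed samples: one clean GIF and three suspicious uploads.
SAMPLES = {
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    "avatar.jpg": b"<?php /* constructed placeholder */ ?>",
    "banner.gif": b"GIF89a<?php /* constructed placeholder */ ?>",
    "photo.php.png": b"\x89PNG\r\n\x1a\n\x00\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_upload(name, data) or "ok")
```

Run `scan_folder()` against each user-writable upload directory; anything it reports should be reviewed before restoring from backup, since a restore that keeps the planted file leaves the way back in.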

Standard User deleted
(deleted) Tue 25-Jul-06 15:27:46

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
The host doesn't keep server backups allegedly but fortunately only the index.html and index.css files were replaced by the hack. Allegedly it was done through a PHP exploit in a cPanel user's file.

Thanks for your thoughts.




Standard User deleted
(deleted) Tue 25-Jul-06 17:06:33

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
Network Solutions say they're protected by law not to act against domains registered by it, here's the text

On November 1, 1999, a three-judge panel of the U. S. Court of Appeals for the Ninth-Circuit ruled that Network Solutions has no
responsibility or duty to police the rights of trademark owners concerning domain names.

If the domain owner in question is conducting criminal activity we would ask you to defer to either the police or the proper authorities

Standard User deleted
(deleted) Thu 27-Jul-06 14:30:52

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
I've given up trying to get the hosts to take action, no one cares. Essentially the hacker is licensed to continue. I guess we'll have an internet police one day to report to, clearly the industry can't regulate itself.

NetworkSolutions.com
"Not our problem"

Nashirnet.net
"UKHost4U should have better security"

Platinumhost.net (DNS servers)
no response

Edited by deleted (Thu 27-Jul-06 14:32:26)

Standard User deleted
(deleted) Sat 29-Jul-06 00:53:07

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
Is it the website or cpanel that is showing this page?

If it is the page, it is a vulnerable script or a bad bot rather than to do with the host

Standard User andy_capp
(fountain of knowledge) Sat 29-Jul-06 01:29:40

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
According to Zone-H.org they do mass defacements of the home page. I wouldn't say they've set out to go after bosie's mate. They've done over 900 defacements mostly shared servers and like Linux servers.

Probably just a bug they've found or heard of and written or found a script to do the sites. It could be one person or it could be several, more than likely the script would have been launched from a hacked computer or an open wifi connection, which would make it nigh on impossible to find them.

At the end of the day it's up to the hosting company to keep its servers up to date or if bosie's mate has his own server colocated then for him to keep his server up to date.

If it's the former then I'd be finding another hosting company.

Standard User deleted
(deleted) Sat 29-Jul-06 01:42:51

Re: UKHost4U Colo10 cPanel hacked


[re: andy_capp]
 
it is the former.

Standard User deleted
(deleted) Sun 06-Aug-06 11:42:53

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
My friend's site was hacked again, this time by Jesus. Also the RIPE info has been changed and his domain now belongs to someone else.



Standard User deleted
(deleted) Sun 06-Aug-06 13:03:58

Re: UKHost4U Colo10 cPanel hacked


[re: deleted]
 
well that's a new one