Hosting providers bear a heavy responsibility. They provide website services to many companies and need to keep them all secure. If intruders can break in at the server level, they can compromise huge numbers of sites at once. The attack can affect thousands or millions of users. The individual sites aren’t infected as such, so malware protection and detection on their sites may see nothing wrong. All that they know is that something is wrong with their traffic. This was the case with a problem we recently investigated.
Hosting providers sometimes become complacent because their infrastructure isn't open to the public the way the individual websites are. That's a mistake. Any service which is connected to the Internet is a target for criminals and hackers. A hosted website that gets infected is a jumping-off point for attacks on the infrastructure.
Server-side cybersecurity is vitally important. A provider that fails to protect its hosted sites will suffer serious damage to its reputation and lose business.
Discovering the problem
A website owner saw a sudden drop in visitors. The number of page views coming from search engine results and the number of new sales had decreased alarmingly. Often this will happen if search engines detect malicious activity on a site; they'll stop listing the site in their results till the problem is fixed. That didn't seem to be happening in this case, though. Search results were good, but they weren't being reflected in site visits.
By using the free ThreatSign online malware scanner, the site owner discovered that traffic from search engines was being redirected to another site. Redirection attacks are a sneaky way to bring traffic to a site containing scams or malware. It's common for them just to redirect visits from search engines since those users are often unfamiliar with the site and are easier to fool.
The owner of the site then signed up for the ThreatSign service, and we began investigating. There wasn't any problem with the website itself. We suspected the problem was at the server level, so we contacted the host's support team and asked for access to the server configuration, which they gave us.
The plot thickens
All we knew at this point was that traffic to the site was being redirected. Something less obvious than a website infection was going on. The site was running on a Windows server that belonged to a hosting company, running Active Server Pages on IIS. Could the source of the trouble be in the hosting infrastructure rather than our client's Web directory? If so, the problem was much bigger than just one site.
Theft on a massive scale
Further investigation showed that this was the case. All the sites on the server shared an IP address, so the host needed to use the URL to direct HTTP requests to the proper site. It used a default.asp file to route all incoming traffic.
This file had been modified to steal traffic. If certain conditions were met, such as having a referrer from a search engine, incoming requests would be redirected to an external site. We realized that this affected not just our client, but all of the thousands of site hosted on this server. The others may not have been aware of the problem, or they may have noticed a drop in new visitors but not had any idea why. A massive amount of redirected traffic was going from these sites to an outside site claiming to offer cheap shoes.
Solving the mystery
Our investigation turned up an unpatched security vulnerability that had been exploited, allowing unauthorized modification of the default.asp file. However, just patching the vulnerability and fixing the configuration file didn't solve the problem. The file soon reverted to its hacked state. It took a deeper investigation to find out just what was going on. What we discovered was devious.
The key piece of the problem, ironically, was the hackers' use of legitimate security software to protect their malware from removal. Easy File Locker protects files from deletion or alteration by keeping a hidden copy and using it to restore the file after any change or removal. It's normally used to protect critical files, but in this case, it was protecting files that shouldn't have been there.
This complicated the task of cleaning up the infection, but once we knew what was going on, we were able to remove the unauthorized Easy File Locker and make the redirection go away for good. Problem solved, traffic restored to all the hosted websites. The prompt cooperation of the hosting company was extremely valuable in finding and resolving the issue. Their many other customers shared in the benefit of the repair.
Malicious action: Black SEO technique
Below you can find the screenshots of code from the default.asp file.
The code responsible for the referrer identification:
The code responsible for the actual malicious redirection:
The traffic theft racket
Large-scale, server-level traffic theft is a danger that doesn't get as much publicity as breaches of big-name websites. It siphons off requests from large numbers of sites, most of them familiar to no more than a few thousand people each. If they keep a low profile on each site, the redirection can go on for quite a while before anyone notices.
Sooner or later, though, the issue will become obvious. Site owners will realize their hosting company didn't protect them successfully, and they won't be happy. The host could be liable under the SLA.
Users of the sites are likely to encounter offensive ads, phishing pages, and malware downloads. Anyone who runs into them by clicking on a search result isn't likely to visit the site again. Site owners will lose business and may give up on their hosting.
Protecting hosting services
When it comes to server-side cybersecurity, Web hosting providers need to be constantly on guard. Malware infections at the server level can cost them a large chunk of business if they aren't stopped promptly. A multi-layered approach to protection, detection, and mitigation is a basic business necessity.
Quttera's tools for threat monitoring, detection, and removal help hosting providers secure their customers' websites. Get in touch with us today to learn more.