Hacked HostGator Sites Distribute IE Exploit

Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.

UPDATE: HostGator says its servers were attacked through a previously unknown security hole in cPanel. See our update for the latest details.

HostGator general manager Jason Muni told Security Fix that attackers had "reconfigured an unknown number of Web sites hosted on the company's servers to redirect visitors to a third-party Web site that tried to load the IE exploit." Muni said the company reconfigured all of its 200 servers to address the problem. But as of 5:30 pm EST Friday, some HostGator customers were continuing to report that their sites were compromised and redirecting visitors, indicating the problems were ongoing.

A subsequent forum posting by a HostGator staffer confirmed that the company has not yet come up with an effective defense against the attack. "We have everyone working on the situation, even a few CTO's from other companies we know personally," said the post from GatorBrent. "We can make the problem disappear for a little while but it keeps coming back on a majority of our servers. We believe this is a 0-day exploit with HostGator being the target. We are being completely overwhelmed currently with chat, phones, tickets, etc. We are working on finding the root of the problem so we can put a stop to it."

Microsoft's security team said Friday afternoon that it may release a patch for the VML exploit before its next scheduled update on Oct. 10. "Attacks remain limited," Microsoft's Scott Deacon wrote on the Security Response blog. "There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.

"Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability," Deacon added. "We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment."

An unofficial patch has been released by the Zeroday Emergency Response Team (ZERT), a group of veteran security researchers. "We think it’s great that there are people out there working to help protect our customers," Microsoft's Deacon wrote. "But as we’ve always said, we cannot endorse third party updates."