I have my own VPS on another host but right now having a very poor experience with Network Solutions. I'm doing a site for local non profit for free.
Not sure if this was related to the main issue but for starters there was four folders in htdocs that I was unable to delete, even using their file manager these folders didn't want to die. I could see they were owned by root but these were clearly user folders. In any event after talking on the phone with "tech support" I was told to have the account owner contact them <sigh> ...There is no one technically skilled in this organization. In any event for whatever reason I was able to get them delete the next day via FTP, didn't look to see if they changed the owner.
That solved and the site up and running under a new CMS installation that I developed locally I go to add the photo album and find that files I had backed up over FTP from the htdocs folder are not the full resolution images which makes sense for display on a web page. The problem is they had used Network Solutions proprietary site builder for this site over the years with different people so getting the original files from these various people would be impossible and THERE IS NO WAY TO DOWNLOAD THE ORIGINAL IMAGES IN BULK. They have a web based file browser and the only way to get the original images is to select
one thumbnail, click the edit button and then right click the full image to save as. Repeat for each image and with at least a thousand images....... not going to happen.
That is not the primary issue though, after uploading a few images I decided to check how it was rendering using browsershots.org and I get the error "the server did not send a content type header". Over to web-sniffer.net and this is the results:
Quote:
Status: HTTP/1.0 200 OK
Expires: Sat, 6 May 1995 12:00:00 GMT
P3P: CP=NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 144
Connection: Close
Content (0.14 KiB)
<html><body><script>document.cookie='yyyyyyy=c2dc5 27cyyyyyyy_c2dc527c; path=/';window.location.href=window.location.href;</script></body></html>
|
What's weird here is that this doesn't show up in the headers for a browser. I did find reference from 2001 for similar output being used to steal cookies and you only get whacked with it when there is external referrer. I can't replicate it clicking on link from Google though.
I upload a text file test.html that simply has the word test in it and get the same results from web-sniffer.net. Fetching as Googlebot and few other sites provide the same reuslt. I start a support ticket explaining the issue and the reply I get explains the difference between HTML and WYSIWYG editors and some other nonsense. They do have link to chat for further support so I try that.
This is the only tech that had any sense, after seeing the results from web-sniffer.net he recognized it as an issue. There was a binary file above the htdocs folder named htdocs that didn't belong there. He couldn't delete it and I couldn't delete it, I guess he had to get a higher level tech to delete it. He tells me to wait 24 hours so that the cache clears and the issue should go away which made no sense.
24 hours later this problem still exists so back to the tech chat.
Quote:
Chat InformationPlease wait for a specialist.
You are '1' in queue with an average wait of '0' minutes and '30' seconds.
Chat InformationYou are now chatting with 'Korey N' in Florida.
Korey N: Thank you for contacting Network Solutions service chat. Just a minute while I review your service request so that I can answer your questions.
Richard: This is still unresolved, see also ticket 1-XXXXXX2
Korey N: Ok how can I help?
Richard: Korey go to web-sniffer.net and type in the domain.
Richard: The content is
Richard: <html><body><script>document.cookie='yyyyyyy=eed9e 2beyyyyyyy_eed9e2be; path=/';window.location.href=window.location.href;</script></body></html>
Richard: That is being injected from somewhere.
Korey N: Is this a custom coded site?
Richard: Korey, any page on the domain returns that string.
Korey N: Im not understanding your issue. Can you please provide more details on the issues you are having?
Richard: Korey view this page:
Richard: example.com/test.html
Korey N: Can you please explain your issue so that I can assist
Richard: Korey go that url, it says:
Richard: test
Richard: correct?
Korey N: Yes I see that
Richard: It's just a text document
Richard: Now try it in web-sniffer.net
Richard: See the content output at the bottom?
Richard: <html><body><script>document.cookie='yyyyyyy=eed9e 2beyyyyyyy_eed9e2be; path=/';window.location.href=window.location.href;</script></body></html>
Richard: That's being injected somewhere.
Korey N: I apologize however this is not a network solutions website. I am not able to replicate this issue
Richard: Korey, give me higher level tech since you obviously don't understand what is going on here.
Korey N: If you feel as though your site has been compromised please review all of your content for any malicious files or scripts and update all your applications and credentials
Korey N: I am sorry however we cannot troubleshoot results from a third party site
Richard: Give me higher level tech please.
Korey N: I am level 2 support. We do not support troubleshooting custom code under our standard scope of support. And at this time I am not seeing this injected text in the raw text document. If there is a file injecting code as you said you will need to have your developer remove it or upload a clean copy and do as I said above to ensure security.
Richard: Korey, that code is being injected somewhere.
Korey N: At this time I am not seeing this injected text in the raw text document. If there is a file injecting code as you said you will need to have your developer remove it or upload a clean copy and do as I said above to ensure security.
Korey N: At this time there are no indications that the server itself is causing this issue. Again please have your developer research further to ensure there are no malicious scripts
Richard: You have to go to third party site like web-sniffer.net to see it.
Korey N: I
Korey N: I'm sorry however other than the third party site I am unable to replicate the issue
Richard: You can replicate this on numerous third party sites
Richard: browsershots.org
Korey N: I apologize however I am unable to replicate this issue. Please have your developer review the site to ensure there are no malicious contents and update all applications and passwords to ensure security. Did you have any other questions for me today?
Richard: See ticket 1-XXXXXX2
Richard: Give me a higher level tech Korey.
Korey N: This ticket was resolved. Are you still having an issue with an htdocs file above /htdocs?
Richard: Give me a higher level tech
Korey N: Was there anything else that I can assist you with?
Richard: Yes, give me a higher level tech
Korey N: If there is nothing more that I can assist you with I will go ahead and end this chat.
Richard: Korey I want a higher level tech.
Korey N: Thank you for contacting Network Solutions. Take care!
Chat InformationChat session has been terminated by the site operator.
|
A short time later I get an email from Korey telling me they are escalating it and it might be
24 to 48 hours before I hear anything. 48 hours later I still haven't heard anything. Back to the chat... Again they try and blame me but anticipating this I deleted every file in htdocs except test.html (no problem doing this as no one is going to miss it for a while
) and still the same problem. Reverse IP lookup and other domains on this same IP have the same issue so without a doubt this server is hacked. I even showed them other IP's of there's that don't have this issue so the guy tells me it will be another 24 hours....
Again this is a non profit and they have 6 months left on this plan, had that not been the case I would have immediately suggested they move to another host. This has been ongoing since the 3rd at 7 in the morning and still no resolution.
