Tuesday, July 22, 2008

Removing the alenaprosti Worm from Your Infected Files on Network Solutions' Host

I suppose it is in order to shed some light on how to clean the infection out of your files.

First, check your .htaccess for a rewrite rule directing requests for "alenaprosti" to a folder on your virtual host. Mine was a folder labeled "29". Delete this folder and all its contents, and remove the rewrite rule from your .htaccess file.

Next, check all index files (index.html, index.php, index.cgi, index.shtml, etc.) for code matching the regular expression <ul style="display:none;">.*</ul> and delete it from each file.

Now, do a Google site search for "alenaprosti" on your domain. For example, search the following: "alenaprosti site:mydomain.com". Using each of the entries, visit the Google Webmasters site at www.google.com/webmasters/ and submit URL removals for each of the results. It wouldn't hurt to add a disallow for "alenaprosti" in your robots.txt file, either.

This should work in most instances, but until Network Solutions fixes their security leak, be prepared to do it all over again in a month.
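The .htaccess and index-file checks above as a script, added here as an example and not part of the original post. It assumes Python 3 and a local copy of the site (for example, one downloaded over FTP); the non-greedy, multi-line form of the pattern and the .bak backups are choices made for this example.

```python
import re
import shutil
import sys
from pathlib import Path

MARKER = "alenaprosti"
# The post's pattern, on bytes so file encodings survive a rewrite.
# Assumption added here: non-greedy and multi-line, so visible markup
# sitting between two hidden lists is not swallowed by one match.
HIDDEN_UL = re.compile(rb'<ul style="display:none;">.*?</ul>', re.DOTALL)


def scan(docroot):
    """Report-only pass: return (path, kind, detail) tuples."""
    findings = []
    for path in sorted(Path(docroot).rglob("*")):
        if not path.is_file() or path.suffix == ".bak":
            continue
        if path.name == ".htaccess":
            lines = path.read_text(errors="replace").splitlines()
            for n, line in enumerate(lines, 1):
                if MARKER in line.lower():
                    findings.append((path, "htaccess-rule", f"line {n}: {line.strip()}"))
        elif path.name.startswith("index."):
            for m in HIDDEN_UL.finditer(path.read_bytes()):
                snippet = m.group(0)[:60].decode(errors="replace")
                findings.append((path, "hidden-ul", snippet))
    return findings


def clean_index(path):
    """Strip hidden lists from one file after saving a .bak copy.

    Returns the number of blocks removed. Review scan() output first:
    a site's own menus may legitimately use display:none.
    """
    path = Path(path)
    cleaned, count = HIDDEN_UL.subn(b"", path.read_bytes())
    if count:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(cleaned)
    return count


if __name__ == "__main__":
    for path, kind, detail in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}\t{detail}")
```

Move the .bak copies out of the web root once you have checked the cleaned pages, since they still contain the injected markup.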

Network Solutions Hosting Server has a Worm

After many recent back-and-forth emails with Network Solutions' Customer no-Service Department, it became clear to me that one of their main hosting servers is infected with a worm and HUNDREDS of sites are now infected as a result.

Go ahead, do the search in Google for "alenaprosti". You'll be surprised at the number of infected sites.

Network Solutions still has the nerve to tell me my "permissions settings are incorrect" when in fact it is their server that is infected. I sent them a list of about the first 70 sites from the Google results, of which 99% were on the server with IP 205.178.145.65.

Are you one of the hundreds affected? I hope so - then we can revolt! I smell a lawsuit cooking already.
