Archive for April, 2008
Evil robot attack takes down and compromises websites
TimesToCome is my personal website. It has been online since 1997. Not once has it been hacked or compromised in over ten years. Not a single website of dozens I’ve put up has been compromised in ten years.
Today TimesToCome was totally taken down and compromised by the evil robot Cuill Twiceler Bot. A quick Google search will show you I’m not the only webmaster who’s had problems with Cuill.
It totally hammered TimesToCome, rapidly downloading over 1600 files before crashing the website. (It's a small website; I don't know how they found that many combinations of pages to download.) And when all was said and done, four directories, two Coppermine and two WordPress, were totally compromised, with all *.php files converted to 0777 permissions.
I strongly recommend you block this robot in your .htaccess file.
I was lucky and discovered the problem less than an hour after it was compromised. Cuill Twiceler answered my email stating they will not hit my website’s IP again. I don’t trust anyone who doesn’t know what his robot has been up to. So I will be blocking them anyhow using .htaccess files.
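An .htaccess fragment that does the blocking recommended above. This is an added example, not the rule from the post or from the hosting company; it assumes Apache 2.2 with mod_setenvif and mod_authz_host enabled, and it keys on the token "Twiceler" in the User-Agent header, which is the crawler's name as given on this page. Any other tokens are placeholders for bots you decide to add.

```apache
# Tag requests whose User-Agent contains the crawler's name (case-insensitive).
# Add one SetEnvIfNoCase line per bot; "bad_bot" is just an environment-variable name.
SetEnvIfNoCase User-Agent "Twiceler" bad_bot

# Allow everyone, then deny anything that was tagged above.
Order Allow,Deny
Allow from all
Deny from env=bad_bot
```

Tagged requests get a 403 before any PHP runs, which is the point: the crawler never reaches the pages (or the planted files) it was fetching. A bot can lie about its User-Agent, so treat this as a convenience, not a security boundary; the real fix is further down the post.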
*** Follow up ***
More details emerge.
Some unknown (except for IP address) entity uploaded some PHP files hidden in a *.jpg file to the albums/userpics directories in Coppermine.
When Cuill-Twiceler stomped all over my site like Godzilla does to Tokyo, it tripped that file. Even though the exploit did not work as planned, it converted the image file extension to a *.zip file extension, then ran a function in that file that converted all the php, htm and html files to 777 permissions in all directories on the website. It failed to create an iframe in the Coppermine files directing it to some porn site because the wonderful people at my hosting company don't let their servers run files with world permissions.
Since there were no links to the compromised file, the robot never should have found them and triggered them. The robot is badly broken.
I strongly urge anyone using Coppermine to upgrade. The upgrade was painless.
As always, keep an eye on any image directories you have on a website; those seem to be where most exploits park themselves. Any program that allows the general public to upload an image or zip file to your server without verifying what's in it makes you vulnerable: the person who uploaded the file, or a crazy robot, can then trigger the script that is inside it. Checking the file extension alone is not enough, since a valid image header can be followed by PHP code; check the contents as well, and configure the web server so that nothing in an upload directory can be executed as a script, which is the rule that saved this site.
See also:
I don’t like spiders and bots
What everyone ought to know about bots
More information:
Cuill banned from over 10,000 websites
Digital Point: Several webmasters banning Cuill for bad behavior
Twiceler banned across server farm
Twiceler sucking up bandwidth
Twiceler needs to be reined in
Guards out for Twiceler
Evil entity Twiceler
How to stop Twiceler
Network Solutions involved in more unethical behavior
If you have anything left, domains, hosting, etc at Network Solutions I strongly urge you to move it elsewhere.
This week they’ve been caught using your subdomains as spam sites.
Earlier this week, a man named Win Betteridge told TechCrunch that Network Solutions pulled this clever little trick with his “social gaming” site, GotGame.com. Betteridge hosts GotGame with “NetSol,” and somewhere along the way, he realized that his unused GotGame sub-domains resolved to ad-infested “parking” pages.
“For instance, app.gotgame.com resolves to a Network Solutions page with text links, including ‘Poker Tournaments’ and ‘Texas Holdem Games,’” he said.
As pointed out by ArsTechnica, the Virginia-based Network Solutions reserves the right to do this with every site it hosts. The company’s terms of service include this:
You also agree that any domain name directory, sub-directory, file name or path (e.g.) that does not resolve to an active web page on your Web site being hosted by Network Solutions, may be used by Network Solutions to place a “parking” page, “under construction” page, or other temporary page that may include promotions and advertisements for, and links to, Network Solutions’ Web site, Network Solutions product and service offerings, third-party Web sites, third-party product and service offerings, and/or Internet search engines. You agree that Network Solutions may change the content and/or appearance of, or disable any of these temporary pages at any time, in its sole discretion, and without prior notice.
Yes, you can opt out of this questionable program. But first you have to know about it. The EULA housing the above paragraph is 59,000 words long. [ read more The Register: Network Solutions hijacks customer sub-domains for ad fest ]
Not so long ago, Network Solutions made the tech news for domain front running:
Domain registrar Network Solutions has come under fire this week for what some believe is “domain name frontrunning.” The practice resulted in Network Solutions registering a previously-unregistered domain to itself immediately after someone searched for it, then holding the domain for four days before it could be purchased by someone else or at another registrar. But the company claims that it’s merely trying to protect customers from others doing exactly that. Until there is more regulation over frontrunning from ICANN, this is the best it can come up with.
News circulated about Network Solutions’ controversial practice over the weekend and built momentum throughout the week, as the company gained more and more bad press. Critics said that Network Solutions was holding domains hostage—the policy forced people to become Network Solutions customers instead of being able to go to another registrar after searching for domain availability. [ read more ArsTechnica - Network Solutions defends frontrunning ]
Until ICANN grows a backbone the only protection webmasters have against this type of behavior is to publish it far and wide and take our business elsewhere.