Saturday, January 26, 2008

Apollo Hosting Shared Server Customers Appear To Be Hacked

One of my websites is a directory, and when I last ran my link checker about 10 days ago to verify that the listed sites were still valid, several of them triggered a test I installed to check for hacked sites. After a little research they all turned out to be hosted on Apollo Hosting.

What I found were very large blocks of ads embedded in the home page of each compromised site for every kind of pharma product you've ever seen spammed, with the links pointing to landing pages on multiple compromised servers, including several universities. Some of the landing pages are also hosted on Apollo Hosting, so Apollo servers are being used to host both the hackers' pharma links and their pharma landing pages.
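For readers who want to add the same kind of test to their own link checker, here is an added example (not the author's checker, and nothing from Apollo Hosting) of a heuristic that scores one fetched page: it parses the HTML, records every anchor, flags anchors that sit inside an element hidden by inline CSS (the variant a commenter describes further down), counts pharma keywords, and lists the hosts the injected links point at, which is where the landing pages live. The keyword list, the hidden-style patterns, the `min_hidden` threshold and the sample page with its fictitious hosts are all constructed assumptions; plug in the HTML your checker already fetches.

```python
"""Heuristic scan of a fetched page for injected, CSS-hidden pharma link
blocks. Added example for this post; it is not the author's link checker."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list; extend it from what you see on compromised pages.
PHARMA_TERMS = ("viagra", "cialis", "levitra", "tramadol", "phentermine",
                "xanax", "valium", "pharmacy")
# Inline CSS commonly used to keep an injected block out of visitors' sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col"}


class LinkScanner(HTMLParser):
    """Record each anchor: href, text, source line, and whether the anchor or
    any enclosing element is hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden) for every open element
        self.hidden_depth = 0  # number of open elements that are hidden
        self.links = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            if hidden:
                self.hidden_depth += 1
        if tag == "a":
            if self._cur is not None:      # unclosed <a>: treat it as closed
                self.links.append(self._cur)
            self._cur = {"href": a.get("href") or "", "text": "",
                         "hidden": self.hidden_depth > 0,
                         "line": self.getpos()[0]}

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None
        if any(name == tag for name, _ in self.stack):
            while self.stack:          # pop to the matching open tag, which
                name, hidden = self.stack.pop()  # tolerates unclosed <p>/<li>
                if hidden:
                    self.hidden_depth -= 1
                if name == tag:
                    break

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data


def assess(html, site_host, min_hidden=5):
    """Score one page: 'hacked' if pharma links are hidden or a large hidden
    link block exists, 'suspicious' if pharma terms appear in visible links,
    otherwise 'clean'. Also reports where to look and the landing-page hosts."""
    p = LinkScanner()
    p.feed(html)
    p.close()
    hidden = [l for l in p.links if l["hidden"]]
    pharma = [l for l in p.links if any(
        t in (l["href"] + " " + l["text"]).lower() for t in PHARMA_TERMS)]
    pharma_ids = {id(l) for l in pharma}
    hidden_pharma = [l for l in hidden if id(l) in pharma_ids]
    external = [l for l in p.links
                if urlparse(l["href"]).hostname not in (None, site_host)]
    if hidden_pharma or len(hidden) >= min_hidden:
        verdict = "hacked"
    elif pharma:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "links": len(p.links), "hidden": len(hidden), "pharma": len(pharma),
        "external": len(external), "verdict": verdict,
        "first_hidden_line": min((l["line"] for l in hidden), default=None),
        "landing_hosts": sorted({h for h in (urlparse(l["href"]).hostname
                                           for l in hidden_pharma) if h}),
    }


# Constructed sample: an ordinary shop page with a hidden block injected at the
# bottom, the pattern the post describes. All host names are fictitious.
SAMPLE_PAGE = """<html><head><title>Sample shop</title></head>
<body>
<h1>Welcome to our shop</h1>
<p><a href="/bikes.html">Bikes</a> | <a href="/contact.html">Contact</a></p>
<p>Parts from <a href="http://www.example.org/">our supplier</a>.</p>
<p>Ordinary page content continues here.</p>
<div style="display:none">
<a href="http://lab.example-university.invalid/~user/buy-viagra.html">buy viagra</a>
<a href="http://lab.example-university.invalid/~user/cialis.html">cheap cialis</a>
<a href="http://other.invalid/phentermine">phentermine</a>
<a href="http://other.invalid/tramadol">tramadol no prescription</a>
<a href="http://other.invalid/xanax">xanax</a>
<a href="http://other.invalid/pharmacy">online pharmacy</a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for key, val in assess(SAMPLE_PAGE, "shop.example").items():
        print(f"{key}: {val}")
```

Run against a directory of listed sites, the interesting outputs are `verdict`, `first_hidden_line` (where in the source to start reading) and `landing_hosts`, since the same few landing hosts tend to recur across every compromised site on a server and make it easy to tell a server-wide infestation from a single hacked account. The keyword match is deliberately crude; the hidden-container check is what carries the signal, because a legitimate pharmacy site will have visible pharma links but no reason to hide a block of fifty of them.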

A quick look in Google turned up a lot of references to individual sites on Apollo being hacked, but I don't think they know the extent of the problem.

Please note that these hackers don't seem to infect every account on the server; they infect a chunk of them based on some unknown criteria, so it's hit and miss which domains are infected. Perhaps individual accounts were hacked, but I don't think so: I've seen the same pattern on iPowerWeb (which now appears cleaned up) and on random sites elsewhere, where some servers had more sites infected and others just a few, and who knows why.

Here are a few examples; view the HTML source to see all the embedded pharma ads, typically at the bottom of the page:

Caution: disable JavaScript before you go to any of these domains.

Server: secure1.apollohosting.com
Domains: http://whois.webhosting.info/206.125.215.251?pi=4&ob=SLD&oo=ASC
Sample 1: view-source:http://oceancyclery.com/
Sample 2: view-source:http://oldpeking.com/

Server: secure2.apollohosting.com
Domains: http://whois.webhosting.info/206.125.215.252
Sample 1: view-source:http://armandmercury.com/
Sample 2: view-source:http://altonaequipment.com/

Server: secure4.apollohosting.com
Domains: http://whois.webhosting.info/206.125.215.254
View the source on any domain in the list; not all are infected, but it's a more heavily server-wide infestation...

So on and so forth, you get the idea.

I spot checked a handful of servers, but based on what I've run across in the past with other similar shared server infestations it's probably on all shared servers.

DISCLAIMER: The sites and servers referenced still contained the pharma ads at the time of this writing and may be cleaned up in the future. Follow the links to check the domains hosted to see if the problem still exists in the future.

13 comments:

Anonymous said...

Don't know if it's related, but the timing and action suggests that it could be.

In early February, Apollo Hosting installed outbound "anti-spam" filters on their customers' smtp mail servers. Unfortunately, being this is Apollo Hosting and rather infamous for tech incompetence, the screwed up filter settings are blocking attachments and HTML formatting of their legit customers outbound mail. When contacted about this, one of their tech support clowns insinuated that the customer must be spamming or sending porn. Well, anybody in IT worth their salt knows spammers don't send out 1 or 2 or 3 messages, they blast out 1,000. The blocked messages were neither spam nor porn or UCE of any sort. To make matters worse, after repeated complaints about this situation, somebody at Apollo rather clumsily altered the bounce script in an attempt to make it appear as if the messages were being bounced by the recipient's server. Tests from off-site addresses proved this to be false.

Something's afoot at Apollo Hosting and it ain't good, but that's pretty much always been the case. They refuse to correct this latest clusterflop, much less acknowledge they screwed up. We have already switched hosts because of this and are in process of transferring.

Anonymous said...

I have been with apollo since 2001. I currently have business websites hosted with them. In January all index.html pages were hacked with pharma links embedded. In March severe cases of Internal Server Error 500 started for php pages - The only response from Tech Service has been "Sorry the problem has been corrected now" about 48 hours after I submit my request and about 12h before it happens all over again. I was reluctant to move because my sites are huge but today I did my first full transfer to someone else - All pages are working gloriously.

Anonymous said...

Several of my sites on Apollo Hosting have been hacked too. This has been happening since late 2007 and two of my sites were rehacked yesterday. Very annoying! Interestingly two of my domains on Apollohosting have never been hacked and a few have been hacked several times. The latest to be altered were on the Secure4 server.

Apollo sent me a boilerplate email today letting me know about the compromise but did not tell me which of my domains were at issue. The email suggested that my FTP passwords were being stolen either by a virus on my computer or a compromised machine between my computer and theirs.
It reads:
"Many methods exist for acquiring FTP login information; the most common being spyware on a customer's computer or establishing a connection with an insecure protocol, such as FTP, over an insecure network."

IncrediBILL said...

I used to run a hosting company and I've seen a single infected client site vs. an infected server and what I'm seeing on Apollo looks like exactly what happened to one of our shared servers once.

I hope you realize that email about having your FTP password being stolen is most likely total bullshit because the most common method of infiltrating a server is via some open source software someone has installed that has a vulnerability that wasn't updated.

Besides, your stolen password doesn't explain why most of their servers have infected sites.

I ran across another Apollo Hosting customer today that was double infected, the spam links injected into the home page PLUS a malware injector script loading from China.

Loads of fun.

Anonymous said...

I had one of my sites on Apollo hacked in late December. After repeated contacts I was told for the most part it was my fault. I asked about log files of theirs that would show the culprits. Was told their logs are discarded after 2-3 days. I increased the size and how often my logs were kept. After about 30 days my logs were enormous. Well, end of March I noticed the same type of pharma code and links on index and php files. Went to retrieve my log files and they were gone.

Well now what? Do we have legal recourse?

IncrediBILL said...

I can't advise on legal action but I can tell you they aren't the only hosts that appear to be hacked with pharma link farms.

Take a look at this:
http://www.thewhir.com/marketwatch/122007_Servers_Hacked_to_Boost_Google_Rank.cfm

Anonymous said...

Thanks for this info, Bill. My employer and I were both ApolloHosting customers for a few years. We moved our company website to a dedicated server last year after consistent outages were killing our website. Then, I found the same type of pharma links on my website which was hosted on secure13.apollohosting.com. I racked my brain trying to figure out what I did wrong in my code then found this information which leads me to think it was the server that got hacked rather than just my site.

I have since moved to another hosting company and have had no problems at all!
Thanks again for this information!

john in Alabama

Anonymous said...

Minor errors in the previous post just in case it is of help to anyone else:

My employer's site was on
secure13.apollohosting.com
My personal site was on
secure18.apollohosting.com

Anonymous said...

Apollohosting has finally done something about this. They have installed an "FTP security" feature which when enabled allows FTP access only from designated IP addresses. So far so good. I was the victim of several FTP hacks on Apollohosting but not since enabling this new fix.

Anonymous said...

I just talked to tech-support at Apollo Hosting for close to an hour. I do search engine work and my client on Apollo was hacked. Badly hacked.

Before I talked to them I removed all the hacked content, setup robots.txt to exclude the pages, setup .htaccess to count the pages as 404s, setup Google sitemaps to exclude the content, and had Yahoo! manually review the content (Yahoo! won't do such things automatically like Google). Then I started checking SE rankings frequently. Yahoo bounced back but Google remained blacklisted. Because of that I went looking for inbound links to the site. What I found was shocking.

There are 2506 pages indexed in Google that all contain the same dirty links to my client (a huge list of dirty links). All of them are hidden with CSS, so most of these people have no idea that their pages contain horrible content. The pages are spread out over more than 100 domains. ALL of the pages are hosted on Apollo. Even more amazing: 95% of the domains begin with the letter 'a'.

Basically, Apollo tried to convince me that this happened with keystroke loggers and ftp listeners. What an odd thought: keystroke loggers that specifically listen for ftp accounts on Apollo Hosting for domains beginning in the letter 'a'.

They said that they can't use a script to automatically remove the content because they can't edit the intellectual property of their clients. That's amazing. Their server was OBVIOUSLY compromised, but they can't fix it. They can't even accept responsibility for it.

Ugh. Never use Apollo Hosting. Those people obviously don't know what they're doing.

If your server is compromised to such a significant degree, shut it down, change your passwords, and restore your content. It isn't that complicated. Instead they blame it on ftp listeners and keystroke loggers. Wow.

Anonymous said...

Wow. This makes so much sense now. I have a hosting account with Apollo, and it starts with an A. The other sites hosted under my account weren't affected, just the a's.

I've been hesitant to switch because it's easier, but I will be switching now, as Apollo doesn't seem to be terribly interested in fixing this.

Anonymous said...

my friend's apollohosting site got hacked this week. i guess it's working its way down to 's'.

it's stupid that they blame the FTP client. I use the same client for multiple sites, but only apollohosting got hacked.

Jeremy Snavely said...

Interestingly, all of my Apollo Hosting domains were hacked earlier in the year EXCEPT the one that started with "A".

Since I have installed their "FTP Security" feature I have not had a problem. However just yesterday they reset all my FTP passwords and told me my FTP access had been hacked. I see no evidence that any files were tampered with as had happened on previous occasions.